A recent cybersecurity report by SecurityScorecard and KPMG reveals that the US energy sector remains at high risk of cyber threats, particularly from third-party sources. This analysis, evaluating 250 top US energy companies, highlights vulnerabilities across the energy supply chain—from oil and gas production to renewable energy—showing that despite strong security practices in many areas, gaps still leave the sector exposed to ransomware, data breaches, and other cyber disruptions.
Energy, as a critical infrastructure sector, intersects multiple industries, such as manufacturing, technology, and automotive, making cybersecurity in this field essential for national resilience. As Craig Jones, Vice President of Security Operations at Ontinue, says: “The potential attack surface for cybercriminals rises as infrastructure becomes increasingly connected and reliant on digital systems. We can expect more sophisticated attacks that exploit specific vulnerabilities moving forward.”
Key findings of the report show that 19% of companies had unsatisfactory security ratings, potentially compromising the entire sector’s security posture. Renewable energy firms scored significantly lower in security ratings, revealing concerns about gaps in this emerging area. With a surge in renewable energy initiatives, cybersecurity measures for these companies are critical to protecting the future of US energy.
The Impact of Third-Party Risks
The report underscores the impact of third-party risks, with 45% of breaches traced to outside vendors, a rate notably higher than the global average of 29%. This risk is amplified by the dependence on specialized software and IT vendors, who were responsible for 67% of third-party breaches within the sector. Moreover, 90% of entities that suffered multiple breaches were hit via third-party vendors.
Omri Weinberg, Co-founder and CRO of DoControl, points out that these vulnerabilities result from complex supply chain dependencies and a sprawling attack surface. “It’s like having a state-of-the-art security system but leaving one window unlocked—attackers will find it,” he cautions.
Jose Seara, CEO of DeNexus, stresses the necessity for US energy companies to assess their cyber risks proactively. He advocates for companies to develop and maintain a cyber risk program, as it allows them to “rapidly assess whether a cyber event is a material,” optimize cybersecurity investments and safeguard capital-intensive environments typical in critical infrastructure.
This latest analysis aligns with national initiatives, such as the US National Cybersecurity Strategy and the Council on Supply Chain Resilience, to reinforce supply chain security in critical industries. Following the high-profile ransomware attack on the Colonial Pipeline in 2021, federal and industry leaders have pushed for heightened cybersecurity across the energy supply chain to prevent similar incidents that could disrupt national operations.
With cybersecurity measures proving inconsistent across the sector, the report calls for a concerted effort among utilities, suppliers, and regulators to protect US energy infrastructure. “Companies cannot wait for federal mandates to ensure vendor security; they must proactively monitor and assess the security of their vendors,” Weinberg advises.
As the US pivots toward a greener and more interconnected energy grid, cybersecurity will play a key role in protecting the nation’s transition to renewable energy. Guarding the integrity of the energy supply chain, especially from external risks, is essential for both current and future energy security.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.