KPMG: US Energy Sector Faces High Risk of Cyber Attacks

The US energy sector is at high risk of supply chain attacks, according to KPMG
Check Point & Black Duck experts weigh in on KPMG research that highlights an increased threat of cyber-attacks targeting US energy sector supply chains

Recent findings from KPMG and SecurityScorecard have pinpointed the energy sector in the US as particularly vulnerable to supply chain cyber-attacks.

The study's data is alarming: within the last year, 45% of security breaches in this sector were due to third-party vulnerabilities. This figure starkly contrasts with a global average of 29% across various industries.

Furthermore, an overwhelming 90% of repeatedly compromised energy companies were breached via third-party channels.

The growing dependence of the energy sector on digital frameworks has unfortunately opened up new avenues for cybercriminals.

These attackers are not only sophisticated but are strategically targeting the supply lines that are integral to the sector’s operations.

Digital overhaul amplifies security risks

As energy companies transform into technologically advanced entities, they encounter new kinds of vulnerabilities.

"The fact is, most energy companies are now software companies that deliver energy to their customers via their software and technology," says Scott Johnson, VP of Product Management at Black Duck.

This transition to digital-first approaches invites a different kind of risk, primarily because cyber-attacks on software are easier to monetise compared to physical sabotage.

This paradigm shift makes energy companies prime targets for cyber theft, as infiltrating their systems can be more lucrative and less risky than traditional methods of industrial control system disruptions.

The wide-reaching impact of supply chain attacks

The integration within the energy sector’s supply chain means that a breach in one area can propagate extensively, affecting various interconnected systems and stakeholders.

"Supply chain attacks pose a significant threat to the energy sector, where critical infrastructure relies on a complex web of suppliers, vendors and partners to maintain operations," explains Deryck Mitchelson, Global CISO at Check Point Software.

"Once inside, attackers can move laterally through networks, gaining access to sensitive systems and data that would be much harder to breach directly.

"This makes energy companies particularly attractive to attackers, as a successful breach could disrupt not only the company itself but also the larger supply chain and critical services that rely on it."

Successful infiltrations allow hackers to navigate across networks silently, accessing and potentially compromising integral systems that would be difficult to attack directly.

The repercussions of such breaches are not confined to the directly affected company but can ripple through the supply chain, disrupting essential services and causing widespread operational failures.

This scenario isn’t just hypothetical. Incidents like the Colonial Pipeline hack underscore the potential chaos following such breaches, with significant impacts on fuel supply lines and, in turn, on both businesses and everyday consumers.

Strengthening defences against energy supply chain cyber threats

To fortify against these escalating threats, energy firms need comprehensive, multi-layered security strategies.

Adhering to the principle of least privilege is fundamental, according to Deryck, who suggests limiting access rights across networks to reduce vulnerabilities.

"By restricting permissions and applying a need-to-know basis for employees, contractors, and software, energy companies can limit the attack surface that cybercriminals can exploit," he says.

Additionally, implementing network segmentation can help isolate and contain any breaches to prevent them from cascading through an entire IT system.

This is particularly vital in operational contexts where both IT and operational technology need safeguarding.

Moving forward, the approach to security must be dynamic and proactive.

Security practices must evolve

Deryck urges enhanced vigilance.

He adds: "Security Operations Centre (SOC) analysts should be equipped with the tools and technology to proactively hunt for threats across all environments—whether on-premises, in the cloud or on mobile devices.

"This level of vigilance helps detect and mitigate risks before they can cause significant damage."

Furthermore, integrating security into software development via DevSecOps — ensuring security is a component throughout the development process — is essential for identifying and mitigating risks from software updates or third-party services before they are exploited by malicious actors.

With attackers understanding the substantial impact of disrupting critical infrastructure such as pipelines or electric vehicle charging stations, the energy sector remains highly attractive for cyber-attacks.

According to Scott, this makes it critical for energy companies to prioritise and reinforce their cybersecurity, particularly related to third-party engagements.

"Increased supply chain attacks to the energy sector are an excellent reminder that third-party risk management must be a priority and cannot be overlooked," he says.

The stakes are particularly high in the energy sector, where disruptions can affect critical services and infrastructure.

"Hackers know the impact that targeting a pipeline, refinery or even EV charging stations can have on the daily lives of individuals," Scott concludes, highlighting why the sector remains such an attractive target for cyber criminals.

