The US energy sector is at particularly high risk of supply chain attacks, with 45% of the security breaches that hit the industry in the past year being third-party related, according to new research by SecurityScorecard and KPMG.
This compares to a global average of 29% for supply chain breaches across all other industries.
Additionally, the study found that 90% of attacks on energy companies that were breached more than once involved third parties.
Two-thirds (67%) of third-party related breaches involved external software and IT providers. Around a fifth (22%) involved other energy companies.
The most common cause of third-party breaches in the energy sector was the large-scale exploitation of the MOVEit file transfer software vulnerability by the Clop gang in 2023, making up 39% of recorded third-party breaches.
Three of the seven MOVEit compromises analyzed by the research involved energy companies directly using the MOVEit software. The other four resulted from vendors who were breached via their own MOVEit installations – essentially fourth-party breaches.
Prasanna Govindankutty, Principal, Cyber Security US Sector Leader at KPMG, warned that the energy industry is undergoing a “generational” supply chain transition, which has ramped up the cybersecurity risks it is facing.
“With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike,” he commented.
The research analyzed 250 top US energy companies, comprising a range of sub-sectors including power and utilities, oil and gas, natural resources, and chemicals.
Variation in Energy Sector’s Cybersecurity Performance
Differing levels of cybersecurity performance can be found across the energy sector, the report found.
Overall, the US energy industry scored a ‘B’ rating according to SecurityScorecard’s rating methodology, which is considered good or respectable. These ratings take into account a range of cybersecurity areas.
More than four-fifths (81%) of companies analyzed had A and B ratings, leaving 19% rated as weak, deficient or bad.
Oil and natural gas scored highest of all the energy sub-sectors, likely due to their larger size and greater financial capacity to invest in security programs.
The sub-sector with the lowest security rating was renewable energy, with companies in this area often being newer and smaller.
Among the evaluated security factors, 92% of the lowest scores were concentrated in application security, DNS Health and network security.
Just 8% of the organizations included in the analysis showed evidence of network compromises over the past year. The researchers said this rate is significantly lower than other sectors, such as the global aviation industry, which stands at 17%.