Third-party vendors were to blame for nearly half (45%) of the security breaches in the U.S. energy sector, a newly released joint study from SecurityScorecard and KPMG found. The findings, which gather data from the 250 largest U.S. energy companies, indicated that upwards of 90% of companies in the sector that sustained multiple cybersecurity breaches had been vulnerable due to third-party risks.
That 45% figure compares with a global average of 29% for supply chain breaches across all other industries, and 90% of energy companies that were breached more than once had at least one incident involving a third party, the “A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain” study noted. More than two-thirds (67%) of third-party-related breaches involved external software and IT providers, while 22% involved other energy companies.
The study also found that the largest contributor to third-party breaches in the energy sector came from the exploitation of the MOVEit file transfer software vulnerability in 2023, accounting for 39% of breaches.
“With geopolitical and technology-based threats on the rise, this complex system is facing an equally generational risk exposure that could harm citizens and businesses alike,” said Prasanna Govindankutty, principal for cyber security and U.S. cyber sector leader at KPMG.
“The energy sector’s growing dependence on third-party vendors highlights a critical vulnerability – its security is only as strong as its weakest link,” added Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard. “Our research shows that this rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency.”
Key Takeaways
The SecurityScorecard and KPMG report warned that third-party risks are “disproportionately high in the energy sector,” and that third-party risk drives almost half (45%) of breaches in the energy sector. As a result, the U.S. energy sector as a whole scored only a “B” on cybersecurity. Four-fifths (81%) of companies have either an A or B rating, but the remaining 19% with weak scores pose a significant risk to the entire supply chain.
Moreover, the report found that software and IT vendors were the leading cause of third-party breaches. Of the incidents studied, 67% of third-party breaches were due to software and IT vendors, while only four involved other energy companies.
Fossil fuel companies scored better than greener energy firms, the study found: oil and natural gas companies scored well above average with an “A,” while renewable energy firms largely lagged with a “B.”
The study also noted that weaknesses were concentrated in a few key risk factors: 92% of companies had their lowest scores in just three of the 10 risk factors measured, namely application security (40%), network security (23%), and DNS (Domain Name System) health (29%).
“The rising threat to the energy sector, particularly from third-party vulnerabilities, underlines the urgent need for a collective defense approach. As cyberattacks increasingly exploit supply chain weaknesses, organizations can no longer afford to operate in silos,” Emily Phelps, director at threat intelligence provider Cyware, told ClearanceJobs via an email.
“Collaboration between trusted companies and industries, alongside the operationalization of threat intelligence, is critical to staying ahead of attackers,” she added. “By turning intelligence into actionable insights, organizations can identify risks earlier, coordinate defenses, and reduce the time it takes to respond.”
Aging Infrastructure
The number of legacy systems within the U.S. energy sector is another issue that needs to be resolved.
“The energy sector continues to be vulnerable to supply chain attacks because of the aging systems and the slow, deliberate nature of their software update processes,” said Willy Leichter, CMO at security provider AppSoc.
“Given the risk involved, it’s understandable that patches are viewed with suspicion and must be thoroughly vetted, and must wait for downtime before being deployed,” Leichter told ClearanceJobs. “Unfortunately, this leaves known vulnerabilities and malware exposure for extended periods. The industry must find more agile ways to decouple software updates from operational infrastructure.”
Phelps further suggested that “proactivity is key” and said that energy companies that rely solely on reactive measures could leave critical infrastructure and businesses exposed to recurring threats. “Only through shared intelligence and coordinated efforts can we address these complex, evolving risks effectively.”