Third-party breaches shake the foundations of the energy sector

90% of the world’s largest energy companies experienced a third-party breach in the past 12 months, according to SecurityScorecard.

Powering the global economy and everyday activities, the energy sector’s significance makes it a key focus for cyber threats. The urgency to protect this critical sector grows amid economic and political uncertainties. Cyberattacks on energy don’t just cause financial losses and disruptions; they also impact manufacturing, healthcare, and transportation.

Third-party breaches in the energy industry

• 100% of the top 10 US energy companies experienced a third-party breach.
• 92% of the energy companies evaluated have been exposed to a fourth-party breach.
• 33% of energy companies had a C Security Rating or below, indicating higher likelihood of breach.
• In the last 90 days, researchers identified 264 breach incidents related to third-party compromises.
• MOVEit was the most prevalent third-party vulnerability in the last six months, with hundreds of companies impacted around the world.

Ryan Sherstobitoff, SVP of Threat Research and Intelligence, SecurityScorecard, said: “More than two years after the major US pipeline ransomware incident, the world still lacks a common framework for measuring cyber risk. Transparency and information sharing about cybersecurity is critical for national security.”

Researchers analyzed more than 2,000 third-party vendors and discovered that only 4% of them had experienced breaches themselves. However, 90% of the evaluated companies suffered from third-party breaches. This disparity underscores a critical vulnerability in the energy sector’s
supply chain security, where a small number of breaches can cascade into widespread security incidents.

When attackers successfully compromise a widely-used software, they can potentially access all organizations that rely on it.

Underestimating cyber threats to third-party ecosystems

As cited by the new SEC cyber incident disclosure requirements, SecurityScorecard research found that 98% of organizations use at least one third-party vendor that has experienced a breach in the last two years.

Successful management of third-party cyber risks relies on achieving three essential outcomes:

• Efficient use of resources
• Effective risk management and resilience
• Impact on business decision-making

“Hope and prayer may be useful but are clearly not sustainable strategies. Preventing the surge of supply chain attacks requires systematically applying real time data triggering automated workflow to manage risk in the digital ecosystem,” Jim Routh, Fortune 500 CISO and Senior Advisor and Chairman, SecurityScorecard Cybersecurity Advisory Board, concluded.