Third-Party Breaches: The Leading Cybersecurity Threat for the U.S. Energy Sector

A recent report on the cybersecurity status of the U.S.energy sector reveals that third-party breaches are a major vulnerability. Asenergy companies become increasingly digital and dependent on third-partyvendors for software, IT services, and other infrastructure, they are alsobecoming more exposed to cyber risks originating outside their immediate control.With nearly 45% of reported breaches involving third parties—more than theglobal average—the energy sector faces a significant challenge in securing itssupply chain.

Key Findings onSecurity Gaps

The report analyzed data from 250 top U.S. energy companiesacross various sub-sectors, such as oil, natural gas, and renewable energy.While the industry maintains generally strong cybersecurity practices, notablegaps remain:

- Third-Party Vulnerabilities: A substantial portion ofbreaches were traced back to third-party services, notably software and ITproviders, which lack robust security protocols. Specific vulnerabilities, likethe widespread MOVEit file transfer flaw, were exploited by attackers to gainaccess to multiple energy companies.  

- Supply Chain Dependence: Vertically integrated oil and gascompanies had the highest security ratings due to more in-house resources,while renewable energy firms—often smaller and newer—had the lowest. Thisdisparity points to a pressing need for uniform security standards across thesector.

- Ransomware Threat: Ransomware attacks, particularly fromgroups like BlackCat/ALPHV, pose a persistent threat, with energy companiesbeing prime targets due to the industry’s low tolerance for operationaldowntime.

Broader Risks inDownstream Operations

The research indicates that vulnerabilities increasedownstream in the energy supply chain, especially within companies that refine,distribute, or retail energy. These entities are often less equipped to managesophisticated cyber threats, making the entire energy network susceptible todisruptions that could halt supplies to consumers.

RecommendedActions for the Energy Sector

1. Focus on Third-Party Risk Management: Energy firms mustprioritize cybersecurity assessments for their third-party vendors. Continuousmonitoring, backed by vendor commitments to strong security standards, isessential to reduce these risks.

2. Secure Renewable Energy Sources: As the sector shifts tomore interconnected, renewable sources, investment in cybersecurity for thesenewer companies is critical to ensure the resilience of clean energy networks.

3. Balance High-Impact and Low-Impact Threats: Whilepreparing for large-scale disruptions, companies should also address commondata breaches that compromise employee or customer information and could leadto fraud.

4. Learn from Global Incidents: International cyberattackson energy firms offer valuable insights that U.S. companies can adapt tostrengthen their cybersecurity practices.

In an era of increasingly interconnected supplychains, ensuring a secure energy infrastructure is paramount. By addressingthese third-party risks and strengthening the entire network, the U.S. energysector can better safeguard itself against the growing landscape of c