A joint study by SecurityScorecard and KPMG found that 90% of companies in the energy sector that sustained multiple breaches had security issues caused by third-party vendors.
In collecting data on the 250 largest energy companies, SecurityScorecard and KPMG found that third-party risk drives 45% of breaches in the U.S. energy sector — a number significantly higher than the global rate of 29%.
While 81% of U.S. energy companies earned an "A" or "B" rating from SecurityScorecard, the remaining 19%, with much weaker scores, pose a major risk to the entire supply chain, according to the Oct. 23 study.
“The energy sector’s growing dependence on third-party vendors highlights a critical vulnerability — its security is only as strong as its weakest link,” said Ryan Sherstobitoff, senior vice president of threat research and intelligence at SecurityScorecard. “Our research shows that this rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency.”
Other important findings in the study include the following:
- Software and IT vendors are the main cause of third-party breaches: The main source of third-party breaches is software and IT vendors outside the energy sector. Of the incidents studied, 67% of third-party breaches were caused by software and IT vendors, while only four involved other energy companies.
- Renewable energy companies lag behind: Oil and natural gas companies scored well above average with an “A−,” while renewable energy firms fell behind with a “B−” score.
- Vulnerabilities are concentrated in a small group of risk factors: 92% of companies had their lowest scores in just 3 of 10 risk factors: application security (40%), network security (23%), and DNS (Domain Name System) health (29%).
Omri Weinberg, co-founder and CRO at DoControl, said he’s most concerned about what the study found with renewable energy companies. Weinberg said those companies are scoring notably lower in security ratings, likely because they are newer players with smaller budgets and less mature security programs.
“This is particularly worrying as we push toward greener energy sources,” said Weinberg. “While federal funding would help, what we really need are mandatory security standards for vendors working with critical infrastructure. In today's interconnected energy sector, a breach at one point can ripple through the entire supply chain. We need everyone — from the largest utilities to the smallest suppliers — working together to address these vulnerabilities before they lead to serious disruptions.”
John Gunn, chief executive officer at Token, added that the majority of energy providers in the U.S. have previously not viewed themselves as being in the crosshairs of cybercriminals and foreign enemies. Gunn said it’s been a rude awakening to realize how vulnerable we are and how much the security of our energy providers has been compromised already.
Gunn said fixing this problem has become more an issue of awareness than the traditional obstacle of finding budget. The budget already exists, Gunn said, and it’s paid for by consumers.
“The rates we pay for energy are set by Public Utility Commissions and they use a ‘cost-of-service’ methodology to set rates,” said Gunn. “Energy providers could easily add billions to their spend on cybersecurity and not face any market pressures — they have no competition. Each person would simply pay a little more on their energy bill and have greater assurance that the lights will stay on, a choice the majority of consumers of electricity would gladly accept.”
Emily Phelps, director at Cyware, said the rising threat to the energy sector, particularly from third-party vulnerabilities, underlines the urgent need for a collective defense approach. Phelps said as cyberattacks increasingly exploit supply chain weaknesses, organizations can no longer afford to operate in silos. Collaboration between trusted companies and industries, alongside the operationalization of threat intelligence, is critical to staying ahead of attackers, said Phelps.
“By turning intelligence into actionable insights, organizations can identify risks earlier, coordinate defenses, and reduce the time it takes to respond,” said Phelps. “Staying proactive is key: relying solely on reactive measures leaves critical infrastructure and businesses exposed to recurring threats. Only through shared intelligence and coordinated efforts can we address these complex, evolving risks effectively.”