Supply Chain Security: Why Is It Key for the Energy Sector?
The landscape of the energy sector is undergoing a seismic shift, driven by rapid digital transformation and an increasing reliance on technology. As companies evolve into software-driven enterprises, they find themselves navigating a complex web of risks that were previously unimaginable.
Fresh research from KPMG and SecurityScorecard reveals a startling statistic: nearly half of all security breaches in the energy industry over the past year were linked to third-party vendors.
This figure starkly contrasts with the global average of 29% for supply chain breaches across other industries, indicating that energy companies are facing unique challenges in safeguarding their operations.
Following this research, experts from Check Point Software and Black Duck consider why the energy sector is at such high risk of supply chain attacks and what can be done.
Supply chains in the energy sector
The reliance on a myriad of suppliers and partners creates multiple points of entry for attackers, allowing them to infiltrate networks and access sensitive information with alarming ease.
Recent high-profile incidents underscore the potential consequences of these vulnerabilities.
The Colonial Pipeline attack serves as a sobering reminder that a single breach can disrupt fuel supplies across entire regions, affecting both businesses and consumers alike.
As the energy sector grapples with these challenges, it becomes increasingly clear that robust cybersecurity measures must be prioritised to protect against the ever-present threat of supply chain attacks.
"Most energy companies are now software companies that deliver energy to their customers via their software and technology," says Scott Johnson, VP of Product Management at Black Duck.
This shift has made software vulnerabilities a more attractive target for criminals than traditional physical infrastructure, as they can offer an easier way into target organisations that have large perimeter security.
The digital transformation dilemma
So large is the issue of supply chain security that researchers found that, over the past year, 90% of attacks on energy companies that were breached more than once involved third parties.
"Supply chain attacks pose a significant threat to the energy sector, where critical infrastructure relies on a complex web of suppliers, vendors and partners to maintain operations," explains Deryck Mitchelson, Global CISO at Check Point Software.
This shift has created what Scott describes as "a new dynamic of risk," where cyber attacks on software vulnerabilities have become more attractive to criminals than targeting physical infrastructure, largely because they are "more easily monetised than causing physical destruction."
The ripple effect of supply chain breaches
The interconnected nature of modern energy infrastructure means successful cyber attacks can have far-reaching consequences.
Once inside, attackers can move laterally through networks, gaining access to sensitive systems and data that would be much harder to breach directly.
This makes energy companies particularly attractive to attackers, as a successful breach could disrupt not only the company itself but also the larger supply chain and critical services that rely on it.
Once attackers infiltrate a system, they can navigate laterally through networks, accessing sensitive data and operational systems that are otherwise difficult to breach directly.
This interconnectedness means that a successful attack on one entity can have cascading effects throughout the entire supply chain.
Building resilient cyber defences
To combat these evolving threats, energy companies must adopt comprehensive security measures.
"Security Operations Centre (SOC) analysts should be equipped with the tools and technology to proactively hunt for threats across all environments—whether on-premises, in the cloud or on mobile devices," Deryck notes.
By restricting access based on necessity—whether for employees or contractors—companies can significantly limit their attack surface. Network segmentation is another crucial strategy; by dividing networks into distinct zones based on business functions, organisations can contain breaches and prevent them from spreading throughout their systems.
Integrating security into software development through DevSecOps practices allows companies to identify malicious modifications before they can be exploited.
Securing the energy sector
The findings from recent studies underscore an urgent call for energy companies to prioritise third-party risk management within their cybersecurity frameworks.
As digital supply chain attacks increase in frequency and sophistication, organisations must recognise that securing their operations necessitates vigilance not only within their own systems but also across their entire network of suppliers and partners.
With the utilities sector under increasing attack, the energy sector must evolve its approach to cybersecurity - adopting a proactive stance that anticipates risks rather than merely reacting to them.