Why US Energy Sector is at High Risk of Supply Chain Attacks
Fresh research from KPMG and SecurityScorecard has identified the US energy sector as being at particularly high risk of supply chain attacks.
The study revealed that, over the past 12 months, almost half (45%) of security breaches in the industry were third-party related, compared to a global average of 29% for supply chain breaches across all other industries.
Researchers also discovered that, among energy companies breached more than once, 90% of those attacks involved third parties.
The energy sector's increasing reliance on digital infrastructure has created new vulnerabilities that cyber criminals are eager to exploit, with supply chain attacks emerging as a particularly serious threat to critical infrastructure.
Digital transformation creates new risks
The transformation of energy companies into technology-driven enterprises has fundamentally altered the risk landscape.
"The fact is, most energy companies are now software companies that deliver energy to their customers via their software and technology," says Scott Johnson, VP of Product Management at Black Duck.
This shift has created what Johnson describes as "a new dynamic of risk," where cyber attacks on software vulnerabilities have become more attractive to criminals than targeting physical infrastructure, largely because they are "more easily monetised than causing physical destruction."
The ripple effect of supply chain breaches
The interconnected nature of modern energy infrastructure means successful cyber attacks can have far-reaching consequences.
"Supply chain attacks pose a significant threat to the energy sector, where critical infrastructure relies on a complex web of suppliers, vendors and partners to maintain operations," explains Deryck Mitchelson, Global CISO at Check Point Software.
"Once inside, attackers can move laterally through networks, gaining access to sensitive systems and data that would be much harder to breach directly.
"This makes energy companies particularly attractive to attackers, as a successful breach could disrupt not only the company itself but also the larger supply chain and critical services that rely on it."
Recent history provides sobering examples of such impacts. Take the 2021 Colonial Pipeline ransomware incident, which demonstrated how a single breach could disrupt fuel supplies across an entire region, affecting both businesses and consumers.
These attacks have become increasingly sophisticated, with cyber criminals targeting vulnerabilities in third-party software and services to deliver malware, demand ransoms or shut down operations entirely.
Building robust defence systems
To combat these threats, energy companies must implement comprehensive security measures.
Deryck advocates for a multi-layered approach, starting with the principle of least privilege: "By restricting permissions and applying a need-to-know basis for employees, contractors, and software, energy companies can limit the attack surface that cybercriminals can exploit."
Network segmentation also plays a crucial role in defence strategy.
By dividing networks into distinct zones based on business functions, organisations can contain breaches and prevent them from spreading throughout the system.
This is particularly vital in energy infrastructure, where both operational technology (OT) and information technology (IT) systems must be protected to prevent cascading failures.
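The least-privilege and segmentation advice above comes down to a default-deny policy between zones with a short allow-list of conduits. The script below is an added example, not code from the article, Check Point or any vendor: it models IT, DMZ and OT zones with constructed address ranges, an allow-list of permitted inter-zone conduits, and runs it over constructed flow-log lines to report which flows the policy would drop. Run against an export of real flow logs, the same check shows what a proposed rule set would break before it is enforced on the firewall.

```python
"""Default-deny zone policy checked against flow-log lines.

Added example; not code from the article, Check Point or any vendor.
Zone address ranges, allowed conduits and the log lines are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Zones by business function (constructed ranges).
ZONES = {
    "corp_it": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "ot_control": ipaddress.ip_network("192.168.100.0/24"),
    "ot_field": ipaddress.ip_network("192.168.200.0/24"),
}

# Explicitly allowed inter-zone conduits: (src_zone, dst_zone, dst_port, proto).
# Everything not listed is denied; note there is no direct corp_it -> ot_* path.
ALLOWED = {
    ("corp_it", "dmz", 443, "tcp"),          # users reach the DMZ historian over HTTPS
    ("dmz", "ot_control", 4840, "tcp"),      # historian polls controllers via OPC UA
    ("ot_control", "ot_field", 502, "tcp"),  # controllers speak Modbus/TCP to field devices
}

LINE_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line):
    """Pull src/dst/dport/proto out of a key=value flow-log line; None if malformed."""
    m = LINE_RE.search(line)
    if not m:
        return None
    src, dst, dport, proto = m.groups()
    return Flow(src, dst, int(dport), proto.lower())


def zone_of(ip):
    """Return the zone name containing ip, or None for addresses outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(flow):
    """Apply the conduit allow-list; returns (verdict, reason)."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside any defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    if (src_zone, dst_zone, flow.dport, flow.proto) in ALLOWED:
        return "allow", f"conduit {src_zone}->{dst_zone}"
    return "deny", f"no conduit {src_zone}->{dst_zone} on {flow.proto}/{flow.dport}"


def find_violations(lines):
    """Flows the policy would drop, with the reason, in log order."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            violations.append((flow, reason))
    return violations


# Constructed flow-log lines (not real traffic).
SAMPLE_LOG = [
    "2024-03-01T08:00:01Z src=10.10.5.20 dst=10.20.0.5 dport=443 proto=tcp",
    "2024-03-01T08:00:02Z src=10.20.0.5 dst=192.168.100.10 dport=4840 proto=tcp",
    "2024-03-01T08:00:03Z src=10.10.5.20 dst=192.168.100.10 dport=22 proto=tcp",
    "2024-03-01T08:00:04Z src=203.0.113.7 dst=192.168.200.3 dport=502 proto=tcp",
    "2024-03-01T08:00:05Z src=192.168.100.10 dst=192.168.200.3 dport=502 proto=tcp",
    "2024-03-01T08:00:06Z src=192.168.200.3 dst=10.10.5.20 dport=445 proto=tcp",
]

if __name__ == "__main__":
    for flow, reason in find_violations(SAMPLE_LOG):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Of the six constructed flows, three are denied: an IT workstation opening SSH straight into the control zone, an external address talking Modbus to a field device, and a field device reaching back into corporate IT over SMB. The third case is the one that matters most for lateral movement: segmentation has to be enforced in both directions, not just from IT into OT.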
The evolution of security practices
Clearly, modern security practices must evolve to match the sophistication of current cyber threats.
"Security Operations Centre (SOC) analysts should be equipped with the tools and technology to proactively hunt for threats across all environments—whether on-premises, in the cloud or on mobile devices," Deryck notes.
"This level of vigilance helps detect and mitigate risks before they can cause significant damage."
The integration of security into software development through DevSecOps practices has become essential, allowing companies to identify malicious modifications in software updates or third-party solutions before they can be exploited.
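One concrete form of the "identify malicious modifications in software updates" step is a release gate that diffs the update's software bill of materials against the last approved baseline and checks every delivered artifact against the hash the vendor's manifest commits to. The block below is an added example, not code from the article, Black Duck or any vendor. Component names, versions, artifact bytes and the manifest layout are all constructed, and it assumes the manifest's signature has already been verified against the vendor's published key; without that step a hash match only proves the attacker was consistent.

```python
"""Review a vendor software update before deployment: diff its SBOM against the
last approved baseline and check delivered artifacts against the manifest hashes.

Added example; not code from the article, Black Duck or any vendor.
Component names, versions, the artifact bytes and the manifest layout are
constructed. Assumes the update manifest's signature has already been verified
against the vendor's published key; that step is not shown here.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sbom(components):
    """Build a minimal manifest from (name, version, artifact bytes) tuples."""
    return {"components": [
        {"name": n, "version": v, "sha256": sha256_hex(blob)} for n, v, blob in components
    ]}


def index_components(sbom):
    return {c["name"]: c for c in sbom["components"]}


def diff_sboms(baseline, update):
    """Components added, removed, or changed in version between two SBOMs."""
    base, upd = index_components(baseline), index_components(update)
    return {
        "added": sorted(set(upd) - set(base)),
        "removed": sorted(set(base) - set(upd)),
        "changed": sorted(n for n in set(base) & set(upd)
                          if base[n]["version"] != upd[n]["version"]),
    }


def verify_hashes(sbom, delivered):
    """Names whose delivered bytes are missing or do not match the manifest hash."""
    mismatched = []
    for c in sbom["components"]:
        blob = delivered.get(c["name"])
        if blob is None or sha256_hex(blob) != c["sha256"]:
            mismatched.append(c["name"])
    return mismatched


def review_update(baseline, update, delivered):
    """Findings a release gate would block on or route to a human reviewer."""
    findings = []
    d = diff_sboms(baseline, update)
    for name in d["added"]:
        findings.append(f"new component {name}: not in approved baseline, needs review")
    for name in d["removed"]:
        findings.append(f"component {name} removed: confirm with vendor")
    for name in d["changed"]:
        findings.append(f"{name} version changed: check against vendor changelog")
    for name in verify_hashes(update, delivered):
        findings.append(f"hash mismatch for {name}: artifact differs from manifest, possible tampering")
    return findings


# Constructed data: the previously approved release ...
BASELINE = make_sbom([
    ("openssl", "3.0.12", b"openssl-3.0.12 build"),
    ("libmodbus", "3.1.10", b"libmodbus-3.1.10 build"),
    ("zlib", "1.3", b"zlib-1.3 build"),
])

# ... the vendor's manifest for the new release ...
UPDATE = make_sbom([
    ("openssl", "3.0.13", b"openssl-3.0.13 build"),
    ("libmodbus", "3.1.10", b"libmodbus-3.1.10 build"),
    ("zlib", "1.3", b"zlib-1.3 build"),
    ("evtloader", "0.1", b"evtloader-0.1 build"),
])

# ... and what actually arrived: zlib's bytes differ from what the manifest commits to.
DELIVERED = {
    "openssl": b"openssl-3.0.13 build",
    "libmodbus": b"libmodbus-3.1.10 build",
    "zlib": b"zlib-1.3 build with an extra section",
    "evtloader": b"evtloader-0.1 build",
}

if __name__ == "__main__":
    for finding in review_update(BASELINE, UPDATE, DELIVERED):
        print(finding)
```

On the constructed data the gate raises three findings: a component that was never in the approved baseline, a version change to review against the vendor's changelog, and an artifact whose bytes do not match the manifest. The third is the one a pipeline should hard-fail on; the first two are the cases that need a human, because a new dependency or a silent version bump is exactly where a compromised build process hides.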
Johnson emphasises: "Increased supply chain attacks to the energy sector are an excellent reminder that third-party risk management must be a priority and cannot be overlooked."
The stakes are particularly high in the energy sector, where disruptions can affect critical services and infrastructure.
"Hackers know the impact that targeting a pipeline, refinery or even EV charging stations can have on the daily lives of individuals," Johnson points out, highlighting why the sector remains such an attractive target for cyber criminals.
Supply Chain Digital is a BizClik brand.