Why US Energy Sector is at High Risk of Supply Chain Attacks

The US energy sector is at high risk of supply chain attacks, according to KPMG
Following fresh KPMG research, experts from Check Point Software and Black Duck consider why the energy sector is at such high risk of supply chain attacks

Fresh research from KPMG and Security Scorecard has identified the US energy sector as being at particularly high risk of supply chain attacks.

The study revealed that, over the past 12 months, almost half (45%) of security breaches in the industry were third-party related, compared to a global average of 29% for supply chain breaches across all other industries.

Researchers also discovered that 90% of attacks on energy companies breached more than once involved third parties.

The energy sector's increasing reliance on digital infrastructure has created new vulnerabilities that cyber criminals are eager to exploit, with supply chain attacks emerging as a particularly serious threat to critical infrastructure.

Digital transformation creates new risks

The transformation of energy companies into technology-driven enterprises has fundamentally altered the risk landscape.

"The fact is, most energy companies are now software companies that deliver energy to their customers via their software and technology," says Scott Johnson, VP of Product Management at Black Duck.

This shift has created what Johnson describes as "a new dynamic of risk," where cyber attacks on software vulnerabilities have become more attractive to criminals than targeting physical infrastructure, largely because they are "more easily monetised than causing physical destruction."

The ripple effect of supply chain breaches

The interconnected nature of modern energy infrastructure means successful cyber attacks can have far-reaching consequences.

"Supply chain attacks pose a significant threat to the energy sector, where critical infrastructure relies on a complex web of suppliers, vendors and partners to maintain operations," explains Deryck Mitchelson, Global CISO at Check Point Software.

"Once inside, attackers can move laterally through networks, gaining access to sensitive systems and data that would be much harder to breach directly.

"This makes energy companies particularly attractive to attackers, as a successful breach could disrupt not only the company itself but also the larger supply chain and critical services that rely on it."

Recent history provides sobering examples of such impacts. Take the Colonial Pipeline incident, which demonstrated how a single breach could disrupt fuel supplies across an entire region, affecting both businesses and consumers.

These attacks have become increasingly sophisticated, with cyber criminals targeting vulnerabilities in third-party software and services to deliver malware, demand ransoms or shut down operations entirely.

Building robust defence systems

To combat these threats, energy companies must implement comprehensive security measures.

Deryck advocates for a multi-layered approach, starting with the principle of least privilege: "By restricting permissions and applying a need-to-know basis for employees, contractors, and software, energy companies can limit the attack surface that cybercriminals can exploit."

Network segmentation also plays a crucial role in defence strategy.

By dividing networks into distinct zones based on business functions, organisations can contain breaches and prevent them from spreading throughout the system.

This is particularly vital in energy infrastructure, where both operational technology (OT) and information technology (IT) systems must be protected to prevent cascading failures.
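The two controls just described, least privilege and zone-based segmentation, come down to one question a defender can actually test: from a compromised host in zone A, which zones and services are reachable at all? The following is an added example (not code from Check Point, KPMG or this article) that models an IT/DMZ/OT network as a deny-by-default inter-zone policy and compares a flat "allow everything" network with a segmented one. All zone names, address ranges, hosts and rules are constructed for illustration.

```python
"""Deny-by-default inter-zone flow policy: added example, not from the article.

Zones, address ranges and rules below are constructed for illustration only.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

# Constructed zones: corporate IT, a DMZ holding a historian/jump host, and the
# OT control network where PLCs live.
ZONES = {
    "corp_it": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ot_control": ipaddress.ip_network("10.9.0.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "*" matches any zone
    dst_zone: str            # "*" matches any zone
    proto: str               # "tcp", "udp" or "*"
    dport: Optional[int]     # None matches any destination port


# Weak setting: a flat network where every zone can reach every other zone.
FLAT_POLICY = [Rule("*", "*", "*", None)]

# Corrected setting: only the flows the business actually needs, nothing else.
SEGMENTED_POLICY = [
    Rule("corp_it", "dmz", "tcp", 443),       # users reach the historian web UI
    Rule("dmz", "ot_control", "tcp", 502),    # only the DMZ host speaks Modbus to PLCs
]


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing ip, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def _matches(rule: Rule, src_zone: str, dst_zone: str, proto: str, dport: int) -> bool:
    return (
        rule.src_zone in ("*", src_zone)
        and rule.dst_zone in ("*", dst_zone)
        and rule.proto in ("*", proto)
        and (rule.dport is None or rule.dport == dport)
    )


def is_allowed(policy, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Deny by default; an unknown source or destination zone is never allowed."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone is None or dst_zone is None:
        return False
    return any(_matches(r, src_zone, dst_zone, proto, dport) for r in policy)


def reachable_zones(policy, src_zone: str) -> set:
    """Blast radius check: which other zones can a host in src_zone reach directly?"""
    return {
        z for z in ZONES
        if z != src_zone
        and any(r.src_zone in ("*", src_zone) and r.dst_zone in ("*", z) for r in policy)
    }


def evaluate(policy, flows):
    """Run a list of (src_ip, dst_ip, proto, dport) flows through a policy."""
    return [(f, is_allowed(policy, *f)) for f in flows]


if __name__ == "__main__":
    # Constructed sample flows, including a lateral move from a corporate
    # workstation straight to a PLC on Modbus/TCP.
    SAMPLE_FLOWS = [
        ("10.1.5.20", "10.2.0.5", "tcp", 443),     # workstation -> historian UI
        ("10.1.5.20", "10.9.0.10", "tcp", 502),    # workstation -> PLC (lateral move)
        ("10.2.0.5", "10.9.0.10", "tcp", 502),     # DMZ host -> PLC (expected)
        ("10.9.0.10", "10.1.5.20", "tcp", 445),    # PLC -> workstation (reverse path)
    ]
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"--- {name} policy ---")
        for flow, ok in evaluate(policy, SAMPLE_FLOWS):
            print(f"{'ALLOW' if ok else 'DENY ':5} {flow}")
        print("reachable from corp_it:", sorted(reachable_zones(policy, "corp_it")))
```

The point of `reachable_zones` is that the flat policy lets a compromised corporate workstation touch the OT zone directly, while the segmented policy forces any path to the PLCs through the single DMZ host, which is where monitoring and access control can be concentrated.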

The evolution of security practices

Clearly, modern security practices must evolve to match the sophistication of current cyber threats.

"Security Operations Centre (SOC) analysts should be equipped with the tools and technology to proactively hunt for threats across all environments—whether on-premises, in the cloud or on mobile devices," Deryck notes.

"This level of vigilance helps detect and mitigate risks before they can cause significant damage."

The integration of security into software development through DevSecOps practices has become essential, allowing companies to identify malicious modifications in software updates or third-party solutions before they can be exploited.
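One concrete DevSecOps check behind that sentence is refusing to deploy a third-party update whose contents differ from what the vendor published. The following added example (not code from Black Duck, KPMG or this article) verifies an incoming update bundle against a trusted manifest of SHA-256 digests: every file must be present, match its pinned digest, and no unlisted file may appear. The file names, contents and the "trusted" manifest are constructed in memory for illustration; in a real pipeline the manifest would be obtained out of band from the vendor and signed.

```python
"""Verify a third-party update bundle against a pinned manifest.

Added example, not from the article. File names, contents and the manifest
are constructed in memory; a real manifest comes signed from the vendor.
"""
import hashlib
import hmac
from typing import Dict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file name to the SHA-256 of its known-good contents."""
    return {name: sha256_hex(data) for name, data in files.items()}


def verify_update(manifest: Dict[str, str], files: Dict[str, bytes]) -> dict:
    """Compare an update bundle to the manifest.

    Returns a report with the names of files that verified, were tampered
    with, were missing from the bundle, or appeared without being listed.
    The bundle is deployable only when all three problem lists are empty.
    """
    report = {"ok": [], "tampered": [], "missing": [], "unexpected": []}
    for name, expected in manifest.items():
        if name not in files:
            report["missing"].append(name)
            continue
        actual = sha256_hex(files[name])
        # compare_digest avoids timing differences; the hashes are public, but
        # it is the habit worth keeping for any digest comparison.
        if hmac.compare_digest(actual, expected):
            report["ok"].append(name)
        else:
            report["tampered"].append(name)
    report["unexpected"] = sorted(set(files) - set(manifest))
    report["deployable"] = not (report["tampered"] or report["missing"] or report["unexpected"])
    return report


# Constructed "known good" vendor release used to produce the trusted manifest.
GOOD_FILES = {
    "scada-agent.bin": b"\x7fELF-constructed-agent-v2.3.1",
    "agent.conf": b"poll_interval=5\nlog_level=info\n",
    "CHANGELOG.txt": b"2.3.1: bug fixes\n",
}
TRUSTED_MANIFEST = build_manifest(GOOD_FILES)

# Constructed tampered bundle: the config was altered and an extra binary added.
TAMPERED_FILES = dict(GOOD_FILES)
TAMPERED_FILES["agent.conf"] = b"poll_interval=5\nlog_level=info\nremote_shell=1\n"
TAMPERED_FILES["helper.dll"] = b"constructed-unlisted-payload"


def check_clean_bundle() -> dict:
    return verify_update(TRUSTED_MANIFEST, GOOD_FILES)


def check_tampered_bundle() -> dict:
    return verify_update(TRUSTED_MANIFEST, TAMPERED_FILES)


if __name__ == "__main__":
    for label, report in (("clean", check_clean_bundle()), ("tampered", check_tampered_bundle())):
        print(f"{label}: deployable={report['deployable']}")
        for key in ("tampered", "missing", "unexpected"):
            if report[key]:
                print(f"  {key}: {report[key]}")
```

Two design choices matter here: the check is deny-by-default (a missing or extra file blocks deployment just as a modified one does), and the manifest is trusted only because it arrived through a channel separate from the bundle itself. A hash list that ships inside the same download proves nothing about a bundle an attacker has already altered.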

Johnson emphasises: "Increased supply chain attacks to the energy sector are an excellent reminder that third-party risk management must be a priority and cannot be overlooked."

The stakes are particularly high in the energy sector, where disruptions can affect critical services and infrastructure.

"Hackers know the impact that targeting a pipeline, refinery or even EV charging stations can have on the daily lives of individuals," Johnson points out, highlighting why the sector remains such an attractive target for cyber criminals.



Supply Chain Digital is a BizClik brand.
