SecurityScorecard and KPMG released a report revealing that two-thirds (67%) of third-party energy sector breaches were caused by software and IT vendors. Furthermore, third-party risk prompts nearly half (45%) of energy sector breaches compared to the 29% global rate. 

Security leaders weigh in

Craig Jones, Vice President of Security Operations at Ontinue:

The nature of threats targeting the energy sector and other critical infrastructure companies is likely to continue to evolve in line with technological advancements. As infrastructure becomes increasingly connected and reliant on digital systems, the potential attack surface for cybercriminals rises. We can expect to see more sophisticated attacks that exploit specific vulnerabilities in these systems moving forward. Furthermore, the ever-growing value of data may lead to more targeted ransomware attacks that aim to extract or encrypt particularly valuable or sensitive information.

Jose Seara, CEO and Founder at DeNexus:

This latest study validates some of the findings from our cyber risk management work with industrial and energy companies. Vulnerabilities in third-party software and remote access to industrial equipment are certainly among the top contributors to cyber risk today.

Critical infrastructure and energy sector sites have been increasingly targeted by threat actors and they all need to strengthen their cybersecurity posture. It is imperative for these companies to better understand their cyber risks, identify them and quantify them in monetary terms to drive data-driven decisions on cybersecurity investments.

Companies should be proactive and prepare so that they have a clear playbook for when an incident occurs. This starts by knowing the cyber risk that the organization faces and sharing with stakeholders the nature of those risks, financial losses associated with potential cyber incidents, and which site or facility is at risk. With a cyber risk program in place, companies will be ready to rapidly assess whether a cyber event is material. In addition, they gain visibility into risk mitigation strategies and can optimize their cybersecurity investments. This is particularly important in capital-intensive environments with cyber-physical assets as commonly found in critical infrastructure companies. 

Omri Weinberg, Co-Founder and CRO at DoControl:

The SecurityScorecard/KPMG findings reveal a particularly concerning vulnerability in our energy infrastructure — the disproportionate impact of third-party risks. When 45% of breaches come through third parties (compared to a global average of 29%), and 90% of companies experiencing multiple breaches were compromised through vendor connections, it's clear where the sector's weak points lie.

What makes the energy sector especially vulnerable? First, you’ve got these incredibly complex supply chain dependencies. The industry relies heavily on specialized software and IT vendors, who were responsible for 67% of third-party breaches. Think about it — all these interconnected systems create this sprawling attack surface that’s incredibly difficult to secure.

Then there’s this stark contrast in security maturity across the industry. While most companies — about 81% — maintain good security ratings, you’ve got this minority with poor ratings that create significant risk for everyone else. It’s like having a state-of-the-art security system but leaving one window unlocked — attackers will find it.

Perhaps most concerning is what we’re seeing with renewable energy companies. They’re scoring notably lower in security ratings, likely because they’re newer players with smaller budgets and less mature security programs. This is particularly worrying as we push toward greener energy sources.

While federal funding would help, what we really need are mandatory security standards for vendors working with critical infrastructure. But companies shouldn’t sit around waiting for regulations. They need to take action now — start monitoring their vendors continuously, regularly assess their security posture and that of their vendors, and develop solid incident response plans that account for third-party incidents.

The reality is, in today’s interconnected energy sector, a breach at one point can ripple through the entire supply chain. We need everyone —from the largest utilities to the smallest suppliers — working together to address these vulnerabilities before they lead to serious disruptions.