On average, the cost of a data breach rose by 10% from 2020 to 2021. The energy industry ranked fifth in data breach costs, surpassed only by the health care, financial, pharmaceutical and technology verticals, according to the 17th annual Cost of a Data Breach Report. Some energy cybersecurity measures can help reduce the cost of a data breach in a big way. For example, take a look at zero trust deployments, artificial intelligence and automation.

It’s important to better understand data security in this growing and crucial field. Take a look at some recent data breaches that affected energy and utility providers. What data security risks and challenges are unique to these sectors?

What Is a Data Breach in the Energy and Utilities Industries?

The energy sector includes oil and gas companies, alternative energy producers and suppliers and utility providers such as electric companies. Energy cybersecurity breaches and failures can have tremendous impacts. They even go beyond the cost to the companies that mine for oil or gas or provide energy to customers. After all, people rely on these services for nearly every aspect of life.

Compromised Password Leads to Gas Shortages

A breach of this kind added to the United States’ many other challenges in spring 2021. An attacker gained remote access to the network of a major U.S. pipeline company via an employee’s virtual private network (VPN) account. The VPN account was not even in use at the time. However, it remained open for threat actors to use as a gateway to the company’s main network. The attacker found the password used to access the account on a list of leaked passwords on the dark web. Experts suggest that the employee may have used the same password on another account. A threat actor then stole it from that account and shared it online.

One week after the data breach, the threat actor sent a ransom note. In response, the company shut the pipeline down. They did so on purpose because they wanted to avoid an attack on their operational technology network. After all, these are the systems that control the physical flow of gasoline.

This happened to occur at the same time as increases in COVID-19 vaccinations and car travel across the U.S. Because of this, the resulting gasoline shortage led to long lines at gas stations and high oil prices. That in turn directly affected consumers’ wallets just as many were beginning to return to work and recover financially amidst a global pandemic.

This shows the importance of educating employees on data protection and data security best practices. In particular, make sure to use unique passwords for every account.

San Francisco Utility Fined $2.7 Million

The rise in smart meters introduces new threats to utilities such as power companies. One San Francisco-based utility was saddled with a $2.7 million fine from federal security regulators for failing to protect confidential data, which included more than 30,000 pieces of information. A third-party contractor allegedly copied data from the utility’s network to its own. From there, it was hosted online without a user ID or password.

Threats of ransomware and denial-of-service attacks are also a concern for utilities that implement smart meters and store customer data on their network. That’s a big problem if that network falls out of the control of the utility.

Solar Devices Create Portal to Access the Grid

Cyber attacks and big data security concerns affect all kinds of energy companies. According to the Department of Energy, threat actors breached the web portal firewall of a solar power utility in 2019. This caused operators to lose visibility for parts of the grid for 10 hours.

Devices such as solar photovoltaic inverters that connect to the internet to help manage the grid can become targets. In particular, attackers can take advantage if the company doesn’t update and secure their inverter software.

What Is the Cost of a Data Breach for Energy and Utilities Companies?

The Cost of a Data Breach Report, which has grown into a leading benchmark report in the cybersecurity industry, shares that the average cost of a data breach in the energy industry is $4.65 million. The good news is this figure has dropped by 27.2% since 2020 when the average cost of a data breach in the industry was up to $6.39 million.

Risks and Challenges of Data Security

Social engineering, system intrusion and web application attacks made up 98% of energy data breaches in 2021. Social engineering, or phishing, attacks were the most common, although ransomware attacks continue to be a threat for the sector.

According to the Verizon report, the following data was stolen, lost or rendered inaccessible by ransomware most often:

  • Login credentials
  • Internal company data
  • Personal data of employees and customers.

In 98% of all cases, the threat actors were not connected with the companies in any way; only 2% of attacks were internal breaches.

There’s more good news, too. The threat of ‘hacktivism’, threat actors who operate because of causes such as environmentalism and sustainability, is on a steep decline. According to the IBM X-Force Threat Intelligence Index, these attacks dropped by 95% between 2015 and 2019. Of course, oil and gas companies could be the primary targets of such attacks. So, their decline frees up energy cybersecurity departments to focus their budget and attention on other threats.

The rise of employees working from home and accessing networks remotely also creates a growing threat. The IBM report discovered that the cost of a data breach rose by an average of $1.07 million when remote work was a factor. In situations where more than 50% of the workforce was remote, it took IT security experts an average of 58 days longer to detect and contain threats.

Taking proactive steps toward employee education regarding cybersecurity best practices can help mitigate risks. Make sure your people know how to reduce the risk of compromised credentials, which were responsible for 20% of all attacks, according to the report. On top of that, train them to look out for the signs of social engineering and phishing.
