In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023.

This puts energy in fourth place overall — the same as the year prior and behind manufacturing, finance and insurance, and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback following highly public breaches in 2021, such as the Colonial Pipeline attack.

Despite the overall drop in threats, however, the industry remains at risk. Consider the recent ransomware attack on Ohio-based Encino Energy, which saw 400 GB of data exposed. The oil producer says that the attack did not impact its operations. However, there’s no word on whether or not they paid the ransom.

To help organizations better navigate the coming year, we’re taking a look back at 2022. What threats were prevalent? How effective were defenses? What’s next for energy cybersecurity?

What were the top energy industry threats in 2022?

The biggest threat to energy organizations in 2022 was the exploitation of public-facing applications, accounting for 40% of all infections. Spear phishing and external remote services each accounted for 20% of cases, and botnets were responsible for 19%. Ransomware and business email compromise (BEC) both came in at 15%.

Data theft and extortion were the most commonly cited outcomes of these attacks at 23%, with credential harvesting at 15%. Regionally, North America took the top spot with 46% of all attacks, followed by Europe and Latin America at 23% and just under 5% in Asia, the Middle East and Africa.


How effective are current energy defenses?

Current energy defenses are hit or miss.

Here’s why: In cases where companies were able to detect cyber threats, they were able to take action. The Colonial Pipeline attack is a good example. After uncovering evidence of the threat, the company moved quickly to address it. But this move also meant a sudden shutdown of operations, which in turn raised fears of potential energy shortages.

It’s also worth noting that while industrial control system (ICS) attacks on energy companies were lower than expected in 2022, as companies made efforts to detect and deflect these attacks, ransomware volumes rose significantly. What’s more, attacked organizations often do not disclose whether they paid ransom demands. This means there’s no guarantee that they resolved these threats — only that they temporarily silenced them.

Where are compliance regulations impacting energy cybersecurity?

Compliance in the energy sector is evolving.

In general, energy organizations are subject to guidelines and recommendations regarding cybersecurity rather than specific regulations. For example, the Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership that’s partially funded by the Department of Energy (DOE) and is managed by the Electricity Information Sharing and Analysis Center (E-ISAC). The program encourages sharing threat data across energy industry organizations to help improve overall industry protection.

There are also new federal guidelines on the horizon. As noted by Utility Dive, the new White House national cybersecurity strategy asks energy companies to build proactive rather than reactive security solutions to create “a new generation of interconnected hardware and software systems.”

While this is good news overall for the sector, it may come with some growing pains. For example, many energy companies still rely on legacy ICS and SCADA solutions to connect and manage key operational components. These solutions were never designed to interface with modern applications and services, meaning the implementation of security-by-design may require the complete removal and replacement of these systems, a process that some energy experts warn could drive up prices overall.

It’s also worth noting that the new directive does not cover all energy and utility sector businesses, such as petroleum refining or water treatment. This means that while new legislative efforts are a good start, they do leave industry gaps.

How common is the CISO role in energy?

As of December 2021, 45% of companies in the U.S. didn’t employ a chief information security officer (CISO), even though 58% feel it’s important to have someone in this role.

Energy is in a similar position. As organizations recognize the key role of security in business operations and industry reputation, CISOs are becoming more common. However, the position is by no means universal. CISOs in the energy sector also face the ongoing challenge of fighting for a seat at the boardroom table. This can be problematic. If efforts at proactive security are not part of strategy discussions up-front, they are often far less effective overall.

Put simply, while both the number and impact of energy CISOs are rising, there’s still room for improvement.

2023: What comes next for energy?

In 2023, energy companies can expect more of the same: More ransomware, more botnets and more data exfiltration.

They should also prepare for a rise in machine learning and artificial intelligence-based attacks as these technologies become more mainstream and play a more prominent role in threat actor operations.

Regardless of the vectors themselves, however, the strategy for energy industry security success remains the same: Better tools for more visibility, underpinned by a seat at the table for CISOs to help them design, implement and manage effective security programs.
