In 2022, 10.7% of observed cyberattacks targeted the energy industry, according to the X-Force Threat Intelligence Index 2023.
This puts energy in fourth place overall, the same as the year prior and behind manufacturing, finance and insurance, and professional and business services. The report notes that this reduction in total cyberattacks may be partly tied to pushback from highly public breaches in 2021, such as the Colonial Pipeline attack.
Despite the overall drop in threats, however, the industry remains at risk. Consider the recent ransomware attack on Ohio-based Encino Energy, which saw 400 GB of data exposed. The oil producer says that the attack did not impact its operations. However, there’s no word on whether or not they paid the ransom.
To help organizations better navigate the coming year, we’re taking a look back at 2022. What threats were prevalent? How effective were defenses? What’s next for energy cybersecurity?
What were the top energy industry threats in 2022?
The biggest threat to energy organizations in 2022 was the exploitation of public-facing applications, accounting for 40% of all infections. Spear phishing and external remote services each accounted for 20% of cases, and botnets were responsible for 19%. Ransomware and business email compromise (BEC) both came in at 15%.
Data theft and extortion were the most commonly cited outcomes of these attacks at 23%, with credential harvesting at 15%. Regionally, North America took the top spot with 46% of all attacks, followed by Europe and Latin America at 23%, with just under 5% in Asia, the Middle East and Africa.
How effective are current energy defenses?
Current energy defenses are hit or miss.
Here’s why: In cases where companies were able to detect cyber threats, they were able to take action. The Colonial Pipeline attack is a good example. After uncovering evidence of the threat, the company moved quickly to address it. But this move also meant a sudden shutdown of operations, which in turn raised fears of potential energy shortages.
It’s also worth noting that while industrial control system (ICS) attacks on energy companies were lower than expected in 2022 as companies made efforts to detect and deflect these attacks, ransomware volumes rose significantly. What’s more, attacked organizations often do not disclose whether they paid ransom demands as a solution to cybersecurity issues. This means there’s no guarantee that they resolved these threats rather than only temporarily silencing them.
Where are compliance regulations impacting energy cybersecurity?
Compliance in the energy sector is evolving.
In general, energy organizations are subject to guidelines and recommendations regarding cybersecurity rather than specific regulations. For example, the Cybersecurity Risk Information Sharing Program (CRISP) is a public-private partnership that’s partially funded by the Department of Energy (DOE) and is managed by the Electricity Information Sharing and Analysis Center (E-ISAC). The program encourages sharing threat data across energy industry organizations to help improve overall industry protection.
There are also new federal guidelines on the horizon. As noted by Utility Dive, the new White House national cybersecurity strategy asks energy companies to build proactive rather than reactive security solutions to create “a new generation of interconnected hardware and software systems.”
While this is good news overall for the sector, it may come with some growing pains. For example, many energy companies still rely on legacy ICS and SCADA solutions to connect and manage key operational components. These solutions were never designed to interface with modern applications and services, meaning the implementation of security-by-design may require the complete removal and replacement of these systems, a process that some energy experts warn could drive up prices overall.
It’s also worth noting that the new directive does not cover all energy and utility sector businesses, such as petroleum refining or water treatment. This means that while new legislative efforts are a good start, they do leave industry gaps.
How common is the CISO role in energy?
As of December 2021, 45% of companies in the U.S. didn’t employ a chief information security officer (CISO), even though 58% feel it’s important to have someone in this role.
Energy is in a similar position. As organizations recognize the key role of security in business operations and industry reputation, CISOs are becoming more common. However, the position is by no means universal. CISOs in the energy sector also face the ongoing challenge of fighting for a seat at the boardroom table. This can be problematic. If efforts at proactive security are not part of strategy discussions up-front, they are often far less effective overall.
Put simply, while both the number and impact of energy CISOs are rising, there’s still room for improvement.
2023: What comes next for energy?
In 2023, energy companies can expect more of the same: More ransomware, more botnets and more data exfiltration.
They should also prepare for a rise in machine learning and artificial intelligence-based attacks as these technologies become more mainstream and play a more prominent role in threat actor operations.
Regardless of the vectors themselves, however, the strategy for energy industry security success remains the same: Better tools for more visibility, underpinned by a seat at the table for CISOs to help them design, implement and manage effective security programs.