On average, the cost of a data breach rose by 10% from 2020 to 2021. The energy industry ranked fifth in data breach costs, surpassed only by the health care, financial, pharmaceutical and technology verticals, according to the 17th annual Cost of a Data Breach Report. Some energy cybersecurity measures can help reduce the cost of a data breach in a big way. For example, take a look at zero trust deployments, artificial intelligence and automation.
It’s important to better understand data security in this growing and crucial field. Take a look at some recent data breaches that affected energy and utility providers. What data security risks and challenges are unique to these sectors?
What Is a Data Breach in the Energy and Utilities Industries?
The energy sector includes oil and gas companies, alternative energy producers and suppliers and utility providers such as electric companies. Energy cybersecurity breaches and failures can have tremendous impacts. They even go beyond the cost to the companies that mine for oil or gas or provide energy to customers. After all, people rely on these services for nearly every aspect of life.
Compromised Password Leads to Gas Shortages
This type of problem joined the United States’ many other challenges in spring 2021. An attacker gained remote access to the network of a major U.S. pipeline company via an employee’s virtual private network (VPN). The VPN was not even in use at the time. However, it remained open for threat actors to use it as a gateway to the company’s main network. The attacker found the password used to access the account on a list of leaked passwords on the dark web. Experts suggest that the employee may have used the same password on another account. A threat actor then stole it from that account and shared it online.
One week after the data breach, the threat actor sent a ransom note. In response, the company shut the pipeline down. They did so on purpose because they wanted to avoid an attack on their operational technology network. After all, these are the systems that control the physical flow of gasoline.
This happened to occur at the same time as increases in COVID-19 vaccinations and car travel across the U.S. Because of this, the resulting gasoline shortage led to long lines at gas stations and high oil prices. That in turn directly affected consumers’ wallets just as many were beginning to return to work and recover financially amidst a global pandemic.
This shows the importance of educating employees on data protection and data security best practices. In particular, make sure to use unique passwords for every account.
San Francisco Utility Fined $2.7 Million
The rise in smart meters introduces new threats to utilities such as power companies. One San Francisco-based utility was saddled with a $2.7 million fine from federal security regulators for failing to protect confidential data, which included more than 30,000 pieces of information. A third-party contractor allegedly copied data from the utility’s network to its own. From there, it was hosted online without a user ID or password.
Threats of ransomware and denial-of-service attacks are also a concern for utilities that implement smart meters and store customer data on their network. That’s a big problem if that network falls out of the control of the utility.
Solar Devices Create Portal to Access the Grid
Cyber attacks and big data security concerns affect all kinds of energy companies. In 2019, the Department of Energy reports, threat actors breached the web portal firewall of a solar power utility. This caused operators to lose visibility for parts of the grid for 10 hours.
Devices such as solar photovoltaic inverters that connect to the internet to help manage the grid can become targets. In particular, attackers can take advantage if the company doesn’t update and secure their inverter software.
What Is the Cost of a Data Breach for Energy and Utilities Companies?
The Cost of a Data Breach Report, which has grown into a leading benchmark report in the cybersecurity industry, shares that the average cost of a data breach in the energy industry is $4.65 million. The good news is this figure has dropped by 27.2% since 2020 when the average cost of a data breach in the industry was up to $6.39 million.
Risks and Challenges of Data Security
Social engineering, system intrusion and web application attacks made up 98% of energy data breaches in 2021. Social engineering, or phishing, attacks were the most common, although ransomware attacks continue to be a threat for the sector.
According to the Verizon report, the following data was stolen, lost or rendered inaccessible by ransomware most often:
- Login credentials
- Internal company data
- Personal data of employees and customers.
In 98% of all cases, the threat actors were not connected with the companies in any way; only 2% of attacks were internal breaches.
There’s more good news, too. The threat of ‘hacktivism’, threat actors who operate because of causes such as environmentalism and sustainability, is on a steep decline. According to the IBM X-Force Threat Intelligence Index, these attacks dropped by 95% between 2015 and 2019. Of course, oil and gas companies could be the primary targets of such attacks. So, their decline frees up energy cybersecurity departments to focus their budget and attention on other threats.
The rise of employees working from home and accessing networks remotely also creates a growing threat. The IBM report discovered that the cost of a data breach rose by an average of $1.07 million when remote work was a factor. In situations where more than 50% of the workforce was remote, it took IT security experts an average of 58 days longer to detect and contain threats.
Taking proactive steps toward employee education regarding cybersecurity best practices can help mitigate risks. Make sure your people know how to reduce the risk of compromised credentials, which were responsible for 20% of all attacks, according to the report. On top of that, train them to look out for the signs of social engineering and phishing.