Growing Cyber Threats to the Energy Sector: An Urgent Call for Enhanced Security

In an increasingly digital world, the energy sector is facing a multitude of cyber threats that come in various forms. These threats include state-sponsored actors aiming to disrupt national infrastructure, cybercriminals driven by financial motives, and insiders who intentionally compromise their organizations. The ramifications of a successful cyberattack on the energy sector can be catastrophic, potentially leading to significant disruptions in energy supplies and causing extensive economic and social damage.
According to a comprehensive study conducted by Darktrace, which analyzed the UK and US energy sectors over a three-year period from November 2021 to December 2024, critical vulnerabilities have been identified that require immediate remedial action. Zoe Tilsiter, the Analyst Lead at Darktrace and the report's author, emphasized the urgent need for security teams to prioritize three main areas to reinforce their cyber defenses.
Firstly, it is imperative to reduce the considerable exposure of Operational Technology (OT) systems to the internet. Alarmingly, the energy sector leads in internet-exposed configurations that are vulnerable to exploitation, making it easier for cybercriminals to gain initial access. Secondly, comprehensive asset visibility solutions must be implemented, as many organizations currently lack effective inventory management. This gap has been exploited in various supply chain attacks within the sector. Lastly, enhancing email security protocols is crucial; Darktrace's findings reveal that 55% of successful cyberattacks still originate from phishing campaigns. Tilsiter warned that state-sponsored threat actors and sophisticated cyber attackers are already infiltrating energy networks, specifically targeting industrial control systems. As the energy sector accelerates its digital transformation in pursuit of net-zero goals, it becomes increasingly vital for security measures to evolve in tandem.
The report highlights that email remains the most frequent vector for cyberattacks, with data from both US and UK energy customers indicating that 55% of incidents involved email or Software as a Service (SaaS) platforms. Phishing emails are typically employed to harvest credentials, leading to the compromise of critical accounts, often Microsoft 365. Notably, 18% of cases reported involved the deployment of ransomware, with common threat actors identified as ALPHV/BlackCat, Fog, and others like Sodinokibi, Hunters International, and KOK08. Some of these ransomware groups operate under a Ransomware as a Service (RaaS) model. Additionally, 13% of incidents stemmed from a poor cybersecurity posture, underscoring the need for better practices.
Since 2022, there has been a marked increase in cyberattacks targeting renewable energy producers and providers in the Europe, Middle East, and Africa (EMEA) region. High-profile companies such as Honeywell and Schneider Electric were caught up in espionage campaigns between 2019 and 2022 that are believed to be linked to the Russian hacking group APT28. Moreover, in April 2022, electrical substations in Ukraine fell victim to an attack by Sandworm, a group associated with the Russian General Staff of the Armed Forces (GRU), which targeted the IEC-104 protocol used for commanding electrical utility equipment.
On the other side of the globe, the Lazarus Group, a North Korea-sponsored Advanced Persistent Threat (APT), has also affected energy companies across the United States, Canada, and Japan by exploiting vulnerabilities in the widely used Log4j software on internet-exposed VMware Horizon and Unified Access Gateway servers.
In tandem with these security concerns, the adoption of Artificial Intelligence (AI) within the energy sector is gaining traction. While AI presents numerous advantages and efficiencies, its implementation is not yet widespread or fully realized. Experts warn that AI adoption could inadvertently introduce new risks if not coupled with sufficient training and oversight. Until now, there has been no definitive evidence of AI being utilized in attacks on the energy sector; however, should adversaries employ AI, it could significantly alter the scale, speed, and impact of cyberattacks. Mark Bristow, Director of the Cyber Infrastructure Protection Innovation Center (CIPIC) at MITRE, expressed skepticism about the imminent threat AI poses, stating, "We're a long way off from AI being capable of causing widespread disruption."
Another critical concern highlighted in the report is the energy sector's historical overreliance on a limited number of critical vendors and systems, which amplifies the risk of a single targeted attack causing cascading failures across national infrastructure. The Royal United Services Institute (RUSI) has cautioned that key software systems are controlled by a handful of companies, which poses serious risks due to the lack of supplier diversity.
Furthermore, energy industry executives are increasingly considering hosting Operational Technology (OT) devices such as Human-Machine Interfaces (HMIs) and Very Small Aperture Terminals (VSATs) in the cloud, along with their discrete logic control systems and 5G communications. While cloud setups can offer enhanced scaling and speed, they also introduce new vulnerabilities. As one US expert noted, "The risk is ending up with assets screwed to Ethernet converters and plugged into the cloud." Compounding these challenges, energy companies are outsourcing more of their operations, which often leaves them with little knowledge of how secure the software used by their vendors actually is.