Cyber-attacks on the US power grid have exposed a concerning weakness: third-party vendors who can access critical infrastructure systems. Security experts tracked 23 major cyber-attacks that targeted energy sector suppliers in 2023. These vendors now represent a serious threat to electrical infrastructure’s security as threat actors increasingly exploit their vulnerabilities to compromise power grid operations.
The risks from third-party vendors affect every aspect of energy sector operations – from SCADA systems to basic software maintenance providers. Data shows that 63% of energy companies face breaches through third-party access points, which significantly exceeds typical industry rates. This piece looks at third-party cyber risks in today’s energy sector and reviews common supply chain vulnerabilities. It also explores cybersecurity effectiveness across energy sub-sectors and offers practical steps to improve third-party risk management.
The Rising Threat of Third-Party Cyber Attacks in the Energy Sector
Third-party cyber-attacks have surged dramatically in the energy sector, and recent data shows dangerous vulnerabilities in the supply chain. A complete study reveals that 90% of energy companies experienced data breaches through third-party vendors last year. The energy sector reported 264 breaches that directly stemmed from third-party problems.
Statistics on third-party breaches in the US energy sector
Third-party breaches have severely affected the US energy sector. All top 10 U.S. energy companies have experienced confirmed third-party breaches. Security ratings paint a concerning picture, as 33% of energy companies scored a C or lower, which shows a higher risk of breach exposure.
Recent security analyses revealed these crucial findings:
- MOVEit vulnerability exploitation has affected many global energy companies
- Third-party risk causes 45% of breaches in the U.S. energy sector
- Software and IT vendors make up 67% of third-party breaches
Comparison to global averages in various industries
The energy sector faces higher risks from third-party breaches than other industries. The U.S. energy sector reports 45% of breaches from third parties, which exceeds the global industry average of 29%. These breaches cost energy companies an average of $4.72 million per incident 1.
The most common causes of third-party breaches
Software and IT vendors stand out as the biggest threat when it comes to third-party breaches in the energy sector. Recent incident analysis shows that 67% of third-party breaches originated from software and IT vendors outside the energy sector. Critical infrastructure faces increased cyber threats because organizations depend heavily on digital systems and external software solutions.
Several key risk factors make the security landscape more complex:
Percentage of Companies Affected by the following Risk Factors
40%
Application Security
23%
Network Security
29%
DNS Health
These numbers paint a concerning picture – 92% of companies scored lowest in just these three risk factors. This clearly shows where third-party risk management strategies need to focus immediately.
Vulnerabilities in the Energy Supply Chain
Supply chain vulnerabilities in the energy sector create complex challenges beyond direct cyber-attacks. Multiple entry points for potential security breaches emerge from the intricate network of vendors, suppliers, and service providers. This makes detailed risk management crucial to protect critical infrastructure.
Software and IT vendor risks
Software and IT vendors pose the most significant security threat to the energy sector. These vendors cause 67% of all third-party breaches. Their privileged access to critical systems creates security gaps across multiple areas:
- Network infrastructure management
- SCADA system maintenance
- Software update deployment
- Remote monitoring services
Recent security evaluations show that 92% of energy companies’ lowest security scores exist in three key areas: application security (40%), network security (23%), and DNS health (29%). These vulnerabilities highlight the significant impact of vendor-related risks on core technical operations.
Risks from other energy companies
Energy companies face security challenges because their operations are interconnected. Research shows that 22% of third-party breaches occur with other organizations in the energy sector. These connected systems create unique risks due to:
| Risk Factor | Impact Area |
| Shared Infrastructure | Grid Operations |
| Data Exchange | Customer Information |
| Joint Operations | Control Systems |
| Supply Chain Dependencies | Critical Components |
The MOVEit vulnerability exploitation
The MOVEit file transfer software vulnerability became a major security threat in 2023. It caused 39% of recorded third-party breaches in the energy sector. The attack pattern showed:
- Three major energy companies had their MOVEit installations directly compromised
- Four more breaches happened through vendor systems that used MOVEit
- Attackers gained unauthorized access to sensitive operational data
A single vulnerability in commonly used software can create a ripple effect through the energy sector’s supply chain. Research shows that 90% of companies with multiple breaches were attacked through third-party connections. This fact emphasizes the need to improve vendor security protocols.
The energy supply chain’s complexity makes it hard to track security risks effectively. Most utilities need help to monitor their supply chain beyond immediate vendors. This creates a blind spot where cyber, continuity, and quality risks often surface 5. Vendors make this problem worse by keeping their manufacturing processes secret to protect their competitive edge.
Cybersecurity Performance Across Energy Sub-Sectors
The complete analysis of cybersecurity performance shows significant differences in security preparedness among energy sub-sectors and points out the most critical areas that need immediate attention. An evaluation of 250 leading U.S. energy companies explained the sector’s cybersecurity situation.
Overall industry ratings
The U.S. energy sector shows different cybersecurity maturity levels, with 81% of companies achieving either A or B ratings. The remaining 19% of organizations received unsatisfactory ratings, which could create vulnerabilities across the entire supply chain. The industry’s “B” rating highlights successes and areas needing cybersecurity improvements.
Key performance indicators reveal:
- 42% of companies achieved A ratings
- 39% received B ratings
- 19% scored C or lower
Differences between oil/gas and renewable energy companies
Traditional energy providers and renewable energy companies show apparent differences in their cybersecurity preparedness. The analysis shows notable performance variations:
| Energy Sector | Security Rating | Performance Level |
| Vertically Integrated Oil & Gas | A- (93/94) | Highest |
| Electric & Natural Gas Utilities | B+ (88/90) | Above Average |
| Renewable Energy | B- (81/85) | Below Average |
Oil and natural gas companies showcase better cybersecurity practices and score well above average with an A- rating. Their performance contrasts sharply with renewable energy firms that lag behind with a B- score. This suggests possible vulnerabilities in the expanding green energy sector.
Areas with the lowest security scores
Recent analysis shows that security vulnerabilities cluster in specific domains. 92% of companies show their lowest scores in just three critical areas:
- Application Security (40% of companies)
- Software vulnerability management
- Security configuration issues
- Application access controls
- Network Security (23% of companies)
- Infrastructure protection
- Network access management
- Security protocol implementation
- DNS Health (29% of companies)
- Domain configuration
- DNS security protocols
- Infrastructure resilience
These concentrated weak points offer clear opportunities to improve sector-wide security. A worrying trend shows that software and IT vendors cause 67% of third-party breaches. This highlights the need for better vendor security protocols and monitoring systems.
Security performance varies significantly across energy sub-sectors, which points to broader issues in maintaining consistent cybersecurity standards. Oil and gas companies with vertical integration show strong security practices. However, renewable energy providers score lower, raising questions about their cyber threat resilience as the industry shifts toward greener energy solutions.
Recommendations for Improving Third-Party Cyber Risk Management
Organizations need a detailed approach to third-party risk management that effectively combines prevention and response strategies. A reliable monitoring system must work alongside clear protocols for responding to and recovering from incidents. Studies reveal that breaches through third parties are 12.8% longer to resolve and 11.8% more expensive than direct breaches. These findings highlight why boosted security measures are crucial.
Continuous monitoring of vendors
Companies need systematic approaches to monitor their vendors. Research shows that organizations using threat intelligence detect breaches 28 days faster than others. A successful monitoring strategy should include:
- Up-to-the-minute evaluation of vendor’s security postures
- Automated alerts when security policies are violated
- Ongoing assessment of vendor access privileges
- Regular verification of vendor’s compliance documents
Regular security assessments
Organizations need to assess multiple risk domains to ensure detailed coverage. This assessment framework offers a well-laid-out approach:
| Assessment Area | Key Evaluation Criteria | Frequency |
| Information Security | Access controls, encryption protocols | Quarterly |
| Business Continuity | Disaster recovery, backup systems | Semi-annual |
| Technology Development | Security by design, code review | Quarterly |
| Cloud Governance | Data protection, access management | Monthly |
| Compliance | Regulatory adherence, documentation | Semi-annual |
Developing incident response plans for third-party breaches
Organizations need complete incident response plans that focus on third-party breaches. Research shows that companies with dedicated incident response teams reduce data breach costs by $2.1 million on average. A working response plan must include these key elements:
- Immediate Actions (First 24 Hours)
- Connect with affected vendors quickly
- Put containment strategies in place
- Gather threat intelligence
- Record all response activities
- Information Gathering Phase
- Determine the breach scope and its effects
- Check data exposure levels
- Track vendor recovery timelines
- List affected systems and services
- Remediation Protocols
- Apply isolation procedures
- Launch containment strategies
- Track behavioral patterns
- Use threat intelligence resources
Implementing mandatory security standards for critical infrastructure vendors
Critical infrastructure vendors need strict security standards to guard against emerging threats. Clear security baselines should be established without compromising operational efficiency. Data reveals that 90% of companies faced multiple breaches through third-party connections. This statistic emphasizes the immediate need for standardized security protocols.
Organizations should focus on these essential security measures:
- Vendor Onboarding Requirements
- Detailed security assessments
- Security control documentation
- Compliance standard verification
- Regular security training programs
- Operational Security Standards
- Data transmission encryption requirements
- Access control protocols
- Incident reporting procedures
- Security updates and patches
- Compliance Monitoring
- Security measure audits
- Security incident documentation
- Regulatory compliance verification
- Security control performance assessment
Security teams must work closely with vendor management and executive leadership to implement these recommendations effectively. Clear metrics should track the third-party risk management program’s success through response times, incident resolution rates, and compliance levels.
Conclusion
Third-party cyber risks threaten US power grid security like never before. About 90% of energy companies have experienced vendor-related breaches. Recent security assessments show dangerous weak points in application security, network security, and DNS health. These gaps create multiple ways attackers can breach systems. The energy sector’s complex supply chains make matters worse. Energy companies now face average breach costs of $5 million and take 12.8% longer to resolve than direct breaches.
Energy companies need resilient monitoring systems to manage third-party risk. They should conduct regular security assessments and follow standard vendor protocols. A complete security strategy must include live threat detection and incident response plans. Companies should also keep detailed records of vendor compliance. ProcessBolt’s third-party risk experts can help you employ state-of-the-art attack surface monitoring and vendor risk management solutions. Companies that use these strategic measures substantially reduce their cyber threat exposure and better protect critical infrastructure.
