Third-Party Risk May Be the Biggest Threat to U.S. Energy

The U.S. energy sector has a lot to be concerned about. From an outdated grid to the dangers of relying on foreign oil, there are plenty of uncertainties keeping executives awake at night. But perhaps the biggest threat to the sector has nothing to do with energy itself. Maybe it is third-party risk and its link to cybersecurity issues.
Vendor Risks In U.S. Energy
Energy companies are subject to cybersecurity threats as much as companies in any other industry. It is worth noting that a report published in late 2024 indicates that upwards of 45% of all data breaches in the energy sector are related to third-party risks. In addition, 67% of the breaches were linked directly to software and IT vendors.
Why such high numbers for software and IT vendors? It is because the energy sector relies heavily on third-party vendors to meet its IT needs. And because software and IT are the inroads for cybercrime, a network with more vendors in the pipeline is more susceptible to threat actors.
A Strange Disparity
The previously mentioned report highlights a strange disparity based on the type of energy being produced. According to the data, companies involved in fossil fuels tend to score higher on cybersecurity than their renewable energy counterparts. The report says oil and gas companies typically earn an A- rating while renewable energy companies score a B- on average.
This is apparently not due to any inherent weaknesses in renewable energy. Rather, it is due to the interconnected nature of renewable energy. Renewable energy systems and installations tend to be smaller. They also tend to be interconnected across larger networks with significantly more vendors in play. More third-party vendors equals more risk.
Risk Management Through Data
Managing third-party risk is one of the services offered by DarkOwl, a leading darknet intelligence firm. They explained on their website that risk management is not a "single point in time exercise." Rather, it is an ongoing endeavor that works best when supported by relevant data.
Risk management through darknet data intelligence is a priority for DarkOwl and other firms offering similar services. The main concept is to take the fight to threat actors rather than waiting for them to emerge from the shadows. How is it done? By monitoring the dark web, harvesting a ton of data, and analyzing it to detect emerging threats.
One particular strategy gathers and analyzes data before scoring it. Potential threats are scored based on their seriousness and likelihood. Through scoring, organizations can better identify potential risks and subsequently protect themselves.
Data is also utilized to score third parties up and down the supply chain. Those vendors most at risk are urged to take steps to mitigate it. When necessary, an organization can cut ties with an insecure vendor before moving on to finding a replacement.
Third-Party Risk Is a Reality
Third-party risk is a reality in a world that is now so interconnected across global networks. It is never going away. Therefore, the best way to deal with third parties, from a security perspective, is to continually monitor vendor risk profiles and potential threats. Organizations need to be proactive to stay ahead of the threats.
As far as the U.S. energy sector is concerned, an aging grid is a problem. Likewise for the ongoing attack against fossil fuels. Yet equally threatening is the cybersecurity landscape. And because energy companies rely so heavily on third-party IT and software vendors, they need to be especially cognizant of third-party risk. Third parties could be the biggest vulnerability of all.




