Head of Strategy for IBM Security X-Force
There are few areas more essential to our daily lives than the energy sector, which powers homes, fuels our economy, and connects every piece of critical infrastructure.
In Texas, we know that value first-hand. Hundreds of thousands of us across Texas lost power last February after an ice storm downed power lines. In 2021 the state’s power grid nearly collapsed during a catastrophic freeze. Many fellow Texans lost their lives.
Our economy simply cannot function without dependable energy — but cyberattacks against energy targets are growing. The IBM Security X-Force Threat Intelligence Index 2023 revealed that energy was the industry attacked most often in North America, and the fourth most attacked industry by cybercriminals worldwide in 2022. North American energy organizations experienced 46% of all energy attacks last year, a 25% increase from 2021 levels.
A cyberattack on an energy organization often means the catastrophic loss of electricity, gas, and oil, which can disable emergency services and communication networks. In May 2021 a ransomware attack on the Houston-based Colonial Pipeline crippled the energy supply to millions of citizens, and cost millions to contain and recover. The primary target of the attack was the company’s IT systems, but Colonial shut down the pipeline, fearing that the hackers might have obtained information that would allow them to attack vulnerable parts of the conduit, which carried gasoline, diesel and jet fuel. Panic buying caused widespread gasoline shortages and some filling stations were without fuel for several days.
And today, many attacks are happening faster and with more precision. Threat actors can complete a ransomware attack, for instance, in less than four days. That’s far less than the two-month average attackers needed in 2019, and a 95% jump in speed. In the time it once took to complete a single ransomware attack, about 15 can now be completed, according to IBM’s X-Force report.
These attacks can impact the pocketbooks of the everyday consumer. IBM’s 2023 Cost of a Data Breach Report found that in 2023, the average cost of a data breach for organizations in the energy industry reached $4.78 million, making it the fourth costliest industry, up from fifth. Our analysis also found more organizations are passing costs stemming from data breaches onto consumers. In fact, 57% of all organizations raised the prices of their products or services because of a breach.
Protecting a broad attack surface
The energy sector is an especially tempting target because it is vulnerable in several important ways. First, the energy industry is an attractive target for extortion, given its (and the public’s) extremely low tolerance for downtime. Globally, IBM’s X-Force report found that more than one-quarter of cyberattacks involved extortion last year. In addition, the sector’s decentralized locations and global supply networks broaden the attack surface. Every point on the supply chain — every company or individual it does business with — is a potential vulnerability, including transmission and distribution partners.
This means that each piece of hardware and software in the broad supply chain is a potential target of threat actors. Therefore, cybersecurity for the energy sector must be a collaborative endeavor. Everyone across the many areas that touch our energy supplies should be engaged in prevention.
Businesses can take the following steps to help increase their resilience against attackers:
- Think like an attacker and know your attack surface. One-third of attackable assets on networks are unmanaged or unknown, offering easy targets for attackers and risking unintended data exposure. Discover where you’re vulnerable and the ways an attacker could get in with the least detection.
- Train for fast response. Accept that breaches are inevitable and set up methods for rapid response; speed is the biggest key to limiting the blast radius. It’s critical to deploy predictive and forward-looking technology while preparing for a nimble response when—not if—a breach occurs.
- Test regularly. Formulate a sophisticated testing program that implements threat hunting, penetration testing, and objective-based red teaming to help uncover vulnerabilities in your defenses. Perform these tests frequently. Challenge your assumptions about your threat coverage.
While we Texans are known for our independence, the entire value chain needs to work together to curb the increasing threat to our energy sector. Every vendor and person, every piece of hardware and software, is a potential target of threat actors – all must be trained to engage in prevention and know their roles in the event of an incident. Damage from one area can quickly spread to local, regional, and global partners.
Without the energy services that our daily lives depend on, the well-being of millions of people is threatened. To best safeguard our energy systems, we must all be vigilant. We can do this, together.
John Hendley is the head of strategy for IBM Security X-Force, where he leads strategy for a global team of over 500 hackers, researchers, threat intelligence analysts, developers, and incident responders. John and his team provide clients – from Fortune 100 enterprise companies to small and mid-sized companies – offensive and defensive security services.