SecurityScorecard Report: 67% of Energy Sector Breaches Tied to Software and IT Vendors

SecurityScorecard and KPMG LLP have released a co-authored cybersecurity report analyzing vulnerabilities in the 250 largest U.S. energy companies. Titled “A Quantitative Analysis of Cyber Risks in the U.S. Energy Supply Chain,” the report provides a detailed overview of cybersecurity risks affecting the energy sector and its supply chains.

The release of this report coincides with global regulatory efforts to enhance cybersecurity in the energy industry. These initiatives are part of broader commitments made during the June 2024 G7 summit to strengthen cyber defenses against rising threats. The U.S. government has also been actively engaging with energy sector leaders to advance the Supply Chain Cybersecurity Principles, alongside ongoing efforts by the International Counter Ransomware Initiative (CRI).

SecurityScorecard’s research highlights the energy sector’s vulnerability to ransomware attacks, particularly through third-party vendors. Although industrial control systems (ICS) and operational technology (OT) have been the traditional focus of cybersecurity, the transition to cleaner energy and a more interconnected grid is creating new vulnerabilities. As the industry becomes increasingly reliant on software, the risk of cyberattacks rises.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, emphasized the critical nature of third-party risks:
“The energy sector’s growing dependence on third-party vendors highlights a critical vulnerability—its security is only as strong as its weakest link. Our research shows that this rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency.”
