Recent Report Reveals Software & IT Vendors Are Top Security Risk for Houston Energy Sector Businesses
A new SecurityScorecard and KPMG report reveals software and IT vendors account for 67% of third-party breaches in the US energy sector, highlighting urgent cybersecurity risks
A concerning new report from SecurityScorecard and KPMG has revealed that software and IT vendors pose the greatest cybersecurity threat to the US energy sector, with these third parties being responsible for 67% of all third-party breaches. This finding comes at a critical time when the energy sector is becoming increasingly digitized and dependent on software systems for its operations.
Key Findings from the Report:
- Third-party risk drives almost half (45%) of all breaches in the energy sector, significantly higher than the global average of 29%
- A staggering 90% of companies that suffered multiple breaches were compromised through third-party vendors
- While 81% of energy companies maintain strong security ratings (A or B grades), the remaining 19% with weak security postures pose a significant risk to the entire supply chain
The MOVEit Incident: A Case Study
The report highlights how a single software vulnerability can have cascading effects throughout the industry. The MOVEit file transfer software vulnerability (CVE-2023-34362) alone accounted for 39% of all third-party breaches in the study, demonstrating how heavily the sector relies on common software tools.
Increasing Digital Transformation Brings New Risks
As Scott Johnson, VP of Product Management at Black Duck, noted in a comment to Energy Digital magazine, “The fact is, most energy companies are now software companies that deliver energy to their customers via their software and technology.” This digital transformation, while necessary for modernization, has created new attack vectors for cybercriminals.
Supply Chain Vulnerabilities
Deryck Mitchelson, Global CISO at Check Point Software, emphasizes in the same Energy Digital article that “Supply chain attacks pose a significant threat to the energy sector, where critical infrastructure relies on a complex web of suppliers, vendors and partners to maintain operations.” Once attackers breach a vendor’s systems, they can move laterally through networks, potentially affecting multiple energy companies.
Recommended Security Measures:
- Enhanced Third-Party Risk Management
  - Prioritize software and IT vendor assessments
  - Implement continuous monitoring of vendor security postures
  - Establish strict security requirements for new vendor relationships
- Secure by Design Approach
  - Demand built-in security features from technology vendors
  - Verify vendor compliance with cybersecurity best practices
  - Require security capabilities in base products rather than as premium add-ons
- Network Segmentation
  - Implement strong access controls
  - Limit vendor access to critical systems
  - Create clear boundaries between operational and IT networks
- Proactive Security Monitoring
  - Deploy comprehensive Security Operations Center (SOC) capabilities
  - Enable robust logging and monitoring across all environments
  - Maintain visibility into both on-premises and cloud systems
How CinchOps Can Help Secure the Energy Sector
As the SecurityScorecard and KPMG report highlights, energy companies face significant risks from their software and IT vendors. CinchOps offers a multi-layered approach aligned with DOE’s Supply Chain Cybersecurity Principles to address these specific challenges:
Security-First IT Management
- Proactive monitoring and security patching of all IT systems and software
- Regular security assessments to identify potential vulnerabilities
- Dedicated cybersecurity team providing 24/7 threat monitoring and response
Vendor Security Management
- Assessment and monitoring of third-party vendor security postures
- Documentation and tracking of all vendor relationships and access levels
- Implementation of zero-trust principles for vendor access management
Secure Infrastructure Design
- Network segmentation to limit potential breach impact
- Implementation of least-privilege access controls
- Deployment of advanced endpoint protection across all systems
Compliance and Documentation
- Alignment with CISA’s “Secure by Design” principles
- Regular compliance audits and reporting
- Detailed documentation of security controls and procedures
With the energy sector facing increased scrutiny and evolving cyber threats, CinchOps provides the expertise and systematic approach needed to protect critical infrastructure and operations. Our team understands both the technical and regulatory landscape of the energy sector, enabling us to deliver security solutions that address current threats while preparing for future challenges.
Contact CinchOps to learn how we can strengthen your organization’s security posture and protect against supply chain vulnerabilities. Go to the Security Assessment Services page and request your FREE assessment.