Cybersecurity Threats to Critical Energy Infrastructure: Business Continuity in a Changing Geopolitical Environment

Introduction

Technological advancements and digitization have revolutionized critical sectors, including the energy infrastructures which sustain societies. Despite the increased efficiency offered by technical advances such as automation and digitalized operating systems, these advances also make the energy sector more vulnerable to cyberattack. As researchers at a U.S. Department of Energy National Laboratory noted, “When critical infrastructure control systems are directly exposed to the Internet, they become an easy target for any potential attacker to find.”

The energy sector’s importance makes it an inviting target for states or private actors seeking to disrupt a society for political, military, or economic advantages. Cyberattacks could have an enormous impact, interrupting the functioning of power plants, transformer stations, and grids; causing blackouts; and creating a deficit of critical raw materials. Cyberattacks on the energy sector could also have a substantial influence on financial markets, as the sector provides products for the rest of the economy. For private energy companies, cyberattacks can significantly harm their reputation, financial situation, and competitive ability.

Because of the high stakes involved and the frequency of cyberattacks in recent years, public and private institutions have been placing greater emphasis on cybersecurity. The International Energy Agency, European Commission, and U.S. Department of Energy have all given attention to the cybersecurity of the energy sector in particular. Some private companies have designated officers or teams responsible for cybersecurity within their organizations. Investors in the energy sector may also be concerned about cyberattack risks. The ISS ESG Cyber Risk Score can help investors seeking to minimize their exposure to such risks.

Understanding Cyber Threats

Cyber threats can take a variety of forms. Figure 1 highlights the most common forms of threats that occur across the Energy Sector. Some of these threats are examined in detail below.

Figure 1: Cyber Threats across the Energy Sector

Source: ISS ESG

Malware

Among the most widely used cyber security threats is malware, a software built to gain unauthorized access to IT systems for stealing data, interrupting system functions, or harming IT networks. Attackers use malware to enter any cyber platform, including critical energy infrastructures. 

A very common malware software is ransomware. Hackers use ransomware to encrypt specified data or systems and hold it captive until a form of ransom is provided.

Ransomware was used to attack the Colonial Pipeline in May 2021.  Colonial Pipeline is one of the longest oil pipelines in the United States, extending from Texas to New Jersey and delivering over 45% of the oil consumed on the East Coast. A ransom of 75 bitcoin (equivalent to US$4.4 million dollars at the time of the attack) was paid to regain access to the system. The event had a substantial impact on the market and consumers. The Brazilian utilities companies Copel and Eletrobras were also targets of ransomware attacks in February 2021.

Phishing and Internal Attacks

Phishing is an online scam that deceives users into sharing private information. According to the cybersecurity firm Lookout, mobile phishing attacks targeting energy companies spiked in 2021. Figure 2 shows results from this Lookout study about trends in phishing attacks in the global energy industry in 2020–2021. The general trend suggests increased phishing attacks targeting the industry.

Figure 2: Comparison of Phishing Rates in the Energy Industry over Time

Source: Lookout

In 2017, the global security firm Symantec reported a huge phishing attack on U.S. and European energy companies. As per the report, the hacker campaign successfully gained access to around 20 energy company networks, including those of U.S. companies and at least one Turkish company, and in some cases could have caused black outs. Another possible phishing incident was the hacker attacks on Ukrainian power companies in 2015.

Distributed Denial-of-Service Attack

A Distributed Denial-of-Service (DDoS) Attack is when hackers flood a server with web traffic to prevent users from accessing the connected online services. The first completely automated grid attack recorded occurred in 2016, when hackers created a malicious code which targeted a Kyiv transmission station and caused a significant blackout lasting over an hour in Ukraine’s capital. Likewise, in 2019, the U.S. Department of Energy reported a DDoS Attack targeting electrical grid operations in Los Angeles County, California, and Salt Lake County, Utah. The hackers interrupted electric system operations successfully, although they did not cause outages. In 2017, a leaked report from the U.K. National Cyber Security Centre  raised concerns over hackers possibly compromising the British energy grid. The smart device installation across the globe by several utilities companies is considered a major vulnerability point for a possible DDoS Attack.

Responses to Cyber Threats

Companies have started to respond and adapt to cyberattack threats by establishing dedicated teams of experts in the domain of cybersecurity and imposing security measures. Some companies have appointed data protection officers to oversee data handling, implementation of data security policies, employee training among employees, and annual reviews to mitigate the cybersecurity risks.

Frequent monitoring also helps to keep the system updated, enhance emergency protocols, and observe the system’s effectiveness in preventing cybercrime. Supplemental measures adopted by some companies include early warning systems for growing risks, information sharing, timely reporting of events to top management, emergent anti-ransomware tools, security awareness trainings such as GridEx, assessing the frequency of cyber-security breaches or incidents, and analyzing non-compliance of cybersecurity standards internally.

Public institutions are also responding to cyberattacks. The International Energy Agency (IEA) has also released a cyber risk assessment report over digitalization on power systems. The European Commission has come up with several reports and policies such as the EU Cybersecurity Strategy Report 2013, the NIS Directives 2016, and the Cybersecurity Package Report 2017, which highlight regulations and effective risk prevention preparedness. Countries such as China, India, Russia, and the United States have developed best practice policies for addressing cybersecurity vulnerability in the Energy sector.

ISS Cyber Risk Score: Offering Insights into Cyber Threats to the Energy Sector

To evaluate the likelihood of cyberattacks on specific companies or institutions, investors can draw on the Cyber Risk Score. Launched by ISS ESG in 2023, the Cyber Risk Score is a data-driven tool that examines the degree to which an organization can identify, manage, and mitigate the risks of cyberattacks. The tool aims to identify the potential for a successful cyberattack over the next 12 months.

The Cyber Risk Score tool assesses the level of a company’s cyberattack risk through distinct scores, ranging from high risk (300 – 500) through elevated risk (501 – 650) and moderate Risk (651 – 775) to low risk (776 – 850). The tool also provides the maximum achievable Cyber Risk Score for a company and includes the company’s sector classification and employee count.

The tool also provides the top three risk signals for each company. These risk signals fall into one of five categories of risk indicators: botnet activity, software misconfigurations, misconfigured infrastructure, website misconfigurations, and demographic elements. Figure 3 presents, by likelihood, the major risk signals that make the energy sector vulnerable to cyberattack.

Figure 3: Leading Reasons for a Successful Cyberattack across the Energy Sector

Source: ISS ESG Cyber Risk Score

The most likely reason for a successful cyberattack is mismanagement across the energy sector. The combination of the sector’s interconnectedness and its decentralized operations increases the potential for poor management of multiple nodes when an attack occurs.

The second most likely reason for a successful cyberattack is the nature of the sector:  it includes an extensive network of linked devices that monitor and control power generation and distribution and petroleum and gas production. This combination of the sector’s connectivity and importance increases the likelihood of cyberattacks, which in turn increases the likelihood that some cyberattacks will be successful.

Figure 4 shows that the majority of more than 90 companies covered in the energy sector have moderate risks of a successful cyberattack. About one-fourth of the companies have low risks and less than a fifth fall into an elevated risk zone.

Figure 4: Cyber Risk Score Distribution for Energy Sector, May 2023

Source: ISS ESG Cyber Risk Score

A comprehensive analysis of energy-sector vulnerability, by industry, to successful cyberattacks (Figure 5) highlights that conventional energy generation (Electric, Gas, and Multi Utilities) and Oil & Gas industries (Integrated Oil & Gas [O&G], Oil & Gas Drilling) have the highest percentages of companies at elevated risk.

Figure 5: Energy Sector Companies at Risk of Successful Cyberattacks (% of Companies), by Industry, May 2023

Source: ISS ESG Cyber Risk Score, ISS ESG Corporate Rating

These types of companies are at high risk because of their role in generating nations’ energy supplies, which are a critical public infrastructure like water and healthcare. The critical importance of energy supplies makes them an inviting target for wartime enemies or other adversaries: shutting down grid operations has left several households without electricity for days and disrupted business operations across industries such as IT, supply chain management, transportation, construction industries, etc.

Nevertheless, not all companies involved in energy generation are at high risk for cyberattacks. Figure 5 shows that the risk of cyberattack is lower among Renewable Electricity companies as well as Oil & Gas Refining & Marketing and Oil & Gas Exploration & Production companies.

A Resource for Investors

Cybersecurity vulnerabilities, including the safety of digitalized critical energy infrastructure, can pose reputational, organizational, or financial risks to investors. Investors may wish to evaluate their portfolios’ vulnerability to cyberattacks on the energy sector to help with both investment decisions and engagement with companies. The ISS ESG Cyber Risk Score can support investors in evaluating this vulnerability.

Explore ISS ESG solutions mentioned in this report:

• Assess and manage cyber risk across your ESG investments with ISS Cyber Risk Score.
• Evaluate ESG related risks, opportunities, and impact for companies with ISS ESG Corporate Rating.