On average, the cost of a data breach increased 10% from 2020 to 2021. The energy industry ranked fifth in data breach costs, surpassed only by the healthcare, finance, pharmaceutical, and technology industries, according to the 17th Annual Cost of a Data Breach Report. Some energy cybersecurity measures can significantly reduce the cost of a data breach; zero trust deployments, artificial intelligence, and automation are examples.
Data security in this growing and critical sector deserves a closer look. Below are some of the most recent data breaches affecting energy companies and utilities, followed by the data security risks and challenges that are unique to these sectors.
What is a data breach in the energy and utilities industry?
The energy sector includes oil and gas companies, alternative energy producers and suppliers, and utilities such as electricity companies. Energy cybersecurity violations and failures can have a huge impact. The impact goes beyond the cost to the companies that extract oil or gas or provide energy to customers. After all, people rely on these services in almost all walks of life.
Compromised password leads to gas shortage
This incident joined many other challenges facing the US in the spring of 2021. An attacker gained remote access to the network of a large US pipeline company through an employee's Virtual Private Network (VPN) account. The account wasn't even in use at the time. However, it remained open for threat actors to use as a gateway to the company's main network. The attacker found the password for the account in a list of leaked passwords on the Darknet. Experts suspect that the employee may have used the same password for a different account. A threat actor then stole it from that account and shared it online.
A week after the data breach, the threat actor sent a ransom note. In response, the company closed the pipeline. It did this deliberately to keep the attack from reaching its operational technology network. After all, these are the systems that control the physical flow of gasoline.
The shutdown coincided with the rise in COVID-19 vaccinations and road trips in the United States. For this reason, the resulting gasoline shortage led to long queues at gas stations and high oil prices. This, in turn, had a direct impact on consumers' wallets as many began to return to work and recover financially amid a global pandemic.
This shows the importance of training employees on data protection and data security best practices. Be especially careful to use unique passwords for each account.
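The two weaknesses in this incident, an unused VPN account that was still enabled and a password that already appeared in a leaked list, can both be checked for routinely. The following Python sketch is an added example, not code from the original article; the account inventory, the leaked-password set, the function names, and the 90-day idle threshold are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample inventory of VPN accounts (not real data).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_login": "2021-04-20"},
    {"user": "old-contractor", "enabled": True, "last_login": "2020-11-02"},
    {"user": "bob", "enabled": False, "last_login": "2020-06-15"},
]

# Constructed stand-in for a breach corpus: SHA-1 hashes of leaked passwords.
LEAKED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Summer2020!", "password1")
}


def range_lookup(prefix):
    """Return the hash suffixes stored under a 5-character SHA-1 prefix.

    Only the prefix is handed to the corpus (k-anonymity style), so the
    corpus holder never sees the full hash of the candidate password.
    """
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_breached(password, lookup=range_lookup):
    """Check a candidate password at set or reset time against the corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[5:] in lookup(digest[:5])


def dormant_enabled(accounts, today, max_idle_days=90):
    """List accounts that can still log in but have been idle too long.

    max_idle_days=90 is an assumed policy value, not one from the article.
    """
    cutoff = today - timedelta(days=max_idle_days)
    findings = []
    for acct in accounts:
        last = datetime.strptime(acct["last_login"], "%Y-%m-%d")
        if acct["enabled"] and last < cutoff:
            findings.append(acct["user"])
    return findings


if __name__ == "__main__":
    print("dormant but enabled:", dormant_enabled(ACCOUNTS, datetime(2021, 5, 1)))
    print("reject 'Summer2020!':", is_breached("Summer2020!"))
```

Accounts returned by `dormant_enabled` are candidates for disabling, and a password for which `is_breached` returns true should be rejected when the user tries to set it.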
San Francisco Utility fined $2.7 million
The rise of smart meters poses new threats to utilities such as energy companies. A San Francisco-based utility company was fined $2.7 million by federal security agencies for failing to protect sensitive data that contained more than 30,000 pieces of information. A third party allegedly copied data from the utility's network into its own. From there it was hosted online without requiring a user ID or password.
Ransomware threats and denial of service attacks are also a problem for utility companies that implement smart meters and store customer data on their network. This becomes a big problem when that network gets out of the utility's control.
Solar devices create portal for access to the grid
Cyber attacks and big data security problems affect all types of energy companies. In 2019, according to the energy ministry, threat actors broke through the web portal firewall of a solar power supplier. As a result, the operators lost sight of parts of the network for 10 hours.
Devices like photovoltaic inverters that connect to the internet to manage the grid can become targets. In particular, attackers can benefit if the company does not update and secure its inverter software.
What does a data breach cost energy and utility companies?
The Cost of a Data Breach Report, which has become a leading benchmark report in the cybersecurity industry, states that the average cost of a data breach in the energy industry is $4.65 million. The good news is that this number has fallen 27.2% since 2020, when the average cost of a data breach in the industry was up to $6.39 million.
Data security risks and challenges
In 2021, social engineering, system intrusion, and web application attacks accounted for 98% of data breaches. Social engineering or phishing attacks were the most common attacks, although ransomware attacks continue to pose a threat to the sector.
According to the Verizon report, the following data was most commonly stolen, lost, or made inaccessible by ransomware:
- Internal company data
- Personal data of employees and customers
In 98% of all cases, the threat actors were in no way affiliated with the company; only 2% of the attacks were internal violations.
There is more good news. The threat from “hacktivism”, threat actors who act for reasons such as environmental protection and sustainability, is decreasing sharply. According to the IBM X-Force Threat Intelligence Index, these attacks decreased by 95% between 2015 and 2019. Of course, oil and gas companies could be the primary targets of such attacks. So their decline gives energy cybersecurity departments the freedom to focus their budget and attention on other threats.
The increase in the number of employees working from home and accessing networks remotely is also a growing threat. The IBM report found that the cost of a data breach increased by an average of $1.07 million when remote work played a role. In situations where more than 50% of the workforce was remote, it took IT security professionals an average of 58 days longer to identify and contain threats.
Taking proactive steps to train employees on cybersecurity best practices can mitigate risk. Make sure your employees know how to reduce the risk of compromised credentials, which the report said were responsible for 20% of all attacks. Additionally, train them to look out for signs of social engineering and phishing.