A new era of cyber threats is approaching for the energy sector

Cyber threats targeting the energy sector come in many forms, including state-sponsored actors seeking to disrupt national infrastructure, cybercriminals motivated by profit, and insiders intentionally causing damage.


The consequences of a successful attack can be severe, potentially disrupting energy supplies and causing economic and social damage, according to Darktrace's research on the UK and US energy sector over a three-year period (November 2021 to December 2024).

“Our three-year analysis reveals critical vulnerabilities in UK and US energy sectors requiring immediate attention. Security teams should prioritise three key areas: First, reduce the significant exposure of OT systems to the internet, as the energy sector leads in such vulnerable configurations which can be exploited to gain initial access. Second, implement comprehensive asset visibility solutions, as most organisations lack proper inventory management, which we’ve seen being exploited in supply chain attacks across the sector. Third, strengthen email security protocols, as our research shows 55% of successful attacks still originate through phishing campaigns. We’ve identified state-sponsored threat actors and sophisticated attackers already present in energy networks, specifically targeting industrial control systems. As the sector accelerates digital transformation toward net-zero goals, security teams must ensure protective measures evolve in parallel,” Zoe Tilsiter, Analyst Lead at Darktrace who authored the report, told Help Net Security.

Email as the initial attack vector

As seen in cases from both the US and UK, and across energy customers of all types, 55% of incidents involved email or SaaS, making it the most frequent attack vector. The inbox remains the primary channel for delivering malicious payloads, with compromised SaaS accounts then used to spread further within a deployment.

In most cases, the phishing emails were used to harvest credentials, which in turn led to the compromise of accounts, most often Microsoft 365 accounts.

Ransomware was deployed in 18% of cases. Common threat actors included ALPHV/BlackCat and Fog, with others including Sodinokibi (REvil), Hunters International, and KOK08. Some of these groups, such as Sodinokibi, operate under a ransomware-as-a-service (RaaS) model. In 13% of cases, initial access was attributed to poor cyber security posture.

Since 2022, there has been a marked increase in attacks on renewable energy producers and providers in EMEA. Companies such as Honeywell and Schneider Electric were targeted in an espionage campaign, active between 2019 and 2022, thought to be linked to APT28.

In April 2022, electrical substations in Ukraine were targeted by Sandworm (a unit of the Russian GRU, the Main Directorate of the General Staff of the Armed Forces of the Russian Federation). The attack targeted the IEC 60870-5-104 (IEC-104) protocol, the OT protocol used by control centres to send commands, including power flow commands, to substation devices.
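IEC-104 carries its control commands as typed ASDUs inside a simple framed APDU, so a monitor on the substation network can decode each frame and raise an alert when a control command is issued by anything other than the expected SCADA master. The following Python is an added example, not code from the Darktrace report or the article: it parses IEC-104 APDUs, identifies the command type identifiers, and flags activation commands from non-allowlisted sources. The frame bytes, IP addresses and the allowlist are constructed for illustration.

```python
"""Parse IEC 60870-5-104 APDUs and flag control commands from unexpected sources.

Added example for illustration; the capture, addresses and allowlist below are
constructed, not taken from any real incident.
"""
from dataclasses import dataclass
from typing import Optional

START_BYTE = 0x68

# ASDU type identifiers (IEC 60870-5-101/104) that carry process control commands,
# i.e. the ones that can open or close a breaker or change a set point.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalised",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, float",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
}
COT_ACTIVATION = 6  # cause of transmission: the master is issuing the command


@dataclass
class Apdu:
    frame: str                      # "I" (data), "S" (supervisory) or "U" (unnumbered)
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None       # information object address of the first object
    element: Optional[int] = None   # first byte of the first information element


def parse_apdu(data: bytes) -> Apdu:
    """Parse one APDU. Only the first information object is decoded, which is
    enough to classify the frame. Raises ValueError on malformed input."""
    if len(data) < 6 or data[0] != START_BYTE:
        raise ValueError("not an IEC-104 APDU")
    length = data[1]                # bytes following the length octet
    if length < 4 or length + 2 != len(data):
        raise ValueError("APDU length mismatch")
    ctrl1 = data[2]
    if ctrl1 & 0x01 == 0:
        frame = "I"
    elif ctrl1 & 0x03 == 0x01:
        frame = "S"
    else:
        frame = "U"
    if frame != "I":
        return Apdu(frame)
    asdu = data[6:]                 # 4 control octets precede the ASDU
    if len(asdu) < 6:
        raise ValueError("ASDU too short")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F            # low 6 bits; bit 6 = P/N, bit 7 = test flag
    common_addr = asdu[4] | (asdu[5] << 8)
    ioa = element = None
    if len(asdu) >= 10:             # 3-byte IOA plus at least one element byte
        ioa = asdu[6] | (asdu[7] << 8) | (asdu[8] << 16)
        element = asdu[9]
    return Apdu(frame, type_id, cot, common_addr, ioa, element)


def inspect(packets, allowed_masters):
    """Return alert strings for activation control commands whose source is not
    an allowlisted master. packets: iterable of (src_ip, dst_ip, apdu_bytes)."""
    alerts = []
    for src, dst, raw in packets:
        apdu = parse_apdu(raw)
        if apdu.frame != "I" or apdu.type_id not in CONTROL_TYPES:
            continue
        if apdu.cot == COT_ACTIVATION and src not in allowed_masters:
            value = f"0x{apdu.element:02x}" if apdu.element is not None else "?"
            alerts.append(f"{src}->{dst}: {CONTROL_TYPES[apdu.type_id]} "
                          f"CA={apdu.common_addr} IOA={apdu.ioa} value={value} "
                          "from non-allowlisted master")
    return alerts


# Constructed capture (hypothetical addresses): legitimate traffic between the
# SCADA master 10.0.1.10 and RTU 10.0.2.20, then a rogue host 10.0.9.99 sending
# a single command (breaker ON) and a double command to the same RTU.
SAMPLE_PACKETS = [
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("680407000000")),                   # U: STARTDT act
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("680e0000000064010600010000000014")),  # C_IC_NA_1 interrogation
    ("10.0.2.20", "10.0.1.10", bytes.fromhex("680e080000000101030001000a000001")),  # M_SP_NA_1 spontaneous
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("680e060000002d010600010003000001")),  # C_SC_NA_1 from master
    ("10.0.2.20", "10.0.1.10", bytes.fromhex("680e0a0000002d010700010003000001")),  # activation confirmation
    ("10.0.9.99", "10.0.2.20", bytes.fromhex("680e020000002d010600010001000001")),  # C_SC_NA_1 from rogue
    ("10.0.9.99", "10.0.2.20", bytes.fromhex("680e040000002e010600010005000002")),  # C_DC_NA_1 from rogue
    ("10.0.1.10", "10.0.2.20", bytes.fromhex("680401000000")),                   # S frame
]


def detect_sample():
    """Run the detector over the constructed capture with one allowlisted master."""
    return inspect(SAMPLE_PACKETS, allowed_masters={"10.0.1.10"})


if __name__ == "__main__":
    for line in detect_sample():
        print(line)
```

Only frames with cause of transmission 6 (activation) trigger an alert, so the RTU's activation confirmation (COT 7) carrying the same type identifier is ignored; a real deployment would also baseline which IOAs each master normally addresses.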

Lazarus Group (a North Korea-sponsored APT) compromised energy companies across the US, Canada and Japan by exploiting the Log4j vulnerability (CVE-2021-44228) on internet-exposed VMware Horizon and Unified Access Gateway servers.

AI adoption in energy sector

AI is making its presence felt across various sectors, and the energy sector is no exception. However, despite its potential, the sector is not yet fully AI-driven. It is thought that AI adoption within the sector can create more risk if usage is not accompanied by sufficient training. Currently, there is no definitive proof that AI has been used in attacks on the energy sector.

Attackers adopting AI could change the modus operandi, scale and speed of attacks, potentially causing more damage. In theory, adversaries could use language models to carry out reconnaissance and target selection at a much larger scale.

“There are stories of AI going to take down the power grid; under a cursory review it looks plausible on the surface, but a lot of the time they’re not technically astute. I don’t think we’re there yet in any stretch of the imagination; we’re a long way off,” said Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center (CIPIC) at MITRE.

Overreliance, outsourcing, and the cloud

The sector has historically leaned too heavily on a handful of critical vendors and systems. This concentration of reliance increases the risk that a single targeted attack could have cascading impacts across critical national infrastructure (CNI). As the Royal United Services Institute (RUSI) warned, “key software systems are controlled by a handful of companies,” posing serious risk due to lack of supplier diversity.

Energy industry executives are starting to consider hosting OT devices such as HMIs and very small aperture terminals (VSATs) in the cloud, as well as their discrete logic control systems and 5G communications. Cloud setups can help with scale and speed, but they also bring new risks. One US expert said, “The risk is ending up with assets screwed to ethernet converters and plugged into the cloud.”

At the same time, energy companies are outsourcing more work. This means they often do not know what software their vendors use or how secure it is.
