A new era of cyber threats is approaching for the energy sector


Cyber threats targeting the energy sector come in many forms, including state-sponsored actors seeking to disrupt national infrastructure, cybercriminals motivated by profit, and insiders intentionally causing damage.

The consequences of a successful attack can be severe, potentially disrupting energy supplies and causing economic and social damage, according to Darktrace’s research into the UK and US energy sector over a three-year period (November 2021 – December 2024).

Email as the initial attack vector

As seen in cases from both the US and UK, and across energy customers of all types, 55% of incidents involved email or SaaS, making it the most frequent attack vector. The inbox remains the primary method for delivering malicious payloads, followed by the spread of SaaS compromises throughout a deployment.

In most cases, the phishing emails were used to harvest credentials, leading to the compromise of accounts, most often Microsoft 365 accounts.

Ransomware was deployed in 18% of cases. Common threat actors included ALPHV/BlackCat and Fog, with others including Sodinokibi, Hunters International, and KOK08. Some of these ransomware groups, such as Sodinokibi, operate under a ransomware-as-a-service (RaaS) model. In 13% of cases, initial access was gained because of poor cyber security posture.

Since 2022, there has been a definitive increase in attacks in EMEA on renewable energy producers and providers. Companies such as Honeywell and Schneider Electric were targeted in an espionage campaign thought to be linked to APT28 between 2019 and 2022.

In April 2022, electrical substations in Ukraine were targeted by Sandworm (Russian General Staff of the Armed Forces of the Russian Federation, GRU). The attack targeted the IEC-104 protocol, which interacts with electrical utility equipment to send power flow commands to substation devices.

The Lazarus group (a North Korea-sponsored APT) affected energy companies across the US, Canada and Japan by exploiting the Log4j vulnerability (CVE-2021-44228) on internet-exposed VMware Horizon and Unified Access Gateway servers.

AI adoption in the energy sector

AI is making its presence felt across various sectors, and the energy sector is no exception. However, despite its potential, the sector is not yet fully AI-driven. AI adoption within the sector is thought to create additional risk if its use is not accompanied by sufficient training. Currently, there is no definite proof that AI has been used in attacks on the energy sector.

Attackers adopting AI could change the modus operandi, scale and speed of attacks, potentially causing more damage. In theory, adversaries could use language models to conduct reconnaissance and targeting on a larger scale.

“There are stories of AI going to take down the power grid; under a cursory review it looks plausible on the surface, but a lot of the time they’re not technically astute. I don’t think we’re there yet in any stretch of the imagination; we’re a long way off,” said Mark Bristow, Director, Cyber Infrastructure Protection Innovation Center (CIPIC) at MITRE.

Overreliance, outsourcing, and the cloud

The sector has historically leaned too heavily on a handful of critical vendors and systems. This concentration increases the risk that a single targeted attack could have cascading impacts across critical national infrastructure (CNI). As the Royal United Services Institute (RUSI) warned, “key software systems are controlled by a handful of companies,” posing serious risk because of the lack of supplier diversity.

Energy industry executives are starting to consider hosting OT devices such as HMIs and very small aperture terminals (VSATs) in the cloud, along with their discrete logic control systems and 5G communications. Cloud setups can help with scale and speed, but they also bring new risks. One US expert said, “The risk is ending up with assets screwed to ethernet converters and plugged to the cloud.”

At the same time, energy companies are outsourcing more work, which means they often do not know what software their vendors use or how secure it is.
