Top US energy companies frequently exposed to critical security flaws
Dive Brief:
- More than 20 of the United States’ top energy companies are exposed to cyberattacks because their networks run equipment with serious known vulnerabilities, the security firm SixMap said in a report released Tuesday.
- SixMap detected more than 5,750 vulnerabilities on the networks of 21 U.S. energy providers, two-thirds of them rated high or critical severity, according to the report. Nearly 380 of the vulnerabilities found are known to be exploited in the wild.
- Researchers also found 43 distinct CVEs shared by 10 of the 21 energy companies evaluated in the report. Six of those 43 are known to be under active exploitation.
Dive Insight:
The report is designed to assess the ongoing risk facing one of the nation’s most important infrastructure sectors.
The U.S. energy industry has experienced repeated cyberattacks from state-linked threat groups, hacktivists supporting geopolitical causes and financially motivated cybercrime actors.
Energy is generally considered one of the better-protected U.S. critical infrastructure sectors, but it still carries serious exposures in several areas. Not only do most of the largest companies run equipment with critical vulnerabilities, SixMap said, but some of that equipment is reachable on ports that routine exposure scans do not cover, so the affected owners may not know it is exposed.
“We were still able to find exposures and vulnerabilities (and vulnerabilities that known threat actors target) within ephemeral port ranges that most scanning tools do not scan by default,” SixMap CEO Jason Kaplan told Cybersecurity Dive. “It’s also important to note that we only do an external scan and don’t know what mitigation or controls are in place regarding these issues.”
SixMap researchers examined both web domains and IP addresses, covering IPv4 and IPv6 address space. The researchers said traditional exposure-management tools cannot discover and assess IPv6 assets, which leaves any service listening only on IPv6 out of an organization’s own attack-surface picture.
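The two coverage gaps SixMap describes, ephemeral port ranges and IPv6, are both things a default port scan silently skips: nmap scans its top 1000 TCP ports unless told otherwise, and the IANA dynamic range (49152-65535) and the Linux default local port range (32768-60999) lie almost entirely outside that list. The following is an added example, not SixMap's tooling or anything published with the report, showing how to run an external scan that closes both gaps and then flag open listeners in the ephemeral range from nmap's grepable output. It assumes nmap is installed for the scanning function; the parsing and classification helpers run offline against a constructed sample of scan output, not a real scan.

```shell
#!/usr/bin/env bash
# Added example, not SixMap's tooling: an external exposure check that covers the
# port ranges a default nmap run skips, then flags open ports in those ranges.
# Assumes nmap is installed for scan_target(); the parsing helpers run offline.
# Only scan hosts you are authorized to test.

# nmap scans its top 1000 TCP ports by default. The IANA dynamic/ephemeral range
# (49152-65535) and the Linux default net.ipv4.ip_local_port_range (32768-60999)
# mostly sit outside that list, so a service bound there is invisible to a default
# scan. EPHEMERAL_LOW is the lower bound of the union of those two ranges.
EPHEMERAL_LOW=32768

# Return success when a TCP port number lies in the ephemeral range.
is_ephemeral_port() {
    local port="$1"
    [ "$port" -ge "$EPHEMERAL_LOW" ] && [ "$port" -le 65535 ]
}

# Scan every TCP port (-p-) instead of the default top 1000, skip host discovery
# (-Pn, since internet-facing gear often drops ICMP), and write grepable output.
# IPv6 literals (anything containing a colon) get -6; a default scan would not
# touch them at all.
scan_target() {
    local target="$1" outfile="$2" v6=""
    case "$target" in *:*) v6="-6" ;; esac
    nmap $v6 -Pn -p- -oG "$outfile" "$target"
}

# Read nmap grepable (-oG) output on stdin and print "host port service" for each
# open TCP port in the ephemeral range. Ports on a Host: line look like
# "50000/open/tcp//ibm-db2///" separated by ", "; tabs separate the Host,
# Ports and Ignored State sections.
ephemeral_open_ports() {
    awk -F'\t' -v low="$EPHEMERAL_LOW" '
        /^Host:/ {
            split($1, h, " "); host = h[2]
            for (i = 2; i <= NF; i++) {
                if ($i !~ /^Ports:/) continue
                sub(/^Ports: /, "", $i)
                n = split($i, ports, ", ")
                for (j = 1; j <= n; j++) {
                    split(ports[j], f, "/")
                    if (f[2] == "open" && f[3] == "tcp" && f[1] + 0 >= low)
                        print host, f[1], f[5]
                }
            }
        }'
}

# Constructed sample of -oG output (not a real scan): one IPv4 host with a
# database listener on 50000 and one IPv6 host with an unidentified service on
# 49152. The filtered port on 60001 must not be reported.
sample_gnmap() {
    printf '# Nmap 7.94 scan initiated (constructed sample)\n'
    printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 50000/open/tcp//ibm-db2///, 60001/filtered/tcp//unknown///\tIgnored State: closed (65531)\n'
    printf 'Host: 2001:db8::10 ()\tPorts: 49152/open/tcp//unknown///\tIgnored State: closed (65534)\n'
    printf '# Nmap done (constructed sample)\n'
}

# Usage against a real target (requires nmap and authorization):
#   scan_target 192.0.2.10 scan.gnmap && ephemeral_open_ports < scan.gnmap
# Offline demonstration on the constructed sample:
sample_gnmap | ephemeral_open_ports
```

On the constructed sample the report lists the IPv4 host's listener on 50000 and the IPv6 host's listener on 49152 and ignores the filtered port, which is the signal an asset owner wants: something is answering in a range the routine scan never asked about. As Kaplan notes above, an external scan alone cannot tell whether a compensating control already covers that listener, so each hit still needs to be matched against the firewall and device inventory before it is treated as a finding.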