Best Practices for Managing Third-party Risk in the Energy Sector

Back in May this year, President Trump issued an executive order banning US energy sector entities from acquiring electric equipment from foreign adversaries, citing potential cybersecurity threats.

Two months later, the Energy Department’s Office of Electricity wants to know what measures the sector has employed to safeguard its supply chain from cyber attacks, reports Nextgov. In particular, a request for information from Energy “asks whether energy sector asset owners and/or vendors identify, evaluate, and/or mitigate foreign ownership control or influence in the context of adversaries potentially accessing company and utility data, product development, and source code…”

This renewed pressure from the government speaks to a wider issue facing energy companies — increased scrutiny and accountability for the vendors they work with and the overall security of their supply chains.

Below are several best practices the energy sector can employ to mitigate third-party cyber risk.

Assess and continuously monitor each vendor’s security posture

While there’s certainly a renewed focus on vendor risk management, supply chains have been a source of cybersecurity concern among regulators for quite some time. In 2018, a major utility was fined $2.7 million for an inadvertent third-party breach, while that same year a cyber attack on a petrochemical company nearly destroyed a Saudi Arabian chemical plant.

In order to mitigate third-party cyber risk, utilities need an effective means to understand and assess the security posture of their vendors. One way to gain this context and visibility is through the use of security ratings, a data-driven, dynamic measurement of an organization’s cybersecurity performance.

This standardized, easily understandable KPI can be used by utilities companies across the lifecycle of their vendor relationships. During the onboarding and vendor selection phases, security ratings allow busy security professionals to quickly assess potential vendors and partners for cyber risk — replacing time-consuming and unscalable point-in-time security assessments. Once the contract is signed, security teams can then continuously monitor the security performance of each vendor in their portfolio. If and when a partner’s security posture drops below an agreed-upon threshold, security leaders can receive an alert and then work collaboratively with the supplier to remediate the issue.

Gain visibility into the hidden risk lurking on procured vendor technology

As the utility sector continues to go through digital transformation and its systems become ever-more interconnected, cyber risk increases. However, a survey by Siemens and the Ponemon Institute finds that the global energy industry isn’t well-positioned to meet this growing threat of cyber attacks. Of those surveyed, 56% reported at least one shutdown or operation data loss per year and 25% were impacted by mega attacks, often associated with nation-state actors.

In this ever-evolving threat environment, it’s imperative that security leaders do all they can to ensure that the hardware or software they procure from vendors doesn’t expose their companies and networks to unwanted cyber risk.

An important step in this process is gaining visibility into the inventory of critical assets that comprise their vendors’ digital ecosystems — on-premise, but also across geographies, subsidiaries, remote locations, and the cloud — so that these assets can be secured. Managers also need insight into the level of cyber risk associated with each asset. Too often, undetected malware, unknown vulnerabilities, unsecured access points, misconfigured systems, and unpatched software (a leading cause of breaches) can open the doors to an attack.

The strategies outlined in this post — empowered by Bitsight solutions such as Bitsight for Third-Party Risk Management and Bitsight for Security Performance Management — can help security professionals better understand where cyber risk resides across their internal and vendor ecosystems, and effectively establish ownership and accountability for remediating these issues.

Impactful and targeted risk reduction

Of course, these risk-reduction measures should not be a one-time endeavor. Since the cybersecurity environment is never static and new threats are evolving every day, utilities companies must continuously monitor their vendors’ security postures — as well as their own — over time in order to understand and manage cyber risk across their ecosystem.

With these insights, utilities can develop proactive remediation strategies in which they prioritize the areas of highest exposure and disproportionate risk — empowering them to focus their limited security resources to achieve the greatest impact.