Colonial Pipeline is Not Alone: Ransomware Risk in the U.S. Oil/Energy Sector

Jake Olcott | May 17, 2021 | tag: Critical Infrastructure

After last week’s catastrophic cyber incident targeting Colonial Pipeline, could more U.S. Oil and Energy companies be at risk of a ransomware attack? 

BitSight reviewed the cybersecurity performance data we have collected on more than 2,000 of the largest U.S.-based Oil and Energy companies. We find that: 

  • 62% of these companies are roughly 2X more likely to experience a ransomware attack due to their cybersecurity performance. 
  • Nearly 100 companies are at least 4.5x more likely to experience a ransomware attack due to their cybersecurity performance.

U.S. Oil and Gas companies should assess their security programs to discover any gaps that could be exploited by attackers, particularly with respect to vulnerability management, patching, configuration management, and endpoint security. BitSight believes that achieving consistently strong security performance is critical for organizations to reduce the risk of experiencing a ransomware event.

Our Methodology

BitSight reviewed the cybersecurity performance ratings of more than 2,000 Oil and Energy sector companies headquartered in the United States as of April 30, 2021. 

BitSight continuously and non-intrusively assesses organizational cybersecurity performance by evaluating security performance observations across 23 different categories, including compromised and exposed systems, critical vulnerabilities, patching rates, software security, and other key issues. BitSight processes more than 250 billion security measurements on a daily basis to produce an objective security rating (on a 250-900 scale) based on these observations; the rating has been independently verified to correlate with breach risk.

Weaker Security Performance = Higher Probability of Ransomware

In recent years, the number of ransomware events has increased dramatically, resulting in significant financial losses for global organizations: according to Aon’s 2020 Cyber Insurance Snapshot, ransomware attacks have increased 486% over the past two years. According to data compiled by the GeoTech Center, the global cost of ransomware attacks soared from $11.5 billion in 2019 to $20 billion in 2020, with the average downtime for an organization rising from 6.2 days to 16.2 days.

BitSight has collected hundreds of publicly disclosed ransomware incidents affecting organizations over the last several years. We have identified trends, correlations, and other relevant connections between security performance as measured by BitSight and ransomware probability.

BitSight’s research shows that organizations with security performance ratings below 750 have a significantly increased likelihood of experiencing a successful ransomware event. We compute the probability of being a ransomware victim for six different ratings groups. For each group, we then compute the relative probability compared to companies with the strongest observable cybersecurity performance (indicated by ratings above 750).

U.S. Oil and Gas Companies at Increased Risk of Ransomware Attack

BitSight finds that U.S. Oil and Gas companies performing below the 750 rating threshold are at greater risk of a devastating and disruptive ransomware attack. We find that 62% of the largest U.S. Oil and Energy companies are at heightened risk of ransomware attack due to their cybersecurity performance. Nearly 100 companies are at least 4.5x more likely to experience a ransomware attack due to their cybersecurity performance.

Key Recommendations

The Colonial Pipeline attack has brought renewed attention to the issue of ransomware in the Oil and Gas sector and broader critical infrastructure environments. 

U.S. Oil and Gas companies should immediately assess their security programs to discover any gaps, particularly with respect to vulnerability management, patching, configuration management, and endpoint security. Maintaining excellent cybersecurity performance over time is critical to reducing the risk of experiencing a ransomware event. Patching new and older critical vulnerabilities early and often remains a simple and basic, yet incredibly important, factor in reducing risk.

As the U.S. government considers responses to the ransomware epidemic, prioritizing fundamental security program improvements and measuring the effectiveness of organizational security programs will be critical in improving the state of national security.

For assistance measuring your security performance, please contact BitSight.
