Companies in the energy, oil/gas, and utilities sectors are sitting ducks for threat actors. These companies can afford no downtime, are more likely to pay the ransom, and are easy to penetrate.
Those findings are just a fraction of the security challenges energy, oil/gas, and utilities organizations face in today's cyber threat environment, according to Sophos in its latest report on the State of Ransomware in Critical Infrastructure, 2024.
Numbers, Dollars, and Grief
Let's start with the big picture. Energy, oil/gas, and utilities are critical infrastructure sectors whose assets, systems, and networks are deemed vital by the federal government. These companies cannot afford to have a "bad day." A shutdown means no gas, electricity, or oil, with dire consequences. That makes this sector a juicy target for cybercriminals.
The share of companies in these sectors hit by ransomware attacks has risen from 55 percent in 2020 to 67 percent this year. Attacks impacted about 62 percent of all computers, compared to a cross-sector average of 49 percent. And 49 percent of all ransomware attacks started with an exploited vulnerability.
Median ransom payments have reached $2.5 million, about $500,000 higher than the cross-sector average. Now, 55 percent of all targeted firms need a month or more to recover from a cyberattack, up from 36 percent last year. And 79 percent of companies in this sector report that their backups were compromised, while 80 percent report that stolen data was also encrypted.
Security, Prevention, and Relief
The ransomware risk is constant and growing. Oil/gas and utilities are particularly vulnerable, given that their physical infrastructure is intertwined with legacy IT, which is not always updated or easily patched. They suffer from the same issues and vulnerabilities as other types of businesses. There is a growing skills gap, and paying and retaining IT security talent is a significant cost, especially for smaller companies providing services in rural areas.
To successfully protect their assets, systems, and networks, these critical infrastructure companies need to take control of their attack surface. They must put multi-layered cybersecurity in place. They need to be proactive, monitoring and evaluating risks. They must be reactive, relying on threat detection to spot and contain breaches. They also need to collaborate with reliable third-party experts who can provide effective cyber-defenses.
Oil/gas and utility companies need to focus on their primary mission: finding, making, and delivering energy. That leaves a larger opportunity for MSPs to help keep the lights on.
Sophos is ready to help oil/gas and utility companies by safeguarding their IT systems before any attacks occur. Sophos Managed Detection and Response (MDR) is a 24/7 managed security service that helps organizations detect, investigate, and respond to cyberattacks. Sophos Managed Risk can be bundled with Sophos MDR to identify and eliminate blind spots, helping to stop potential ransomware attackers in the first place and safeguarding critical power services across the nation.
To better understand the ransomware threat, you can download a copy of the State of Ransomware in Critical Infrastructure, 2024.