Geopolitical upheaval and growing cyber threats are putting UK energy supply chains at risk. In this article, we explore ways to secure critical national infrastructure against this growing threat through collaboration.
In a volatile geopolitical environment, energy-sector and other critical infrastructure supply chains - both physical and digital - are increasingly prone to cyber attacks by threat actors. The critical nature of energy, underpinning our societies and economies, means any disruption to its extraction, generation, distribution or supply can have far-reaching consequences. With conflicts raging in Ukraine and Gaza, ongoing threats from Russia, China, Iran and North Korea, as well as ‘hacktivists’ motivated by environmental concerns, the UK energy sector faces a heightened threat level.
According to the International Energy Association, the average number of weekly attacks on utilities has more than doubled in recent years. Meanwhile, the US National Security Agency (NSA) issued an urgent warning just last year to energy operators, alerting them to a rise in pro-Russia hacktivist activity.
The risks are exacerbated by the digitalisation of energy infrastructure and the systems that control it. Digital technologies play a crucial role in enabling energy operators to decarbonise the energy mix, improve the efficiency of their operations and deliver commercial advantages. But digital transformation has rapidly expanded the attack surface available to hackers, especially with operational technology and other connected systems moving out of siloed IT networks into the online environment.
Digitalisation also brings with it a growing reliance on external vendors and partners to supply and support essential software and systems. Many of these service providers offer common systems used by multiple energy operators, meaning a cyber security breach at any one of them could have wide-ranging consequences across the whole sector.
The drive to decarbonise is expected to bring further upheaval to supply chains. More critical suppliers need to be brought on stream, and an estimated USD1.2 trillion needs to be invested in production if net zero emissions targets are to be achieved by 2050. That means the number and variety of potential targets for threat actors will continue to grow in the years ahead.
The global energy industry relies on a growing roster of digital suppliers at every stage of energy extraction, generation, transportation and supply. These include:
Operational technology (OT) used throughout the energy sector is especially vulnerable to attacks, given the essential role it plays in managing and maintaining critical national infrastructure. State-aligned and politically motivated criminals view these operational systems as important targets.
Many OT systems have recently been brought online and connected to sensors and remote technology, which exposes them to significantly greater risk. Operational technology systems have traditionally resided in off-line environments, where they have languished for 20 years or so, becoming increasingly outdated. When these systems are suddenly brought online, they are immediately exposed to a host of internet-based threats they were not designed to repel.
The risks are well recognised by the industry, with 71% of energy professionals in a recent DNV Cyber survey acknowledging their increased vulnerability to operational technology cyber events – up from 64% in 2023.
Supply chain risks to the UK energy sector are exacerbated by the recent deterioration in the global geopolitical environment. Uncertainty and mistrust are rife around the world.
In late 2023, the UK’s National Cyber Security Centre (NCSC) reiterated its warning of an enduring and significant threat posed by states and state-aligned groups to UK national assets. The report stated that “some [hostile groups] have stated a desire to achieve a more disruptive and destructive impact against western critical national infrastructure, including in the UK.” In February 2024, the NCSC revealed that threat actors had been exploiting native tools and processes built into computer systems to gain persistent access and avoid detection. The NCSC said it is likely this type of activity poses a threat to UK critical national infrastructure.
This fits the pattern of increasing attacks on energy infrastructure worldwide in recent years. These include attacks on undersea infrastructure such as the Baltic gas and data pipelines targeted in October 2023. In May 2023, Russian hackers attacked 22 Danish power companies to gain access to the country’s decentralised power grid, and in May 2021 there was a ransomware attack on the Colonial oil pipeline between Texas and New York. In 2022, there was an advanced cyber-attack on Ukraine’s power grid by Russian hacking group Sandworm, while in late 2024 China-affiliated actors carried out a string of cyber-attacks on US infrastructure. Other attacks that impacted the energy sector included the 3CX Supply Chain Attack of 2023 and the 2024 ENGlobal Cybersecurity Breach.
With the energy industry under attack worldwide, supply chain partners and vendors are seen as prime targets by threat actors. Third-party vendors for the energy sector provide a vast range of systems, components, services and expertise. They include software providers and technical support organisations, manufacturers of essential physical assets and structures, logistics companies handling fuel or equipment transportation, and telecom providers supporting critical communication networks.
A cybersecurity research report co-authored by SecurityScorecard and KPMG LLP found that supply chain risks are disproportionately high in the energy sector, with 45% of cybersecurity breaches originating with third-party vendors – significantly higher than the global rate of 29%. The same report found that 67% of energy-sector breaches were linked to software and IT providers. In the UK, specialist reinsurance group Chaucer reported that there were 48 successful cyber-attacks on UK utility companies in 2023 – up by 586% from 2022.
The UK has extensive critical national infrastructure, including both physical and digital assets that could become targets of attacks. Physical assets include power stations, power grids, transmission lines, nuclear energy facilities, hydroelectric plants and a whole range of large-scale distribution assets. Digital technologies and assets are used to monitor, control, manage and maintain critical infrastructure. They include:
As discussed earlier, widely used operational technology (OT) systems that were previously deployed off-line are now connected to online systems and sensors – exposing them to internet-based threats. Many of these legacy systems require urgent upgrades to bring them in line with the latest cybersecurity standards.
The IT systems used to control and manage energy transmission and distribution networks are a key target. These systems help to balance supply and demand in real-time, ensuring energy is delivered where it’s needed at the right time to avoid power cuts or shortages. If major control centres are breached, it could lead to widespread outages and disruption affecting millions of people.
Today’s digital supply chains mean that any energy operator is connected to many direct third-party suppliers, as well as a multitude of connections beyond direct vendors. In its recent survey, DNV Cyber pointed out that supply chain complexity has significant implications for cyber-resilience. Energy companies rely on suppliers globally whose systems may be more vulnerable than their own – making rigorous supply chain risk management a top priority.
The complexity of energy-sector supply chains provides multiple potential points of entry. Any weak points in supply chain defences can offer hackers a way in, enabling them to wreak havoc in the organisations that manage, control and protect critical energy networks.
The difficulty of securing supply chains is heightened by a lack of visibility into digital supply chain networks, particularly beyond immediate third-party providers. The DNV Cyber research found that only 16% of professionals are very confident in their organisation’s visibility of supply chain vulnerabilities. That means most organisations do not have a clear understanding of the security postures and cyber-defences in place among their suppliers, let alone the network of companies digitally connected to those vendors.
Lack of visibility is often accompanied by a lack of transparency when it comes to reporting cyber-attacks within supply chains. According to DNV Cyber, more than a third (34%) of professionals in the energy sector suspect that suppliers have been infiltrated by hackers, but that those suppliers have not reported the breaches – perhaps fearful of jeopardising contractual agreements. Greater transparency is vital if the energy sector is to combat today’s cyber threats. Keeping quiet about breaches only plays into the hands of cyber criminals, potentially leaving them free to try and infiltrate connected organisations at a later point.
The most obvious step for improving supply chain resilience in the energy sector is of course implementing strict vendor security processes as part of supplier onboarding, followed by regular re-assessments and continuous monitoring throughout the contract lifecycle.
The DNV Cyber research found that many companies are already trying to address the issue by involving cyber security teams in the procurement of new systems, software and equipment. More than half of respondents (53%) said that cyber security issues were typically included in their procurement processes, while 71% said cyber security was incorporated in the early phases of new infrastructure projects.
It’s important to develop a consistent, rigorous approach to managing cyber security risk throughout procurement and ongoing supplier management. This approach needs to be aligned with industry peers and regulator requirements, to extend protection throughout the sector. Continuous collaboration, intelligence sharing and implementing best practice in supply chain risk management are vital to address the scale of the threat.
To help establish best practice, organisations can align with the NCSC CAF and GOVASSURE standards for Critical National Infrastructure protection. They can also participate in the Energy Cyber Security Programme – a collaborative effort between the Department for Business, Energy and Industrial Strategy (BEIS) and the National Cyber Security Centre (NCSC) to provide technical advice on managing cyber risks for critical national infrastructure operators. Organisations can gain further security assurances by aligning with the latest EU NIS2 Directive, which offers a unified legal framework for hardening cyber security and enhancing operational resilience across CNI and their supply chains.
However, in a supply chain network as vast and complex as the energy sector’s, keeping track of risks throughout all critical suppliers and even beyond in organisations’ extended supply chains remains an enormous challenge.
As the UK Government Cyber Security Strategy points out, and as the findings from the DNV Cyber research confirm, enhanced visibility into supply chain dependencies beyond immediate third parties is of fundamental importance to supply chain security and to greater resilience against supply chain incidents. This visibility is also crucial for identifying systemic and concentration risks as well as potential single points of failure, which remain a major blind spot for organisations and entire sectors.
Regulators are acutely aware of the threat supply chain attacks can pose to many critical sectors, especially the energy sector and other CNI sectors. As a result, they have introduced several new regulations like the Digital Operational Resilience Act (DORA) for financial services, NIS2 for European CNI or the upcoming cyber security and resilience bill in the UK to increase visibility into supply chain dependencies and mitigate systemic threats to CNI sectors. But organisations currently have no easy way of achieving this enhanced visibility.
Traditional Third-Party Risk Management (TPRM) has fundamental limitations. It is time-consuming, resource-heavy, and often reliant on manually completed supplier questionnaires, making it difficult to achieve visibility into extended supply chains, let alone identify concentration risk. Additionally, TPRM is typically conducted in silos, preventing organisations from sharing intelligence and leading to inefficiencies and duplicated efforts.
A collaborative approach can address these challenges by acting as a force multiplier for energy companies. By working together, organisations can map risks across a shared supply chain, leveraging collective resources to uncover systemic risks that would be difficult to detect individually.
Risk Ledger is already working to foster communities within different CNI sectors, helping them leverage their collective resources by providing the insights needed to identify concentration risks, something that might otherwise have been possible only with significantly more funding.
In one such community, we brought together ten operators of CNI, where they can view risks raised against specific suppliers by their peers, discuss best practices to mitigate these risks, and collaboratively engage with suppliers to address these risks. Moreover, they will be able to collaborate on supply chain attacks as they occur, significantly improving their access to up-to-date information from suppliers to determine the extent to which they may be exposed to any attack or disruption.
Finally, by overlaying their supply chain maps, they gain visibility across the entire supply chain and can identify potential concentration risk that may pose a threat to the entire community, and that may not have been known if this had been done in isolation.
The collaborative approach offers significant advantages for energy companies, since they often share many of the same suppliers. This shared oversight ensures multiple entities are monitoring each supplier while eliminating duplicate efforts, ultimately enabling both collective assurance and unified risk management. By sharing security activity within their environments, and then collaborating to strengthen the weakest nodes in the system, organisations can save a lot of time and resources. Even more importantly, it actually enhances the security of the entire ecosystem.
The reality is that organisations are linked, whether they like it or not, and the responsibility for preventing cyber crime is inescapably shared by the entire ecosystem. To put it simply, an organisation’s defences are only as strong as those of the other organisations in the ecosystem, so sharing resources and data is in everyone’s best interests.
Connected organisations have a natural incentive to make sure there isn’t a breach within their ecosystem. When everyone is connected, an attack on one organisation is tantamount to an attack on every organisation, which means that looking out for each other can only be beneficial. And conversely, failing to collaborate can only be detrimental for everyone involved. When it comes to cyber security, organisations can only win when they play as a team.