Third-Party Risk Management in Energy: All You Need to Know

The corporate supply chain in the energy sector is vast and complex, spanning from specialised equipment manufacturers to software providers and contractors. While this expansive web of services facilitates the scale of operations of modern energy companies, it also offers a significant attack surface for malicious actors looking to compromise energy companies' security through their third-party vendors.  

Thus, managing third-party risks is now an essential part of security operations for global energy companies. A data breach at a third-party vendor can also compromise the operations, reputation, and finances of its clients and partners in the energy sector. In fact, an incredible 90% of global energy companies have experienced a third-party data breach to date.

Securing your corporate supply chain should thus be top of your list. Here, we will explore the world of third-party risk management (TPRM) within the energy industry. 
‍

What is Third Party Risk Management and Why Is It Important?

Third-party risk management (TPRM) involves identifying, assessing, and mitigating the risks associated with third-party vendors and partners. TPRM is critical in the energy sector because disruptions or failures within organisations’ corporate supply chains have far-reaching consequences.

An energy company's production, distribution, or even national security could be compromised if a vendor’s security is breached. That's why effective TPRM is so crucial. It helps energy companies:

• Protect operations from disruptions caused by third-party breach.
• Maintain regulatory compliance by ensuring vendors meet industry and security standards.
• Safeguard their reputation by minimising the risk of incidents that could damage public trust.
• Enhance overall risk management by proactively identifying and addressing vulnerabilities. 
  ‍

What Risks Exist in the Energy Industry from a TPRM Perspective?

The energy sector faces a unique set of risks regarding third-party relationships. Some of the most significant include: 

Cyber Security Risks

As energy systems become more digitised and interconnected, the risk of cyber attacks targeting suppliers of critical infrastructure such as energy increases. A breach in a vendor's network potentially gives attackers access to sensitive data or even control systems, with potentially disastrous consequences.

Supply Chain Disruptions

The energy industry relies heavily on a vast network of suppliers for equipment, materials, and services. Any disruption in this supply chain, whether due to financial instability, natural disasters, geopolitical tensions or cyber security incidents at these suppliers' own sub-contractors and outsourcing partners, can severely impact operations.

Regulatory Compliance Risks

Energy companies must comply with a complex web of regulations and standards, many of which extend to their third-party relationships. Failure to ensure vendor compliance can result in fines or legal repercussions.

Operational Risks

Third-party vendors and contractors are pivotal in maintaining and supporting energy infrastructure. Mismanagement, negligence, or lack of expertise on their part, leading to breaches, can lead to operational failures, safety incidents, or environmental disasters.
‍

Compliance and Regulatory Elements in Energy

The energy sector is governed by a comprehensive array of laws and regulations that span various domains, including interstate energy transmission, environmental conservation, cybersecurity, and anti-bribery practices. 

This regulatory overview highlights some of the overarching laws and regulations that govern the energy industry. 

1. Network Information Systems Regulation (NIS): The NIS Directive was designed by the EU to increase member states’ cybersecurity capabilities, increase collaboration on cybersecurity, and encourage member states to ‘supervise’ cybersecurity across their Critical National Infrastructure (CNI). The Directive has also become binding in the UK for Operators of Essential Services’ (OES) such as energy companies in the form of the NIS Regulation. Measuring compliance with NIS in the UK is closely related to OES demonstrating that they have implemented the Indicators of Good Practice (IGP) of the NCSC’s Cyber Assessment Framework (CAF). Energy regulator Ofgem, jointly with the Department for Business, Energy & Industrial Strategy have been designated as the competent authorities for the downstream gas and electricity sectors in Great Britain.
   ‍
2. Federal Energy Regulatory Commission (FERC): In the US, FERC's broad regulatory purview encompasses the interstate transmission of electricity, oil, and natural gas. Vendor non-compliance in this domain can expose you to substantial penalties and legal repercussions.
   ‍
3. Sarbanes-Oxley Act (SOX): This act mandates external and internal control assessments, which often extend to third-party vendors. Compliance with this law is particularly crucial if a third-party vendor provides significant operational services. The regulation applies to all publicly traded companies within the United States.
   ‍
4. Dodd-Frank Wall Street Reform and Consumer Protection Act: Under the 'Swap Dealer Rule' outlined in this act, if you engage in significant swap trading activities, you must register as a Swap Dealer. This regulatory obligation extends to third-party vendors involved in swap transactions.
   ‍
5. Environmental Protection Agency (EPA): The regulations established by the EPA regarding air and water quality, waste management, and pollution prevention are binding on you and your third-party vendors.
   ‍
6. The North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP): The NERC CIP standards outline mandatory cybersecurity requirements. If you or your vendors manage critical infrastructure, you must adhere to these regulations.
   ‍
7. Foreign Corrupt Practices Act (FCPA) and UK Bribery Act: These acts prohibit the bribery of foreign officials and necessitate the maintenance of accurate books and records. You must ensure that your third-party vendors fully comply with these anti-corruption laws.
   ‍

Recent Supply Chain Incidents in the Energy Sector

To underscore how important it is to safeguard your corporate supply chain, let's consider several incidents that illustrate the potential consequences of supply chain incidents. 

Specifically, a 2023 report by SecurityScorecard showed that 90% of the world’s top energy companies experienced data breaches caused by third-parties in 2023. These breaches not only leaked sensitive information but also raised doubts about the industry’s security protocols across the board. 

These incidents resulted in financial losses, reputational damage, and destroyed customer confidence. Among the key finding of the report are: 

• There were 264 reported breaches in the energy sector linked to third-party issues.
• All top 10 U.S. energy companies were affected by confirmed third-party breaches.
• The MOVEit vulnerability was prevalent in the last six months, impacting numerous global energy companies.
• 33% of energy companies scored a C or lower in security, indicating a heightened breach risk. 

Five notable recent data breaches in the energy sector include:

SolarWinds

From 2019 to 2020, a cyberattack struck the software supply chain of IT infrastructure management company SolarWinds’ Orion platform. Linked to Russian state-sponsored hackers, the breach began by compromising the company’s supply chain, enabling the attackers to plant malware on the networks of SolarWinds’ customers.

The attackers altered a plugin on the Orion platform, creating a backdoor that allowed them to control third-party servers, exfiltrate data, and deploy additional malicious code. The breach impacted several U.S. federal government agencies, including the Departments of Justice, Homeland Security, and Treasury, along with over 18,000 other customers, including many in CNI sectors such as electrical and energy. The attacks were eventually mitigated through rapid hotfixes and global security patches issued by Microsoft.

3CX

In March 2023, a cyberattack targeted the corporate supply chain of 3CX, a company with approximately 600,000 global customers and 12 million daily users. This attack also affected two energy firms and two financial traders, stemming from a previously compromised trading software downloaded by an employee.

The malware implemented a multi-stage backdoor allowing the attackers to steal corporate login credentials from the employee’s device and move through 3CX’s network. The malware’s automatic startup on devices provided attackers with remote access to all connected systems.

Colonial Pipeline

In May 2021, a ransomware attack targeted Colonial Pipeline, the largest fuel pipeline in the US, which supplies nearly half of the East Coast's transport fuel. The DarkSide hacking group gained access to and encrypted corporate data, threatening to leak it unless Colonial paid the ransom.

The pipeline and its IT and OT systems were pre-emptively shut down for several days, leading to a potential international fuel supply crisis. Eventually, a $5 million ransom was paid to restore the data, concluding one of the most significant attacks against critical infrastructure in the US.

Copel and Eletrobras

In February 2021, Brazilian state-owned utility companies Centrais Elétricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) were hit by ransomware attacks from DarkSide, the same group behind the Colonial Pipeline incident.

The attack on Copel led to some operations and services going offline, with 1,000 GB of sensitive data stolen and leaked. Eletrobras’ subsidiary, Eletronuclear, which operates two nuclear power plants, also suffered an attack. While some operations were suspended to protect data, the operational technology systems running the nuclear plants remained isolated and unaffected.

Triton

In 2017, the rogue code Triton was discovered targeting a petrochemical plant in Saudi Arabia. Triton enables hackers to remotely control a plant’s safety systems, potentially disabling them in dangerous situations. Fortunately, a flaw in the code led to the hackers being detected before any harm could be inflicted.

The attackers are believed to have infiltrated the Saudi Arabian petrochemical company’s IT network as early as 2014 through a spear phishing attack. This provided access to a poorly configured firewall and an engineering workstation. Now, the hackers behind Triton are targeting companies in North America and worldwide.
‍

Best Practices For Third-Party Risk Management in the Energy Industry

As the regulatory landscape and risk factors continually evolve, energy companies must reinforce their third-party risk management (TPRM) practices. Regular assessments and strategy updates are crucial for maintaining compliance and safeguarding operations. Implementing these key best practices can strengthen TPRM:

1. Rigorous Vendor Risk Assessments: Conduct thorough due diligence on all third-parties, including detailed background checks, cyber security, data governance, but also business resilience and financial risk assessments, as well as stringent reviews of regulatory compliance adherence. Vendors must demonstrate conformance to applicable regulations like data protection, or environmental and social standards.
   ‍
2. Geopolitical Risk Evaluation: Given the industry's global nature, assess geopolitical risks posed by vendors' locations. Those in politically unstable regions or under stringent oversight may carry higher risks related to sanctions, trade restrictions, or volatility.
   ‍
3. Environmental Impact Review: Scrutinise vendors' environmental practices and sustainability commitments, especially for renewable energy, oil/gas, and waste management companies. Ensure alignment with the organisation's standards.
   ‍
4. Contractual Compliance Mandates: Include specific clauses in vendor contracts requiring full compliance with relevant laws and regulations, along with clearly defined penalties for violations.
   ‍
5. Continuous Monitoring and Auditing: Implement regular monitoring of vendor security and compliance postures. Frequent monitoring and occasional audits should validate self-reported compliance status and internal control effectiveness.
   ‍
6. Business Continuity Planning: Require vendors to maintain robust business continuity and disaster recovery capabilities to prevent disruptions to operations and supply chain.
   ‍
7. Incident Response Preparedness: Mandate that vendors promptly report data breaches or security incidents and have effective response and notification protocols.
   ‍
8. Adequate Insurance Coverage: Verify vendors maintain appropriate insurance for risks associated with their products, services and operations in this high-risk industry.
   ‍
9. Collaborative Vendor Relationships: Foster open communication and partnership with third-parties to proactively identify and address potential compliance gaps.
   ‍
10. Comprehensive Employee Training: Implement regular TPRM training programmemes to raise risk awareness across all levels of the organisation.

By adopting these practices, energy companies can implement a strong, dynamic third-party risk management programme that reduces operational risks, ensures compliance, and cultivates trustworthy business partnerships - protecting the company's reputation and financial standing.
‍

How Risk Ledger Can Help

Navigating the complex world of third-party risk management in the energy industry can be challenging, but you don't have to go it alone. Risk Ledger is the first global network of connected organisations all working together to defend-as-one, detecting, responding, and ultimately preventing cyberattacks against our supply chains.

With Risk Ledger, you can streamline your entire third-party risk management lifecycle, from vendor onboarding and due diligence to continuous monitoring and risk reporting. The platform's advanced features include:

• Automated Risk Assessments: Conduct thorough risk assessments of your third-party vendors using our standardised assessment framework, which has been developed with the help of experts from the NCSC and maps against all leading global risk frameworks.
  ‍
• Compliance Management: Easily track and manage compliance with various regulatory standards and environmental regulations through one centralised dashboard.
  ‍
• Incident Management: Investigate and mitigate incidents in your supply chain collaboratively with your vendors on the Risk Ledger platform, and, using our emerging threats feature, you can map the potential blast radius of and are thus better equipped to deal with fallouts from emerging threats like Log4j, Solarwinds and MOVEit.
  
  
• Continuous Monitoring: By being continuously connected to your suppliers on Risk Ledger, and by receiving automatic notifications if any security controls in any of your vendor changes, you always stay on top of your vendor security postures.
  ‍
• Reporting and Analytics: Customisable reports and dashboards provide valuable insights into your third-party risk posture, enabling data-driven decision-making.

By partnering with Risk Ledger, you can streamline your third-party risk management processes, enhance compliance, and proactively address potential vulnerabilities within your corporate supply chain. Don't let third-party risks jeopardise your operations – take control with a comprehensive solution tailored to the energy industry's unique needs.

In the ever-evolving energy landscape, where third-party relationships are integral to business operations, effective risk management is no longer just a best practice – it's an essential component of a responsible business operation. By implementing the strategies and leveraging tools outlined in this guide, you can fortify your defences against the myriad risks lurking within your corporate supply chain.

Remember, the consequences of inadequate third-party risk management can be severe, ranging from operational disruptions and financial losses to regulatory penalties and irreparable reputational damage.