Third-Party Vendors Are The Top Cybersecurity Threat For US Energy Companies
A new report by SecurityScorecard and KPMG found that the top cybersecurity threat to US energy companies is actually their own third-party vendors.
The study analyzed 250 energy companies, of which 90% had previously faced cyberattacks related to third-party vendor failures. Attacks on electric companies are “disproportionately high,” accounting for 45% of the attacks in the energy sector.
Another major issue is the legacy technology that these companies rely on. Due to the need for careful investigations of each new patch, the energy sector relies on older tech that’s slow to update. While this prevents customers from losing power due to technical failures, it means these companies lag behind modern threats.
Through the same study, we learned that 39% of these attacks originated from the June 2023 MOVEit hack. In that attack, threat actors breached the file transfer software MOVEit and gained access to company information. While most of the data focused on US companies, the breach impacted the global supply chain.
IT vendors and software companies are at the greatest risk of being breached by hackers. Together, they made up over 67% of the third-party companies that were attacked.
“The energy sector’s growing dependence on third-party vendors highlights a critical vulnerability — its security is only as strong as its weakest link,” said Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard. “Our research shows that this rising reliance poses significant risks. It’s time for the industry to take decisive action and strengthen cybersecurity measures before a breach turns into a national emergency.”
Many experts believe these businesses can only be protected by proactively improving their defenses.