"The 2021 Ransomware Risk Pulse: Energy Sector" report from Black Kite grades the performance of 150 energy companies from the Fortune 500 on various aspects of security preparedness. The report includes a heat map of how these companies score across the board. To the sector's credit — and thank goodness, considering how vital the services are — most companies rated fairly highly across most of the security postures, including awareness of attack surface (139 As, 11 Bs), fraudulent apps (134 As, 14 Bs, 2 Cs), and social media risks (133 As, 14 Bs, 2 Cs, and 1 F).
Where many companies need to improve is in areas like patch management, which is often overlooked but is vitally important for plugging vulnerabilities; 38 of the 150 companies rated an F here. Credential management was particularly bleak, with 52 companies earning an F. The most disturbing part there is that's exactly how the Colonial Pipeline attackers got in — through an unused but open VPN account.
But perhaps the biggest area for improvement is in SSL/TLS strength. While only 17 of the companies evaluated rated an F, almost half — 72 — squeaked by with a D grade. SSL and, hopefully more often, TLS encrypt communications between the Web client and server, ensuring the company's protocols and certificates are up to date is vital to protect customers' information.
Overall, the energy sector is a mixed bag, but at least now the IT staff knows where to concentrate their efforts. View the full energy sector report from Black Kite.