How the energy sector can mitigate rising cyber threats

With Dragos research finding cyber attacks targeting the energy sector across Europe, we explore how the industry can mitigate rising threats

Cyber attacks continue to evolve, with threat actors finding new ways to exploit vulnerabilities within the networks of organisations across all sectors. The energy sector is one such industry, where attacks on infrastructure can negatively impact not only business operations, but everyday life too.

According to research from industrial cyber security specialists Dragos, electric providers that lack adequate defences at every level of the Purdue model, often because they have no dedicated security staff or budget, are exposed to attack through devices that are likely to be connected directly to the Internet. Further data reveals that 77 per cent of assets within energy sector networks sit behind porous IT/OT boundaries, which puts a larger target on the industry's back.

Dragos examined cyber activity that can prove a danger to industrial infrastructure, including energy, now and over the next year. Reasons for such attacks identified by the industrial cyber security experts include increasing regional tensions such as the conflict in Ukraine, continued development of Activity Group (AG) techniques, and the high potential of vulnerabilities in one country affecting providers in neighbouring nations.

Energy providers are at particular risk due to the variety of security zones present, as well as trust relationships. Cyber attacks on this particular industry can impact transmission, distribution and services to customers. It’s these factors, combined with the critical nature of its public services, that make the cyber landscape in the sector unique.

Threats against energy sector organisations

In terms of the particular threat actors targeting the energy sector across Europe, Dragos pinpointed the groups DYMALLOY, VANADINITE and XENOTIME.

The victims of attacks conducted by DYMALLOY include electric utilities, as well as oil and gas (ONG) providers. These victims experienced long-term and persistent infiltrations of IT and OT environments throughout 2019 and 2020, carried out to collect intelligence and to prepare future disruptions. The group's techniques have developed and evolved rapidly, outpacing the defences put in place by energy sector security personnel.

The VANADINITE group, meanwhile, emerged as an access mechanism in 2019, targeting energy companies as well as government departments. By exploiting security gaps in external-facing network appliances, such as VPN gateways, this group is capable of gaining access to entire networks and disrupting operations from there.

XENOTIME is a threat group that has been found to target midstream and downstream liquefied natural gas (LNG) entities, with oil and natural gas operation disruption particularly likely in the North Sea, according to Dragos.

On further assessment of this activity, Dragos has observed that the economic interests of oil and gas entities are likely to attract further intrusions in the near future, as operations expand and markets become more competitive.

Mitigating adversarial access

Ransomware has been a particularly common attack on critical infrastructure such as energy providers in recent times; it not only brings operations to a halt, but can also damage reputation and trust. Security teams must constantly evolve their security strategies, ensuring that patches are up to date and that access controls such as zero trust are in place.

Network access is a key exposure if it is not properly addressed. Security teams within energy sector organisations can protect it by:

  • Implementing multi-factor authentication (MFA) for remote access to systems within the OT network.
  • Looking out for use of open source tools that have been used to target industrial entities, such as SSH.NET, MASSCAN and Impacket.
  • Reviewing architecture for routing protocols between OT and external networks.
  • Utilising a Crown Jewel Analysis (CJA) model — examining physical & logical assets, data, and communication & control interfaces from top to bottom — to identify risks.
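The first three recommendations above can be turned into routine checks over connection logs. The script below is an added example, not Dragos's code or anything from the report: it uses constructed Purdue-style zone ranges, a constructed log format and constructed sample records, and it flags (1) flows that cross the IT/OT boundary without transiting the DMZ, (2) remote-access sessions into OT that were not MFA-authenticated, and (3) sources that touch many distinct host/port pairs in a short window, which is what mass scanning looks like regardless of the tool used. The port list, thresholds and addresses are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Purdue-style zones with constructed address ranges (assumption, not from the article).
ZONES = {
    "enterprise": ip_network("10.10.0.0/16"),  # Levels 4/5: business network
    "dmz": ip_network("10.20.0.0/16"),         # Level 3.5: industrial DMZ / jump hosts
    "ot": ip_network("10.30.0.0/16"),          # Levels 0-3: control network
}

# Zone pairs allowed to talk directly. Anything crossing the IT/OT boundary
# must go through the DMZ, so enterprise<->OT or external<->OT is a finding.
ALLOWED_PAIRS = {
    ("enterprise", "dmz"), ("dmz", "enterprise"),
    ("ot", "dmz"), ("dmz", "ot"),
    ("external", "dmz"), ("dmz", "external"),
}

# Interactive remote-access ports covered by the MFA policy (assumed scope).
REMOTE_ACCESS_PORTS = {22, 3389, 5900}


@dataclass(frozen=True)
class Conn:
    ts: int      # seconds since epoch (constructed)
    src: str
    dst: str
    dport: int
    mfa: bool    # True only when the session was MFA-authenticated


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the defined ranges is external."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def parse_line(line: str) -> Conn:
    """Constructed log format: '<ts> src=<ip> dst=<ip> dport=<n> mfa=<yes|no|na>'."""
    ts, *fields = line.split()
    kv = dict(item.split("=", 1) for item in fields)
    return Conn(int(ts), kv["src"], kv["dst"], int(kv["dport"]), kv.get("mfa") == "yes")


def boundary_violations(conns):
    """Flows that cross zones without passing through the DMZ."""
    found = []
    for c in conns:
        pair = (zone_of(c.src), zone_of(c.dst))
        if pair[0] != pair[1] and pair not in ALLOWED_PAIRS:
            found.append(c)
    return found


def remote_access_without_mfa(conns):
    """Remote-access sessions entering OT from any other zone without MFA."""
    return [c for c in conns
            if zone_of(c.dst) == "ot" and zone_of(c.src) != "ot"
            and c.dport in REMOTE_ACCESS_PORTS and not c.mfa]


def scan_suspects(conns, window=60, threshold=20):
    """Sources touching >= threshold distinct (dst, port) pairs within one window."""
    buckets = defaultdict(set)
    for c in conns:
        buckets[(c.src, c.ts // window)].add((c.dst, c.dport))
    return sorted({src for (src, _), targets in buckets.items() if len(targets) >= threshold})


# Constructed sample records: one direct Internet->OT Modbus flow, one enterprise->OT
# RDP session that skips the DMZ and MFA, a compliant jump-host session, a jump-host
# SSH session without MFA, and a DMZ host sweeping 25 ports on one OT device.
SAMPLE_LOG = [
    "1000 src=203.0.113.5 dst=10.30.1.10 dport=502 mfa=na",
    "1001 src=10.10.5.5 dst=10.30.1.20 dport=3389 mfa=no",
    "1002 src=10.20.1.1 dst=10.30.1.20 dport=3389 mfa=yes",
    "1003 src=10.20.1.1 dst=10.30.1.30 dport=22 mfa=no",
] + [f"1200 src=10.20.9.9 dst=10.30.1.40 dport={p} mfa=na" for p in range(100, 125)]


def audit(lines):
    """Run all three checks and return the findings keyed by check name."""
    conns = [parse_line(line) for line in lines]
    return {
        "boundary_violations": boundary_violations(conns),
        "remote_access_without_mfa": remote_access_without_mfa(conns),
        "scan_suspects": scan_suspects(conns),
    }


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_LOG).items():
        print(f"{check}: {findings}")
```

The zone policy is the piece worth adapting: once the real address plan is filled in, `boundary_violations` doubles as a review of the routing architecture between OT and external networks, because any flow it reports corresponds to a route that should not exist.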

Maintaining long-term protection

As energy sector organisations continue expanding their connectivity to improve efficiency, they must ensure that their security controls keep pace with the growing perimeter. Without properly secured infrastructure, no digital transformation will succeed, and not only internal operations but also the data of energy users are bound to become exposed. By following the above recommendations, energy companies can go a long way towards keeping their infrastructure protected in the long run.

This endeavour can be strengthened further by partnering with cyber security specialists like Dragos, which provides an all-in-one platform that enables real-time visualisation, protection and response against ever-present threats to the organisation. These capabilities, combined with threat intelligence insights and supporting services across the industrial control system (ICS) journey, are sure to provide peace of mind and added confidence in the organisation's security strategy.

For more information on Dragos's research around cyber threat activity targeting the European energy sector, download the Dragos European Industrial Infrastructure Cyber Threat Perspective report.

This article was written as part of a content campaign with Dragos.
