As a critical element of national infrastructures worldwide, the energy and utilities sector literally keeps the lights on. When water, gas, or electricity is cut off from businesses and families, the consequences can be catastrophic, writes Karl Mattson, Field CISO at Noname Security.
To improve resilience and protect service uptime, energy and utilities companies know that digitisation is key to transforming the services they deliver, but aging technology stacks, a lack of interoperability and collaboration, and poor security hygiene are all limiting progress. APIs are what make the digital vision achievable for this sector: they let energy and utilities companies move away from heavy-lifting manual tasks, automate, digitise, and build optimised customer experiences.
At the same time, those same APIs are generating a wave of API-related security incidents: leaky APIs that return more data than the caller should see, vulnerable system APIs, authorisation flaws, and more. As a result, the sector is increasingly becoming a target for cyber-attacks, and the rush to bring energy and utilities technology up to date leaves APIs exposed to exploitation.
Our recent research surveyed over 100 CIOs, CISOs and CTOs from the energy and utilities sector to better understand the trends in API security in their industry and the effects of API security incidents on their organisations.
The threat is real
Compared to our previous research, the energy and utilities sector was the only industry in which the share of businesses affected by API security incidents did not rise. Even so, 78% were affected, which shows that the issue is not abating and is not being dealt with properly.
There are several possible reasons. One is that the issue is not properly understood, and it is not clear to energy and utilities companies that APIs represent such a large weakness in their cybersecurity strategy. Another is that cyber criminals target this sector more aggressively than others, knowing that downtime has a big impact, which cancels out the sector's efforts to mitigate threats.
The research also points to a further, significant issue: complacency. Despite the consistently high frequency of API security incidents, 94% of energy and utilities respondents expressed confidence in their API security tools. The disconnect between confidence in existing tools and a high number of API security incidents is concerning, to say the least.
Another concern is the method of attack. In 2023 respondents most often reported web application firewall (WAF) attacks, whereas Distributed Denial of Service (DDoS) attacks had previously been the most common. A WAF inspects individual requests for known-bad patterns; it has no view of whether a well-formed request is reaching data its caller is entitled to, which is exactly what the authorisation flaws above exploit. This emphasises the need for security professionals in energy and utilities to have an end-to-end, holistic platform that can identify and mitigate attacks of every kind.
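The following is an added example, not code from Noname Security or from the report, illustrating the authorisation-flaw class named above and why a signature-based WAF check does not catch it. The meter-reading records, the two customers, the toy WAF patterns and the `/api/readings/{id}` route are all constructed for this illustration: a well-formed request for another customer's object sails through the filter, and only the hardened handler, which scopes the lookup to the authenticated customer, refuses it.

```python
"""Added example: broken object-level authorisation (BOLA) behind a WAF-style
filter, beside the hardened handler. Constructed data, not vendor code."""
import re
from dataclasses import dataclass

# Constructed sample data: two customers, each owning one meter-reading record.
METER_READINGS = {
    1001: {"customer_id": "cust-A", "kwh": 412.5, "address": "1 Example Rd"},
    1002: {"customer_id": "cust-B", "kwh": 98.0, "address": "2 Sample St"},
}


@dataclass
class Request:
    user: str   # authenticated customer id taken from the session or token
    path: str   # request path as received


# A toy signature filter of the kind a WAF applies: it blocks obvious
# injection payloads but has no notion of which customer owns which object.
BAD_PATTERNS = [re.compile(p, re.I) for p in (r"<script", r"union\s+select", r"\.\./")]


def waf_allows(path: str) -> bool:
    """True when no blocklisted pattern appears in the path."""
    return not any(p.search(path) for p in BAD_PATTERNS)


READING_PATH = re.compile(r"^/api/readings/(\d+)$")


def vulnerable_get_reading(req: Request):
    """Authenticates the caller (req.user is trusted) but never checks
    that the requested reading belongs to that caller."""
    m = READING_PATH.match(req.path)
    if not m:
        return 404, None
    record = METER_READINGS.get(int(m.group(1)))
    return (200, record) if record else (404, None)


def hardened_get_reading(req: Request):
    """Same route, but the lookup is scoped to the authenticated customer."""
    m = READING_PATH.match(req.path)
    if not m:
        return 404, None
    record = METER_READINGS.get(int(m.group(1)))
    # Answer 404 rather than 403 so that the existence of other customers'
    # reading ids is not leaked by the status code.
    if record is None or record["customer_id"] != req.user:
        return 404, None
    return 200, record


def serve(handler, req: Request):
    """Run the WAF check first, then the handler. Returns (status, body)."""
    if not waf_allows(req.path):
        return 403, None
    return handler(req)


if __name__ == "__main__":
    cross_tenant = Request(user="cust-A", path="/api/readings/1002")
    print("vulnerable:", serve(vulnerable_get_reading, cross_tenant))
    print("hardened:  ", serve(hardened_get_reading, cross_tenant))
    print("injection: ", serve(hardened_get_reading,
                               Request("cust-A", "/api/readings/1 union select 1")))
```

The injection attempt is the only request the filter stops; the cross-tenant read is indistinguishable from a legitimate one at the request level, so the check has to live in the handler (or in a runtime layer that knows the caller's identity and the object's owner).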
The impact of API security incidents
Because the energy and utilities sector is critical to worldwide economies and society, its companies are in the spotlight when things go wrong, with customers and stakeholders asking difficult questions.
Being on the receiving end of an API security incident hits the organisation's bottom line: the cost of quickly restoring systems, of reimbursing unhappy customers, and of lost business efficiency and productivity. Over half (57%) of global respondents in the energy and utilities sector have suffered a loss of employee goodwill, and 53% cited a loss of productivity due to an API security incident.
With the sector so highly regulated, and in some countries controlled by central government, energy and utilities firms can quickly amass heavy penalties and fines if they are compromised through an API security incident. Nearly half of our survey respondents stated that this had been an issue for their organisation.
At the same time, 79% of respondents said their API security platform provider helps them maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS), and 80% said their provider helped them comply with GDPR, the highest percentage of any sector surveyed.
What can be done?
This sector is often considered to be behind in digital transformation initiatives, so the need to modernise has become essential. That poses unique challenges, especially when it comes to securing legacy technology. Whilst our research indicates that respondents in this sector are both increasing their visibility of APIs and testing APIs for vulnerabilities, progress must accelerate in order to robustly shore up defences.
Energy and utilities companies should work with an API security platform provider that can deliver the strong API security they need. With the ongoing drive towards automation and digitisation, dependence on APIs will only grow, and a greater focus on API security is required to set energy and utilities companies on the right path in the coming years.
As countries and governments decide how to redesign infrastructure to ensure customer satisfaction and energy security, it is paramount that energy and utilities organisations can implement a robust API strategy across four areas: discovery (knowing which APIs are actually exposed, including undocumented ones), posture management (finding misconfigurations and data exposure in those APIs), runtime protection, and API security testing.
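As an added example of the first two of those areas, not code from Noname Security or from the report, the script below builds an API inventory from web-server access logs and compares it with the documented endpoints. The six log lines, the documented inventory, the `/api/internal/...` and `/api/v2/scada/...` paths and the treatment of `10.` addresses as internal are all constructed for the illustration. It shows what "discovery" and "posture" mean in practice: two endpoints that appear in traffic but not in the documentation, one of which served a full customer export to an external address.

```python
"""Added example: API discovery and a simple posture check from access logs.
Constructed log lines and inventory, not vendor code."""
import re
from collections import defaultdict

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:09:01:02 +0000] "GET /api/v1/meters/1001/readings HTTP/1.1" 200 512
10.0.0.5 - - [10/Mar/2024:09:01:05 +0000] "GET /api/v1/meters/1002/readings HTTP/1.1" 200 498
10.0.0.9 - - [10/Mar/2024:09:02:11 +0000] "POST /api/v1/outages HTTP/1.1" 201 77
10.0.0.9 - - [10/Mar/2024:09:02:30 +0000] "GET /api/v1/outages/7 HTTP/1.1" 200 301
203.0.113.4 - - [10/Mar/2024:09:03:00 +0000] "GET /api/internal/export/customers?format=csv HTTP/1.1" 200 90211
203.0.113.4 - - [10/Mar/2024:09:03:09 +0000] "GET /api/v2/scada/relay/12/status HTTP/1.1" 401 0
"""

# Constructed "documented" inventory, as an OpenAPI spec would list it.
DOCUMENTED = {
    ("GET", "/api/v1/meters/{id}/readings"),
    ("POST", "/api/v1/outages"),
    ("GET", "/api/v1/outages/{id}"),
}

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)')
ID_SEG = re.compile(r"^\d+$")


def normalise(path: str) -> str:
    """Strip the query string and collapse numeric path segments to {id}
    so that /meters/1001 and /meters/1002 count as one endpoint."""
    path = path.split("?", 1)[0]
    return "/".join("{id}" if ID_SEG.match(seg) else seg for seg in path.split("/"))


def discover(log_text: str, internal_prefixes=("10.",)):
    """Return {(method, template): {"hits", "statuses", "external_ok"}}.
    external_ok counts 2xx responses served to sources outside internal_prefixes."""
    inv = defaultdict(lambda: {"hits": 0, "statuses": defaultdict(int), "external_ok": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        src, method, path, status, _size = m.groups()
        status = int(status)
        entry = inv[(method, normalise(path))]
        entry["hits"] += 1
        entry["statuses"][status] += 1
        if not src.startswith(internal_prefixes) and 200 <= status < 300:
            entry["external_ok"] += 1
    return inv


def shadow_endpoints(inv, documented):
    """Endpoints seen in traffic but absent from the documented inventory."""
    return sorted(k for k in inv if k not in documented)


def posture_findings(inv, documented):
    """Plain-text findings: undocumented endpoints, and endpoints that
    successfully answered an external caller."""
    findings = []
    for (method, tmpl), entry in inv.items():
        if (method, tmpl) not in documented:
            findings.append(f"undocumented: {method} {tmpl}")
        if entry["external_ok"]:
            findings.append(f"2xx served to external source: {method} {tmpl}")
    return sorted(findings)


if __name__ == "__main__":
    inventory = discover(SAMPLE_LOG)
    for key, entry in sorted(inventory.items()):
        print(key, dict(entry["statuses"]))
    for finding in posture_findings(inventory, DOCUMENTED):
        print(finding)
```

On the constructed log the SCADA endpoint is undocumented but at least refused the external caller (401), whereas the customer export is both undocumented and leaking; the second is the kind of "leaky API" the incident figures above describe, and it never appears in a WAF alert because every request was syntactically clean.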
Noname’s API Security Disconnect report is available here.