Home / Blogs

New Research Indicates Nearly 80% of Top US Energy Companies Are at Serious Risk for Cyberattacks

Co-authored by CSC’s Global Director Vincent D’Angelo, Senior Global Brand Security Advisor Quinn Taggart and Global Marketing Leader Sue Watts.

In light of the Biden administration’s recent efforts in protecting critical infrastructure from cyber threats, new research from CSC indicates that a majority of the top energy companies in the U.S. are vulnerable to attack due to shortcomings in their online operations. Specifically, these organizations are vulnerable to domain name and domain name system (DNS) hijacking and phishing attacks based on their lack of effective domain security.

Highlights of CSC’s research on these top energy companies indicates:

Nearly 80%are not usingregistry locks67%are registered withconsumer-grade domain registrars(vs enterprise-grade registrars)Only17%useDNS hosting redundancyOnly3%useDNS security extensions (DNSSEC)73%of companies useDomain-based message authentication, reporting, and conformance (DMARC)

This analysis was conducted on the 30 largest U.S. companies by market capitalization that produce and deliver energy in the U.S. With that being said, the findings are consistent with the domain security posture of 90+ global “energy” companies that are part of CSC’s Forbes Global 2000 report.

Each of the security measures listed above are industry best practices that help mitigate against cyber attacks, and they’re part of CSC’s defense in-depth approach. Threats of not deploying these security measures include:

At CSC, we talk about locking your vital domains as being your first—and best—line of defense. Only 17% of these utility companies are leveraging tools like a registry lock, which leaves the rest vulnerable to social engineering, unauthorized DNS changes, and domain name hijacking.

In addition, 67% of these companies are relying on consumer-quality practices for securing their web domains, which puts them at exponential risk for some of today’s most common cyber threats. Companies need to understand how their choice of provider fits into decisions made about their organization’s overall cybersecurity posture, along with concerns about IP infringement and trademark law. When it comes to the domain ecosystem, choice of domain registrar can affect colleagues responsible for cybersecurity and IT, as well as legal (general counsel), risk, and compliance (chief risk officer)—because it has a major impact on cyber security, phishing attacks and online fraud, and brand abuse.

To manage a domain name portfolio, company’s need to work with a provider that has invested in protecting its own systems. With all of the cybersecurity threats today, not only does a good domain name registrar need to have the right technology—to protect itself and client companies from a data breach—but it also needs best-in-class operations practices that put security at the forefront of its mission, and in how it engages with its clients.

An enterprise-level registrar should have ISO 27001 accredited data centers, SOC 2® compliance, third-party penetration and vulnerability testing. They should conduct regular security tests, including SQL injection and cross-site scripting (XSS). They should also be Internet Corporation for Assigned Names and Number (ICANN) and country-code top-level domain (ccTLD) registry accredited. A registrar that’s qualified to serve an enterprise will offer a full accounting of all domains, DNS, and digital certificate providers. It should provide 24/7/365 support along with cybersecurity training for its staff, including phishing and social engineering awareness. It’s also important for an enterprise-class registrar to:

  • Mandate written requests (never via phone)
  • Be data and General Data Protection Regulation compliant (e.g., WHOIS practices)
  • Have a registry transfer-lock policy

Looking at CSC’s research, only 17% of the energy companies have DNS hosting redundancy, and the lack of this security measure makes them more susceptible to DNS vulnerabilities or a costly distributed denial of service (DDoS) attack. DNSSEC is another proven mitigation tool for DNS threats, as it protects organizations from cache poisoning, but it also has very low use at just 3%. DMARC use is optimistically high, and with the growth and damage done by phishing attacks today, this is a good sign. As the Biden administration takes a closer look at the security around major utilities, it’s imperative that these organizations reassess their approaches to securing their domain security ecosystem to follow enterprise-class strategies for more effective security. All of these security measures will have an immediate effect on cyber risk at these energy companies and will help mitigate the prospect of attacks that can lead to network breaches, system outages, and nefarious actions by bad actors.

By Vincent D'Angelo, Global Director at CSC

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

Brand Protection

Sponsored byAppdetex

IPv4 Markets

Sponsored byIPXO

Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

Domain Management

Sponsored byMarkMonitor

Cybersecurity

Sponsored byVerisign