Despite Colonial Pipeline attack, likelihood of utilities sector hack has increased

WhiteHat Security finds increase in utility software with at least 1 vulnerability

A key metric that indicates vulnerability to cyberattacks has increased since the start of the year, a cybersecurity firm says.

The "Window of Exposure," a key metric that indicates the exposure to cyber breaches for software applications in the utilities sector, increased since the start of the year, WhiteHat Security said in a report.

The report said that the Colonial Pipeline ransomware attack also exposed the risks for vulnerable software applications in the utilities sector.

"Application-specific attacks are equally if not more likely than ransomware [with] Colonial Pipeline...fresh in our minds," the report said. "Application weakness [is] an easy backdoor for the installation of ransomware, especially given the high-impact nature of the ransomware in utilities," according to WhiteHat.

Customers wait in line to purchase fuel at the Duck-Thru in Scotland Neck, N.C., on Tuesday, May 11, 2021. The station was doing a brisk business on Tuesday as news of the cyberattack on the Colonial Pipeline spread fear of a gas shortage in rural No


At least 67% of utility sector software has at least one serious exploitable vulnerability, up from 55% at the beginning of the year, WhiteHat said.

"The effort and skill required to discover and exploit these vulnerabilities is fairly low, thus making it easier for the adversary," according to WhiteHat.

The top vulnerability categories include information leakage, transport layer protection – which handles communication over a network – and content spoofing, where hackers set up fake websites.

"An example of this might be a document-sharing application or a cloud server with the barest of controls in place," said Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, in a statement provided to FOX Business. 

While Window of Exposure (WoE) – a benchmark for organizations against their industry peers – for manufacturing has decreased over the past 12 months and the WoE for healthcare has been improving, the WoE for utilities has spiked.


The only sector more vulnerable than utilities is public administration, WhiteHat said.

The uptick in WoE is likely attributable to increased focus on security at utilities, which has resulted in more applications being tested, WhiteHat said.