Sector profile
Energy breaches cost $4.72M on average. The OT side is uninsured.
IBM's 2025 energy figure of $4.72M sits at rank #5, 6% above 2024. The headline excludes the operational-technology (OT) and SCADA side of the energy estate, where a single breach can produce nine-figure operational losses through pipeline shutdowns or grid disruption. Colonial Pipeline (2021) is the demonstration: $4.4M ransom paid plus $15M+ direct response, set against a 6-day pipeline shutdown that produced fuel-supply crises across the US East Coast.
Avg total cost: $4.72M (IBM CODB 2025, IT only)
Per record: $191 (mid-tier sector)
YoY change: +6% (climbing sharply)
OT cost: excluded (not in IBM methodology)
Section EN.1
The OT/IT convergence cost driver
Operational technology and information technology used to be physically separate networks at most energy companies, with air gaps and unidirectional gateways preventing direct connectivity. The economic pressure to instrument OT systems with cloud-based analytics, remote-monitoring access, and predictive-maintenance integration has compressed the air gaps materially over the past decade. The benefit is real (uptime improvements of 5 to 15%, maintenance-cost reduction of 10 to 25%). The cost is that ransomware that gets into the IT network can now reach OT systems through legitimate management interfaces.
Colonial Pipeline did not have ransomware on OT systems. Colonial shut down OT systems pre-emptively because the IT-side ransomware made it impossible to operate the billing system that tracked which customer's product was flowing through which line. The six-day shutdown was a precautionary measure driven by inability to invoice rather than direct OT compromise. The fact that an IT-side ransomware event could produce an OT shutdown decision was the watershed insight, and it has driven Department of Energy and TSA policy ever since.
The cost asymmetry is severe. An IT breach that exposes 100,000 employee records at an electric utility costs $134 to $200 per record under IBM's methodology, a total of $13M to $20M. An OT incident that requires a 24-hour grid-restoration sequence at the same utility can cost $50M to $300M in commercial losses (lost transmission revenue, regulatory disallowance, customer indemnification), plus indirect cost in regulator scrutiny and lost trust with public utility commissions. The OT cost does not show up in IBM data because it does not fit the personal-data breach methodology.
Section EN.2
NERC CIP and the TSA Pipeline Security Directives
NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) is the mandatory cybersecurity standard for the bulk-electric system. CIP-014 covers physical security, while CIP-002 through CIP-013 cover cybersecurity controls including identity management, system access, malicious-code prevention, security-event monitoring, and incident response. Penalties are imposed by FERC (the Federal Energy Regulatory Commission) on referral from NERC and can reach $1.34M per violation per day under the 2024 inflation adjustment.
NERC publishes annual aggregate penalty data showing approximately 100-200 settled CIP violations per year with average penalty of $50K to $300K per settled enforcement action. The 2019 settlement with an unnamed Western utility for $10M (the largest single CIP settlement) involved 127 violations of 13 CIP standards over a multi-year period. The case established that CIP penalties accumulate aggressively when violations are systematic rather than isolated.
For the pipeline sector specifically, the TSA Pipeline Security Directives issued in May 2021 (and updated annually since) impose cybersecurity-incident reporting requirements, designated cyber-coordinator obligations, and contingency-planning requirements. TSA enforcement carries penalties up to $13,910 per violation per day under 2024 figures. The TSA framework was created in direct response to Colonial Pipeline and has produced a documented shift in pipeline-sector security investment, with major operators reporting cybersecurity budget increases of 30% to 75% between 2021 and 2025.
Section EN.3
Notable energy-sector breaches
Colonial Pipeline, 2021
DarkSide ransomware / Compromised VPN password, no MFA / 6-day shutdown
$15M+ direct
The breach that changed pipeline regulation. DarkSide ransomware affiliates entered Colonial's IT network through a leaked VPN password that lacked MFA, then encrypted billing and dispatch systems. Colonial paid a $4.4M ransom (of which the FBI subsequently recovered $2.3M through blockchain tracing) and shut down the pipeline for six days while restoring systems. The shutdown produced fuel shortages across the US East Coast, panic buying, and brief disruption to airline operations at multiple major airports. Direct response cost exceeded $15M; the broader sector-wide consequence was TSA's decision to issue the first cybersecurity Pipeline Security Directives within weeks.
Primary source: DOJ press release 7 June 2021; Colonial Pipeline statements May-July 2021; House Energy and Commerce Committee testimony June 2021.
Norsk Hydro, 2019
LockerGoga ransomware / IT/OT convergence / Manual operations for weeks
$71M
Norsk Hydro, one of the world's largest aluminium producers, was hit by LockerGoga ransomware in March 2019. The company refused to pay and instead ran smelter operations in manual mode for weeks while rebuilding systems. The Q1 2019 earnings disclosure put direct breach cost at NOK 550-650M (approximately $63-75M USD), making it one of the most transparently disclosed cyber-incident-cost figures in industrial history. The decision to disclose openly was widely praised and helped establish a public template for industrial-cyber transparency that did not exist before.
Primary source: Norsk Hydro Q1 2019 earnings release 30 April 2019; subsequent quarterly disclosures.
Ukraine Power Grid, 2015 + 2016
Sandworm / GRU / BlackEnergy + Industroyer / Direct ICS compromise
Tactical case study
The first publicly documented cyberattack to take down a power grid. Russian GRU-affiliated Sandworm operators used BlackEnergy malware to compromise three Ukrainian regional electricity companies in December 2015, manually triggering circuit-breaker opening that left 230,000 customers without power for up to six hours. The December 2016 follow-up used Industroyer malware to automate the attack at scale at Kyiv's Ukrenergo substation. Direct cost to the Ukrainian operators was modest; the case study value for global electric utilities, regulators, and CISA threat intelligence has been immense. Industroyer/CRASHOVERRIDE remains the primary case study in NERC CIP training for OT-targeted attacks.
Primary source: SANS ICS report on Ukraine attacks; ESET Industroyer analysis.
Section EN.4
Cyber insurance and the OT exclusion problem
Energy-sector cyber-insurance policies frequently exclude OT-related losses, either through explicit OT exclusions or through "property damage" exclusions that interact unhelpfully with OT incidents that produce physical effects. The 2017 NotPetya attack against Merck produced a landmark insurance dispute when Merck's property insurers invoked the "hostile or warlike action" exclusion to deny a $1.4B claim. The New Jersey Superior Court ruled in 2022 that the exclusion did not apply because the attribution to a sovereign was sufficiently uncertain. The case is still being litigated on appeal as of 2026, but the policy implications have rippled across the energy sector with most operators now demanding affirmative cyber-perils coverage including the OT side.
For utilities and pipelines that successfully obtain OT-inclusive cyber coverage, premium has risen 25% to 75% annually since 2021. The combination of premium increases, deductible increases (commonly to $5M-$25M for mid-size utilities), and OT-specific underwriting questionnaires has materially raised the total cost of cyber readiness even for organisations that have not experienced a breach.
Cross-references
Cost / Forensics → OT-capable IR vendor rates and engagement scope.
Regulation / SEC Item 1.05 → Public-company disclosure for material cyber incidents.
Cost / Per record → $191 for energy vs $408 healthcare, full sector table.
Industry / Technology → Supply-chain blast radius (SolarWinds, MOVEit) overlap with utility ICS.
Index / All industries → All 10 IBM sectors ranked.
Schedule F / Reference Q&A → Frequently asked questions.
Primary source: Energy sector cost figures from IBM Cost of a Data Breach Report 2025 (IT scope). NERC CIP enforcement data from NERC annual reports. TSA Pipeline Security Directive data from TSA publications. Notable breach data from Norsk Hydro Q1 2019 earnings, DOJ Colonial Pipeline filings, and SANS ICS reports on Ukraine attacks.