
As cyber threats against American critical infrastructure escalate, new research from security firm SixMap reveals alarming gaps in the cybersecurity defenses of the U.S. energy sector. A study of 21 energy organizations uncovered nearly 60,000 internet-exposed services, including thousands running on overlooked non-standard ports that evade traditional security scans. Among these exposures, 5,756 contain known vulnerabilities, 377 of which are actively exploited in the wild, highlighting systemic risks across the industry.
The SixMap findings underscore a dangerous blind spot in how energy companies manage their external attack surfaces and point to a critical need for broader visibility beyond the top 5,000 common ports typically monitored. The U.S. energy sector remains a prime target for nation-state hackers and financially driven cybercriminals. As threats grow more aggressive and persistent, energy companies must remain vigilant, closely monitoring their digital exposure to prevent exploitation by malicious actors.
In its report titled ‘Energy Sector Exposure Assessment,’ SixMap identified that IPv6 usage is becoming commonplace. Each of the 21 organizations evaluated for this project had numerous IPv6 hosts exposed to the public Internet.
“This may be a surprising finding to some. At SixMap, we often speak with security leaders who are adamant they do not have any IPv6 assets,” it added. “However, after running our discovery procedure, which finds all hosts across IPv4 and IPv6, we regularly find IPv6 assets for almost every large organization we evaluate. Most security leaders are not aware of these assets because their current toolset cannot discover or assess hosts in the IPv6 space.”
Throughout this project, SixMap found 39,986 IP addresses in total, or approximately 1,900 IP addresses per organization. A total of 2,253 IP addresses were in the IPv6 space. That means, in aggregate, about 6% of IP addresses were running on IPv6 across all 21 enterprises. This averages out to roughly 107 IPv6 assets per organization, though there is wide variance.
On average, each organization has about 9% of their IP addresses in the IPv6 space. Seven organizations have at least 14% of their hosts on IPv6 and one has more than 30% on IPv6. As traditional exposure management tools cannot discover IPv6 hosts, and therefore do not monitor or assess them for vulnerabilities, this may be an area of significant risk.
Per organization, the share of IPv6 hosts ranged from 0.3% all the way up to 31%. On average, each organization had 9% of its hosts in the IPv6 space, a surprisingly high share and an area of potential risk as these assets are not tracked by traditional exposure management tools.
Additionally, SixMap revealed that a sizable share of services are exposed on non-standard ports. Approximately 7% of services were running on ports that fall outside of the top 5,000 most commonly used ports.
“This is a significant percentage of exposures, as traditional exposure management and attack surface management products typically inspect only the top 1,000 to top 5,000 ports,” the report noted. “That means roughly 7% of services are not identified or assessed by legacy tools, leaving blind spots and potential risks open to attack.”
SixMap also observed significant variation in vulnerability exposure across the energy organizations studied. One organization reported zero external vulnerabilities, a rare and commendable outcome, while three others had fewer than five, and seven had fewer than 50.
At the opposite end, one outlier stood out with an alarming 2,875 vulnerabilities. Many stemmed from an outdated version of the Apache web server, linked to 45 known CVEs. This legacy service was running on multiple ports across numerous hosts, strongly suggesting the presence of shadow IT, assets likely unknown to the security team.
Notably, 405 vulnerabilities, about 7% of all CVEs detected, were found on services operating over non-standard ports. These often fall outside the scope of traditional security tools that scan only the top 5,000 ports, leaving high-risk services effectively hidden, even on hosts that are otherwise being monitored.
SixMap found 43 unique CVEs that were present in the external attack surfaces of at least 10 of the 21 (45%) energy sector organizations evaluated. This suggests potential systemic risk to the industry. If a single vulnerability could be exploited across more than half of the industry’s largest enterprises at once, it could be an industry-disrupting event.
“Research consistently shows that only a small percentage, typically 4% to 6%, of known CVEs are ever exploited in the wild. We can use rough numbers to make the point,” the report highlighted. “The NIST National Vulnerability Database has more than 200,000 CVEs documented, while the CISA Known Exploited Vulnerabilities catalog has just 1,379 CVE entries. The takeaway is that any CVE known to be exploited in the wild is a major risk and should be prioritized for immediate remediation.”
It added that CVEs with known exploitation activity should never be present in the external attack surface. “A small but significant portion of the CVEs uncovered by SixMap’s research are known to be exploited by specific threat groups. While these groups have various motivations, origins, and tactics, any exploitation activity is a serious threat.”
In conclusion, cybersecurity teams at major U.S. energy enterprises face significant challenges in defending vast attack surfaces, spanning thousands of hosts and assets, against increasingly sophisticated and persistent threat actors.
“Every single exposure is a potential initial attack vector for the threat groups who seek to breach the network. The 21 large energy industry organizations evaluated for this research project have massive digital estates that are invariably difficult to fully monitor, manage, and protect,” according to SixMap. “It’s important to highlight that security teams are not at fault for any unmanaged exposures or vulnerabilities. In many cases, the limitations of traditional security tools are responsible. For example, legacy external attack surface management tools are designed to find unknown hosts but often fail to discover all of the shadow IT assets.”
Additionally, vulnerability management products are built to assess hosts and detect vulnerabilities, but often scan only the top 1,000 or top 5,000 ports, leaving plenty of room for vulnerable services to exist in the shadows of non-standard ports.
“SixMap brings several new innovations to the market that overcome the limitations of legacy security tooling,” the report added. “SixMap’s computational mapping technology enables precise asset discovery across both the IPv4 and IPv6 address spaces, plus port inspection of all 65,535 ports for each asset. These capabilities result in more accurate and complete data on external assets, exposures, and vulnerabilities, so security teams can mitigate risks before an attack occurs.”

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.