Protecting Texas Critical Infrastructure from Cyber Threats

Texas operates one of the most complex critical infrastructure ecosystems in the United States, spanning energy production, water systems, transportation networks, financial institutions, and healthcare delivery. Cybersecurity threats to these sectors carry consequences that extend beyond data loss — operational disruptions can cascade across state and national supply chains. This page maps the regulatory architecture, sector classifications, structural mechanics, and operational frameworks governing critical infrastructure protection (CIP) in Texas.


Definition and scope

Critical infrastructure protection in the Texas cybersecurity context refers to the set of policies, regulatory obligations, operational controls, and interagency coordination mechanisms designed to prevent, detect, and respond to cyber threats targeting systems whose disruption would have severe effects on public health, safety, economic security, or national defense. The foundational federal definition originates in Presidential Policy Directive 21 (PPD-21), which designates 16 critical infrastructure sectors and assigns sector-specific lead agencies.

Texas's position in the national infrastructure landscape is structurally significant. The Electric Reliability Council of Texas (ERCOT) operates the largest single-state electrical grid in the country, serving approximately 90 percent of the state's electric load (ERCOT). Texas also accounts for a substantial share of U.S. petroleum refining capacity, hosts the Port of Houston — one of the largest ports by total tonnage in the nation — and operates an independent water infrastructure network that includes more than 7,000 public water systems (Texas Commission on Environmental Quality).

The scope of CIP cybersecurity in Texas encompasses both state-regulated entities and federally regulated entities operating within Texas borders. Coverage differs sharply between these two categories: state agencies and institutions of higher education fall under the jurisdiction of the Texas Department of Information Resources (DIR), while privately owned infrastructure in sectors such as energy, telecommunications, and finance falls primarily under federal regulatory authority. For the full regulatory architecture governing this split, see Regulatory Context for Texas Cybersecurity.

Scope boundary: This page addresses cyber threat frameworks applicable within Texas's geographic and statutory jurisdiction. It does not cover federal enforcement actions under statutes such as the Computer Fraud and Abuse Act (18 U.S.C. § 1030), tribal entity obligations, or cybersecurity requirements imposed by the European Union's NIS2 Directive on Texas-based entities with EU operations. Situations involving multi-state data flows or federally chartered institutions operating in Texas may trigger requirements that fall outside DIR's direct authority.


Core mechanics or structure

Critical infrastructure protection operates through a layered structure combining federal frameworks, state-level mandates, sector-specific regulations, and voluntary coordination mechanisms.

Federal framework layer: The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, provides the baseline organizational structure: Identify, Protect, Detect, Respond, and Recover. CSF 2.0, released in 2024, adds a "Govern" function to address organizational risk management structures. Texas DIR's security control standards for state agencies are derived from NIST SP 800-53, Rev. 5, which catalogs more than 1,000 individual security and privacy controls organized into 20 control families.

State regulatory layer: Texas Government Code, Chapter 2054, Subchapter N-1 — enacted by HB 3834 during the 86th Legislature in 2019 — mandates cybersecurity training for all state agency employees who use a computer and requires incident reporting to DIR. The Texas Cybersecurity Framework, maintained by DIR, translates federal standards into state-specific implementation guidance for covered entities.

Sector-specific regulatory layer: Energy infrastructure in Texas is subject to North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, specifically the CIP-002 through CIP-014 series, enforced by the Federal Energy Regulatory Commission (FERC). Healthcare entities are regulated under HIPAA Security Rule requirements enforced by the U.S. Department of Health and Human Services Office for Civil Rights. Financial institutions face oversight from the Federal Financial Institutions Examination Council (FFIEC) and — for Texas state-chartered institutions — the Texas Department of Banking.

Interagency coordination layer: The Texas Division of Emergency Management (TDEM) coordinates with federal partners including the Cybersecurity and Infrastructure Security Agency (CISA) under the DHS umbrella. CISA's 16-sector structure maps directly onto its Infrastructure Resilience Planning Framework, which Texas local governments and critical infrastructure operators can use for jurisdiction-level planning.


Causal relationships or drivers

The threat environment affecting Texas critical infrastructure is shaped by a convergence of structural, geopolitical, and technological factors.

Grid isolation as both asset and vulnerability: ERCOT's electrical independence from the Eastern and Western Interconnections — which enables Texas to avoid federal FERC jurisdiction over most wholesale electricity transactions — also limits redundancy pathways during a grid disruption. The February 2021 winter storm event, while meteorological rather than cyber in origin, exposed cascading failure dynamics that cybersecurity planners now model as analogous scenarios for cyberattack impact.

Industrial control system (ICS) and operational technology (OT) exposure: Texas energy, water, and pipeline operators rely extensively on supervisory control and data acquisition (SCADA) systems and other OT environments. These systems were historically designed for isolation but are increasingly networked for remote monitoring and efficiency. The CISA ICS-CERT advisories document persistent targeting of OT systems by nation-state actors, with the energy sector receiving the highest volume of documented intrusion attempts among all 16 sectors.

Ransomware targeting public sector entities: Texas experienced a coordinated ransomware attack in August 2019 that simultaneously struck 22 local government entities — the Texas DIR confirmed the incident as a supply chain compromise originating through a single managed service provider. This event accelerated Texas legislative action on incident reporting and coordinated response. The Texas Ransomware Threats and Response page covers the threat taxonomy in detail.

Supply chain attack vectors: Critical infrastructure operators increasingly source software, hardware, and managed services from third-party vendors. A compromise at any supply chain node can propagate laterally into protected systems. Texas supply chain cybersecurity obligations for state-contracted vendors are governed by DIR procurement security requirements under Chapter 2054.


Classification boundaries

Texas critical infrastructure sectors map to both federal PPD-21 designations and state-specific regulatory categories. The distinctions carry direct implications for which regulatory body holds primary jurisdiction.

Federally primary sectors (operating in Texas):
- Energy: Regulated under NERC CIP standards (electric), TSA Security Directives (pipelines, post-2021), and EPA cybersecurity guidance (water systems receiving federal funding).
- Financial services: FFIEC, OCC, FDIC, and CFPB maintain primary authority over national banks, federal credit unions, and large payment processors.
- Healthcare and public health: HHS OCR enforces HIPAA Security Rule; the Texas Health and Human Services Commission (HHSC) enforces state-level protections for Medicaid data. Details on healthcare-specific requirements appear at Texas Cybersecurity for Healthcare Organizations.
- Communications: Federal Communications Commission (FCC) holds primary jurisdiction over telecommunications infrastructure.

State-primary sectors:
- State agency IT systems: DIR holds direct regulatory authority under Chapter 2054.
- Local government entities: Texas Government Code defines specific CIP obligations for qualifying local governments; see Texas Cybersecurity for Local Governments.
- Public school districts: SB 820 (87th Legislature, 2021) established cybersecurity reporting and training requirements; see Texas Cybersecurity for School Districts.
- State institutions of higher education: Subject to DIR framework requirements; covered under Chapter 2054 obligations.

Private sector entities: Texas DIR's direct regulatory authority does not extend to private companies unless they contract with state government. Private critical infrastructure operators in Texas (refineries, private hospitals, privately owned water utilities) are primarily regulated by federal sector-specific agencies and applicable Texas civil statutes, including Texas Business & Commerce Code, Chapter 521 (breach notification), discussed at Texas Data Breach Notification Requirements.


Tradeoffs and tensions

Jurisdictional fragmentation vs. coordinated response: The split between federal and state authority creates response coordination challenges. During the 2019 coordinated ransomware attack, affected municipalities had to navigate both DIR coordination channels and CISA federal assistance simultaneously, with different reporting timelines and documentation requirements applying to each. The Texas Cybersecurity Incident Response framework attempts to rationalize these pathways but cannot eliminate the underlying jurisdictional structure.

ERCOT grid independence vs. federal CIP enforcement: Because ERCOT is not a public utility under FERC jurisdiction for most purposes, the applicability of NERC CIP standards to ERCOT-connected entities has required specific legislative and regulatory clarification. The Texas Legislature, through SB 3 (87th Legislature, 2021), imposed new grid reliability requirements, but the cybersecurity-specific provisions operate through a different regulatory pathway than NERC CIP, creating parallel compliance obligations for some operators.

Operational continuity vs. security controls: Industrial control system environments present a documented tension between patching and availability. NERC CIP-007 requires patch management for covered electronic security perimeters, but energy operators must balance patch cycles against reliability obligations — unplanned outages during patching can themselves trigger NERC reliability violations.

Transparency vs. threat intelligence protection: Texas Government Code §552.139 exempts from public disclosure any information that would reveal a vulnerability in critical infrastructure systems. This exemption, while operationally justified, limits public accountability review of infrastructure security investments and incident timelines. The tension between government transparency under the Texas Public Information Act and critical infrastructure protection is a recurring legislative and legal issue.

Small operators and compliance cost burdens: The more than 7,000 public water systems in Texas include rural water districts serving fewer than 500 connections. These entities face the same baseline EPA and CISA cybersecurity guidance as metropolitan utilities but operate with significantly fewer IT resources. The Texas Cybersecurity Grants and Funding page addresses available state and federal assistance mechanisms.


Common misconceptions

Misconception: ERCOT's grid isolation makes Texas energy infrastructure more secure from cyberattack.
Correction: Isolation from interstate interconnections reduces certain pathways for electrical fault propagation but does not reduce the attack surface for cyber intrusion. SCADA systems, energy management platforms, and remote access infrastructure present the same cyber exposure whether or not the grid connects to neighboring states. NERC CIP standards apply to ERCOT-connected entities that meet threshold criteria regardless of interstate connectivity.

Misconception: DIR regulates all cybersecurity in Texas.
Correction: DIR's statutory authority under Chapter 2054 covers state agencies, institutions of higher education, and certain local government entities. Private companies, federally chartered banks, telecommunications carriers, and federally regulated utilities operating in Texas are not subject to DIR enforcement. The broader Texas cybersecurity landscape is introduced at the Texas Security Authority home page.

Misconception: A data breach notification under Texas B&C Code §521.053 satisfies all applicable reporting obligations.
Correction: Texas breach notification is one layer in a multi-layered reporting structure. A healthcare entity experiencing the same breach must also comply with HIPAA Breach Notification Rule requirements (45 CFR §§ 164.400–414), which impose a 60-day notification window to HHS and, for breaches affecting 500 or more individuals in a state, immediate media notification. NERC CIP-008 requires separate incident reporting for electric sector events. State agency employees must report incidents to DIR under Chapter 2054. These obligations operate independently and do not substitute for one another.

Misconception: Voluntary CISA advisories have no compliance weight.
Correction: CISA Binding Operational Directives (BODs) and Emergency Directives are legally binding on federal civilian executive branch agencies. For Texas state agencies, DIR may incorporate CISA guidance into mandatory security control standards. For private critical infrastructure operators, CISA guidance is advisory but may inform standard-of-care determinations in civil litigation following a breach.

Misconception: Critical infrastructure cybersecurity is solely a technical function.
Correction: Regulatory frameworks including NIST CSF 2.0 and NERC CIP explicitly address governance, policy, workforce, and third-party risk as components of a complete CIP program. The "Govern" function in CSF 2.0 and the supply chain risk management controls in NIST SP 800-53 Rev. 5 (SA-12, SR control family) treat organizational structure and procurement practices as integral security elements.


Checklist or steps (non-advisory)

The following sequence reflects the standard phases documented across NIST CSF, NERC CIP, and DIR framework publications for critical infrastructure cybersecurity program implementation. This is a descriptive enumeration of recognized phases, not professional advice.

Phase 1 — Asset and system inventory
- Catalog all operational technology (OT), industrial control systems (ICS), and IT assets connected to or supporting critical systems
- Classify assets by function, criticality tier, and regulatory category (e.g., NERC BES Cyber System, HIPAA electronic protected health information, DIR-covered system)
- Document network architecture diagrams, including electronic security perimeters and communication pathways

Phase 2 — Regulatory obligation mapping
- Identify applicable federal frameworks (NERC CIP series, HIPAA Security Rule, FFIEC CAT, TSA Security Directives)
- Identify applicable Texas statutes (Chapter 2054, B&C Code Chapter 521)
- Confirm which CISA sector-specific agency guidance applies to the entity's primary sector designation

Phase 3 — Risk assessment
- Conduct vulnerability assessments aligned to NIST SP 800-30 or equivalent methodology
- Assess supply chain risk per NIST SP 800-161 Rev. 1 for third-party vendors
- Document threat scenarios including ransomware, nation-state intrusion, and insider threat vectors relevant to the specific sector

Phase 4 — Control implementation
- Implement controls mapped to NIST SP 800-53 Rev. 5 control families or NERC CIP standards as applicable
- Apply Texas DIR security control standards for state-covered entities
- Address access management, patch management, incident detection, and physical security of cyber assets

Phase 5 — Incident response planning
- Develop and document an Incident Response Plan aligned to NIST SP 800-61 Rev. 2
- Map reporting obligations: DIR (Chapter 2054 agencies), CISA (voluntary/mandatory depending on sector), HHS OCR (HIPAA), NERC (CIP-008), Texas OAG (B&C §521.053)
- Establish coordination contacts with Texas Division of Emergency Management and relevant CISA Regional staff

Phase 6 — Testing and exercises
- Conduct tabletop exercises incorporating cross-sector and supply chain disruption scenarios
- Perform technical penetration testing against OT/IT boundaries
- Review and update plans following each exercise cycle

Phase 7 — Ongoing monitoring and reporting
- Implement continuous monitoring per NIST SP 800-137 or equivalent
- File required periodic reports (NERC CIP-008 incident reports, DIR annual assessments)
- Track legislative and regulatory changes through DIR, CISA, and applicable sector-specific agency publications


Reference table or matrix

Texas Critical Infrastructure Sectors: Regulatory Authority and Primary Framework

| Sector | Primary Texas Regulator | Primary Federal Regulator | Core Framework/Standard | Incident Reporting Destination |
|---|---|---|---|---|
| Electric grid (ERCOT-connected) | Public Utility Commission of Texas (PUCT) | FERC / NERC | NERC CIP-002 through CIP-014 | NERC E-ISAC; CISA |
| Pipeline (natural gas / hazardous liquids) | Texas Railroad Commission (RRC) | TSA (cybersecurity directives) | TSA Security Directive Pipeline-2021 series | TSA; |