Cybersecurity in Texas Oil and Gas Operations

Texas oil and gas operations represent one of the most concentrated targets for cyber threats in North American critical infrastructure, combining high-value operational technology (OT), geographically dispersed assets, and complex vendor ecosystems. This page describes the cybersecurity service landscape, regulatory obligations, and sector-specific risk structures that apply to upstream, midstream, and downstream petroleum operations in Texas. Coverage extends to the intersection of federal pipeline security directives, state-level frameworks, and industry standards governing industrial control systems (ICS) and SCADA environments. For the broader statutory and regulatory architecture governing cybersecurity in Texas, see the Regulatory Context for Texas Cybersecurity.


Definition and scope

Cybersecurity in Texas oil and gas operations refers to the set of technical controls, governance frameworks, and regulatory obligations that protect information technology (IT), operational technology (OT), and industrial control systems (ICS) used in petroleum extraction, processing, transmission, and distribution. The sector spans upstream operations (drilling, wellhead management), midstream (pipeline transport, compression stations, storage terminals), and downstream (refining, petrochemical processing, retail distribution).

The Texas Cybersecurity for Energy Sector reference covers the broader energy grid; this page is specific to oil and gas subsectors. Entities covered include operators of interstate and intrastate pipelines, offshore platform operators with onshore Texas control centers, refineries, liquefied natural gas (LNG) export terminals, and gathering and processing facilities. Private equity-owned exploration companies operating exclusively within Texas that do not own pipeline infrastructure occupy a different regulatory position than federally regulated pipeline operators.

Scope limitations: This page does not address electric power generation cybersecurity under NERC CIP, which applies to bulk electric system operators including some dual-use oil and gas facilities. Federally regulated pipelines — those crossing state lines — fall under Transportation Security Administration (TSA) Pipeline Security Directives rather than state DIR authority. Offshore deepwater operations under Bureau of Safety and Environmental Enforcement (BSEE) jurisdiction are similarly outside the Texas state regulatory perimeter, though onshore control systems supporting those operations may be subject to Texas-nexus requirements.


How it works

The cybersecurity framework for Texas oil and gas operations is structured across three distinct regulatory layers, each with different enforcement mechanisms.

1. Federal pipeline security directives (TSA)
The TSA issued Pipeline Security Directive 02D in 2022, requiring critical pipeline owners and operators to implement OT-specific cybersecurity measures including network segmentation between IT and OT environments, access control, and continuous monitoring. Operators must designate a Cybersecurity Coordinator available 24 hours a day, 7 days a week, and report cybersecurity incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 12 hours of identification. The TSA directives apply to TSA-designated critical pipeline facilities, which include the 100 highest-risk natural gas and hazardous liquid pipeline systems nationally — a category that includes major Texas operators.

2. NIST Cybersecurity Framework (CSF) and ICS-CERT guidance
Most Texas-headquartered oil and gas operators align voluntary security programs to the NIST Cybersecurity Framework and NIST SP 800-82 (Guide to Industrial Control Systems Security). NIST SP 800-82 distinguishes between ICS environments — which prioritize availability and physical safety — and traditional IT environments that prioritize confidentiality. This contrast is operationally significant: a patch management schedule acceptable in an enterprise IT environment may be infeasible for a SCADA system controlling pipeline pressure valves where downtime carries physical risk.

3. Texas state-level requirements
The Texas Department of Information Resources (DIR) exercises direct cybersecurity authority over state agencies and institutions of higher education. Private oil and gas operators are not subject to DIR mandates unless they hold state contracts or participate in DIR shared services. However, operators that experience data breaches involving sensitive personal information of Texas residents are subject to notification obligations under Texas Business & Commerce Code §521.053, enforced by the Texas Attorney General's Office.

The process for managing incidents specific to Texas energy infrastructure typically follows four phases:

  1. Detection and classification — Distinguishing IT events from OT anomalies using asset inventories aligned to ISA/IEC 62443 standards
  2. Containment — Isolating affected OT segments without interrupting physical operations, per TSA-mandated network segmentation
  3. Reporting — Notifying CISA within 12 hours (TSA requirement) and, where personal data is involved, the Texas Attorney General under §521.053
  4. Recovery and review — Restoring operations per documented business continuity plans and conducting post-incident root cause analysis

For a sector-specific treatment of incident response procedures, see Texas Cybersecurity Incident Response.


Common scenarios

IT/OT convergence incidents
The integration of enterprise resource planning (ERP) systems with SCADA platforms creates lateral movement pathways. Ransomware that originates in corporate IT networks — targeting billing, payroll, or supply chain management systems — can traverse insufficiently segmented networks to reach pipeline control systems. The 2021 Colonial Pipeline incident, which caused fuel supply disruptions across the southeastern United States, originated in an IT environment and prompted TSA to issue its first mandatory pipeline cybersecurity directives.
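The segmentation gap described above can be checked from the defender's side by reviewing firewall allow-rules against a zone plan. The following is an added example, not part of the original page: the zone CIDRs, the four-field rule format, and the rule lines are all constructed for illustration. It flags any allow rule that lets a source outside the DMZ or OT zone reach the OT zone directly.

```python
import ipaddress

# Constructed zone plan (assumption): one CIDR per zone.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # corporate: ERP, billing, payroll
    "DMZ": ipaddress.ip_network("10.50.0.0/24"),  # brokered IT/OT exchange hosts
    "OT": ipaddress.ip_network("10.60.0.0/16"),   # SCADA, PLCs, RTUs, historians
}

# Constructed rule export (hypothetical format): action src dst port
RULES = """\
allow 10.10.0.0/16 10.50.0.10/32 443
allow 10.50.0.10/32 10.60.1.0/24 44818
allow 10.10.20.0/24 10.60.1.5/32 502
allow 0.0.0.0/0 10.60.2.0/24 3389
deny 0.0.0.0/0 0.0.0.0/0 any
"""

def zones_for(cidr):
    """Zones a CIDR overlaps, plus UNZONED if it extends beyond every zone."""
    net = ipaddress.ip_network(cidr)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("UNZONED")
    return hit

def audit(rules_text):
    """Return (line number, offending source zones, port) for each allow rule
    that lets anything other than the DMZ or OT itself reach the OT zone.
    Rule order is ignored, so a shadowed rule is still reported for review."""
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[0] != "allow":
            continue
        _, src, dst, port = fields
        offending = zones_for(src) - {"DMZ", "OT"}
        if "OT" in zones_for(dst) and offending:
            findings.append((lineno, sorted(offending), port))
    return findings

if __name__ == "__main__":
    for lineno, zones, port in audit(RULES):
        print(f"rule {lineno}: {'/'.join(zones)} -> OT allowed on port {port}")
```

Against the constructed rules, the direct IT-to-OT Modbus rule and the any-source RDP rule are reported, while the IT-to-DMZ and DMZ-to-OT conduits pass.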

Third-party and supply chain compromise
Texas oil and gas operations rely on an extended vendor ecosystem: drilling contractors, measurement-as-a-service providers, remote monitoring vendors, and field service technicians who connect directly to OT networks. A compromise at a vendor with remote access credentials can provide a threat actor direct entry to control systems without breaching the operator's perimeter defenses. This attack surface is addressed by Texas Supply Chain Cybersecurity considerations specific to the energy sector.

Phishing targeting field operations staff
Spear-phishing campaigns directed at operations and engineering staff — rather than corporate personnel — exploit the lower cybersecurity training density in field roles. CISA has documented oil and gas sector phishing campaigns that specifically target employees with OT system access credentials. Texas-specific threat intelligence patterns are described under Texas Phishing and Social Engineering Threats.

Ransomware targeting midstream operators
Midstream pipeline operators face ransomware exposure both from encrypted operational data (flow measurement, scheduling systems) and from extortion threats targeting commercially sensitive throughput data. Texas Ransomware Threats and Response documents the incident reporting obligations that apply when ransomware constitutes a reportable breach.


Decision boundaries

Operators must navigate overlapping and sometimes contradictory frameworks when scoping their cybersecurity programs. Three primary decision boundaries govern how obligations are assigned:

Interstate vs. intrastate pipeline jurisdiction
Interstate pipelines fall under TSA and federal jurisdiction. Intrastate pipelines — those operating entirely within Texas — are subject to Texas Railroad Commission (RRC) oversight for safety but face no state cybersecurity mandate comparable to TSA directives. This creates a regulatory gap where smaller intrastate operators may lack mandatory cybersecurity requirements unless they voluntarily adopt NIST CSF or API Standard 1164 (Pipeline Control Systems Cybersecurity).

Critical vs. non-critical designation
TSA's critical pipeline designation determines whether SD-02D's mandatory requirements apply. Operators not designated as critical are encouraged but not required to implement equivalent controls under TSA's voluntary Pipeline Security Guidelines. Operators should conduct an honest assessment of whether their asset profile would meet TSA's criticality thresholds, which are based on throughput volume, population density served, and hazardous liquid classification.

OT vs. IT asset classification
Assets connected to physical processes (PLCs, RTUs, DCS, SCADA historians) require a distinct security posture from enterprise IT assets. ISA/IEC 62443, the international standard for industrial automation and control system security, provides the primary classification framework — distinguishing Security Levels (SL 1 through SL 4) that map to threat capability and consequence severity. An operator applying enterprise IT patch cadences to ICS environments without accounting for availability requirements violates the foundational design principle of ICS security.

Operators seeking to benchmark their programs against peer practices should reference Texas Cybersecurity Frameworks and Standards and the full site index at /index for reference materials across the Texas cybersecurity landscape.

For coverage of critical infrastructure protection obligations beyond the oil and gas sector, Texas Critical Infrastructure Protection provides the broader regulatory and operational context.

