
A Comprehensive Security Risk Management Strategy for Oil and Gas in 2026

May 12, 2026 · 7 min read · By RiskWatch

Why oil and gas security needs a dedicated strategy

The oil and gas industry has always been a high-value target for security incidents, and the threat surface has expanded materially since the Colonial Pipeline ransomware attack in May 2021 and the subsequent TSA pipeline-security directives. The asset base is geographically dispersed, capital-intensive, frequently remote, and increasingly dependent on operational-technology systems that were designed for reliability rather than security. Regulators have responded with prescriptive obligations (TSA Security Directives Pipeline-2021-01, 02A, and the 2022 cybersecurity directives; NERC CIP for the electric-grid-adjacent components; CISA voluntary guidance for the broader sector) and with elevated enforcement attention. The result is that an industry that historically managed security as a subset of physical safety and environmental compliance now has to manage it as a first-class program.

This post walks the threat surface, the asset categories most exposed, and the security risk management process that has become the default for upstream, midstream, and downstream operators.

The 2026 threat landscape

Four threat-actor categories warrant explicit treatment in the assessment process.

State-sponsored advanced-persistent-threat actors targeting energy infrastructure have been documented by CISA, NSA, and FBI joint advisories. The activity ranges from reconnaissance against operational-technology networks to credentialed access to control systems. The Industroyer2 incident in Ukraine, the Colonial Pipeline attack, and the 2024 Volt Typhoon advisories have made clear that the threat is operational, not theoretical.

Ransomware operators have shifted attention to industrial-control-system targets because the operational impact of an outage drives faster ransom payment than data-exfiltration leverage. Pipeline operators, refineries, and midstream gas processors are all in the active target set per the FBI's Internet Crime Complaint Center reporting.

Hacktivist activity tied to energy-sector political controversies (pipeline construction, drilling permits, climate policy) has produced both physical attacks on pipelines and cyber-intrusion attempts.

Insider threats remain a substantial share of the actual incident base, with disgruntled-employee and contractor-error events generating losses comparable to external attacks in any given year. The asset criticality and the geographic dispersion both increase insider exposure.

Asset categories and the controls that protect them

The asset map for an oil and gas operator has six categories that each require distinct controls.

Pipelines and pumping stations are the most distributed asset. They are often above ground in isolated areas, accessible to physical sabotage, and increasingly remote-monitored via cellular or satellite links that introduce a cyber attack surface. Controls include perimeter detection (fence-mounted sensors, CCTV with analytics), aerial monitoring (manned or unmanned), tamper-detection on control valves, and OT-network segmentation that prevents lateral movement from the monitoring layer into the control layer.

Refineries are typically the most urban-proximate asset, with the highest concentration of catastrophic-incident potential. The controls inventory is heavy on physical access control (multi-tier perimeter, badge-controlled internal zones, vehicle inspection at the gate), process-safety-management overlap with security (PSM and security share a substantial control set in the chemical-handling areas), and OT-network segmentation between the business network and the distributed-control-system network. CISA's Industrial Control Systems advisories are the working reference for the latter.

Mass storage facilities have the inverse problem: catastrophic potential without the urban exposure. Controls are weighted toward 24-hour surveillance, intrusion detection on tank-farm perimeters, and access logging for entry points. The asset insurance side of the program drives a meaningful share of the control design here.

Reservoirs and producing wells in the upstream segment are individually low-value but cumulatively high-value. Most programs use a tiered control set: standard controls at all sites, enhanced controls at the high-criticality subset (high production rate, sour-gas service, environmental sensitivity, regulatory attention).

Offshore production facilities have the highest unit value and the highest unit cost of incident. International maritime regulations (ISPS Code), Coast Guard requirements (for U.S.-flagged or U.S.-water assets), and the relevant Bureau of Safety and Environmental Enforcement rules drive a prescriptive control set. The cyber-physical convergence is most acute here because the facility cannot rely on physical proximity for response.

SCADA and distributed-control systems are the technology layer that ties the asset categories together. Because most legacy systems were designed for reliability and uptime rather than security, they often lack basic capabilities (authentication on control commands, integrity checks on telemetry, audit logging) that the IT side has had for decades. The 2022 TSA pipeline cybersecurity directives, NIST SP 800-82 Rev. 3 (Guide to Operational Technology Security), and the IEC 62443 standard set are the relevant baselines.
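To make the first two of those missing capabilities concrete, here is an added illustration (not from any vendor, standard, or RiskWatch, and not a real SCADA protocol) of what authentication on control commands and integrity checks on telemetry look like at the message level: a per-device HMAC-SHA256 tag over every field of the message, plus a sequence number the receiver tracks so that a replayed message is refused. The device id, key, message fields, and payloads are constructed for the example.

```python
import hmac
import hashlib
import json

# Constructed per-device key for the demo; a real deployment provisions one
# key per device from a key-management system and never hard-codes it.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def _canonical(body):
    """Stable byte encoding so sender and receiver hash identical bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal(device_id, seq, payload, key=DEVICE_KEY):
    """Attach a monotonic sequence number and an HMAC-SHA256 tag covering the
    device id, the sequence number, and the payload (a telemetry reading or a
    control command). Hypothetical message format."""
    body = {"device": device_id, "seq": seq, "payload": payload}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


class Receiver:
    """Receiver-side checks: integrity and authenticity via the tag, replay via
    the highest sequence number already accepted from each device."""

    def __init__(self, key=DEVICE_KEY):
        self.key = key
        self.last_seq = {}

    def verify(self, msg):
        """Return (accepted, reason); the reason is what an audit log would record."""
        body = {k: v for k, v in msg.items() if k != "tag"}
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # Constant-time comparison, and the tag is checked before any field is trusted.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        device, seq = body["device"], body["seq"]
        if seq <= self.last_seq.get(device, -1):
            return False, "replay"
        self.last_seq[device] = seq
        return True, "ok"


def demo():
    """Constructed messages: genuine, modified in transit, replayed, and the next
    genuine one in sequence."""
    rx = Receiver()
    genuine = seal("PS-17-valve-3", 101, {"cmd": "set_position", "percent": 40})
    results = {"genuine": rx.verify(genuine)}
    # Same message with a changed payload field (corruption or tampering): tag no longer matches.
    modified = dict(genuine, payload={"cmd": "set_position", "percent": 100})
    results["modified"] = rx.verify(modified)
    # The original message delivered a second time: valid tag, stale sequence number.
    results["replayed"] = rx.verify(genuine)
    results["next"] = rx.verify(seal("PS-17-valve-3", 102, {"reading": "pressure_bar", "value": 61.2}))
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:>9}: {outcome}")
```

The third listed capability, audit logging, is the record of every `verify` outcome together with the device id and sequence number; in the example it is only returned, not persisted. The sequence counter must survive a receiver restart, otherwise the first message after a reboot could be a replay.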

The security risk management process

The structure that has converged across the sector is a five-step process that maps cleanly to ISO 31000 and to the Plan-Do-Check-Act cycle used in process-safety management. Operators familiar with PSM find the security program reads as a natural extension.

Step 1: scope and governance. Define the assets covered, the security committee that owns strategic decisions, and the working groups that own the operational execution. The committee typically pulls from the operating businesses, the corporate security function, the IT/OT security function, the legal and compliance team, and the HSE team. Working groups exist for threat assessment, vulnerability assessment, physical security operations, cybersecurity operations, and incident response. The structure is documented as the Security Master Plan and reviewed annually.

Step 2: threat, criticality, and vulnerability assessment. Threats are identified per asset category by reference to current threat intelligence (CISA advisories, ISAC feeds, internal incident history). Criticality is scored per asset using documented criteria (production rate, hazardous-material inventory, regulatory exposure, replacement cost, public-safety impact of an incident). Vulnerability is assessed by walking the relevant controls against each asset or asset class and scoring the gaps.

Step 3: risk scoring and prioritization. Combine the three inputs (threat, criticality, vulnerability) with a consequence factor to produce a risk score per asset. The semi-quantitative scoring method (see the risk scoring methodology post) gives a 1-to-50 score that maps to a five-band risk level. The output is the prioritized list of risks the next twelve to twenty-four months of mitigation spend has to address.

Step 4: mitigation design and implementation. For each risk, define the control mix (engineering, administrative, technical) that will close it. Calculate return on security investment by comparing the implementation cost against the residual-risk reduction. Sequence the implementation to address the highest-priority risks first while respecting operating constraints (turnarounds, drilling campaigns, regulatory deadlines). The Security Master Plan tracks the program at the portfolio level.

Step 5: monitor, exercise, and revise. Operate the controls. Exercise the response plans on a documented cadence. Reassess at least annually, and after every significant incident or operational change. Update the Security Master Plan accordingly.
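As an added worked example (not RiskWatch's published scoring method, whose exact weights the page does not give), the following Python sketch carries Steps 2 through 4 across a constructed three-asset portfolio: criticality from the documented criteria, vulnerability from the control-gap walk, a 1-to-50 score mapped to five bands, the prioritized list, and the return-on-security-investment comparison. The 1-to-5 scales, the combination formula, the band cut-offs, the consequence factor, the asset and control names, and the dollar figures are all assumptions made for the illustration.

```python
from dataclasses import dataclass, replace

# Criticality criteria named on the page; the 1-5 scale per criterion is assumed.
CRITICALITY_CRITERIA = ("production_rate", "hazmat_inventory", "regulatory_exposure",
                        "replacement_cost", "public_safety_impact")

# Assumed band cut-offs on the 1-50 score (the page states five bands, not their limits).
BANDS = ((10, "Low"), (20, "Moderate"), (30, "Elevated"), (40, "High"), (50, "Critical"))


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    threat: int                       # 1-5, from threat intelligence for the category
    criticality_scores: dict          # criterion -> 1-5 per the documented criteria
    required_controls: frozenset      # controls the asset class should have
    implemented_controls: frozenset   # controls actually in place
    consequence_factor: int = 1       # assumed: 1 = on-site only, 2 = off-site/public impact


def criticality(asset):
    """Per-asset criticality 1-5: mean of the criteria, rounded half-up in integer math."""
    vals = [asset.criticality_scores[c] for c in CRITICALITY_CRITERIA]
    return (sum(vals) + len(vals) // 2) // len(vals)


def vulnerability(asset):
    """Gap score 1-5: share of required controls that are missing, scaled to 1-5
    with an integer ceiling (avoids floating-point rounding surprises)."""
    total = len(asset.required_controls)
    missing = len(asset.required_controls - asset.implemented_controls)
    return max(1, (5 * missing + total - 1) // total)


def risk_score(asset):
    """Assumed combination: likelihood (1-5, ceiling of the threat/vulnerability
    mean) times impact (criticality x consequence factor, 1-10) gives 1-50."""
    likelihood = (asset.threat + vulnerability(asset) + 1) // 2
    impact = criticality(asset) * asset.consequence_factor
    return max(1, min(50, likelihood * impact))


def band(score):
    """Map a 1-50 score to the five-band risk level."""
    for limit, label in BANDS:
        if score <= limit:
            return label
    return "Critical"


def prioritize(assets):
    """Step 3 output: assets ranked by score, with the control gaps that drove it."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [{"name": a.name, "score": risk_score(a), "band": band(risk_score(a)),
             "gaps": sorted(a.required_controls - a.implemented_controls)} for a in ranked]


def return_on_security_investment(asset, controls_to_add, cost, loss_per_point):
    """Step 4: residual-risk reduction (in score points) valued at an assumed
    annualised loss per point, against implementation cost.
    Returns (score before, score after, ROSI as a fraction of cost)."""
    after = replace(asset, implemented_controls=asset.implemented_controls | controls_to_add)
    before_score, after_score = risk_score(asset), risk_score(after)
    benefit = (before_score - after_score) * loss_per_point
    return before_score, after_score, (benefit - cost) / cost


# Constructed sample portfolio: one asset from three of the page's categories.
SAMPLE_ASSETS = [
    Asset("REF-A", "refinery", threat=5,
          criticality_scores=dict(zip(CRITICALITY_CRITERIA, (5, 5, 5, 5, 5))),
          required_controls=frozenset({"perimeter_multitier", "badge_zones", "vehicle_inspection",
                                       "dcs_segmentation", "ics_advisory_patching"}),
          implemented_controls=frozenset({"perimeter_multitier", "badge_zones", "vehicle_inspection"}),
          consequence_factor=2),
    Asset("PS-17", "pumping_station", threat=4,
          criticality_scores=dict(zip(CRITICALITY_CRITERIA, (4, 3, 4, 2, 2))),
          required_controls=frozenset({"perimeter_detection", "cctv_analytics", "valve_tamper_detection",
                                       "ot_segmentation", "remote_link_encryption"}),
          implemented_controls=frozenset({"perimeter_detection", "cctv_analytics"})),
    Asset("WELL-203", "producing_well", threat=2,
          criticality_scores=dict(zip(CRITICALITY_CRITERIA, (1, 2, 1, 1, 2))),
          required_controls=frozenset({"fence", "signage", "wellhead_lock", "telemetry_auth"}),
          implemented_controls=frozenset({"fence", "signage"})),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_ASSETS):
        print(row)
    # Constructed figures: $90k to segment the OT network and add valve tamper detection at PS-17,
    # valued against an assumed $40k of annualised loss per score point avoided.
    print(return_on_security_investment(
        SAMPLE_ASSETS[1], frozenset({"ot_segmentation", "valve_tamper_detection"}),
        cost=90_000, loss_per_point=40_000))
```

With these assumptions the refinery scores 40 (High) because a single missing segmentation control multiplies against maximum criticality and off-site consequence, while the well pad with half its controls missing still lands at 3 (Low); the ranking, not the absolute number, is what drives the twelve-to-twenty-four-month spend list. Keeping the scales in integer arithmetic makes the scoring reproducible between assessors, which matters when the register is reviewed annually.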

Best practices that distinguish mature programs

Several practices distinguish the mature operator programs from the developing ones. They are visible in the documentation and in the incident-response posture.

Integration with enterprise risk management rather than standalone security. The output of the security program feeds the enterprise risk register, so the board sees security risks alongside market, credit, operational, and environmental risks.

Cross-functional coordination, particularly between corporate security, IT/OT security, HSE, and legal. The most operationally consequential incidents pull from all four functions, and programs that have rehearsed the coordination respond faster.

Active threat-intelligence consumption. Sector-specific ISACs (the Energy Information Sharing and Analysis Center for electric and oil/gas-adjacent operators), CISA-curated feeds, and commercial threat intelligence are integrated into the assessment process and into the security operations center workflow.

Resilience over prevention. Mature programs accept that some incidents will succeed. They invest commensurately in detection, response, and recovery, not just in prevention. The Cybersecurity Framework 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover) reflect the same priority distribution.

Documented exit strategies and concentration analysis for the third-party services that have systemic importance to operations. The 2022 TSA pipeline cybersecurity directives reference third-party dependencies. The EU DORA Article 28 requirements (in force January 2025) require a comparable concentration analysis from any operator with EU financial-services counterparties.

The cost of getting it wrong

The Colonial Pipeline incident produced approximately $4.4 million in ransom payment, several days of operational disruption affecting fuel supply across the East Coast, and a regulatory response (the TSA Security Directives) that has subsequently added tens of millions of dollars in compliance cost across the U.S. pipeline industry. The financial cost to Colonial is a fraction of the cost imposed on the industry by the response. The lesson is that the regulatory response to a sector-defining incident usually outlasts the incident, and the operators who already have the program in place pay less, and adapt faster, than the ones who have to retrofit.

RiskWatch's energy-sector library includes the TSA Security Directives, NIST SP 800-82, IEC 62443, and the NERC CIP cross-mapping for operators with grid-adjacent assets. The free physical security checklist uses the same scoring methodology and can be applied to a single asset or to an entire facility portfolio.
