935% surge in ransomware attacks targeting oil & gas in 2024–2025, per the Dragos ICS/OT Cybersecurity Year in Review. Texas Permian, Eagle Ford, and Barnett operators are primary targets — not because they're careless, but because a single successful attack shuts down production and, for TSA-designated pipeline operators, triggers regulatory exposure under the TSA security directives (Pipeline-2021-01 series for 12-hour incident reporting, Pipeline-2021-02C for required cybersecurity measures). CoreRecon delivers OT-aware SOC coverage, ICS monitoring, and 30-minute incident response at $89–$129/endpoint, with no enterprise contract required.
After Colonial Pipeline, every ransomware affiliate knows the playbook: hit OT-adjacent systems, trigger an operator shutdown decision, collect ransom before CISA can respond. Texas operators are the highest-density targets in North America — and they're underserved by enterprise MSSPs that don't understand SCADA environments.
A mid-sized Permian Basin independent with 50 employees runs Ignition SCADA, OSIsoft PI historian, and Emerson DeltaV — the same stack as BP or ExxonMobil. If an attacker compromises the IT network adjacent to that OT stack, the shutdown decision and the regulatory exposure are identical. The blast radius doesn't scale with headcount.
The difference: a major has a 40-person SOC, a dedicated OT security team, and 24/7 threat hunting. The independent has an IT generalist and a SCADA vendor support contract. Attackers have done the math. Ransomware affiliates target independents and midstream operators specifically because the payout-to-resistance ratio favors them — a 4-day production outage at an Eagle Ford operator is more leverage per dollar of attacker effort than a Fortune 500 target with active defenses.
CoreRecon closes that gap. OT-aware SOC coverage, ICS monitoring, and 30-minute IR SLA — at pricing designed for operators without enterprise security budgets.
Generic MSSP controls weren't built for environments where a segmentation failure means SCADA can talk to the internet. These are the controls that matter for oil & gas operators — mapped to CoreRecon tiers.
| Control | Why It Matters for Oil & Gas | Common Gap | CoreRecon Coverage |
|---|---|---|---|
| OT Network Segmentation | SCADA, DCS, and historian networks must be isolated from corporate IT. IT/OT convergence without segmentation means a phishing email can reach a control system. Colonial Pipeline demonstrated what happens when an operator can't verify that boundary. | Flat networks where corporate IT, remote access VPN, and OT historian share the same subnet; no east-west traffic monitoring between IT and OT zones | Fortress tier: OT/IT network segmentation design, VLAN enforcement, DMZ architecture for historian access, east-west traffic monitoring |
| ICS-Aware SOC Monitoring | Standard SIEM rules fire on Windows event logs. They don't understand Modbus function codes, DNP3 traffic anomalies, or unusual PLC polling patterns that indicate reconnaissance or pre-positioning in control networks. | Generic MDR coverage with no OT protocol awareness; SCADA logs excluded from SIEM; no ICS threat intelligence feed | Fortress tier: ICS-protocol-aware monitoring, OT asset inventory, anomaly detection on control network traffic, Dragos-informed threat intelligence |
| 24/7 SOC with OT Context | Ransomware deploys at 2am on a Sunday. A production outage triggered by an IT intrusion adjacent to SCADA has the same regulatory clock regardless of when it starts. TSA's 12-hour CISA reporting window doesn't stop for weekends. | Business-hours-only monitoring; IR "on-call" model with 4+ hour response times; no pre-authorized OT shutdown/isolation playbook | Sentinel tier: 24/7 SOC coverage, OT-aware triage, TSA 12-hour reporting workflow (the pre-authorized IT/OT isolation playbook is a Command tier feature) |
| Incident Response Retainer | A ransomware event on IT adjacent to OT requires an immediate decision: isolate and shut down, or contain in place? Without a pre-engaged IR team that knows your OT topology, operators make that call blind, and frequently make the wrong one. | No IR retainer; incident response is "call the SCADA vendor", but SCADA vendors are not incident responders; no OT-specific IR playbook | Command tier: 30-minute SLA IR retainer, pre-authorized OT isolation protocol, CISA coordination, TSA notification workflow, OT-specific containment playbook |
| Third-Party Risk for Vendor Accounts | SCADA vendor remote access accounts are among the most abused vectors in OT attacks. Emerson, Honeywell, and Rockwell maintenance accounts often have persistent VPN access with minimal controls, and vendor employees are targeted specifically to gain OT access. | Vendor VPN accounts with standing persistent access; no session monitoring; no MFA on remote maintenance accounts; vendor access not scoped to maintenance windows | Fortress tier: vendor access management, just-in-time provisioning for maintenance windows, session recording, privileged account vaulting for SCADA vendor credentials |
10-endpoint minimum. Month-to-month. Designed for operators without a security team — Permian independents, Eagle Ford midstream, Barnett processing facilities, and downstream terminal operators.
The 30-minute SLA applies to the Command tier. Not next-business-day. TSA Security Directive Pipeline-2021-01 (the reporting directive; Pipeline-2021-02C carries the required security measures) gives designated pipeline operators 12 hours to report a cybersecurity incident to CISA. You can't file an accurate incident report if you don't have an analyst on the call within 30 minutes of detection. Command tier includes pre-authorized OT isolation authority: your team doesn't wait for a manager to approve containment at 3am.
Enterprise MSSPs handle IT security. Oil & gas operators need OT coverage, ICS awareness, and TSA compliance support. Here's how the six dimensions that matter most compare.
| Dimension | CoreRecon | Cybriant | Trustwave | Secureworks |
|---|---|---|---|---|
| OT/ICS Coverage | ICS-protocol-aware monitoring (Modbus, DNP3, OPC-UA). OT asset inventory. OT/IT segmentation design. Pre-authorized SCADA isolation playbook. | IT-focused MDR and SIEM. No documented ICS protocol awareness. OT coverage "available on request." | OT security via SpiderLabs — separate engagement at enterprise pricing. Not in standard MSSP contract. | Taegis XDR covers IT endpoints. OT-specific coverage requires Secureworks Professional Services add-on. No published ICS protocol support. |
| 30-Min SLA | 30-minute SLA on Command tier. Pre-authorized OT containment. Analyst on the call within the first 30 minutes of the 12-hour TSA reporting clock. | 4-hour SLA in published agreements. No OT-specific SLA differentiation. | Enterprise SLAs start at 1-hour. No OT-specific response commitment in published materials. | SLA varies by contract. Standard Taegis SLA is 1-hour initial response. No OT-specific SLA documented. |
| Transparent Pricing | $89/$129/endpoint published publicly. Command at $2,500+/month custom. 10-endpoint minimum, month-to-month. | Quoted per engagement. No published pricing. 6–12 month sales cycles reported. | Enterprise contracts. No published pricing. Minimums reportedly $100K+ annually. | Taegis published at enterprise tier. Mid-market operators report $150K+ annual minimums. No month-to-month option documented. |
| SDVOSB & TX-Native | SDVOSB-certified. Texas-based team. TX threat intel built into SOC. TSA Pipeline directive compliance support included. | National firm. No SDVOSB. No TX-specific SOC or TSA compliance support. | Global MSSP. No SDVOSB. TSA compliance as professional services add-on. | Global MSSP (Atlanta HQ, acquired by Sophos). No SDVOSB. No Texas-specific threat intel or TSA compliance workflow. |
| TSA Directive Support | Pre-built CISA incident report templates for the Pipeline-2021-01 12-hour reporting requirement. Pipeline-2021-02C cybersecurity measures mapped to Fortress controls. Cybersecurity Coordinator function covered in Sentinel tier. | No published TSA Pipeline directive compliance workflow. Would require custom professional services engagement. | TSA compliance available via SpiderLabs consulting. Not part of standard MDR/MSSP offering. | No published TSA Pipeline directive support. Regulatory compliance framed as Secureworks Advisory Services engagement. |
| ICS IR Experience | OT-specific IR playbooks. Pre-authorized SCADA isolation protocol. Production-uptime tradeoff framework built into Command tier runbooks. | General IR capabilities. No documented OT/ICS incident response experience or playbooks in published materials. | SpiderLabs has OT IR capability. Requires separate retainer. Not included in standard MSSP engagement. | Secureworks IR has enterprise IT depth. OT-specific IR requires Taegis + Professional Services combination — separate SOW from MDR contract. |
Also: Secureworks vs. CoreRecon deep dive → • Trustwave vs. CoreRecon deep dive →
We map your IT/OT attack surface, identify exposed SCADA-adjacent systems, check for vendor access gaps, and benchmark you against TSA Pipeline-2021-02C requirements. No credit card. No commitment. Delivered in 14 days.
Request your free $2,500 assessment → Delivered within 14 days • No credit card • SDVOSB-certified team
See a sample report — redacted 12-page PDF, real findings.
We monitor both, and the integration between them is where we focus first. Fortress tier includes ICS-protocol-aware monitoring that covers Modbus, DNP3, and OPC UA traffic anomalies, alongside standard IT SIEM coverage. We build an OT asset inventory during onboarding and monitor for unusual polling patterns, unexpected device communication, and IT-to-OT lateral movement that standard MDR tools miss entirely. Command tier adds a pre-authorized SCADA isolation playbook, so containment decisions don't require manager approval at 3am: the authority is pre-scoped and documented before any incident occurs.
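As an added example (not CoreRecon tooling or code from this page), here is the kind of zone-aware Modbus/TCP triage that the controls table and the answer above describe: parse the MBAP header and function code, then flag requests that cross from IT or the DMZ into the OT zone, masters missing from the asset baseline, writes from hosts not permitted to change process state, and device-identification requests used for enumeration. The zone ranges, master baseline, write allowlist, and sample requests are constructed assumptions standing in for a real OT asset inventory and sensor feed.

```python
"""Zone-aware Modbus/TCP request triage (added example, not CoreRecon code).

The records below are constructed; in a deployment they would come from a
span/TAP sensor feeding parsed TCP/502 payloads. Zone ranges, the master
baseline and the write allowlist are assumptions standing in for an OT asset
inventory.
"""
import ipaddress
import struct

# Modbus function codes. WRITE_FC change process state; DIAG_FC (diagnostics,
# report server ID, read device identification) are what scanners use to enumerate.
WRITE_FC = {5, 6, 15, 16, 22, 23}
DIAG_FC = {8, 17, 43}

ZONES = {  # assumed addressing
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("192.168.10.0/24"),
}
KNOWN_MASTERS = {"192.168.10.10", "192.168.10.11"}  # HMI and engineering workstation (assumed)
WRITE_ALLOWED = {"192.168.10.11"}                    # only the EWS may write or run diagnostics (assumed)

# Constructed requests: src -> dst:502, payload = MBAP header + PDU as hex.
SAMPLE_REQUESTS = [
    {"src": "192.168.10.10", "dst": "192.168.10.50", "payload": "00010000000601030000000a"},  # HMI reads 10 regs
    {"src": "192.168.10.11", "dst": "192.168.10.50", "payload": "0002000000060106001000ff"},  # EWS writes one reg
    {"src": "10.1.5.23",     "dst": "192.168.10.50", "payload": "00030000000601050001ff00"},  # IT host writes a coil
    {"src": "10.2.0.5",      "dst": "192.168.10.50", "payload": "000400000005012b0e0100"},    # DMZ host reads device ID
    {"src": "192.168.10.10", "dst": "192.168.10.50", "payload": "000500010006010300000001"},  # bad protocol id
]


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"


def parse_modbus_tcp(payload: bytes):
    """Return (unit_id, function_code), or None if the MBAP header is inconsistent.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2) = number of
    bytes that follow it, unit id (1); the first PDU byte is the function code.
    """
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:
        return None
    return unit, payload[7]


def triage(records):
    """Return (rule, src, dst, function_code) alerts for every rule a request trips."""
    alerts = []
    for r in records:
        parsed = parse_modbus_tcp(bytes.fromhex(r["payload"]))
        if parsed is None:
            alerts.append(("MALFORMED_MODBUS", r["src"], r["dst"], None))
            continue
        _unit, fc = parsed
        # Rule 1: Modbus arriving in OT from IT or the DMZ means the boundary is not holding.
        if zone_of(r["dst"]) == "OT" and zone_of(r["src"]) != "OT":
            alerts.append(("IT_TO_OT_MODBUS", r["src"], r["dst"], fc))
        # Rule 2: a master that is not in the asset baseline is talking to a PLC.
        if r["src"] not in KNOWN_MASTERS:
            alerts.append(("UNKNOWN_MASTER", r["src"], r["dst"], fc))
        # Rule 3: a write from a host not permitted to change process state.
        if fc in WRITE_FC and r["src"] not in WRITE_ALLOWED:
            alerts.append(("UNAUTHORIZED_WRITE", r["src"], r["dst"], fc))
        # Rule 4: diagnostics or device identification from anything but the EWS is enumeration.
        if fc in DIAG_FC and r["src"] not in WRITE_ALLOWED:
            alerts.append(("DEVICE_ENUMERATION", r["src"], r["dst"], fc))
    return alerts


if __name__ == "__main__":
    for rule, src, dst, fc in triage(SAMPLE_REQUESTS):
        print(f"{rule:18} {src:>14} -> {dst}  fc={fc}")
```

The HMI read and the EWS write pass silently; the IT-zone coil write trips three rules at once, which is the point: a generic SIEM sees a TCP connection to port 502, while the control-network view sees a segmentation failure, an unbaselined master, and a state change from an unauthorized host.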
Command tier: 30 minutes from alert to analyst on the call, any time of day, including holidays. For a ransomware event adjacent to OT, that 30-minute window is what determines whether you're making a documented, defensible containment decision or a panicked shutdown call at 4am. The 12-hour CISA reporting window in TSA Security Directive Pipeline-2021-01 (the reporting directive that accompanies Pipeline-2021-02C) starts when you identify the incident, not when you understand it. Having an analyst on the call within 30 minutes means you're building the incident timeline and notification package in real time, not reconstructing it under regulatory deadline pressure. Fortress tier carries a 4-hour SLA. Sentinel tier is best-effort with standard business priority.
Yes. Two TSA security directives apply to TSA-designated critical pipeline owner/operators. Security Directive Pipeline-2021-01 (issued May 2021 and renewed annually) requires operators to report cybersecurity incidents to CISA within 12 hours of identifying them, designate a Cybersecurity Coordinator reachable 24/7, and assess current practices against TSA's guidelines and report the gaps. Security Directive Pipeline-2021-02C (July 2022, since renewed) requires a Cybersecurity Implementation Plan covering network segmentation between IT and OT, access control, continuous monitoring and detection, patch management, and a Cybersecurity Incident Response Plan with exercises, plus an assessment program that tests those measures. One caveat: the directives bind operators TSA has designated as critical; an upstream producer that has not been designated is not legally subject to them, although the same measures are what insurers and CISA guidance expect. In practice, Sentinel tier covers the Cybersecurity Coordinator function and the 12-hour CISA notification workflow. Fortress tier maps to the Pipeline-2021-02C measures: segmentation, access control, patch tracking, and detection. Command tier provides the documentation package for the gap analysis, remediation tracking, and incident response plan exercises. We've pre-built the reporting templates so your team isn't drafting a CISA notification during an active incident.
Yes. Cyber insurance carriers have materially tightened requirements for energy sector operators since the Colonial Pipeline incident. Most carriers now require: MFA on remote access and privileged accounts, network segmentation between IT and OT, documented incident response plan with named coordinator, EDR on IT endpoints, and immutable offsite backup with tested recovery procedures. Fortress tier satisfies all five standard carrier requirements. Command tier additionally satisfies the carrier questionnaire line items that ask for an IR retainer with documented SLA and a third-party vendor access management program — both of which have appeared in carrier renewals for pipeline operators since 2022. We provide annual coverage attestation documentation that maps directly to standard energy-sector carrier questionnaire fields, reducing your renewal friction.
Yes — and managing vendor access to your OT environment is one of the first things we address. SCADA vendor remote access accounts (Emerson DeltaV, Honeywell Experion, and Rockwell FactoryTalk support accounts) are among the most abused vectors in OT intrusions — not because the vendors are negligent, but because persistent VPN credentials are targeted specifically to gain OT access without touching the IT network. Fortress tier implements just-in-time provisioning for maintenance windows, session recording on all vendor remote sessions, and privileged account vaulting for SCADA credentials, so vendor access is scoped, monitored, and revocable. We don't replace your vendor relationship; we make it auditable. Your Emerson or Rockwell support contract continues unchanged; we add the visibility layer on top of it.
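As an added example (not CoreRecon tooling or code from this page), here is what checking vendor accounts against the just-in-time policy described in the vendor-access row of the controls table and in the answer above looks like in practice: flag standing accounts with no expiry, accounts without MFA, VPN sessions that start outside any approved maintenance window, and sessions that reach OT hosts outside the window's approved scope. The account records, maintenance windows, ticket numbers, and VPN log format are constructed assumptions; every concentrator and PAM product formats these differently.

```python
"""Audit of SCADA vendor remote-access accounts against a just-in-time policy.

Added example, not CoreRecon tooling. Account records, maintenance windows and
VPN log lines are constructed; field names and the log format are assumptions.
"""
import re
from datetime import datetime


def parse_ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed vendor account inventory. expires=None is standing access, the common gap.
ACCOUNTS = [
    {"user": "emerson-svc",   "vendor": "Emerson",   "mfa": True,  "expires": parse_ts("2025-03-02T06:00:00Z")},
    {"user": "honeywell-rmt", "vendor": "Honeywell", "mfa": False, "expires": None},
    {"user": "rockwell-fse",  "vendor": "Rockwell",  "mfa": True,  "expires": None},
]

# Approved maintenance windows: who, when, which OT hosts, and the change ticket behind it.
WINDOWS = [
    {"user": "emerson-svc", "start": parse_ts("2025-03-02T02:00:00Z"), "end": parse_ts("2025-03-02T06:00:00Z"),
     "hosts": {"192.168.10.11"}, "ticket": "CHG-1042"},
    {"user": "rockwell-fse", "start": parse_ts("2025-03-05T14:00:00Z"), "end": parse_ts("2025-03-05T18:00:00Z"),
     "hosts": {"192.168.10.30"}, "ticket": "CHG-1051"},
]

# Constructed VPN concentrator log lines (format assumed).
VPN_LOG = """\
2025-03-02T02:14:00Z vpn-gw session-start user=emerson-svc src=203.0.113.40 dst=192.168.10.11
2025-03-02T02:40:00Z vpn-gw session-start user=emerson-svc src=203.0.113.40 dst=192.168.10.20
2025-03-03T23:05:00Z vpn-gw session-start user=honeywell-rmt src=198.51.100.7 dst=192.168.10.15
2025-03-05T15:10:00Z vpn-gw session-start user=rockwell-fse src=192.0.2.99 dst=192.168.10.30
2025-03-06T01:30:00Z vpn-gw session-start user=rockwell-fse src=192.0.2.99 dst=192.168.10.30
"""

LINE = re.compile(r"^(?P<ts>\S+) \S+ session-start user=(?P<user>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)$")


def window_for(user: str, when: datetime):
    """Return the approved maintenance window covering this login, or None."""
    for w in WINDOWS:
        if w["user"] == user and w["start"] <= when <= w["end"]:
            return w
    return None


def audit_accounts(accounts):
    """Static checks on the inventory: standing access and missing MFA."""
    findings = []
    for a in accounts:
        if a["expires"] is None:
            findings.append(("STANDING_ACCESS", a["user"], "no expiry; JIT policy requires per-window enablement"))
        if not a["mfa"]:
            findings.append(("NO_MFA", a["user"], "remote maintenance account without MFA"))
    return findings


def audit_sessions(log: str):
    """Dynamic checks on session starts: outside any window, or to a host outside the window's scope."""
    findings = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # unrelated event types are ignored in this example
        user, when, dst = m["user"], parse_ts(m["ts"]), m["dst"]
        w = window_for(user, when)
        if w is None:
            findings.append(("OUT_OF_WINDOW", user, f"{when.isoformat()} -> {dst}: no approved maintenance window"))
        elif dst not in w["hosts"]:
            findings.append(("OUT_OF_SCOPE_HOST", user, f"{dst} not in {w['ticket']} scope {sorted(w['hosts'])}"))
    return findings


if __name__ == "__main__":
    for finding in audit_accounts(ACCOUNTS) + audit_sessions(VPN_LOG):
        print(" | ".join(finding))
```

The second Emerson session is the one worth noticing: it is inside an approved window, by an MFA-protected account, and still a finding, because the ticket scoped access to one host and the session went to another. Window-only enforcement misses that; scoping each window to named OT hosts catches it.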
Most oil & gas operator breaches start on the IT network — weeks before anyone notices. Our free assessment maps your attack surface, identifies IT/OT boundary gaps, checks for exposed SCADA-adjacent systems, and benchmarks you against TSA Pipeline-2021-02C. No credit card. No commitment. Delivered in 14 days.