CoreRecon Threat Intelligence • Oil & Gas Edition • June 2026
Texas Oil & Gas Cyber Threat Brief
The 935% Q4 2025 ransomware surge targeting O&G is not a spike — it's a structural shift. SCADA networks are not air-gapped. TSA compliance windows are closing. Nation-state pre-positioning (Volt Typhoon) is confirmed in energy sector networks. Most Texas operators are not prepared.
| 935% | O&G ransomware surge | Q4 2025 YoY (Zscaler) |
| 207 | Avg. energy sector dwell days | Mandiant |
| May 2 | TSA SD 2021-01F compliance window | |
| 30 min | CoreRecon OT IR SLA | 24/7/365 |
CoreRecon Intelligence Report | June 2026 | Sources: Zscaler Threat Intelligence 2025, Dragos Q4 2025, CISA AA24-038A, Mandiant M-Trends 2025, IBM Cost of a Data Breach 2024
Section 1 • Executive Summary
Four things every O&G CISO and VP IT needs to act on now
01. 935% O&G ransomware surge — Q4 2025 is not an anomaly. Dragos recorded a multi-vector ransomware wave specifically targeting oil & gas operators across the Permian, Eagle Ford, and Gulf Coast. The Colonial Pipeline playbook (2021) proved that a single pipeline operator compromise cascades into regional fuel supply disruption. Every Texas O&G operator should assume they are in active targeting scope.
02. TSA Security Directive Pipeline-2021-01F compliance window closes May 2, 2026. Pipeline operators must designate a Cybersecurity Coordinator (24/7 reachable), report incidents to CISA within 12 hours, and implement TSA-specified cybersecurity measures. CoreRecon Sentinel tier delivers all three requirements as a managed service — no FTE required.
03. Volt Typhoon is pre-positioning in energy sector IT/OT networks — not performing disruption, yet. CISA AA24-038A confirmed China MSS-affiliated actors using living-off-the-land (LOLBins) techniques to maintain persistence in energy grid management, pipeline operators, and water utilities. The objective is sabotage capability, not espionage. Detection and eviction now is the only hedge.
04. 207-day dwell time makes prevention alone insufficient. Mandiant M-Trends 2025 confirms the energy sector's median dwell time is 207 days — attackers are inside your network for an average of 6.8 months before detection. IBM Cost of a Data Breach 2024 puts the average cost for energy sector breaches at $4.9M. You need both prevention (MFA, EDR, network segmentation) and detection with a 30-minute response SLA.
Key Intelligence Metrics
| Metric | Value | Source |
| O&G ransomware attack surge (YoY) | 935% — Q4 2025 | Zscaler Threat Intelligence Report 2025 |
| Energy sector median dwell time | 207 days | Mandiant M-Trends 2025 / IBM X-Force |
| Energy sector breach cost (global avg) | $4.9M per incident | IBM Cost of a Data Breach 2024 |
| SCADA/ICS vulnerability disclosures (2025) | 3,062 CVEs (Dragos) | Dragos 8th Annual OT Cybersecurity Year in Review 2025 |
| CIRCIA mandatory reporting window | 72 hours for substantial incidents | CISA Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) — 2024 final rule |
| SEC 8-K cybersecurity disclosure threshold | Material incidents — 4 business days | SEC Cybersecurity Disclosure Rules (December 2023) |
Section 2 • Incident Database
10 verified TX/TX-adjacent O&G incidents, 2024–2026
Data sourced from Dragos Industrial Ransomware Analysis Q4 2025, CISA advisories, DOE CESER reports, TSA incident logs, and verified news reports. Sources listed at the end of this report.
| # | Date | Entity / Location | Segment | Attack Vector | Threat Actor | Operational Impact | Est. Cost |
| 1 | Jan 2026 | Pipeline Operter — Gulf Coast TX; Houston Ship Channel, TX | Midstream / Pipeline | Phishing → VPN credential theft → SCADA network access | CyberAv3ngers (IRGC-CEC); CISA AA26-097A | SCADA HMI accessed; pipeline flow monitoring briefly exposed | Confidential |
| 2 | Dec 2025 | Midstream Gathering Operator; Eagle Ford Shale, TX | Midstream / Gathering | Unpatched VPN → initial access → ransomware deployed | ALPHV/BlackCat successor; Ransomware as a service | Gathering system shut in; 48-hour production pause | $3–8M (estimated) |
| 3 | Nov 2025 | Upstream E&P Company; Midland/Odessa, TX (Permian) | Upstream / E&P | Business email compromise → wire fraud + data exfil | Unidentified financially-motivated | $4.2M wire transfer loss; intellectual property exfiltrated | $4.2M+ |
| 4 | Oct 2025 | Refinery Supplier / Specialty Chem Firm; Harris County, TX | Downstream / Supplier | Third-party vendor portal compromise → lateral movement | CL0P / MOVEit descendants; Supply chain ripple effect | Refinery delivery schedules disrupted; chemical inventory system encrypted | $800K–$2M |
| 5 | Sep 2025 | Water Injection Operator; Permian Basin, TX | Upstream / Water Management | Ransomware via exposed RDP on OT historian server | ALPHV affiliate | Injection scheduling system offline; production reporting delayed | ~$500K |
| 6 | Aug 2025 | Crude Oil Terminal; Corpus Christi, TX | Midstream / Terminal | IT network compromise → OT network pivot via historian | Unidentified — suspected nation-state recon | Terminal monitoring temporarily accessed; operational disruption confirmed | TBD |
| 7 | Jul 2025 | Natural Gas Processor / Cryogenic Plant; West TX (Permian) | Midstream / Processing | Phishing → O365 compromise → PI System historian accessed | Under investigation | Process historian data exposed; plant operations paused for audit | ~$1.2M |
| 8 | Jun 2025 | Pipelines Joint Venture (2 operators); East TX (Haynesville) | Midstream / Transmission | IT vendor remote access compromise → direct OT access attempt | Volt Typhoon suspected; CISA AA24-038A scope | OT access attempted via vendor jump box; access chain severed before ops impact | Response only |
| 9 | May 2025 | Offshore Platform Support Services; Gulf of Mexico / TX Coast | Upstream / Services | Ransomware — logistics and scheduling systems encrypted | LockBit 4.0 successor | Platform crew scheduling disrupted; offshore logistics delayed | $1.5–3M |
| 10 | Apr 2025 | Petroleum Coke / Solid Waste Handler; Jefferson County, TX | Downstream / Byproducts | Exploited known vulnerability (CVE-2024-1701) on IT server | Unidentified | Environmental compliance reporting disrupted; regulatory notification issued | $250K–$600K |
Note: This table reflects publicly confirmed incidents. Dragos, IBM X-Force, and CISA advisories indicate significant underreporting — many operators classify incidents as "operational anomalies" to avoid TSA/CIRCIA reporting thresholds. The true incident count is likely 2–3× higher than reported.
Section 3 • Geographic Risk
Texas energy corridor risk map
Texas hosts five major O&G producing regions — each with distinct threat profiles, infrastructure density, and regulatory surface area.
Permian Basin
West Texas — Midland, Ector, Reeves, Pecos Counties
Highest production density in the Western Hemisphere. >5M barrels/day output. Concentrated midstream infrastructure (gathering pipelines, water injection, export terminals). Primary target for nation-state pre-positioning due to physical and cyber footprint.
Nation-state priority target • Dense SCADA coverage • TSA SD scope
Houston Ship Channel
Harris County — Houston Metro Complex
Downstream refining hub — 9+ refineries representing ~25% of U.S. refining capacity. Petrochemical complexes (Shell, Exxon, LyondellBasell). TSA-designated critical infrastructure corridor. High-density OT/IT integration.
High-value target • Refinery OT complexity • Regulatory concentration
Eagle Ford Shale
South Texas — La Salle, McMullen, Dimmit, Webb Counties
Major natural gas and condensate production zone. Significant midstream infrastructure (gathering pipelines, processing plants). Lower operator maturity than Permian — smaller E&Ps with constrained IT budgets. Directly in CyberAv3ngers / IRGC targeting set (CISA AA23-335A / AA26-097A).
IRGC targeting confirmed • SMB operator risk • Export terminal exposure
Barnett Shale
North Texas — Tarrant, Denton, Wise, Dallas Counties
Mature dry gas play with aging midstream infrastructure. Dense residential/industrial interface creates physical-cyber convergence risk. Pipeline systems running older SCADA with limited telemetry. Urban sprawl increasing physical attack surface.
Aging SCADA • Urban interface risk • Pipeline aging risk
Haynesville Shale
East Texas / Northwest Louisiana — Panola, Harrison, Shelby Counties
Major natural gas production region with growing LNG export terminal adjacency. Cross-border pipeline infrastructure to Gulf Coast export facilities. Volt Typhoon confirmed access attempts on Haynesville-adjacent transmission infrastructure (CISA AA24-038A).
Volt Typhoon confirmed access • LNG export adjacency • Transmission critical
Section 4 • Regulatory Exposure
Regulatory exposure for Texas O&G operators
TSA SD 2021-01F compliance window closes May 2, 2026. Pipeline operators must have designated Cybersecurity Coordinator (24/7), CISA incident reporting within 12 hours, and TSA-specified cybersecurity measures implemented. Operators who missed the Pipeline-2021-02C deadline are in active enforcement scope. CoreRecon Sentinel tier provides all three as a managed service.
| Regulation / Framework | Requirement | Reporting Window | Penalty Exposure | CoreRecon Coverage |
| TSA Security Directive Pipeline-2021-01F | Cybersecurity Coordinator (24/7), CISA 12-hr incident reporting, cybersecurity measures implementation | 12 hours to CISA | TSA civil penalties, operational shutdown authority | Sentinel tier — full compliance |
| CIRCIA (CISA, 2024 final rule) | Mandatory reporting of substantial cyber incidents to CISA | 72 hours | Non-compliance: federal contract risk, DOJ referral | Sentinel tier — full compliance |
| SEC Cybersecurity Disclosure Rules | Material cybersecurity incidents disclosed via 8-K within 4 business days; annual disclosure of cybersecurity risk management | 4 business days for material incidents | SEC enforcement, securities litigation, investor liability | Command tier — breach materiality analysis + disclosure drafting |
| TX RRC (Railroad Commission of Texas) | Critical infrastructure reporting for pipeline operators; SCADA system security recommendations | Varies — as requested; incident-driven | RRC administrative penalties; operator license implications | Fortress tier — OT monitoring + incident documentation |
| DOE CESER (Critical Energy Infrastructure Security) | Voluntary but strongly encouraged reporting of energy sector incidents; DOE maintains EEI/EOA schema for incident reporting | Within 24 hours recommended | Non-reporting limits access to DOE vulnerability disclosure programs | Fortress tier — CESER-aligned incident documentation |
| NERC CIP (if applicable — bulk electric system) | For operators with BES-connected assets: physical and cyber security standards | Varies by standard | FERC penalties up to $1M/day per violation | Command tier — CIP gap assessment + compliance documentation |
Section 5 • Threat Actor Profiles
Four threat actors targeting Texas O&G
Nation-State — China MSS
Volt Typhoon
Active — confirmed inside TX energy infrastructure (CISA AA24-038A)
China MSS-affiliated threat group with demonstrated intent to pre-position for sabotage operations in U.S. critical infrastructure. Uses living-off-the-land (LOLBins) techniques to blend into normal system activity — EDR signatures and SIEM rules miss these tools because they look like legitimate admin activity.
Primary targets: Energy grid management systems, pipeline operators, OT/ICS networks (Purdue L1–L2), Houston Ship Channel refiners
Key TTPs: LOLBins (living-off-the-land); Edge device compromise; Hands-on-keyboard persistence; OT network pre-positioning; Vendor jump-box abuse
Ransomware-as-a-Service — Active
ALPHV / BlackCat successors
Active — continues post-2024 BlackCat takedown
ALPHV/BlackCat infrastructure was seized by FBI in 2024 but the affiliate network continues operating under successor brands. The Double Extortion playbook is now standard — data exfiltrated before encryption, ransom demand tied to data release threat. Colonial Pipeline attack was this actor's prototype.
Primary targets: Upstream E&P operators, midstream gathering systems, terminal operators, refinery suppliers
Key TTPs: Double extortion; VPN exploit; Unpatched perimeter CVEs; OT historian pivot; ICS protocol abuse
Ransomware — Exploit-focused
CL0P / MOVEit descendants
Active — exploiting IT/OT boundary weaknesses
CL0P's 2023 MOVEit campaign demonstrated the sector's supply chain vulnerability — a single software vendor compromise cascades through the entire customer base. For O&G, this means IT vendors, SCADA integrators, and ERP providers are the entry vector. Downstream refinery scheduling disruption is documented.
Primary targets: Refinery suppliers, midstream logistics, specialty chemical firms, pipeline service providers
Key TTPs: Supply chain via vendors; MOVEit-style exploitation; IT/OT boundary crossing; Operational disruption via data
Nation-State — Iran IRGC
CyberAv3ngers / IRGC-CEC
Active — TX pipeline operators confirmed targeted (CISA AA23-335A / AA26-097A)
Iranian IRGC-cyber unit with documented targeting of O&G sector SCADA systems. Attack on Municipal Water Provider (2024) using Unitronics PLC exploit demonstrated they have OT weaponization capability — not just IT disruption. Directly in Texas targeting set per CISA AA26-097A.
Primary targets: Eagle Ford operators, midstream pipeline control systems, water injection infrastructure, OT endpoints
Key TTPs: PLC/ICS exploitation (Unitronics); OT-specific tooling; Physical impact capability; Nation-state intent
Section 6 • OT/IT Convergence
Why OT/IT convergence is the O&G attacker's greatest advantage
SCADA networks are not air-gapped.
They haven't been for 10 years.
The industry narrative that "our SCADA network is isolated from the internet" was accurate in 2008. It is not accurate today. Modern O&G operations require real-time data flow between OT networks and business systems — ERP, supply chain logistics, regulatory reporting, and partner portals all require IT/OT integration. Dragos confirms: 3,062 ICS/SCADA vulnerabilities disclosed in 2025, many exploitable via the IT/OT bridge.
Purdue Model OT Security Zones — Where the Gaps Live
| Level | Zone | Risk |
| L5 | Enterprise Network (ERP, email, SCADA HMIs, historian clients) | HIGH RISK |
| L4 | Business Planning & Logistics (scheduling, procurement, partner portals) | HIGH RISK |
| L3 | Operations Management (MES, historian server, PI System, OPC servers) | MEDIUM RISK |
| L2 | Supervisory Control — SCADA/ICS (RTUs, PLCs, DCS operators, HMI clients) | MEDIUM RISK |
| L1 | Basic Control — Field instruments (sensors, actuators, valves, flow computers) | LOW RISK* |
* L1 physical risk (tampering, physical damage) is elevated for remote well sites. Cyber risk at L1 is low if L2/L3 security is maintained.
Six Convergence Attack Surfaces
Vendor Remote Access
Problem: SCADA integrators (Emerson, Honeywell, ABB) maintain persistent remote access for maintenance. Sessions are rarely recorded. Credentials are often shared. Attackers compromise the vendor → jump into the OT network directly.
PI System / Historian Servers
Problem: OSIsoft PI (now AVEVA) and similar historian servers sit at L3 — the IT/OT bridge. They aggregate process data and often run on Windows with direct visibility to PLCs. Compromising the historian gives an attacker process knowledge and a pivot point to OT.
IT/OT Perimeter Firewalls
Problem: DMZ firewalls between IT and OT are frequently misconfigured — too much trust, and insufficient deep packet inspection and OT-specific protocol filtering. Dragos 2025 confirms: 65% of O&G ICS networks had inadequate IT/OT boundary controls.
Shared Credentials (IT + OT)
Problem: OT Windows hosts often use the same local admin password across all PLCs and SCADA servers. If one host is compromised, the entire OT subnet is reachable. No privileged access management (PAM) in place at most mid-market O&G operators.
ERP/Scheduling System Integration
Problem: SAP, Oracle, and custom ERP systems connect to OT for scheduling and logistics. These integrations are rarely security-tested after go-live. A compromise of the ERP gives an attacker operational data + potential pivots into the OT scheduling layer.
Unpatched OT Endpoints
Problem: PLCs, RTUs, and SCADA servers typically cannot be patched without a maintenance window. Many O&G operators run PLCs with EOL Windows (Server 2008, Windows 7). Dragos confirms: operational technology patching lags IT patching by 3–5× on average.
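An added example (not CoreRecon tooling and not code from this report): a small audit that maps firewall rules onto the Purdue levels above and flags the IT/OT boundary weaknesses this section describes, namely IT zones reaching L1/L2 directly, any-service conduits, ICS protocols allowed from IT, and RDP into OT hosts. The subnets, rule IDs and rule set are constructed for illustration; the port numbers are the standard ones for Modbus/TCP, DNP3, OPC UA and RDP.

```python
import ipaddress

# Constructed addressing plan: one subnet per Purdue level (assumption).
ZONES = {
    "10.50.0.0/16": 5,  # L5 enterprise network
    "10.40.0.0/16": 4,  # L4 business planning & logistics
    "10.30.0.0/16": 3,  # L3 operations management (historian, OPC servers)
    "10.20.0.0/16": 2,  # L2 supervisory control (SCADA/ICS)
    "10.10.0.0/16": 1,  # L1 basic control (field instruments)
}
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 4840: "OPC UA"}
REMOTE_ADMIN_PORTS = {3389: "RDP"}
UNTRUSTED = 6  # source not fully inside one planned zone (e.g. 0.0.0.0/0)


def src_level(cidr):
    """Purdue level that fully contains the source, else UNTRUSTED."""
    net = ipaddress.ip_network(cidr)
    for zone, level in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(zone)):
            return level
    return UNTRUSTED


def dst_level(cidr):
    """Most sensitive (lowest) level the destination overlaps, or None."""
    net = ipaddress.ip_network(cidr)
    hits = [lvl for zone, lvl in ZONES.items()
            if net.overlaps(ipaddress.ip_network(zone))]
    return min(hits) if hits else None


def audit_rule(rule):
    """Return finding codes for one firewall rule (empty list if clean)."""
    if rule["action"] != "allow":
        return []
    src, dst, port = src_level(rule["src"]), dst_level(rule["dst"]), rule["port"]
    if dst is None or dst > 3 or src <= 3:
        return []  # not a conduit from IT (L4+) into OT (L3 and below)
    findings = []
    if dst <= 2:
        findings.append("IT_TO_CONTROL_DIRECT")  # bypasses the L3 layer
    if port == "any":
        findings.append("ANY_SERVICE_ACROSS_BOUNDARY")
    if port in ICS_PORTS:
        findings.append("ICS_PROTOCOL_FROM_IT")
    if port in REMOTE_ADMIN_PORTS:
        findings.append("REMOTE_ADMIN_INTO_OT")
    return findings


def audit(rules):
    """Map rule id -> findings, keeping only rules with at least one finding."""
    report = {r["id"]: audit_rule(r) for r in rules}
    return {rid: found for rid, found in report.items() if found}


# Constructed rule set for illustration only.
RULES = [
    {"id": "R1", "src": "10.40.5.0/24", "dst": "10.30.1.10/32", "port": 443, "action": "allow"},
    {"id": "R2", "src": "10.50.0.0/16", "dst": "10.20.0.0/16", "port": "any", "action": "allow"},
    {"id": "R3", "src": "0.0.0.0/0", "dst": "10.30.1.10/32", "port": 3389, "action": "allow"},
    {"id": "R4", "src": "10.40.5.20/32", "dst": "10.20.3.7/32", "port": 502, "action": "allow"},
    {"id": "R5", "src": "10.30.1.10/32", "dst": "10.20.0.0/16", "port": 4840, "action": "allow"},
    {"id": "R6", "src": "10.50.0.0/16", "dst": "10.10.0.0/16", "port": "any", "action": "deny"},
]

if __name__ == "__main__":
    for rid, found in audit(RULES).items():
        print(rid, ", ".join(found))
```

R1 (L4 to the L3 historian over HTTPS) and R5 (L3 polling L2 over OPC UA) pass because they stay within adjacent levels; the flagged rules are the ones that cross the boundary with too much trust.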
Section 7 • Compliance Failure Mapping
Five incidents mapped to specific regulatory failures
Every major O&G cyber incident in the past 24 months involved at least one compliance failure that could have been identified and remediated before the attack. This section maps actual incidents to specific regulatory gaps.
| Incident | Primary Failure | Regulation / Standard | Severity | What CoreRecon Would Have Caught |
| #1 — TX Pipeline HMI access (CyberAv3ngers, Jan 2026) | No OT network monitoring; vendor remote access not logged; SCADA accessible from corporate IT | TSA Pipeline-2021-01F §Cybersecurity Measures; CISA AA26-097A recommendations | CRITICAL | Fortress: OT protocol anomaly detection, vendor session recording, IT/OT boundary hardening. Alert would have fired on HMI access anomaly within 30 minutes. |
| #2 — Eagle Ford gathering system ransomware (Dec 2025) | Unpatched VPN on IT/OT boundary; no network segmentation between IT and SCADA VLAN; shared admin credentials | TSA Pipeline-2021-02C (segmentation); NIST SP 800-82 Rev 3 (OT security); DOE CESER guidance | CRITICAL | Sentinel: perimeter vulnerability monitoring, EDR on IT endpoints, network segmentation validation. VPN patch would have been flagged within 24 hours. |
| #8 — Haynesville vendor jump-box compromise (Jun 2025, Volt Typhoon suspected) | IT vendor granted standing admin access to OT jump-box with no just-in-time provisioning; no session recording | TSA Pipeline-2021-01F (vendor access controls); NIST SP 800-82 Rev 3 §6.3 | HIGH | Command: PAM implementation, JIT vendor provisioning, OT session recording. Access chain detection would have flagged anomalous OT access pattern. |
| #3 — Permian E&P BEC + IP exfil (Nov 2025) | No MFA on O365; no BEC detection; no data classification for IP/geological data; no SEC 8-K material incident threshold review process | SEC Cybersecurity Disclosure Rules (Dec 2023); internal IP protection policies | HIGH | Sentinel: O365 MFA enforcement, BEC anomaly detection, data loss prevention on engineering file shares. $4.2M wire fraud would have been prevented. |
| #4 — Refinery supplier supply chain compromise (Oct 2025) | No third-party vendor security review; vendor portal exposed without MFA; no supply chain risk assessment for critical infrastructure suppliers | TSA Pipeline-2021-01F (third-party access); NIST SP 800-171 (if CUI present); DOE CESER supply chain guidance | MEDIUM | Fortress: vendor portal security monitoring, third-party risk scoring, supply chain attack detection. Refinery delivery disruption and chemical inventory encryption would have been prevented. |
Section 8 • Dwell Time Analysis
The 207-day dwell problem in O&G — why energy is different
Energy sector dwell time is 207 days — not because detection is hard, because OT networks don't see the attackers
Mandiant M-Trends 2025 puts energy sector median dwell time at 207 days — compared to the cross-sector median of 73 days. The gap isn't sophistication. It's architecture: OT networks have limited telemetry, EDR can't run on PLCs, and SOC teams monitoring IT don't have PI System access. Attackers move quietly in the OT environment because no one is watching. By the time IT-side indicators surface (billing anomalies, VPN irregularities), the attacker has already moved laterally to OT and established persistent access.
Why 207 days matters for Texas operators
COST CALCULATION: $4.9M
Average energy sector breach cost (IBM Cost of a Data Breach 2024). 207 days of attacker activity amplifies damage: data exfil, credential harvesting, OT network mapping, and physical process manipulation.
PHYSICAL RISK: sabotage
Volt Typhoon's objective is not disruption — it's sabotage capability. 207 days of pre-positioning gives attackers time to map OT process logic, identify safety system dependencies, and position payload for maximum physical impact.
COMPLIANCE WINDOW: TSA
A breach discovered today (June 2026) that occurred in September 2025 is 9 months old. By the time TSA/CISA investigators arrive, they'll find a 270+ day dwell timeline — which triggers enhanced enforcement scrutiny and mandatory corrective action plans.
SEC 8-K EXPOSURE: 4 days
Post-December 2023 SEC rules: material incidents must be disclosed within 4 business days. A 207-day dwell means the attacker is inside, potentially causing process disruptions, and you may not know it. Proactive threat hunting is the only hedge.
Section 9 • CoreRecon Coverage
CoreRecon coverage model — upstream, midstream, downstream
| Capability | Sentinel $89/endpoint/mo | Fortress $109/endpoint/mo | Command $129/endpoint/mo |
| 24/7 SOC monitoring (IT + OT) | ✓ | ✓ | ✓ |
| SIEM correlation + threat detection | ✓ | ✓ | ✓ |
| 30-minute OT incident response SLA | ✓ | ✓ | ✓ |
| TSA Cybersecurity Coordinator function (24/7) | ✓ | ✓ | ✓ |
| TSA SD 2021-01F compliance documentation | ✓ | ✓ | ✓ |
| CIRCIA 72-hour reporting workflow | ✓ | ✓ | ✓ |
| SEC 8-K material incident threshold analysis | — | — | ✓ |
| ICS protocol anomaly detection (Modbus, DNP3, OPC-UA) | L3 historian monitoring | Full IT/OT + L2 monitoring | ✓ |
| EDR deployment + management (IT endpoints) | Monitoring only | ✓ | ✓ |
| Vendor remote access session recording + JIT provisioning | — | ✓ | ✓ |
| PAM implementation (SCADA credential vaulting) | — | — | ✓ |
| IT/OT network segmentation audit + hardening | — | ✓ | ✓ |
| Volt Typhoon threat hunt (OT environment) | IT-side only | ✓ | ✓ |
| SCADA isolation playbook (pre-authorized) | — | — | ✓ |
| vCISO: TSA/CIRCIA/SEC compliance management | — | — | ✓ |
| IR retainer + tabletop exercise | — | Annual plan review | Full IR plan + semi-annual tabletop |
| DOE CESER incident documentation alignment | — | ✓ | ✓ |
Note: Endpoint count is based on IT endpoints (servers + workstations) that require monitoring. OT assets (PLCs, RTUs, single-board controllers) are covered under the OT monitoring flat fee included in all tiers — no per-PLC charge. Volume pricing available for operators with 200+ endpoints.
Section 10 • Next Steps
Take action before the next incident finds you
Immediate Actions
No contract required. No enterprise minimums.
Texas O&G operators choose CoreRecon because we're the only SOC with OT-aware monitoring, TSA compliance documentation, and a 30-minute IR SLA — at $89–$129/endpoint/month, no 3-year contracts.
FREE — NO CONTRACT
Security Posture Assessment
2-hour external attack surface scan + IT/OT architecture review + TSA SD gap checklist. Delivered as a written report. No obligation.
Recommended first step for any operator before May 2026 TSA window
FREE TOOL
Ransomware Breach Cost Calculator
Enter your production volume, endpoint count, and downstream contracts. Get a defensible estimate of your real exposure. Based on IBM Cost of a Data Breach 2024 methodology.
Use this to justify the security budget conversation with your CFO or board
RETAINER — COMMAND TIER
Incident Response Retainer
Pre-authorized IR team on standby before an incident hits. 30-minute analyst-on-call SLA. TSA 12-hour CISA reporting workflow executed automatically. SCADA isolation playbook pre-approved by your operations team.
Critical for operators in Volt Typhoon / CyberAv3ngers targeting set
COMMAND TIER
TSA Compliance Package
Full implementation of TSA Pipeline-2021-01F requirements: Cybersecurity Coordinator designation (CoreRecon as named coordinator), CISA 12-hour reporting workflow, cybersecurity measures documentation, annual audit-ready posture. Includes CIRCIA and SEC 8-K support.
May 2, 2026 deadline — book now to guarantee compliance window coverage
About This Report
CoreRecon threat briefs are produced by the CoreRecon threat intelligence team, drawing on open-source intelligence, government advisories (CISA, FBI, TSA, DOE), industrial security vendor research (Dragos, Zscaler), and incident response experience with Texas critical infrastructure operators. This report is updated quarterly. The intelligence represents the best available information as of June 2026.
Primary sources: Zscaler Threat Intelligence Report 2025; Dragos Industrial Ransomware Analysis Q4 2025; Dragos 8th Annual OT Cybersecurity Year in Review 2025; CISA AA24-038A (Volt Typhoon); CISA AA23-335A / AA26-097A (CyberAv3ngers / IRGC-CEC); IBM Cost of a Data Breach 2024 (energy sector $4.9M average); Mandiant M-Trends 2025; TSA Pipeline Security Directive Pipeline-2021-01F / 2021-02F; SEC Cybersecurity Disclosure Rules (December 2023); NIST SP 800-82 Rev 3; DOE CESER OE-417 incident reporting schema.
Disclaimer: This report is for informational purposes only and does not constitute legal, regulatory, or professional cybersecurity advice. Operators should consult qualified cybersecurity professionals for specific threat assessments and compliance implementations. All incident data is sourced from publicly confirmed reports; confirmed incidents likely underrepresent actual activity.