Oil and gas operations have always required security teams to think differently. Pipelines stretch across hundreds of miles. Well pads sit in remote locations with limited staff. Refineries run continuously with no tolerance for unplanned downtime. Vendors and contractors connect regularly from outside the perimeter. These are the operational realities of the sector. In 2025, adversaries demonstrated they understand these operational realities well.
The 2026 Dragos OT/ICS Cybersecurity Year in Review, based on insights from across the Dragos Intelligence Fabric, documents how threat groups are exploiting the distributed, remote-access-dependent nature of oil and gas infrastructure to gain persistent footholds, map operational processes, and position for disruption. At the same time, it shows the sector lagging all others in several key vulnerability and detection gap metrics. Together, these findings define what oil and gas OT defenders need to prioritize now.
The most significant confirmed cyber threat activity against oil and gas OT environments in 2025 came from VOLTZITE, which Dragos elevated to a Stage 2 threat group based on what it was observed doing inside victim networks. VOLTZITE compromised cellular gateways across U.S. midstream operations, extending to upstream and downstream environments. These devices often sit at unmonitored OT edges, bypassing traditional network perimeter controls, and IT teams frequently have no visibility into their existence. Once inside, VOLTZITE pivoted to engineering workstations and manipulated software to dump configuration files and alarm data, intelligence that informs what conditions would trigger operational processes to stop.
AZURITE, a newly designated Stage 2 threat group, adds a separate but related dimension. AZURITE targets oil and gas engineering workstations to exfiltrate alarm data, configuration files, process information, and operator credentials. It has not been observed disrupting operations. Its intent, assessed with moderate confidence, is to collect OT intelligence that supports developing OT-specific attack capability. AZURITE is not a current threat to operations, but it is building the capability to become one.
What makes the oil and gas threat picture particularly concerning is the gap between adversary capability and defender visibility. Across the Dragos Intelligence Fabric, oil and gas consistently showed some of the most significant security findings of any sector.
Oil and gas had the highest prevalence of malware protection and detection gaps of any sector, appearing in 37 percent of findings. The core issue is not simply missing tools. Solutions deployed in OT environments that rely only on signature-based detection and have no awareness of ICS-specific protocols or adversary behavior are not effective at detecting ICS Cyber Kill Chain Stage 2 adversary activity inside industrial systems. In 13 percent of 2025 Dragos incident response cases, malware operated silently without triggering any alerts, executing without a visible interface or process that traditional detection tools could identify. The answer the report points to is ICS-aware network monitoring: visibility into how assets communicate, what protocols are in use, and when behavior deviates from established operational baselines.
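The baseline-deviation idea above can be made concrete. The following is an added example, not Dragos code and not from the report: it learns which assets talk, which peer pairs exist, and which port/protocol conversations are normal from a known-good window of flow records, then flags later flows that break the baseline. The addresses, zone labels and flow records are constructed for illustration; a cellular gateway beginning to talk to an engineering workstation, and that workstation beginning to write to a PLC, are the kinds of deviation the text describes.

```python
"""Baseline-deviation detection over OT flow records.

Added example, not Dragos code. All asset addresses, zone labels and flow
records below are constructed for illustration.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst port proto")

# Hypothetical asset inventory: address -> zone/role label.
ASSET_ZONES = {
    "10.10.1.20": "hmi",
    "10.10.1.30": "historian",
    "10.10.1.50": "engineering-workstation",
    "10.10.2.5": "plc",
    "10.10.2.6": "plc",
    "10.10.9.1": "cellular-gateway",
}

# Constructed flows from a learning window in which operations were known-good.
BASELINE_FLOWS = [
    Flow("10.10.1.20", "10.10.2.5", 502, "modbus/read"),    # HMI polls PLCs
    Flow("10.10.1.20", "10.10.2.6", 502, "modbus/read"),
    Flow("10.10.1.30", "10.10.2.5", 44818, "enip/read"),    # historian collects tags
    Flow("10.10.1.30", "10.10.2.6", 44818, "enip/read"),
    Flow("10.10.1.50", "10.10.2.5", 502, "modbus/read"),    # EWS reads during checks
]

# Constructed flows from a later window; two of them deviate from the baseline.
OBSERVED_FLOWS = [
    Flow("10.10.1.20", "10.10.2.5", 502, "modbus/read"),    # normal polling
    Flow("10.10.9.1", "10.10.1.50", 445, "smb"),            # gateway -> EWS, never seen
    Flow("10.10.1.50", "10.10.2.5", 502, "modbus/write"),   # EWS now writing to PLC
]


def build_baseline(flows):
    """Learn three things: which assets talk at all, which pairs talk, and
    which (pair, port, protocol) conversations are normal."""
    baseline = {"talkers": set(), "pairs": set(), "conversations": set()}
    for f in flows:
        baseline["talkers"].update((f.src, f.dst))
        baseline["pairs"].add((f.src, f.dst))
        baseline["conversations"].add(f)
    return baseline


def classify_flow(flow, baseline):
    """Return (severity, reason) for a deviating flow, or None if it is baseline."""
    if flow in baseline["conversations"]:
        return None
    src_zone = ASSET_ZONES.get(flow.src, "unknown")
    dst_zone = ASSET_ZONES.get(flow.dst, "unknown")
    if flow.src not in baseline["talkers"]:
        # A device that never spoke during learning is now initiating traffic.
        return "high", f"new source {flow.src} ({src_zone}) -> {dst_zone}"
    if (flow.src, flow.dst) not in baseline["pairs"]:
        edge_involved = "cellular-gateway" in (src_zone, dst_zone)
        ews_involved = "engineering-workstation" in (src_zone, dst_zone)
        sev = "high" if edge_involved or ews_involved else "medium"
        return sev, f"new peer pair {src_zone} -> {dst_zone}"
    # Known pair, but a protocol or function never used between them before;
    # a first-ever write toward process equipment is escalated.
    sev = "high" if flow.proto.endswith("/write") else "medium"
    return sev, f"new conversation {flow.proto}/{flow.port} on known pair {src_zone} -> {dst_zone}"


def detect(observed, baseline):
    """Run every observed flow against the baseline and collect deviations."""
    findings = []
    for f in observed:
        result = classify_flow(f, baseline)
        if result:
            sev, reason = result
            findings.append({"flow": f, "severity": sev, "reason": reason})
    return findings


if __name__ == "__main__":
    for hit in detect(OBSERVED_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(hit["severity"].upper(), hit["reason"])
```

The point of keying on protocol and function (read versus write) rather than on addresses alone is that the first deviations in the cases described are usually a known asset doing something new, not a new signature; the zone labels are what let an analyst see that the new conversation involves an unmonitored edge device or an engineering workstation.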
Vulnerability management findings hit oil and gas hardest across all sectors, at 31 percent of findings. The challenge in oil and gas is rarely awareness that vulnerabilities exist. It is that patching is constrained by operational continuity requirements, vendor qualification processes, and the realities of managing assets across remote, geographically distributed environments. The result is that known vulnerabilities coexist with internet exposure and remote access pathways for extended periods, a combination that adversaries exploit.
Poor IT/OT segmentation appeared in 29 percent of oil and gas findings, the highest share of any sector. Flat network architectures in oil and gas environments allow adversaries and ransomware to move laterally with minimal resistance once access is established. Default or weak credentials, while declining overall, remained elevated at 26 percent in oil and gas.
The 2026 Dragos OT/ICS Cybersecurity Year in Review reinforces that the SANS Five ICS Critical Controls remain the most direct path to reducing operational risk. For oil and gas, the data points clearly to where those controls matter most.
- OT/ICS Incident Response: Tabletop exercise (TTX) results make this the most urgent priority for O&G specifically. Major Challenges in the Communicate, Contain, and Document phases mean that when an incident occurs, the sector is not prepared to manage it effectively. O&G incident response plans need to account for geographically distributed assets, IT/OT organizational boundaries, and scenarios where operational anomalies are the first and only indicator of adversary activity.
- Defensible Architecture: With poor IT/OT segmentation as the leading architectural finding and flat network architectures enabling lateral movement, segmentation is foundational. Cellular gateways, vendor connections, and remote access pathways need to terminate in monitored, controlled zones, not directly into OT networks. VOLTZITE’s entry through Sierra Wireless gateways illustrates exactly what happens when they don’t.
- ICS Network Visibility and Monitoring: Oil and gas leads all sectors in OT visibility and detection gaps, and VOLTZITE exploited exactly those gaps in 2025, moving through cellular gateways and into engineering workstations undetected. IT-centric detection tools lack the ICS protocol awareness needed to identify adversary behavior inside operational networks. Meaningful visibility requires ICS-native network monitoring and telemetry that extends to the remote sites and field devices where oil and gas operations, and adversaries, actually operate.
- Secure Remote Access: Remote access is operationally essential in oil and gas, and it is the primary pathway adversaries use to enter. The combination of internet-facing systems at 26 percent, insecure remote access configurations, and default credentials means this attack surface is both wide and well-understood by adversaries. MFA, jump hosts, and strict access governance are not optional controls in this environment.
- Risk-Based Vulnerability Management: Leading all sectors with 31 percent of vulnerability management findings, oil and gas needs an approach grounded in operational context. The question is not whether a vulnerability is rated critical. It is whether the affected system is internet-reachable, remotely managed, and tied to processes that cannot tolerate disruption.
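The risk-based prioritization described in the last item can be expressed as decision logic. The following is an added example, not Dragos code and not a method the report prescribes: each finding carries a CVSS score plus the operational context the text names (internet reachability, remote management, tolerance for downtime) and whether the vendor has qualified a patch, and the ordering puts exposure path ahead of the raw score. Asset names, vulnerability identifiers and scores are constructed placeholders.

```python
"""Risk-based vulnerability prioritization using operational context.

Added example, not Dragos code. Asset names, vulnerability identifiers and
scores are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class VulnFinding:
    asset: str
    vuln_id: str             # placeholder, not a real CVE identifier
    cvss: float
    internet_reachable: bool
    remotely_managed: bool   # reachable via vendor VPN, cellular gateway or jump host
    downtime_tolerant: bool  # False for continuously running process equipment
    patch_qualified: bool    # vendor has qualified the fix for this asset/firmware


def exposure_tier(f):
    """Exposure path outranks the CVSS number: 0 = internet-reachable,
    1 = reachable only over a remote-management path, 2 = isolated."""
    if f.internet_reachable:
        return 0
    if f.remotely_managed:
        return 1
    return 2


def recommended_action(f):
    """Turn context into an action that respects operational constraints."""
    if exposure_tier(f) == 2 and f.cvss < 7.0:
        return "monitor and track"
    if not f.patch_qualified:
        return "no qualified patch: restrict the access path, add monitoring, track vendor fix"
    if f.downtime_tolerant:
        return "patch now"
    return "patch at next planned outage; restrict remote access until then"


def prioritize(findings):
    """Order by exposure tier, then by intolerance to disruption, then by CVSS."""
    return sorted(findings, key=lambda f: (exposure_tier(f), f.downtime_tolerant, -f.cvss))


# Constructed findings: a CVSS 9.8 on an isolated PLC sits below a CVSS 6.5 on an
# internet-reachable, remotely managed SCADA server once exposure is considered.
SAMPLE_FINDINGS = [
    VulnFinding("compressor-station-plc", "VULN-PLACEHOLDER-1", 9.8, False, False, False, False),
    VulnFinding("pipeline-scada-server", "VULN-PLACEHOLDER-2", 6.5, True, True, False, True),
    VulnFinding("vendor-remote-ews", "VULN-PLACEHOLDER-3", 7.5, False, True, True, True),
    VulnFinding("lab-test-hmi", "VULN-PLACEHOLDER-4", 5.0, False, False, True, True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"tier {exposure_tier(f)} cvss {f.cvss:>4} {f.asset:<24} {recommended_action(f)}")
```

The action strings are deliberately not all "patch": where a fix is not vendor-qualified or the process cannot be stopped, the defensible move is to remove or constrain the access path and monitor it, which is what the segmentation and remote access controls above provide.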
The oil and gas sector is not facing a hypothetical threat. VOLTZITE was inside U.S. pipeline operations in 2025, learning what would cause them to stop. AZURITE is collecting the operational intelligence needed to develop disruptive capability. And the sector’s own TTX data shows that when an incident occurs, most organizations are not prepared to communicate, contain, or document it effectively.
Ready to go deeper? Our on-demand 2026 Oil & Gas OT Threat Trends and Defensive Priorities briefing, which walks through the findings with Dragos experts, is available below.