This review systematizes cyber situational awareness (CSA) for oil & gas pipeline networks with an application-oriented workflow spanning data inputs, processing pipelines, and decision outputs. Building on recent literature, we distill three recurrent strands into reusable engineering dimensions-representative evidence, methods, constraints, and evaluation: (i) joint communication–process anomaly identification that fuses cyber telemetry with process signals; (ii) cross-domain situation modeling capable of spanning OT/IT boundaries under cloudified and remote O&M; and (iii) knowledge-driven context fusion with event-to-process-impact scoring to link alerts to operational risk. We synthesize method families covering spatiotemporal graph/Transformer learning, semi/self-supervision for scarce labels, evidential risk aggregation (e.g., Dempster–Shafer), hierarchical indicators and weighting (AHP), and SOC-oriented visualization that couples algorithmic metrics with operational KPIs. A critical appraisal reveals persistent gaps: non-uniform indicator definitions and weightings, the lack of pipeline-specific OT/ICS benchmarks, fragile cross-domain generalization, and detection-centric designs that seldom progress into explainable, auditable, and cost-aware response. To bridge research and deployment, we propose a practical agenda: establish harmonized benchmarks and evaluation protocols aligned with O&M KPIs; adopt governance-first multi-source integration with an ontology/knowledge-graph backbone; co-design models and runtime for edge/regional constraints via compression, distillation, and event-driven inference; and advance toward closed-loop defense through policy learning and playbook-guided automation. The review consolidates fragmented advances into a transferable, scalable, and measurable pathway for CSA in real pipeline environments.

Cyber situational awareness, OT/ICS (SCADA) security, Spatiotemporal graph/transformer, Closed-loop defense