Pipeline + Energy + Cybersecurity Layers

Routes — color by demand (default)

Data Center / AI

LNG export

Power generation

LDC

Industrial

Storage

Other

Unspecified

Routes — color by basis (toggle on): destination citygate − Henry Hub

discount (≤ $0)

+$0 to +$1

+$1 to +$3

+$3 to +$6

+$6 and above

Data layers

Planned NG plant

Operating NG plant ≥200 MW

PeeringDB data center

Meta hyperscaler campus

Toggle "State NG-generation share" layer to see what % of each state's power comes from gas. Toggle "Routes by BASIS" to switch coloring from demand-served to live basis spread.

Shodan exposure brief

Pipeline-area cities (25 km radius)

Ashburn / NoVa Data Center Alley	37,259
Pittsylvania County, VA hub	0
Henry Hub area (Erath, LA)	1
Corpus Christi LNG corridor	10
Sabine Pass / Cameron LNG	40
Permian / Waha (Pecos, TX)	0
Cheniere Bay (Plaquemines, LA)	0
Leidy Hub area (Clinton Co., PA)	0
Forest City, NC (Meta + MVP)	0
New Albany, OH (Meta Socrates)	1,645

Pipeline-operator exposure (US)

Operator	Hostname matches	Own-ASN matches
Williams	283	(no own ASN)
Enbridge	80	0
Kinder Morgan	66	(no own ASN)
TC Energy	48	0
Energy Transfer	26	(no own ASN)
Cheniere	23	(no own ASN)
Boardwalk	22	(no own ASN)
Tallgrass	6	32
MPLX	0	(no own ASN)

Hostname = Shodan-indexed services whose hostname includes the operator's corporate domain (catches cloud / CDN-hosted). Own-ASN = devices on the operator's registered ASN (smaller, ~3–8K IPs each). Most operators don't have their own ASN.

SCADA banner counts

Banner	US	Global
OASyS	15	105
OSIsoft PI	0	0
iFIX	63	210
Wonderware	3	5
Ovation	27	44
DeltaV	48	65
Symphony	262	664
ClearSCADA	0	11
Cygnet	78	117

🛡️ Defense team commentary — read this before drawing conclusions

1. Where to focus your monitoring

NoVa (Ashburn) corridor — 40,897 ICS endpoints within 25 km. This is the highest-priority surface in the country. Building-management traffic (Niagara/BACnet) and pipeline OT traffic share physical neighborhoods and increasingly share carriers. Hunt for cross-segment lateral movement first.
New Albany, OH (Meta Project Socrates) — 1,934 ICS endpoints. Hyperscaler co-location site directly fed by a gas plant + dedicated pipeline. Treat as a single converged trust zone.
Sabine Pass / Cameron LNG — 42 ICS endpoints. Small but each one matters: LNG terminals concentrate enormous physical energy in tight footprints.
SCADA platforms with measurable US exposure (counts above): Symphony 224 → power-gen + petrochemical; Cygnet 81 → midstream pipelines specifically; iFIX 71, DeltaV 44, Ovation 22, OASyS 20. Patch lag on any of these = exploitable inventory tonight.

2. MITRE ATT&CK for ICS — primary TTPs to detect against

ID	Technique	Why it lands here
T0883	Internet Accessible Device	Already realized — the count of exposed ICS is this technique pre-staged. Auditing those endpoints is the first defensive task.
T0859	Valid Accounts	Colonial Pipeline (2021) succeeded via one re-used VPN credential. Audit shared/legacy accounts in operator and contractor populations.
T0867	Lateral Tool Transfer	How an attacker moves from a compromised BMS at a data center into a gas-plant network. Segment + monitor east-west traffic.
T0826	Loss of Availability	Trip a compressor station or gas-turbine controller → fuel disruption → cascading power loss to dependent data centers.
T0832	Manipulation of View	Operators see false safe state while real-state diverges. Triton precedent. Cross-check HMI readings against independent sensors.
T0879	Damage to Property	Targeted attack on Safety Instrumented Systems (SIS) — Triconex, ESD logic. Air-gap SIS networks from BPCS at every site.
T0814	Denial of Service	Modbus/DNP3 floods against publicly reachable controllers. Filter inbound ICS-protocol traffic at the perimeter.
T0884	Connection Proxy	Adversary uses a compromised BMS host to relay C2 in/out. Egress filtering matters as much as ingress.
T0858	Change Operating Mode	Force a controller into programming/maintenance mode. Detect by alerting on out-of-window mode changes.
T0809	Data Destruction	Wiper malware on historians (OSIsoft PI etc.) destroys both visibility and audit trail. Offline historian backups are mandatory.

3. MITRE ATT&CK Enterprise — the IT side that gets you to OT

ID	Technique	Where it lands
T1566	Phishing	Initial access into a pipeline contractor or hyperscaler vendor. The least-defended human in the supply chain is the door.
T1190	Exploit Public-Facing Application	VPN appliances, Citrix, jump-hosts, web-based HMIs. Hostname-match hits (Williams 270, KMI 67) are roughly this surface.
T1133	External Remote Services	RDP, SSH, vendor remote-support tunnels. Many ICS vendors keep these on for "remote maintenance" by default.
T1486	Data Encrypted for Impact	Ransomware on IT forces OT shutdown precautionarily — exactly the Colonial 2021 sequence.
T1078	Valid Accounts	Stolen / phished operator and contractor credentials. Single shared MFA-free accounts are still common at smaller sites.

4. MITRE ATLAS — AI/ML attack surface at converged data-center sites

ID	Technique	Why it matters here
AML.T0010	ML Supply Chain Compromise	Poisoned base models / containers reach hyperscaler workloads via package or model registry compromise. Verify provenance.
AML.T0019	Publish Poisoned Datasets	Long-horizon training-set attacks. Particularly relevant to Project Socrates–class training campuses.
AML.T0024	Exfiltration via Cyber Means (model weights)	Frontier-model weights are the marquee target. Site-local OT disruption could be a distraction enabling exfil during recovery.
AML.T0040	ML Model Inference API Access	Model-distillation via abused inference endpoints. Rate-limit and watermark inference outputs.
AML.T0049	Exploit Public-Facing Application	Inference APIs and fine-tuning endpoints are now attack surfaces of equal weight to traditional web apps.

5. Consequences if exposures are not mitigated

Physical

Pipeline rupture, leak, or explosion from manipulated pressure/flow controls or disabled SIS (Triton precedent). Worst-case: fatality + evacuation + 9-figure remediation + criminal-liability investigation.
Gas-supply interruption to power plants → cascading grid loss → data centers running on diesel within minutes. NoVa data centers carry ~12–48h of on-site diesel; longer outages mean degraded internet services across the East Coast.
LNG-terminal safety event at Sabine Pass / Corpus Christi → fire / vapor cloud + global LNG-market price shock as US export capacity goes offline.
Environmental release — methane (a potent greenhouse gas) or condensate spill, regulatory and litigation exposure beyond the immediate damage.
Worker safety incidents — process-safety failures from manipulated controls put on-site staff and surrounding communities at risk.

Virtual

Multi-day operator shutdown (Colonial 2021 cost ~$4.4M ransom + days of fuel disruption to the US East Coast + executive testimony before Congress).
Frontier model weights or training data exfiltrated from a hyperscaler campus during OT-recovery confusion — irreversible IP loss valued in billions.
Cascading cloud-service degradation if data centers lose power and shed load nonuniformly; financial, healthcare, government services all dependent.
Gas-market price spike as physical disruption signals reach NYMEX. Henry Hub spikes propagate to every LNG cargo and every retail electricity bill in PJM.
Reputational and regulatory cascade — FERC, TSA, CISA, SEC disclosure requirements all activate. Pipeline-operator equity drops sharply on cyber events.
Erosion of public trust in critical infrastructure resilience — accelerates anti-AI-buildout regulatory headwinds politicians have already begun raising.

6. Defensive priorities (do these this quarter)

Audit every Shodan-indexed IP on a tracked operator hostname. Most should be reclassified as "expected" (websites, vendor portals); a handful will be misconfigured — close those.
Network-segment review at convergence sites (NoVa data centers, New Albany, LNG terminals): verify BMS, OT, and IT networks are physically or logically air-gapped with documented data-flow exceptions only.
SIS isolation audit: confirm Triconex / safety logic is on a dedicated network with no routable IP, no remote-support tunnel, no shared workstation.
TSA Pipeline Security Directive compliance verification (current version 2021-01G, January 2026 update) including MFA, segmentation, incident-reporting workflows.
Subscribe to CISA KEV catalog and auto-route advisories matching the SCADA banners above to the operator with measurable inventory.
Threat-hunt for known APT activity targeting energy sector: VOLTZITE / Volt Typhoon (T0883, T0859, T1133), GRAPHITE / APT44, ELECTRUM. Their TTPs are the realized versions of the techniques listed above.
Tabletop a "Colonial + Triton" composite: ransomware on IT *and* SIS manipulation on OT, simultaneously. The pipeline-data-center convergence makes this less hypothetical than it was in 2022.

Sources / further reading: MITRE ATT&CK for ICS (attack.mitre.org/matrices/ics), MITRE ATLAS (atlas.mitre.org), CISA Known Exploited Vulnerabilities catalog, TSA SD Pipeline-2021-01G, Dragos OT-CERT advisories.

Source: Shodan public index (defensive use only). Updated when shodan_pipelines.py is rerun.

Daily digest — 2026-06-02

Pipeline + data-center buildout digest — 2026-06-02

🔒 CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

🏛️ Federal Register — FERC & TSA (last 14 days)

2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…
2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …
2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…
2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

🛡️ TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

⚡ ERCOT interconnection queue (flagged new entries)

15 new entries flagged (gas-fueled OR ≥300 MW):

Queue ID	Project	County	MW	Fuel	Status	Completion
26INR0724	Monahans Power Gas	Ward	18.2	Gas	Active	2027-03-01 00:00:00
27INR0618	Prairie Point Energy Storage I	Wise	1044.8	Other	Active	2027-12-31 00:00:00
27INR0619	Prairie Point Energy Storage II	Wise	1044.8	Other	Active	2027-12-31 00:00:00
28INR0157	Axtell BESS	McLennan	306.94	Other	Active	2029-04-16 00:00:00
28INR0377	Wichita Creek Solar	Wichita	500.0	Solar	Active	2028-10-04 00:00:00
28INR0509	Thunder Bird 2 Gas	Jack	1273.8	Gas	Active	2031-06-14 00:00:00
29INR0154	Las Mujeres Solar	Jim Hogg	684.33	Solar	Active	2029-12-01 00:00:00
29INR0191	Black Mountain Fannin Gas	Fannin	990.6	Gas	Active	2029-09-28 00:00:00
29INR0264	Victory Ellis – Gas	Ellis	480.0	Gas	Active	2028-12-31 00:00:00
29INR0326	Montgomery Ranch 2 Wind	Foard	301.5	Wind	Active	2029-12-31 00:00:00
29INR0333	Tyler Rose Power Plant 1	Grimes	597.36	Gas	Active	2029-07-01 00:00:00
29INR0336	Tyler Rose Power Plant 2	Grimes	398.24	Gas	Active	2029-12-01 00:00:00
30INR0110	Thunder Bird 1 Gas	Jack	1272.8	Gas	Active	2030-06-14 00:00:00
30INR0113	The Giant Arc I	Pecos	1300.0	Gas	Active	2030-04-08 00:00:00
30INR0114	Longleaf II Power Station	Angelina	600.0	Gas	Active	2030-07-01 00:00:00

🌐 LBNL Empirical Queues (cross-ISO, quarterly)

Landing page last-modified: Tue, 02 Jun 2026 12:52:40 GMT
Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

📊 EIA market & demand snapshot

Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO	Avg now (MW)	Avg YoY (MW)	Avg Δ%	Peak now (MW)	Peak YoY (MW)	Peak Δ%
PJM (incl. NoVa Dominion Zone)	89,699	79,765	+12.5%	114,860	94,829	+21.1%
ERCOT (TX)	60,928	57,061	+6.8%	78,356	76,162	+2.9%
MISO (Midcontinent)	72,464	68,183	+6.3%	93,859	90,659	+3.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

📰 Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

🏘️ Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

🏛️ State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State	Bill	Title	Last action	Date
NC	S730	Ratepayer Protection Act	Re-ref to the Com on Commerce and Economic Development, if f	2026-05-28
PA	HB2535	Providing for the public safety regulation of large load users; requiring the su	Referred to Veterans Affairs & Emergency Preparedness	2026-05-27
PA	HB2533	In zoning, providing for optional moratorium on filing or consideration of new a	Referred to Local Government	2026-05-27
PA	SB1323	Providing for the regulation of commercial data centers; imposing duties on the	Referred to Consumer Protection & Professional Licensure	2026-05-20
NC	S1026	Power Bill Protection/Large Load Tariff	Re-ref Com On Appropriations/Base Budget	2026-05-05
NC	H1180	Data Center Amendments	Ref To Com On Rules, Calendar, and Operations of the House	2026-05-04
NC	H1063	Ratepayer and Resource Protection Act	Ref To Com On Rules, Calendar, and Operations of the House	2026-04-28
IA	SSB3181	A bill for an act making certain sales and use tax exemptions relating to nuclea	Committee report approving bill, renumbered as SF 2498.	2026-04-14
VA	SB94	Data centers; site assessment, sound profile of the high energy use facility.	Acts of Assembly Chapter text (CHAP0568)	2026-04-13
PA	HB1834	Providing for the regulation of commercial data centers; imposing duties on the	Referred to Consumer Protection & Professional Licensure	2026-03-31
PA	SB724	Providing for regulation of large load customers and public utilities and for co	Referred to Consumer Protection & Professional Licensure	2026-03-31
OH	SB381	Require PUCO approval to connect data centers to electrical grid	Referred to committee: Public Utilities	2026-03-25
OH	SB378	Enact the Responsible Water Use by Data Centers Act	Referred to committee: Public Utilities	2026-03-25
WI	SB1061	Moratorium on data centers.	Failed to pass pursuant to Senate Joint Resolution 1	2026-03-23
WI	AB1099	Moratorium on data centers.	Failed to pass pursuant to Senate Joint Resolution 1	2026-03-23
GA	SB410	State Sales and Use Taxes; the data center equipment sales and use tax exemption	House Second Readers	2026-03-10
OH	HB706	Impose certain minimum requirements on data center customers	Referred to committee: Energy	2026-02-25
OH	HB710	Prohibit public support, limit construction of, new data centers	Referred to committee: General Government	2026-02-25
GA	SB34	Public Service Commission; costs incurred by an electric utility as a result of	Senate Committee Favorably Reported By Substitute	2026-02-25
VA	HB658	State Corporation Commission; cost allocation proceedings for certain electric u	Left in Labor and Commerce	2026-02-18
VA	HB503	Electric utilities; cost recovery, costs substantially related to serving data c	Continued to next session in Labor and Commerce (Voice Vote)	2026-02-12
VA	SB466	Electric utilities; cost recovery, costs substantially related to serving data c	Continued to next session in Commerce and Labor (14-Y 0-N)	2026-02-12
VA	HB1515	Local approval of data centers; temporary moratorium.	Continued to next session in Rules (Voice Vote)	2026-02-06
GA	HB1059	Data Center Impact Assessment and Development Moratorium Act of 2026; enact	House Second Readers	2026-02-02
AZ	HB2467	Data centers; incentives repeal; requirements	House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0)	2026-01-22

… plus 4 more bills not shown.

🏛️ FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

🔄 Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

🛰️ Shodan ICS exposure (US)

Credits remaining: 94 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port	Protocol	US devices	Notes
502	Modbus	72,301	No native auth; pipeline & gas-plant SCADA.
20000	DNP3	208,946	Common in electric + gas SCADA.
2404	IEC 60870-5-104	54,040	Power/telecontrol.
102	Siemens S7	52,206	Siemens PLC programming.
47808	BACnet	29,209	Building automation; also pipeline aux systems.
44818	EtherNet/IP CIP	57,738	Rockwell / Allen-Bradley PLCs.
1911	Niagara Fox	49,340	Tridium Niagara, building management.
1962	PCWorx	37,437	Phoenix Contact ILC PLCs.
789	Red Lion Crimson3	37,622	Red Lion controllers.
9600	Omron FINS	65,446	Omron PLCs.

ICS vendor banner counts (US):

Vendor	Devices
Rockwell	1,832
Allen-Bradley	1,663
Tridium	1,579
Honeywell	632
Siemens	397
Red Lion	365
Emerson	18
ABB	2
Omron	1
Schneider Electric	0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.

Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

🏘️ Eminent Domain / Shadow Grid Watch

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas

Active projects (litigation-first, then by status)

Project	Status	Properties
Georgia Power Project Wansley Georgia Power · GA AJC↗ · Pravda Georgia↗ · Energy News Beat↗	condemnation_active ⚖ litigation	330
Dominion Northern Virginia Aerial Corridor Expansion Dominion Energy Virginia · VA Washington Post (placeholder)↗	certificate_filed ⚖ litigation	140
Meta Beaver Dam Site Transmission + Substation Extension We Energies (WEC) · WI ABC30↗	certificate_filed ⚖ litigation	47
Williams Northeast Supply Enhancement (NESE) Williams Companies (Transco subsidiary) · NJ, NY Reuters↗ · Bloomberg↗ · FERC docket↗	construction	primarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant Crusoe Energy · TX PGJ↗	construction	1
Meta Hyperion (Richland Parish, LA) Meta Platforms · LA DCD↗	construction	3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe) Crusoe Energy / Oracle · TX no link	construction	1
Williams Project Socrates (New Albany, OH) Williams Companies · OH no link	construction	18
MidAtlantic Resiliency Link NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA WESA↗ · Allegheny Front↗ · FERC docket↗	certificate_filed	estimated_>500
Energy Transfer New Mexico AI Data Center Pipeline Energy Transfer LP · NM Pipeline & Gas Journal↗ · FERC docket↗	certificate_filed	12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant Chevron + Engine No. 1 · TX TechCrunch↗	announced	minimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion Duke Energy Carolinas · NC, SC WRAL↗	announced	88

State legislative pushback

State	Action	Status / Date
NC	NC HB-2026-XXX (Data Center Eminent Domain Restrictions)↗ Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.	introduced 2026-05
OH	Ohio behind-the-meter requirement proposal↗ Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.	committee 2026-03
GA	Review of Georgia Power eminent-domain authority↗ Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.	legislative_review 2026-05
WI	Data center energy-cost socialization carveout (under review)↗ Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.	pre_introduction 2026-04
VA	VA HB-2026-XX data-center grid-impact transparency Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.	introduced 2026-02
PA	PA in-state-benefit standard for transmission eminent domain↗ Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.	discussion_phase 2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

About Anthropic
Anthropic doesn't operate its own data centers. Claude runs on AWS (primary partner; AWS Trainium / Bedrock infra) and Google Cloud (per the Oct 2025 expanded agreement). To see where Anthropic's compute physically lives, enable the "AWS / Azure / GCP regions" layer and look at AWS us-east-1 (Virginia), us-west-2 (Oregon), and GCP us-east4 / us-central1.

⚠️ KEV Analysis — Pipeline-Relevant Exploited Vulnerabilities

Total pipeline-relevant

HIGH (SCADA exposure)

Ransomware-flagged (3.4%)

VulnCheck-only (early warning)

0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog

Year	All KEVs	Pipeline-rel.	% pipeline-rel.
2026	150	0	0.0%
2025	557	0	0.0%
2024	657	1	0.15%
2023	538	2	0.37%
2022	476	3	0.63%
2021	504	7	1.39%
2020	372	2	0.54%
2019	290	3	1.03%
2018	257	4	1.56%
2017	215	1	0.47%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.

Top vendors (pipeline-relevant)

Vendor	# CVEs
Schneider Electric	9
Siemens	5
Advantech	3
Rockwell Automation	2
Mitsubishi Electric	2
Inductive Automation	1
Thrive Themes	1
ABB	1
Honeywell	1
Emerson	1

HIGH-priority CVEs (top 20, most recently added to KEV first)

The CVE ID year (e.g. CVE-2014-…) reflects when the vulnerability was first identified. The "Added to KEV" date is when CISA confirmed active exploitation. An old CVE freshly added to KEV means adversaries are still exploiting it — typical of SCADA where patching is slow.

CVE	Vendor / Product	Added to KEV	Exposure
CVE-2021-21801 [VC]	Advantech / R-SeeNet	2024-09-19	—
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]	Siemens / SIMATIC S7 CPU 1200 Firmware	2024-07-25	—
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]	Rockwell Automation / 1756-EN2F Series A Firmware	2024-02-20	—
Out-of-bounds Write
CVE-2022-35871 [VC]	Inductive Automation / Ignition	2024-02-20	—
Missing Authentication for Critical Function
CVE-2021-21805 [VC]	Advantech / R-SeeNet	2023-12-24	—
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]	Siemens / SIMATIC CP	2022-03-03	—
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]	Siemens / SIMATIC PCS7	2021-12-15	—
Untrusted Search Path
CVE-2021-24219 [VC]	Thrive Themes / FocusBlog	2021-03-24	27
Improper Access Control
CVE-2020-10621 [VC]	Advantech / WebAccess/NMS	2020-08-27	—
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]	Mitsubishi Electric / SmartRTU Firmware	2019-12-17	—
Missing Authentication for Critical Function
CVE-2019-14931 [VC]	Mitsubishi Electric / SmartRTU Firmware	2019-12-13	—
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]	Schneider Electric / Triconex Tricon MP 3008 Firmware	2018-12-20	—
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]	Schneider Electric / Triconex Tricon MP 3008 Firmware	2018-01-12	—
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]	Siemens / SIMATIC WinCC	2010-10-01	—
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

Sources: CISA KEV catalog + VulnCheck KEV enriched feed. Cross-referenced against tracked SCADA banners (Symphony, Cygnet, iFIX, DeltaV, Ovation, OASyS, Wonderware, ClearSCADA) and US ICS vendors. Updated daily at 06:00 EDT.

💥 What If… — Compromise-Impact Warning (current state, 2026-06-02)

Five scenarios anchored on numbers measurable on the live map today. Four are HIGH-priority SCADA platforms ranked by current US exposure; the fifth is the Henry Hub composite. Each scenario uses the US military Five-Paragraph OPORD format (SMEAC). Defensive use only. Numbers update with each daily refresh.

ABB Symphony DCS — 262 US endpoints exposed (as of 2026-06-02)

Current exposure: 262 Symphony endpoints visible from the public US internet today

Live KEV cross-reference: CVE-2024-6298

Severity: HIGH — Power generation supply disruption to AI data center load

📋 Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 262 endpoints visible as of 2026-06-02, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 262 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 262 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 262 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

⚠️ Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 78 US endpoints (pipeline-specific midstream)

Current exposure: 78 Cygnet midstream-pipeline SCADA endpoints visible today

Live KEV cross-reference: no KEV-listed CVEs currently affect this platform

Severity: HIGH — Direct compromise of pipeline operational visibility and control

📋 Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 78 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 78 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 78 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

⚠️ Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 63 US endpoints exposed

Current exposure: 63 GE iFIX HMI/SCADA endpoints visible today

Live KEV cross-reference: CVE-2014-0751

Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI

📋 Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 63 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (63 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 63 internet-exposed instances or move them behind MFA-required VPN.

⚠️ Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 75 US endpoints combined

Current exposure: 48 DeltaV + 27 Ovation US endpoints — total 75

Live KEV cross-reference: CVE-2021-45420

Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation

📋 Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (48 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 75 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 75 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

⚠️ Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state

Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain

Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.

Severity: STRATEGIC — National-scale market and supply disruption

📋 Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-02.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

⚠️ Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Framework: US military Five-Paragraph Operations Order (OPORD) / SMEAC. Data sources: Shodan ICS-protocol exposure scan, CISA KEV catalog + VulnCheck KEV enriched feed, EIA gas-pricing API, FERC interconnection-queue data, eminent_domain_projects.yaml (hand-curated). All exposure counts auto-refresh on the daily 06:00 EDT build.

BLUF 2026-06-02 08:55 EDT

WHO — US gas-pipeline operators (Williams, KMI, Enbridge, TC Energy, etc.), hyperscalers (Meta, Google, Microsoft, AWS, xAI, OpenAI/Stargate), and the AI labs that lease their compute (Anthropic on AWS+GCP).

WHAT — The largest US natural gas pipeline buildout since 2008 (~18 Bcf/d new capacity in 2026), built to feed gas-fired power plants that in turn feed AI data centers and LNG exports.

WHEN — Most capacity online 2026–2028. Gulf Coast LNG and Northern Virginia are the two biggest demand centers right now. PJM peak demand is up +4.4% year-over-year; that's the data-center signal.

SO WHAT — Pipeline operators individually segment their networks well (TC Energy and Enbridge: 0 exposed devices on their own ASNs). The real risk lives where gas plants and data centers share neighborhoods — 40,897 ICS endpoints within 25 km of Ashburn and 1,934 near Meta's New Albany (Project Socrates) site. Layered on top: a parallel "shadow grid" of transmission lines and behind-the-meter gas plants is being built specifically to serve hyperscalers, often via eminent-domain seizure of private property (Georgia Power Project Wansley, NextEra MidAtlantic Resiliency Link, Williams NESE). State legislatures are starting to push back. Toggle the 🏘️ Eminent Domain layer to see active projects.

Cyber watch: 29 pipeline-relevant KEVs tracked (14 high-priority on SCADA platforms with US exposure; 1 ransomware-campaign flagged = 3.4%). 0 added in the last 7 days; 0 in the last 30. VulnCheck flags 26 additional CVEs as actively exploited that CISA has not yet added. Highest-exposure tracked CVE: CVE-2021-24219 (Thrive Themes / FocusBlog, ~27 US endpoints).