| Ashburn / NoVa Data Center Alley | 24,258 |
| Pittsylvania County, VA hub | 0 |
| Henry Hub area (Erath, LA) | 0 |
| Corpus Christi LNG corridor | 14 |
| Sabine Pass / Cameron LNG | 37 |
| Permian / Waha (Pecos, TX) | 0 |
| Cheniere Bay (Plaquemines, LA) | 0 |
| Leidy Hub area (Clinton Co., PA) | 0 |
| Forest City, NC (Meta + MVP) | 0 |
| New Albany, OH (Meta Socrates) | 1,401 |
| Operator | Hostname matches | Own-ASN matches |
|---|---|---|
| Williams | 258 | (no own ASN) |
| TC Energy | 54 | 0 |
| Enbridge | 32 | 0 |
| Kinder Morgan | 25 | (no own ASN) |
| Boardwalk | 21 | (no own ASN) |
| Cheniere | 20 | (no own ASN) |
| Energy Transfer | 18 | (no own ASN) |
| Tallgrass | 1 | (no own ASN) |
| MPLX | 0 | (no own ASN) |
Hostname = Shodan-indexed services whose hostname includes the operator's corporate domain (catches cloud / CDN-hosted). Own-ASN = devices on the operator's registered ASN (smaller, ~3–8K IPs each). Most operators don't have their own ASN.
| Banner | US | Global |
|---|---|---|
| OASyS | 11 | 83 |
| OSIsoft PI | 0 | 1 |
| iFIX | 62 | 170 |
| Wonderware | 2 | 3 |
| Ovation | 24 | 47 |
| DeltaV | 28 | 57 |
| Symphony | -1 | -1 |
| ClearSCADA | 0 | 13 |
| Cygnet | 69 | 98 |
1. Where to focus your monitoring
2. MITRE ATT&CK for ICS — primary TTPs to detect against
| ID | Technique | Why it lands here |
|---|---|---|
| T0883 | Internet Accessible Device | Already realized — the count of exposed ICS *is* this technique pre-staged. Auditing those endpoints is the first defensive task. |
| T0859 | Valid Accounts | Colonial Pipeline (2021) succeeded via one re-used VPN credential. Audit shared/legacy accounts in operator and contractor populations. |
| T0867 | Lateral Tool Transfer | How an attacker moves from a compromised BMS at a data center into a gas-plant network. Segment + monitor east-west traffic. |
| T0826 | Loss of Availability | Trip a compressor station or gas-turbine controller → fuel disruption → cascading power loss to dependent data centers. |
| T0832 | Manipulation of View | Operators see false safe state while real-state diverges. Triton precedent. Cross-check HMI readings against independent sensors. |
| T0879 | Damage to Property | Targeted attack on Safety Instrumented Systems (SIS) — Triconex, ESD logic. Air-gap SIS networks from BPCS at every site. |
| T0814 | Denial of Service | Modbus/DNP3 floods against publicly reachable controllers. Filter inbound ICS-protocol traffic at the perimeter. |
| T0884 | Connection Proxy | Adversary uses a compromised BMS host to relay C2 in/out. Egress filtering matters as much as ingress. |
| T0858 | Change Operating Mode | Force a controller into programming/maintenance mode. Detect by alerting on out-of-window mode changes. |
| T0809 | Data Destruction | Wiper malware on historians (OSIsoft PI etc.) destroys both visibility and audit trail. Offline historian backups are mandatory. |
3. MITRE ATT&CK Enterprise — the IT side that gets you to OT
| ID | Technique | Where it lands |
|---|---|---|
| T1566 | Phishing | Initial access into a pipeline contractor or hyperscaler vendor. The least-defended human in the supply chain is the door. |
| T1190 | Exploit Public-Facing Application | VPN appliances, Citrix, jump-hosts, web-based HMIs. Hostname-match hits (Williams 270, KMI 67) are roughly this surface. |
| T1133 | External Remote Services | RDP, SSH, vendor remote-support tunnels. Many ICS vendors keep these on for "remote maintenance" by default. |
| T1486 | Data Encrypted for Impact | Ransomware on IT forces OT shutdown precautionarily — exactly the Colonial 2021 sequence. |
| T1078 | Valid Accounts | Stolen / phished operator and contractor credentials. Single shared MFA-free accounts are still common at smaller sites. |
4. MITRE ATLAS — AI/ML attack surface at converged data-center sites
| ID | Technique | Why it matters here |
|---|---|---|
| AML.T0010 | ML Supply Chain Compromise | Poisoned base models / containers reach hyperscaler workloads via package or model registry compromise. Verify provenance. |
| AML.T0019 | Publish Poisoned Datasets | Long-horizon training-set attacks. Particularly relevant to Project Socrates–class training campuses. |
| AML.T0024 | Exfiltration via Cyber Means (model weights) | Frontier-model weights are the marquee target. Site-local OT disruption could be a *distraction* enabling exfil during recovery. |
| AML.T0040 | ML Model Inference API Access | Model-distillation via abused inference endpoints. Rate-limit and watermark inference outputs. |
| AML.T0049 | Exploit Public-Facing Application | Inference APIs and fine-tuning endpoints are now attack surfaces of equal weight to traditional web apps. |
5. Consequences if exposures are not mitigated
Physical
Virtual
6. Defensive priorities (do these this quarter)
Sources / further reading: MITRE ATT&CK for ICS (attack.mitre.org/matrices/ics), MITRE ATLAS (atlas.mitre.org), CISA Known Exploited Vulnerabilities catalog, TSA SD Pipeline-2021-01G, Dragos OT-CERT advisories.
Source: Shodan public index (defensive use only). Updated when shodan_pipelines.py is rerun.
No advisories matched tracked operators/vendors in the last 7 days.
This notice announces that the Transportation Security Administration (TSA) has forwarded the new Information Collection Request (ICR) abstracted below to the Office of Management and Budget (OMB) for review and approval under the Paperwork Reduction Act (PRA). The ICR describes …
No change. 13 pipeline directives currently listed.
No new flagged entries since last run. 1793 total rows in queue.
Fri, 17 Jul 2026 10:36:28 GMTHourly demand by ISO — last 7 days vs. same week last year:
| ISO | Avg now (MW) | Avg YoY (MW) | Avg Δ% | Peak now (MW) | Peak YoY (MW) | Peak Δ% |
|---|---|---|---|---|---|---|
| PJM (incl. NoVa Dominion Zone) | 119,096 | 117,480 | +1.4% | 159,046 | 144,933 | +9.7% |
| ERCOT (TX) | 63,999 | 63,580 | +0.7% | 82,406 | 78,536 | +4.9% |
| MISO (Midcontinent) | 94,320 | 89,527 | +5.4% | 117,514 | 113,489 | +3.5% |
Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.
4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):
No new eminent-domain / shadow-grid articles since last run.
3 tracked condemnation dockets total; 3 still active.
1 FERC notice(s), 0 naming tracked operators: - 2026-07-17 [Docket No. CP26-548-000] Guardian Pipeline, LLC; Notice of Application and Establishing Intervention Deadline
Regulations.gov module not loaded.
Open States module not loaded.
USASpending module not loaded.
Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).
2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:
INVESTIGATION OPENED — U.S. Chemical Safety Board Opens Investigation into Fatal Chemical Incident at Catalyst Refiners Facility in West VirginiaSAFETY ADVISORY — U.S. Chemical Safety Board Commends AFPM for Voluntary Action to Improve Refinery Safety2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:
32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:
| State | Bill | Title | Last action | Date |
|---|---|---|---|---|
| PA | SB1345 | In zoning, providing for optional temporary moratorium on acceptance or consider | Second consideration | 2026-07-12 |
| PA | SB1384 | In tax credit and tax benefit administration, further providing for definitions; | Referred to Finance | 2026-07-10 |
| PA | HB2650 | In tax credit and tax benefit administration, further providing for definitions; | Referred to Finance | 2026-06-25 |
| OH | HB646 | Create the Data Center Study Commission | Informally passed | 2026-06-10 |
| NC | S730 | Ratepayer Protection Act | Ref To Com On Rules and Operations of the Senate | 2026-06-08 |
| PA | SB1359 | Imposing a Statewide moratorium on hyperscale data center development and permit | Referred to Local Government | 2026-06-04 |
| PA | HB2533 | In zoning, providing for optional moratorium on filing or consideration of new a | Referred to Local Government | 2026-05-27 |
| PA | SB1323 | Providing for the regulation of commercial data centers; imposing duties on the | Referred to Consumer Protection & Professional Licensure | 2026-05-20 |
| NC | S1026 | Power Bill Protection/Large Load Tariff | Re-ref Com On Appropriations/Base Budget | 2026-05-05 |
| NC | H1180 | Data Center Amendments | Ref To Com On Rules, Calendar, and Operations of the House | 2026-05-04 |
| NC | H1063 | Ratepayer and Resource Protection Act | Ref To Com On Rules, Calendar, and Operations of the House | 2026-04-28 |
| IA | SSB3181 | A bill for an act making certain sales and use tax exemptions relating to nuclea | Committee report approving bill, renumbered as SF 2498. | 2026-04-14 |
| VA | SB94 | Data centers; site assessment, sound profile of the high energy use facility. | Acts of Assembly Chapter text (CHAP0568) | 2026-04-13 |
| PA | HB1834 | Providing for the regulation of commercial data centers; imposing duties on the | Referred to Consumer Protection & Professional Licensure | 2026-03-31 |
| PA | SB724 | Providing for regulation of large load customers and public utilities and for co | Referred to Consumer Protection & Professional Licensure | 2026-03-31 |
| OH | SB381 | Require PUCO approval to connect data centers to electrical grid | Referred to committee: Public Utilities | 2026-03-25 |
| OH | SB378 | Enact the Responsible Water Use by Data Centers Act | Referred to committee: Public Utilities | 2026-03-25 |
| WI | SB1061 | Moratorium on data centers. | Failed to pass pursuant to Senate Joint Resolution 1 | 2026-03-23 |
| WI | AB1099 | Moratorium on data centers. | Failed to pass pursuant to Senate Joint Resolution 1 | 2026-03-23 |
| GA | SB410 | State Sales and Use Taxes; the data center equipment sales and use tax exemption | House Second Readers | 2026-03-10 |
| OH | HB706 | Impose certain minimum requirements on data center customers | Referred to committee: Energy | 2026-02-25 |
| OH | HB710 | Prohibit public support, limit construction of, new data centers | Referred to committee: General Government | 2026-02-25 |
| GA | SB34 | Public Service Commission; costs incurred by an electric utility as a result of | Senate Committee Favorably Reported By Substitute | 2026-02-25 |
| VA | HB658 | State Corporation Commission; cost allocation proceedings for certain electric u | Left in Labor and Commerce | 2026-02-18 |
| VA | HB503 | Electric utilities; cost recovery, costs substantially related to serving data c | Continued to next session in Labor and Commerce (Voice Vote) | 2026-02-12 |
… plus 7 more bills not shown.
No FERC docket matches this run.
4 tracked docket(s) show content changes — review and update the YAML if status has changed:
Credits remaining: 70 / 100 query, 100 / 100 scan (plan: dev).
Exposed ICS protocol endpoints by port:
| Port | Protocol | US devices | Notes |
|---|---|---|---|
| 502 | Modbus | 64,468 | No native auth; pipeline & gas-plant SCADA. |
| 20000 | DNP3 | 200,440 | Common in electric + gas SCADA. |
| 2404 | IEC 60870-5-104 | 53,908 | Power/telecontrol. |
| 102 | Siemens S7 | 48,315 | Siemens PLC programming. |
| 47808 | BACnet | 25,482 | Building automation; also pipeline aux systems. |
| 44818 | EtherNet/IP CIP | 55,772 | Rockwell / Allen-Bradley PLCs. |
| 1911 | Niagara Fox | 43,725 | Tridium Niagara, building management. |
| 1962 | PCWorx | 32,777 | Phoenix Contact ILC PLCs. |
| 789 | Red Lion Crimson3 | 33,453 | Red Lion controllers. |
| 9600 | Omron FINS | 62,510 | Omron PLCs. |
ICS vendor banner counts (US):
| Vendor | Devices |
|---|---|
| Tridium | 1,624 |
| Rockwell | 1,349 |
| Allen-Bradley | 1,296 |
| Honeywell | 328 |
| Red Lion | 294 |
| Siemens | 88 |
| Emerson | 15 |
| ABB | 3 |
| Schneider Electric | 1 |
| Omron | 1 |
All counts via Shodan /host/count (free, no credits charged). Defensive use only.
Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.
| Project | Status | Properties |
|---|---|---|
| Georgia Power Ashley Park–Wansley 500kV (Project Sail) Georgia Power · GA stale · 26d (2026-06-21) AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗ | condemnation_active litigation | 330 |
| Dominion Golden to Mars 500kV (Loudoun) Dominion Energy Virginia · VA stale · 26d (2026-06-21) Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ | certificate_granted litigation | contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed |
| Enbridge Chatham County gas pipeline (Siler City–Moncure, NC) Enbridge · NC stale · 26d (2026-06-21) Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗ | condemnation_active litigation | Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public |
| ANR Pipeline—Heartland Project condemnations (N. Illinois) ANR Pipeline Company, LLC · IL, WI stale · 26d (2026-06-21) CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗ | condemnation_active litigation | estimated_>3 |
| Transco—Northeast Supply Enhancement (Compressor Station 206, NJ) Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY stale · 26d (2026-06-21) CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗ | condemnation_active litigation | estimated_>1 |
| Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH) Columbia Gas Transmission, LLC · VA, OH stale · 26d (2026-06-21) CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗ | condemnation_active litigation | estimated_>2 |
| Google + Crusoe North Texas Gas Plant Crusoe Energy · TX stale · 26d (2026-06-21) PGJ↗ | construction | 1 |
| Meta Hyperion (Richland Parish, LA) Meta Platforms · LA stale · 26d (2026-06-21) DCD↗ | construction | 3 |
| OpenAI / Project Stargate Abilene Gas Plant (Crusoe) Crusoe Energy / Oracle · TX stale · 26d (2026-06-21) no link | construction | 1 |
| Williams Project Socrates (New Albany, OH) Williams Companies · OH stale · 26d (2026-06-21) no link | construction | 18 |
| Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection) American Transmission Company (ATC) · WI stale · 26d (2026-06-21) PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗ | certificate_granted | unconfirmed (no condemnation filing found) |
| MidAtlantic Resiliency Link NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA stale · 26d (2026-06-21) WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗ | certificate_filed | estimated_>500 |
| Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter Transwestern Pipeline Company (Energy Transfer subsidiary) · NM stale · 26d (2026-06-21) Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗ | certificate_filed | potential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land) |
| Microsoft + Chevron + Engine No. 1 West Texas Gas Plant Chevron + Engine No. 1 · TX stale · 26d (2026-06-21) TechCrunch↗ | announced | minimal_industrial_site |
| Case (docket) | Latest filing / status |
|---|---|
| ANR Pipeline Company, LLC v. Haugh↗ U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings | COMPLAINT filed by ANR Pipeline Company, LLC 2026-05-15 |
| ANR Pipeline Company v. Brener↗ U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings | COMPLAINT filed by ANR Pipeline Company 2026-05-15 |
| ANR Pipeline Company, LLC v. Cooper↗ U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings | COMPLAINT filed by ANR Pipeline Company, LLC 2026-05-15 |
| TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗ U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings | OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh) 2026-02-20 |
| Columbia Gas Transmission, LLC v. Gearing↗ U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings | Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi 2025-01-31 |
| Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗ U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings | closed/terminated 2024-12-03 2024-12-03 |
| ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗ U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings | closed/terminated 2024-07-24 2024-05-15 |
| State | Action | Status / Date |
|---|---|---|
| NC | NC S730—Ratepayer Protection Act↗ The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08. | in Senate Rules committee 2026-06-08 |
| OH | OH SB381—PUCO approval to connect data centers to the grid↗ Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25. | in committee (Public Utilities) 2026-03-25 |
| GA | Review of Georgia Power eminent-domain authority↗ Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission. | legislative_review 2026-05 |
| WI | Data center energy-cost socialization carveout (under review)↗ Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers. | pre_introduction 2026-04 |
| VA | VA SB334—Conveyances of interests in real property; public hearing required↗ Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A). | tabled in Appropriations 2026-02-16 |
| PA | PA SB1359—statewide hyperscale data-center moratorium↗ Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04. | referred to Local Government 2026-06-04 |
New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).
| Year | All KEVs | Pipeline-rel. | % pipeline-rel. |
|---|---|---|---|
| 2026 | 231 | 1 | 0.43% |
| 2025 | 564 | 0 | 0.0% |
| 2024 | 662 | 1 | 0.15% |
| 2023 | 541 | 2 | 0.37% |
| 2022 | 477 | 3 | 0.63% |
| 2021 | 508 | 6 | 1.18% |
| 2020 | 377 | 2 | 0.53% |
| 2019 | 290 | 3 | 1.03% |
| 2018 | 259 | 4 | 1.54% |
| 2017 | 215 | 1 | 0.47% |
The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.
| Vendor | # CVEs |
|---|---|
| Schneider Electric | 9 |
| Siemens | 5 |
| Advantech | 3 |
| Rockwell Automation | 2 |
| Mitsubishi Electric | 2 |
| Inductive Automation | 1 |
| ABB | 1 |
| Honeywell | 1 |
| Emerson | 1 |
| Omron | 1 |
The HIGH table below is platform-specific (a named SCADA/DCS/HMI product). This list shows the newest pipeline-relevant KEV additions across all tiers—including vendor-level OT entries that confirm active exploitation but match a vendor name rather than a specific HIGH-tier platform, so recent OT activity stays visible without diluting what HIGH means.
| CVE | Vendor / Product | Tier | RW | Added to KEV | Exposure |
|---|---|---|---|---|---|
| CVE-2026-25939 [VC] | Frangoteam / Fuxa | LOW | 2026-06-12 | — | |
| CVE-2021-22681 [CISA] | Rockwell Automation / Multiple Products | MED | 2026-03-05 | — | |
| CVE-2017-7973 [VC] | Schneider Electric / U.motion Builder | MED | 2026-03-05 | — | |
| CVE-2024-6298 [VC] | ABB / ASPECT-Enterprise 12 Firmware | MED | 2025-02-02 | — | |
| CVE-2021-21801 [VC] | Advantech / R-SeeNet | HIGH | 2024-09-19 | — | |
| CVE-2014-2908 [VC] | Siemens / SIMATIC S7 CPU 1200 Firmware | HIGH | 2024-07-25 | — | |
| CVE-2023-3595 [VC] | Rockwell Automation / 1756-EN2F Series A Firmware | HIGH | 2024-02-20 | — | |
| CVE-2022-35871 [VC] | Inductive Automation / Ignition | HIGH | 2024-02-20 | — | |
| CVE-2021-22707 [VC] | Schneider Electric / Evlink City evc1s22p4 Firmware | MED | 2024-02-14 | — | |
| CVE-2023-3710 [VC] | Honeywell / PM43 Firmware | MED | 2024-02-06 | — |
The CVE ID year (e.g. CVE-2014-…) reflects when the vulnerability was first identified. The "Added to KEV" date is when CISA confirmed active exploitation. An old CVE freshly added to KEV means adversaries are still exploiting it — typical of SCADA where patching is slow.
| CVE | Vendor / Product | RW | Added to KEV | Exposure |
|---|---|---|---|---|
| CVE-2021-21801 [VC] | Advantech / R-SeeNet | 2024-09-19 | — | |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||||
| CVE-2014-2908 [VC] | Siemens / SIMATIC S7 CPU 1200 Firmware | 2024-07-25 | — | |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | ||||
| CVE-2023-3595 [VC] | Rockwell Automation / 1756-EN2F Series A Firmware | 2024-02-20 | — | |
| Out-of-bounds Write | ||||
| CVE-2022-35871 [VC] | Inductive Automation / Ignition | 2024-02-20 | — | |
| Missing Authentication for Critical Function | ||||
| CVE-2021-21805 [VC] | Advantech / R-SeeNet | 2023-12-24 | — | |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2016-8562 [CISA] | Siemens / SIMATIC CP | 2022-03-03 | — | |
| 1543-1 Improper Privilege Management Vulnerability | ||||
| CVE-2012-3015 [VC] | Siemens / SIMATIC PCS7 | 2021-12-15 | — | |
| Untrusted Search Path | ||||
| CVE-2020-10621 [VC] | Advantech / WebAccess/NMS | 2020-08-27 | — | |
| Unrestricted Upload of File with Dangerous Type | ||||
| CVE-2019-14927 [VC] | Mitsubishi Electric / SmartRTU Firmware | 2019-12-17 | — | |
| Missing Authentication for Critical Function | ||||
| CVE-2019-14931 [VC] | Mitsubishi Electric / SmartRTU Firmware | 2019-12-13 | — | |
| Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | ||||
| CVE-2018-7522 [VC] | Schneider Electric / Triconex Tricon MP 3008 Firmware | 2018-12-20 | — | |
| Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation | ||||
| CVE-2018-8872 [VC] | Schneider Electric / Triconex Tricon MP 3008 Firmware | 2018-01-12 | — | |
| Improper Restriction of Operations within the Bounds of a Memory Buffer | ||||
| CVE-2010-2772 [VC] | Siemens / SIMATIC WinCC | 2010-10-01 | — | |
| Use of Hard-coded Credentials | ||||
[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked
Sources: CISA KEV catalog + VulnCheck KEV enriched feed. Cross-referenced against tracked SCADA banners (Symphony, Cygnet, iFIX, DeltaV, Ovation, OASyS, Wonderware, ClearSCADA) and US ICS vendors. Updated daily at 06:00 EDT.
A rotating selection of compromise-impact scenarios, anchored on numbers measurable on the live map today — exposed-endpoint counts and CISA KEV cross-references. The featured lineup rotates each daily build, and any platform with a fresh KEV in the last week leads. Each scenario uses the US military Five-Paragraph OPORD format (SMEAC). Defensive use only.
S — Situation
Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.
M — Mission
Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.
E — Execution
Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.
A — Administration & Logistics
Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.
C — Command & Signal
Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.
Physical:
Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.
Market / financial:
Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.
Regulatory / political:
FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.
S — Situation
Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).
M — Mission
Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.
E — Execution
Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.
A — Administration & Logistics
Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.
C — Command & Signal
Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.
Physical:
Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.
Market / financial:
Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.
Regulatory / political:
PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.
S — Situation
Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).
M — Mission
Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.
E — Execution
Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.
A — Administration & Logistics
Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.
C — Command & Signal
Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.
Physical:
Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.
Market / financial:
Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.
Regulatory / political:
PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.
Framework: US military Five-Paragraph Operations Order (OPORD) / SMEAC. Data sources: Shodan ICS-protocol exposure scan, CISA KEV catalog + VulnCheck KEV enriched feed, EIA gas-pricing API, FERC interconnection-queue data, eminent_domain_projects.yaml (hand-curated). All exposure counts auto-refresh on the daily 06:00 EDT build.
WHOUS gas-pipeline operators (Williams, KMI, Enbridge, TC Energy), hyperscalers (Meta, Google, Microsoft, AWS, xAI, OpenAI/Stargate), and the AI labs leasing their compute (Anthropic on AWS+GCP).
WHATThe largest US natural-gas pipeline buildout since 2008—~18 Bcf/d new capacity in 2026—feeding gas-fired power plants that feed AI data centers and LNG exports.
WHENMost capacity online 2026–2028. Gulf Coast LNG and Northern Virginia are the biggest demand centers; PJM peak demand is up +4.4% YoY—the data-center signal.
SO WHATOperators segment their own networks well (TC Energy, Enbridge: 0 exposed devices). The risk lives where gas plants and data centers share neighborhoods—40,897 ICS endpoints within 25 km of Ashburn, 1,934 near Meta's New Albany (Project Socrates). A parallel “shadow grid” is being built for hyperscalers, often via eminent-domain seizure (Georgia Power Wansley, NextEra MidAtlantic Resiliency Link, Williams NESE). State legislatures are pushing back.
Anthropic doesn't operate its own data centers.
Claude runs on AWS (primary partner; AWS Trainium / Bedrock) and Google Cloud (per the Oct 2025 expanded agreement).
To see where Anthropic's compute physically lives, enable the AWS / Azure / GCP regions layers and look at AWS us-east-1 (Virginia), us-west-2 (Oregon), and GCP us-east4 / us-central1.