Countdown — Pipeline Infrastructure Daily Archive

Five running histories — one per side panel — going back forever. Updated each morning at 06:00 EDT.

What If… — running history

latest
Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — -1 US endpoints exposed (as of 2026-07-17)
Current exposure: -1 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — -1 endpoints visible as of 2026-07-17, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the -1 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) -1 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the -1 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 69 US endpoints (pipeline-specific midstream)
Current exposure: 69 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 69 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 69 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 69 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 62 US endpoints exposed
Current exposure: 62 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 62 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (62 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 62 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

GE iFIX HMI/SCADA — 64 US endpoints exposed
Current exposure: 64 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 64 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (64 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 64 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 54 US endpoints combined
Current exposure: 29 DeltaV + 25 Ovation US endpoints — total 54
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (29 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (25 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 54 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 54 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 0 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 0 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 0 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-16.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 252 US endpoints exposed (as of 2026-07-15)
Current exposure: 252 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 252 endpoints visible as of 2026-07-15, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 252 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 252 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 252 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 71 US endpoints (pipeline-specific midstream)
Current exposure: 71 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 71 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 71 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 71 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

Cygnet SCADA — 71 US endpoints (pipeline-specific midstream)
Current exposure: 71 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 71 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 71 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 71 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 63 US endpoints exposed
Current exposure: 63 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 63 endpoints. KEV entries currently affecting GE platforms: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (63 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 63 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 51 US endpoints combined
Current exposure: 32 DeltaV + 19 Ovation US endpoints — total 51
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (32 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (19 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 51 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 51 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 4 Schneider Electric KEVs · 1 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 6 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-14.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 4 pipeline-relevant KEV CVEs
Current exposure: 4 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2021-22707, CVE-2022-34753, CVE-2021-22713, CVE-2018-7841
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 4 entries (CVE-2021-22707, CVE-2022-34753, CVE-2021-22713, CVE-2018-7841). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 4 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 4 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 264 US endpoints exposed (as of 2026-07-13)
Current exposure: 264 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 264 endpoints visible as of 2026-07-13, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 264 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 264 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 264 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

ABB Symphony DCS — 266 US endpoints exposed (as of 2026-07-12)
Current exposure: 266 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 266 endpoints visible as of 2026-07-12, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 266 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 266 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 266 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 68 US endpoints (pipeline-specific midstream)
Current exposure: 68 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 68 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 68 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 68 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 65 US endpoints exposed
Current exposure: 65 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 65 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (65 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 65 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 57 US endpoints combined
Current exposure: 34 DeltaV + 23 Ovation US endpoints — total 57
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (34 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (23 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 57 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 57 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-12.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-11.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 266 US endpoints exposed (as of 2026-07-10)
Current exposure: 266 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 266 endpoints visible as of 2026-07-10, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 266 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 266 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 266 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 70 US endpoints (pipeline-specific midstream)
Current exposure: 70 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 70 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 70 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 70 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 70 US endpoints exposed
Current exposure: 70 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 70 endpoints. KEV entries currently affecting GE platforms: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (70 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 70 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 72 US endpoints combined
Current exposure: 40 DeltaV + 32 Ovation US endpoints — total 72
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (32 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 72 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 72 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 40 DeltaV + 26 Ovation US endpoints — total 66
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (26 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 1 Schneider Electric KEVs · 1 Siemens KEVs · 0 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 2 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-09.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7841
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 1 entries (CVE-2018-7841). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 1 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 1 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2016-8562
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 1 Siemens CVEs sit on the KEV catalog today (CVE-2016-8562). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 1 Rockwell CVEs are on the KEV catalog today (CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 269 US endpoints exposed (as of 2026-07-08)
Current exposure: 269 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 269 endpoints visible as of 2026-07-08, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 269 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 269 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 269 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 71 US endpoints (pipeline-specific midstream)
Current exposure: 71 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 71 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 71 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 71 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 65 US endpoints exposed
Current exposure: 65 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 65 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (65 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 65 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

GE iFIX HMI/SCADA — 65 US endpoints exposed
Current exposure: 65 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 65 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (65 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 65 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 38 DeltaV + 28 Ovation US endpoints — total 66
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (38 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (28 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-07.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 270 US endpoints exposed (as of 2026-07-06)
Current exposure: 270 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 270 endpoints visible as of 2026-07-06, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 270 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 270 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 270 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 72 US endpoints (pipeline-specific midstream)
Current exposure: 72 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 72 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 72 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 72 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

Cygnet SCADA — 72 US endpoints (pipeline-specific midstream)
Current exposure: 72 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 72 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 72 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 72 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 61 US endpoints exposed
Current exposure: 61 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 61 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (61 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 61 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 65 US endpoints combined
Current exposure: 38 DeltaV + 27 Ovation US endpoints — total 65
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (38 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 65 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 65 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-05.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Schneider Electric Modicon / Triconex — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7841
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 1 entries (CVE-2018-7841). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 1 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 1 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2016-8562
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 1 Siemens CVEs sit on the KEV catalog today (CVE-2016-8562). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 1 pipeline-relevant KEV CVEs
Current exposure: 1 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 1 Rockwell CVEs are on the KEV catalog today (CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 0 pipeline-relevant KEV CVEs
Current exposure: 0 CISA KEV-listed CVEs currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 0 Experion CVEs on the KEV catalog today (no KEV-listed CVEs currently affect this platform).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 0 unpatched Experion CVEs; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 272 US endpoints exposed (as of 2026-07-04)
Current exposure: 272 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 272 endpoints visible as of 2026-07-04, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 272 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 272 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 272 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

ABB Symphony DCS — 272 US endpoints exposed (as of 2026-07-03)
Current exposure: 272 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 272 endpoints visible as of 2026-07-03, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 272 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 272 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 272 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 69 US endpoints (pipeline-specific midstream)
Current exposure: 69 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 69 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 69 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 69 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 66 US endpoints exposed
Current exposure: 66 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 66 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (66 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 66 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 65 US endpoints combined
Current exposure: 38 DeltaV + 27 Ovation US endpoints — total 65
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (38 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 65 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 65 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-03.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-07-02.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 260 US endpoints exposed (as of 2026-07-01)
Current exposure: 260 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 260 endpoints visible as of 2026-07-01, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 260 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 260 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 260 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 71 US endpoints (pipeline-specific midstream)
Current exposure: 71 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 71 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 71 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 71 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 67 US endpoints exposed
Current exposure: 67 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 67 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (67 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 67 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 59 US endpoints combined
Current exposure: 37 DeltaV + 22 Ovation US endpoints — total 59
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (37 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (22 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 59 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 59 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Emerson DeltaV + Ovation DCS — 57 US endpoints combined
Current exposure: 36 DeltaV + 21 Ovation US endpoints — total 57
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (36 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (21 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 57 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 57 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-30.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 245 US endpoints exposed (as of 2026-06-29)
Current exposure: 245 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 245 endpoints visible as of 2026-06-29, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 245 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 245 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 245 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 69 US endpoints (pipeline-specific midstream)
Current exposure: 69 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 69 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 69 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 69 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 68 US endpoints exposed
Current exposure: 68 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 68 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (68 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 68 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

GE iFIX HMI/SCADA — 69 US endpoints exposed
Current exposure: 69 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 69 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (69 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 69 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 65 US endpoints combined
Current exposure: 40 DeltaV + 25 Ovation US endpoints — total 65
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (25 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 65 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 65 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-28.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 245 US endpoints exposed (as of 2026-06-27)
Current exposure: 245 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 245 endpoints visible as of 2026-06-27, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 245 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 245 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 245 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 70 US endpoints (pipeline-specific midstream)
Current exposure: 70 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 70 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 70 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 70 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

Cygnet SCADA — 70 US endpoints (pipeline-specific midstream)
Current exposure: 70 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 70 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 70 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 70 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 70 US endpoints exposed
Current exposure: 70 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 70 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (70 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 70 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 62 US endpoints combined
Current exposure: 40 DeltaV + 22 Ovation US endpoints — total 62
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (22 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 62 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 62 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-26.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 238 US endpoints exposed (as of 2026-06-25)
Current exposure: 238 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 238 endpoints visible as of 2026-06-25, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 238 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 238 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 238 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

ABB Symphony DCS — 247 US endpoints exposed (as of 2026-06-24)
Current exposure: 247 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 247 endpoints visible as of 2026-06-24, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 247 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 247 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 247 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 69 US endpoints (pipeline-specific midstream)
Current exposure: 69 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 69 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 69 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 69 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 69 US endpoints exposed
Current exposure: 69 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 69 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (69 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 69 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 61 US endpoints combined
Current exposure: 40 DeltaV + 21 Ovation US endpoints — total 61
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (21 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 61 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 61 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-24.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 247 US endpoints exposed (as of 2026-06-23)
Current exposure: 247 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 247 endpoints visible as of 2026-06-23, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 247 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 247 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 247 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 68 US endpoints (pipeline-specific midstream)
Current exposure: 68 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 68 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 68 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 68 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 67 US endpoints exposed
Current exposure: 67 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 67 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (67 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 67 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 63 US endpoints combined
Current exposure: 39 DeltaV + 24 Ovation US endpoints — total 63
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (39 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (24 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 63 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 63 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 245 US endpoints exposed (as of 2026-06-22)
Current exposure: 245 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 245 endpoints visible as of 2026-06-22, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 245 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 245 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 245 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 70 US endpoints (pipeline-specific midstream)
Current exposure: 70 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 70 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 70 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 70 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 71 US endpoints exposed
Current exposure: 71 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 71 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (71 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 71 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 252 US endpoints exposed (as of 2026-06-21)
Current exposure: 252 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 252 endpoints visible as of 2026-06-21, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 252 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 252 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 252 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 71 US endpoints (pipeline-specific midstream)
Current exposure: 71 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 71 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 71 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 71 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 244 US endpoints exposed (as of 2026-06-20)
Current exposure: 244 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 244 endpoints visible as of 2026-06-20, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 244 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 244 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 244 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-19.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

Emerson DeltaV + Ovation DCS — 68 US endpoints combined
Current exposure: 41 DeltaV + 27 Ovation US endpoints — total 68
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (41 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 68 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 68 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-18.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

GE iFIX HMI/SCADA — 79 US endpoints exposed
Current exposure: 79 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 79 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (79 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 79 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 70 US endpoints combined
Current exposure: 41 DeltaV + 29 Ovation US endpoints — total 70
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (41 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (29 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 70 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 70 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-17.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Cygnet SCADA — 82 US endpoints (pipeline-specific midstream)
Current exposure: 82 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 82 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 82 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 82 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 75 US endpoints exposed
Current exposure: 75 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 75 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (75 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 75 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 72 US endpoints combined
Current exposure: 41 DeltaV + 31 Ovation US endpoints — total 72
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (41 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (31 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 72 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 72 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-16.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

ABB Symphony DCS — 249 US endpoints exposed (as of 2026-06-15)
Current exposure: 249 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 249 endpoints visible as of 2026-06-15, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 249 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 249 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 249 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 79 US endpoints (pipeline-specific midstream)
Current exposure: 79 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 79 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 79 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 79 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 80 US endpoints exposed
Current exposure: 80 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 80 endpoints. KEV entries currently affecting GE platforms: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (80 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 80 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 68 US endpoints combined
Current exposure: 40 DeltaV + 28 Ovation US endpoints — total 68
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (28 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 68 endpoints. KEV entries affecting Emerson: no KEV-listed CVEs currently affect this platform.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 68 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 1 Schneider Electric KEVs · 1 Siemens KEVs · 0 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 2 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-15.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 249 US endpoints exposed (as of 2026-06-14)
Current exposure: 249 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 249 endpoints visible as of 2026-06-14, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 249 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 249 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 249 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 79 US endpoints (pipeline-specific midstream)
Current exposure: 79 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 79 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 79 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 79 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 80 US endpoints exposed
Current exposure: 80 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 80 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (80 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 80 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 68 US endpoints combined
Current exposure: 40 DeltaV + 28 Ovation US endpoints — total 68
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (28 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 68 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 68 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 255 US endpoints exposed (as of 2026-06-13)
Current exposure: 255 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 255 endpoints visible as of 2026-06-13, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 255 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 255 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 255 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 79 US endpoints (pipeline-specific midstream)
Current exposure: 79 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 79 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 79 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 79 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 75 US endpoints exposed
Current exposure: 75 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 75 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (75 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 75 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 255 US endpoints exposed (as of 2026-06-12)
Current exposure: 255 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 255 endpoints visible as of 2026-06-12, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 255 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 255 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 255 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 80 US endpoints (pipeline-specific midstream)
Current exposure: 80 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 80 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 80 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 80 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 258 US endpoints exposed (as of 2026-06-11)
Current exposure: 258 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 258 endpoints visible as of 2026-06-11, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 258 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 258 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 258 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-10.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

Schneider Electric Modicon / Triconex — 9 pipeline-relevant KEV CVEs
Current exposure: 9 CISA KEV-listed CVEs currently affect Schneider OT platforms — the largest known-exploited footprint of any pipeline-relevant vendor today
Live KEV cross-reference: CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707
Severity: HIGH — Safety-instrumented-system bypass at gas processing and compression
Five-Paragraph OPORD (SMEAC)

S — Situation

Schneider Electric carries the largest set of actively-exploited CVEs of any pipeline-relevant vendor on the KEV catalog today — 9 entries (CVE-2018-7522, CVE-2018-8872, CVE-2017-7973, CVE-2021-22707). Modicon PLCs run valve and compressor logic across US midstream; Triconex is the dominant safety-instrumented system (SIS) at gas plants and LNG trains — the same SIS family targeted by the TRITON malware framework.

M — Mission

Adversary objective: defeat or blind the safety-instrumented layer at a gas-processing plant, LNG train, or major compressor station so a deliberately induced process upset is NOT tripped to a safe state — turning a recoverable fault into an overpressure or release event.

E — Execution

Phase 1: exploit one of the 9 known CVEs to gain a foothold on the engineering network. Phase 2: reach the Triconex/Modicon engineering workstation and load altered logic or disable SIS voting. Phase 3: drive the basic process control system to an unsafe setpoint while the safety layer is suppressed. Phase 4: erase the engineering audit trail.

A — Administration & Logistics

Feasibility today rests on (1) 9 unpatched, actively-exploited Schneider CVEs; (2) SIS and basic control logic that share engineering access in many deployments; (3) safety-system patch cycles tied to multi-year turnaround windows.

C — Command & Signal

Indicators: unscheduled logic downloads to any Triconex or Modicon controller; SIS voting or bypass changes outside a permitted-work window; engineering-station traffic to non-vendor destinations. Defensive priorities: patch the KEV-listed CVEs on a safety-critical schedule, enforce key-switch RUN mode on SIS controllers, require two-person authorization for any safety-logic change. Reporting: CISA; TSA Pipeline Security; ONG-ISAC.

Consequences if unmitigated

Physical:

A defeated safety-instrumented system removes the last automatic protection against overpressure, high temperature, or loss of containment at a gas plant or LNG train — from an emergency shutdown and days-long restart to a release, fire, or explosion if the basic control system is simultaneously driven unsafe.

Market / financial:

Loss of a single large gas-processing plant or LNG train removes major throughput; an LNG-train outage idles export cargoes and tightens domestic supply. Liability and business-interruption exposure runs to the billions.

Regulatory / political:

PHMSA and TSA scrutiny of OT cyber controls; likely CISA emergency directives for Schneider SIS operators; insurer repricing for sites running KEV-listed Triconex/Modicon.

Siemens SIMATIC S7 / WinCC — 5 pipeline-relevant KEV CVEs
Current exposure: 5 CISA KEV-listed CVEs currently affect Siemens SIMATIC / WinCC / Spectrum Power platforms
Live KEV cross-reference: CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772
Severity: HIGH — Loss of control at compression, metering, and gas-fired generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Siemens SIMATIC S7 controllers and WinCC SCADA run compressor stations, metering, and the gas-fired generation feeding data-center load; 5 Siemens CVEs sit on the KEV catalog today (CVE-2014-2908, CVE-2016-8562, CVE-2012-3015, CVE-2010-2772). S7 is the controller family Stuxnet was built to reprogram.

M — Mission

Adversary objective: reprogram or halt S7 logic controlling compression or generation in a chosen corridor, or falsify the WinCC operator view so the upset is not seen until it propagates.

E — Execution

Phase 1: exploit a KEV-listed S7/WinCC flaw reachable from an exposed HMI or remote-access path. Phase 2: pivot to the automation network. Phase 3: alter controller logic or HMI tags. Phase 4: synchronize disruption to peak demand and wipe the historian.

A — Administration & Logistics

Feasibility rests on (1) 5 unpatched Siemens CVEs; (2) WinCC stations bridged to corporate IT; (3) S7 controllers without RUN-mode key protection.

C — Command & Signal

Indicators: unexpected S7 STOP/PROGRAM transitions; WinCC tag changes with no work order; HMI traffic to unknown hosts. Defensive priorities: patch KEV CVEs, enforce controller key-switch protection, segment WinCC from IT. Reporting: CISA; TSA; ONG-ISAC; the relevant ISO security desk.

Consequences if unmitigated

Physical:

Tripped or runaway compression and generating units in one load zone; data-center alley loses grid supply and falls to diesel within hours; ungraceful trips can damage rotating equipment and extend restart to weeks.

Market / financial:

Intraday wholesale power spikes to the administrative cap in the affected ISO; compute SLAs breach within the diesel-reserve window; multi-billion-dollar loss across operators, power buyers, and AI customers.

Regulatory / political:

FERC/NERC review of generator cyber readiness; accelerated TSA-style cyber rules for gas-fired generation; insurer repricing for measurable Siemens exposure.

Rockwell ControlLogix / FactoryTalk — 2 pipeline-relevant KEV CVEs
Current exposure: 2 CISA KEV-listed CVEs currently affect Rockwell Allen-Bradley ControlLogix / FactoryTalk platforms
Live KEV cross-reference: CVE-2023-3595, CVE-2021-22681
Severity: HIGH — Pump-station and terminal control disruption across midstream
Five-Paragraph OPORD (SMEAC)

S — Situation

Allen-Bradley ControlLogix PLCs and FactoryTalk run pump stations, tank farms, and liquids terminals across US midstream; 2 Rockwell CVEs are on the KEV catalog today (CVE-2023-3595, CVE-2021-22681).

M — Mission

Adversary objective: seize or crash ControlLogix processors governing pumping and tank-farm valves to force a liquids-pipeline shutdown or a tank overfill / pressure transient.

E — Execution

Phase 1: exploit a KEV-listed ControlLogix/FactoryTalk CVE from an exposed engineering or remote path. Phase 2: reach the controller. Phase 3: fault the processor or alter pump/valve logic. Phase 4: mask the change in FactoryTalk.

A — Administration & Logistics

Feasibility rests on (1) 2 unpatched Rockwell CVEs; (2) flat OT networks at terminals; (3) remote-access tools left exposed.

C — Command & Signal

Indicators: unexpected processor faults; logic edits with no change ticket; FactoryTalk access from new hosts. Defensive priorities: patch KEV CVEs, segment terminal OT, lock down remote access. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Forced shutdown of a liquids pipeline or terminal; in the worst case a tank overfill or pressure transient with spill, fire, or environmental release.

Market / financial:

Regional product-supply disruption (gasoline, diesel, NGLs); price spikes at racks served by the affected terminals; cleanup and liability costs.

Regulatory / political:

PHMSA incident investigation; TSA review of terminal cyber controls; insurer scrutiny of operators on KEV-listed Rockwell versions.

Honeywell Experion PKS — 1 pipeline-relevant KEV CVE
Current exposure: 1 CISA KEV-listed CVE currently affect Honeywell Experion PKS — a dominant DCS at US gas processing and LNG
Live KEV cross-reference: CVE-2023-3710
Severity: HIGH — Distributed-control compromise at gas processing and LNG
Five-Paragraph OPORD (SMEAC)

S — Situation

Honeywell Experion PKS is a dominant distributed control system at US gas-processing plants, refineries, and LNG facilities; 1 Experion CVE on the KEV catalog today (CVE-2023-3710).

M — Mission

Adversary objective: take control of the Experion DCS at a gas-processing or LNG facility to drive units to an unsafe state or force a sustained outage.

E — Execution

Phase 1: exploit the KEV-listed Experion CVE from a reachable server or remote path. Phase 2: reach the C300 controllers and Experion servers. Phase 3: alter control strategy or force a unit trip. Phase 4: destroy the historian and backups.

A — Administration & Logistics

Feasibility rests on (1) 1 unpatched Experion CVE; (2) DCS servers bridged to plant IT; (3) deferred DCS patching tied to turnaround windows.

C — Command & Signal

Indicators: unscheduled control-strategy changes; Experion server traffic to unknown hosts; historian write failures. Defensive priorities: patch the KEV CVE, isolate the DCS, two-person change control. Reporting: CISA; TSA; ONG-ISAC.

Consequences if unmitigated

Physical:

Loss of control or forced shutdown at a gas-processing plant or LNG train; potential release, fire, or explosion if units are driven unsafe; restart measured in days to weeks.

Market / financial:

Lost processing/export throughput tightens domestic supply and idles cargoes; multi-billion-dollar interruption and liability exposure.

Regulatory / political:

PHMSA/TSA investigation; likely CISA directive for Experion operators; insurer repricing for KEV-listed Experion exposure.

ABB Symphony DCS — 248 US endpoints exposed (as of 2026-06-09)
Current exposure: 248 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 248 endpoints visible as of 2026-06-09, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 248 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 248 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 248 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 74 US endpoints (pipeline-specific midstream)
Current exposure: 74 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 74 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 74 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 74 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 68 US endpoints exposed
Current exposure: 68 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 68 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (68 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 68 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 39 DeltaV + 27 Ovation US endpoints — total 66
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (39 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-09.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 256 US endpoints exposed (as of 2026-06-08)
Current exposure: 256 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 256 endpoints visible as of 2026-06-08, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 256 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 256 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 256 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 76 US endpoints (pipeline-specific midstream)
Current exposure: 76 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 76 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 76 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 76 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 67 US endpoints exposed
Current exposure: 67 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 67 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (67 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 67 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 39 DeltaV + 27 Ovation US endpoints — total 66
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (39 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-08.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 257 US endpoints exposed (as of 2026-06-07)
Current exposure: 257 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 257 endpoints visible as of 2026-06-07, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 257 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 257 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 257 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 76 US endpoints (pipeline-specific midstream)
Current exposure: 76 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 76 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 76 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 76 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 68 US endpoints exposed
Current exposure: 68 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 68 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (68 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 68 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 63 US endpoints combined
Current exposure: 38 DeltaV + 25 Ovation US endpoints — total 63
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (38 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (25 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 63 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 63 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-07.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 264 US endpoints exposed (as of 2026-06-06)
Current exposure: 264 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 264 endpoints visible as of 2026-06-06, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 264 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 264 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 264 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 77 US endpoints (pipeline-specific midstream)
Current exposure: 77 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 77 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 77 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 77 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 75 US endpoints exposed
Current exposure: 75 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 75 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (75 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 75 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 65 US endpoints combined
Current exposure: 42 DeltaV + 23 Ovation US endpoints — total 65
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (42 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (23 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 65 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 65 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 14 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-06.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 264 US endpoints exposed (as of 2026-06-05)
Current exposure: 264 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 264 endpoints visible as of 2026-06-05, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 264 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 264 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 264 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 78 US endpoints (pipeline-specific midstream)
Current exposure: 78 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 78 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 78 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 78 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 68 US endpoints exposed
Current exposure: 68 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 68 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (68 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 68 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 41 DeltaV + 25 Ovation US endpoints — total 66
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (41 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (25 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-05.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 259 US endpoints exposed (as of 2026-06-04)
Current exposure: 259 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 259 endpoints visible as of 2026-06-04, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 259 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 259 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 259 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 78 US endpoints (pipeline-specific midstream)
Current exposure: 78 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 78 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 78 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 78 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 71 US endpoints exposed
Current exposure: 71 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 71 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (71 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 71 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 67 US endpoints combined
Current exposure: 40 DeltaV + 27 Ovation US endpoints — total 67
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (40 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 67 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 67 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-04.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 255 US endpoints exposed (as of 2026-06-03)
Current exposure: 255 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 255 endpoints visible as of 2026-06-03, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 255 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 255 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 255 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 78 US endpoints (pipeline-specific midstream)
Current exposure: 78 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 78 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 78 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 78 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 66 US endpoints exposed
Current exposure: 66 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 66 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (66 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 66 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 72 US endpoints combined
Current exposure: 45 DeltaV + 27 Ovation US endpoints — total 72
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (45 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 72 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 72 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-03.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 262 US endpoints exposed (as of 2026-06-02)
Current exposure: 262 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 262 endpoints visible as of 2026-06-02, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 262 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 262 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 262 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 78 US endpoints (pipeline-specific midstream)
Current exposure: 78 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 78 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 78 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 78 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 63 US endpoints exposed
Current exposure: 63 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 63 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (63 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 63 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 75 US endpoints combined
Current exposure: 48 DeltaV + 27 Ovation US endpoints — total 75
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (48 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 75 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 75 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-06-02.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 257 US endpoints exposed (as of 2026-05-31)
Current exposure: 257 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 257 endpoints visible as of 2026-05-31, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 257 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 257 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 257 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 73 US endpoints (pipeline-specific midstream)
Current exposure: 73 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 73 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 73 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 73 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 67 US endpoints exposed
Current exposure: 67 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 67 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (67 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 67 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 67 US endpoints combined
Current exposure: 44 DeltaV + 23 Ovation US endpoints — total 67
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (44 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (23 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 67 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 67 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-05-31.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 255 US endpoints exposed (as of 2026-05-30)
Current exposure: 255 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 255 endpoints visible as of 2026-05-30, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 255 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 255 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 255 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 72 US endpoints (pipeline-specific midstream)
Current exposure: 72 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 72 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 72 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 72 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 71 US endpoints exposed
Current exposure: 71 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 71 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (71 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 71 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 66 US endpoints combined
Current exposure: 44 DeltaV + 22 Ovation US endpoints — total 66
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (44 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (22 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 66 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 66 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · -1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds -1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) -1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-05-30.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 255 US endpoints exposed (as of 2026-05-29)
Current exposure: 255 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 255 endpoints visible as of 2026-05-29, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 255 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 255 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 255 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 74 US endpoints (pipeline-specific midstream)
Current exposure: 74 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 74 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 74 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 74 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 72 US endpoints exposed
Current exposure: 72 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 72 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (72 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 72 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 71 US endpoints combined
Current exposure: 44 DeltaV + 27 Ovation US endpoints — total 71
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (44 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (27 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 71 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 71 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-05-29.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

ABB Symphony DCS — 257 US endpoints exposed (as of 2026-05-28)
Current exposure: 257 Symphony endpoints visible from the public US internet today
Live KEV cross-reference: CVE-2024-6298
Severity: HIGH — Power generation supply disruption to AI data center load
Five-Paragraph OPORD (SMEAC)

S — Situation

ABB Symphony has the largest measurable US public-internet exposure of any pipeline-relevant SCADA / DCS platform — 257 endpoints visible as of 2026-05-28, against a deployed base that we estimate to be on the order of hundreds of installations. Symphony is the dominant DCS at large gas-fired combined-cycle power plants, including most of the new and planned gas plants being built to serve hyperscale AI data centers. KEV catalog entries currently affecting ABB platforms: CVE-2024-6298.

M — Mission

Adversary objective: simultaneous loss-of-control or unsafe-state at multiple gas-fired generating units feeding a specific load zone — most likely PJM Dominion (Northern Virginia data-center alley, where AI training load is concentrated) or the Southeast (where Meta Hyperion's 7.46 GW gas plant cluster feeds the Hyperion campus). Strategic intent: deny power to AI compute infrastructure at a moment chosen for maximum disruption, with deniable attribution.

E — Execution

Phase 1: harvest a contractor or vendor credential that grants engineering access to one or more of the 257 exposed endpoints — many of which are vendor-support jump hosts that bridge corporate IT to the OT engineering network. Phase 2: lateral movement to the Symphony engineering workstation. Phase 3: stage malicious configuration changes across the deployment, synchronized to execute at peak-demand hour. Phase 4: trigger drives unit-trip sequences on every unit reachable, simultaneous; concurrent wiper destroys the historian and configuration backup.

A — Administration & Logistics

Attack feasibility depends on three conditions visible in the public-exposure data today: (1) 257 endpoints reachable from the public internet — that number is a defensive failure on its own; (2) operator deployments that centralize engineering across multiple sites; (3) deferred patching of any published Symphony CVSS 8.0+ CVE due to outage-window constraints.

C — Command & Signal

Indicators: outbound traffic from any Symphony engineering workstation to non-vendor destinations; unscheduled configuration updates across multiple units in the same hour; historian write failures across multiple stations. Defensive priorities: enumerate the 257 exposed endpoints in your perimeter and prioritize firewall closure or VPN-only access; rotate all vendor and contractor credentials with hardware-token MFA; require any logic or configuration change to pass two-person integrity check during the change window. Reporting: TSA Surface Transportation Cybersecurity; CISA Hotline; Oil and Natural Gas ISAC; PJM RTEP Security working group.

Consequences if unmitigated

Physical:

Simultaneous trips at multiple gas-fired generating units serving a data-center-heavy load zone. Within ~2 hours, hyperscale data centers in the affected zone exhaust grid power and shift to on-site diesel; diesel reserves typically run 12–48 hours. Possible thermal damage to rotating equipment during ungraceful trip sequences extends restart from hours to weeks per unit.

Market / financial:

Wholesale power prices in the affected ISO zone spike to administrative cap intraday. Hyperscaler-customer compute service-level agreements breach within the diesel-reserve window. Estimated combined economic loss across operator, downstream power buyers, and dependent cloud / AI customers: $10B–$50B in the first week.

Regulatory / political:

FERC and NERC special review of generator cybersecurity preparedness. Likely accelerated TSA-style cyber regulation extended to gas-fired generation feeding hyperscale customers. Insurance industry repricing for operators with measurable Symphony exposure on Shodan.

Cygnet SCADA — 77 US endpoints (pipeline-specific midstream)
Current exposure: 77 Cygnet midstream-pipeline SCADA endpoints visible today
Live KEV cross-reference: no KEV-listed CVEs currently affect this platform
Severity: HIGH — Direct compromise of pipeline operational visibility and control
Five-Paragraph OPORD (SMEAC)

S — Situation

Cygnet is the SCADA platform most narrowly targeted at the US midstream oil-and-gas industry — it runs the supervisory layer at 77 measurable US sites, almost all of which are pipeline operators. Of the operators we track, several are confirmed Cygnet users by name in vendor case-studies and public filings.

M — Mission

Adversary objective: simultaneous loss-of-visibility and limited-write control of pipeline metering, valve, and flow-control points across a single operator's footprint. Strategic intent: position to manipulate gas deliveries — to LDCs, to power generators, or to LNG export terminals — at a chosen moment, with the operator unable to see or counter the action in real time.

E — Execution

Phase 1: access via a Cygnet engineering workstation reachable through vendor-support tunnels. Phase 2: harvest field-device topology and operator runbooks from the SCADA database. Phase 3: stage scheduled control commands that fire at a precipitating moment. Phase 4: optionally falsify operator-view telemetry to extend the response window.

A — Administration & Logistics

Attack feasibility depends on Cygnet's typical deployment pattern: many operators connect Cygnet to their corporate IT for reporting, then connect corporate IT to the public internet — a documented common pathway. The 77 exposed endpoints in our Shodan dataset are the visible portion of that pattern.

C — Command & Signal

Indicators: Cygnet engineering-workstation traffic to non-vendor destinations; configuration changes outside change-control hours; discrepancies between Cygnet-reported volumes and independent end-of-line meter reads. Defensive priorities: place Cygnet servers behind a jump-host with MFA; close direct internet exposure on all 77 endpoints; deploy independent secondary metering whose data does NOT flow through Cygnet.

Consequences if unmitigated

Physical:

Manipulation of valve setpoints can cause unsafe pressure transients at downstream stations. Falsified metering allows undetected gas diversion or supply-cut to specific customers (e.g., a specific gas-fired power plant during a peak hour).

Market / financial:

If a Cygnet-driven event takes a specific compressor station offline during a peak demand window, the downstream basis (the local citygate price minus Henry Hub) can spike 200%+ in hours. LDC emergency curtailments. Power-gen fuel-supply force majeure to gas peakers serving data centers.

Regulatory / political:

Immediate FERC inquiry into operator cybersecurity. Possible TSA penalty action under PSR 2026-01. Operator's interstate transportation tariff put under audit.

GE iFIX HMI/SCADA — 70 US endpoints exposed
Current exposure: 70 GE iFIX HMI/SCADA endpoints visible today
Live KEV cross-reference: CVE-2014-0751
Severity: HIGH — Operator-view denial across gas-plant and pipeline-station HMI
Five-Paragraph OPORD (SMEAC)

S — Situation

GE iFIX is a general-purpose HMI / SCADA platform with deep penetration in US gas plants, refineries, and pipeline compressor stations. Public US exposure today: 70 endpoints. KEV entries currently affecting GE platforms: CVE-2014-0751.

M — Mission

Adversary objective: deny operator visibility into the controlled process during a coincident attack — either cyber on the BPCS or kinetic on a physical asset. Strategic intent: extend the response window in the critical early minutes when operator action can avert physical damage.

E — Execution

Phase 1: access through internet-exposed iFIX terminal services / VPN. Phase 2: modify iFIX HMI screens to display canned 'nominal' values regardless of underlying tag data, OR disable HMI alarm escalation logic. Phase 3: hold capability until a coincident event — process upset, kinetic strike, or BPCS manipulation — at which point operators see normal screens while the physical process degrades.

A — Administration & Logistics

Attack feasibility increases when iFIX is deployed without segregation from corporate IT, when iFIX clients are reachable via remote-desktop services from the public internet (70 confirmed examples today), and when alarm-management audits are infrequent.

C — Command & Signal

Indicators: iFIX screen-version changes outside engineering change windows; HMI tag-display discrepancies vs. historian; alarm logs going abnormally quiet during normal operating variability. Defensive priorities: iFIX deployment audit (count vs. known inventory); HMI screen-checksum monitoring; independent secondary HMI that draws from a separate tag feed; close all 70 internet-exposed instances or move them behind MFA-required VPN.

Consequences if unmitigated

Physical:

On its own, an iFIX-only attack does not cause damage — but during a coincident physical or BPCS attack, the 'normal-screens-while-process-degrades' window extends operator response from minutes to tens of minutes, multiplying the physical damage.

Market / financial:

When combined with a BPCS attack, an HMI-deception layer can extend an outage from one shift to several days as the recovery team has no trustworthy view of pre-event state. Multiplier effect on operator's economic damage: 2–5x.

Regulatory / political:

HMI integrity-verification becomes a required TSA compliance element. Vendor-side requirements for cryptographic HMI screen verification.

Emerson DeltaV + Ovation DCS — 78 US endpoints combined
Current exposure: 47 DeltaV + 31 Ovation US endpoints — total 78
Live KEV cross-reference: CVE-2021-45420
Severity: HIGH — Simultaneous compromise of LNG liquefaction AND gas-fired power generation
Five-Paragraph OPORD (SMEAC)

S — Situation

Emerson runs two product lines with measurable US exposure: DeltaV (47 endpoints), the DCS for LNG liquefaction trains and refinery / petrochemical processes, and Ovation (31 endpoints), the DCS for fossil-fueled power generation. Combined US public exposure: 78 endpoints. KEV entries affecting Emerson: CVE-2021-45420.

M — Mission

Adversary objective: simultaneously disrupt LNG-export capacity AND gas-fired power generation by exploiting the same vendor's deployed platforms across the two industries — a single capability that reaches both demand sinks for US natural gas (LNG exports and AI/data-center power) at once. Strategic intent: dual-target economic disruption with shared toolchain.

E — Execution

Phase 1: gain access via an Emerson vendor-support credential — Emerson is one of the largest providers of process-control system service contracts in the US. Phase 2: deploy parallel implants against DeltaV at LNG terminals and Ovation at gas-fired plants. Phase 3: synchronized trigger at a chosen event.

A — Administration & Logistics

Attack feasibility hinges on whether the operator has accepted vendor persistent remote-support tunnels as a contractual requirement. Many DeltaV and Ovation operators have done so to maintain service-level guarantees. The 78 exposed endpoints visible today are the public portion of that pattern.

C — Command & Signal

Indicators: Emerson vendor-tunnel traffic outside scheduled service windows; configuration changes pushed to multiple sites within a single hour; unscheduled engineering-workstation logins. Defensive priorities: require Emerson vendor sessions to be initiated by the operator (not the vendor), with session recording and MFA; deploy egress monitoring on the DeltaV / Ovation engineering networks; require Emerson to publish per-product KEV applicability mapped to deployed firmware versions at each customer site.

Consequences if unmitigated

Physical:

LNG terminal liquefaction trains unsafe-shutdown; coincident gas-fired generator trips across affected fleet. Possible thermal damage to liquefaction compressors extends LNG outage from days to months.

Market / financial:

Cargoes in the Sabine Pass / Cameron / Plaquemines / Corpus Christi loading queue declare force majeure within hours. European TTF gas price spikes; US Henry Hub price drops on reduced export demand AND spikes on domestic gas-to-power dislocation — both directions same day. Combined economic impact: $30B–$120B over the first quarter post-event.

Regulatory / political:

Coordinated DOE / FERC / TSA / DOC (export licensing) investigation. Possible suspension of Emerson DCS service contracts pending audit. Insurance industry repricing across all Emerson-platform-dependent operators.

Henry Hub Composite (Physical + Cyber) — current state
Current exposure: 13 interstate pipelines converge at Erath, LA · NYMEX settlement node · ~2 Bcf/d physical throughput · 1 ICS exposures within 25 km · 12 active eminent-domain projects in supply chain
Live KEV cross-reference: 9 Schneider Electric KEVs · 5 Siemens KEVs · 1 Emerson KEVs affect platforms a Sabine Pipe Line operator would actually run.
Severity: STRATEGIC — National-scale market and supply disruption
Five-Paragraph OPORD (SMEAC)

S — Situation

Henry Hub today: 13 interstate pipelines converge at the Sabine Pipe Line LLC facility in Erath, Louisiana. The NYMEX Henry Hub futures contract settles here — the price benchmark for every US natural-gas trade, every LNG cargo loaded at Sabine Pass / Cameron / Plaquemines / Corpus Christi (≈14 Bcf/d combined LNG export capacity), and every gas-indexed power-purchase contract in PJM / SERC / Florida. Within 25 km of the hub, Shodan finds 1 exposed ICS endpoints; the operator's supply chain runs through platforms with 15 currently-KEV-listed CVEs across Schneider Electric, Siemens, and Emerson. The facility has no counter-UAS coverage (Vermilion Parish is outside designated military airspace) and no published joint OT/IT incident-command framework with downstream hyperscaler and federal partners.

M — Mission

Adversary objective: simultaneously disable physical throughput at Henry Hub for an extended window (weeks, not hours) AND destroy the operator's safety-system configuration files, so that even after physical repair the operator cannot safely restart. Strategic intent: suspend US natural-gas price discovery long enough to cascade through NYMEX, LNG cargo force majeure, power-grid load shedding during a peak-demand window, and financial-market liquidity events.

E — Execution

Phase 1 (months): cyber pre-positioning inside the Sabine Pipe Line OT network via a contracted-engineering credential — the same vector that has produced every confirmed US pipeline OT intrusion in the past five years. Phase 2 (days): adversary weaponizes a published CVSS 9.0+ CISA advisory affecting Schneider Telvent OASyS DNA or Triconex SIS, BEFORE the operator's change board approves the emergency patch. Phase 3 (D-Day, timed to coincide with polar vortex or hurricane-season demand peak): commercial-derivative drone strike against Compressor Units 1 and 2, simultaneously with cyber execution that disables the SIS, manipulates HMIs to display nominal state, vents high-pressure gas through stacks whose flare ignition has been pre-disabled. Phase 4 (D+1 through D+3): wiper malware destroys the historian, engineering workstation, and corporate IT backups, denying the recovery team the documentation needed to safely restart safety-instrumented systems.

A — Administration & Logistics

Attack feasibility depends on conditions present today: (1) 1 ICS endpoints within 25 km of the hub — the public attack surface; (2) absence of counter-UAS over Vermilion Parish; (3) the operator's change board having no pre-delegated authority to bypass normal review for CVSS 9+ items during weather-emergency windows; (4) no published joint incident-command structure across Sabine Pipe Line, FERC, TSA, CISA, FBI, DOE, and hyperscaler downstream customers. All four conditions exist as of 2026-05-28.

C — Command & Signal

Indicators: outbound traffic from any Sabine Pipe Line OT host to non-vendor destinations; Vermilion Parish law-enforcement reports of unusual UAS activity near the hub; any CISA advisory at CVSS 9+ affecting Schneider Electric / Siemens / Emerson platforms followed by Sabine Pipe Line change-board deferral. Defensive priorities (the four items above, each individually closable): (1) pre-delegate emergency-patch authority to senior security leadership without change-board veto for CVSS 9+ critical-asset platforms; (2) FAA + DOD counter-UAS authorization for FERC critical-asset compressor stations; (3) stand up the joint incident-command framework now, not after the event; (4) maintain air-gapped offline SIS configuration backups with quarterly recovery verification at every FERC critical site.

Consequences if unmitigated

Physical:

Henry Hub physical throughput goes to 0 Bcf/d for 7–30+ days. Worker fatalities at Sabine Pipe Line during the kinetic event range 20–100 depending on shift composition and time of day. Downstream civilian fatalities during coincident cold-weather power loss could exceed 200 if the polar-vortex timing is hit. Adjacent communities evacuated; groundwater and surface water contamination from fuel-rich firefighting operations.

Market / financial:

NYMEX Henry Hub trading suspended for 20–60 trading days. Daily LNG cargo force majeure declarations from Sabine Pass / Cameron / Plaquemines / Corpus Christi terminals. European TTF and Asian JKM gas prices spike 150–400%. PJM and TVA emergency load-shedding affecting 5–20M customers during the polar vortex. Combined direct + cascading economic damage: $200B–$400B over twelve months. Insurance-industry catastrophe loss: $80B–$200B. Two-to-three mid-sized US gas trading firms in Chapter 11 within ten days.

Regulatory / political:

FERC and TSA replace existing Pipeline Security Directive framework with a true regulatory framework. DOE stands up a permanent Critical Energy Infrastructure Cyber Response Unit. FAA authorizes counter-UAS at all FERC critical-asset facilities. Federal Reserve emergency liquidity facility for energy-sector counterparty exposure. Hyperscaler / pipeline operator joint incident command mandated. ODNI issues attribution finding; coordinated multi-allied response.

KEV Analysis — running history

latest
29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262311
0.43%
20255640
0.0%
20246621
0.15%
20235412
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262301
0.43%
20255640
0.0%
20246611
0.15%
20235412
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262291
0.44%
20255640
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

17
Total pipeline-relevant
6
HIGH (SCADA exposure)
1
Ransomware-flagged (5.9%)
14
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262241
0.45%
20255640
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20191450
0.0%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric4
Advantech3
Rockwell Automation2
Inductive Automation1
Siemens1
ABB1
Honeywell1
Emerson1
Omron1
Gnu1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262241
0.45%
20255640
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262241
0.45%
20255640
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262241
0.45%
20255640
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203772
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

15
Total pipeline-relevant
5
HIGH (SCADA exposure)
0
Ransomware-flagged (0.0%)
12
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262201
0.45%
20255650
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203530
0.0%
20191180
0.0%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric4
Advantech2
Rockwell Automation2
Inductive Automation1
Siemens1
ABB1
Honeywell1
Emerson1
Omron1
Frangoteam1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

4
Total pipeline-relevant
1
HIGH (SCADA exposure)
0
Ransomware-flagged (0.0%)
1
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262161
0.46%
20253110
0.0%
20241640
0.0%
20231630
0.0%
20221310
0.0%
20212131
0.47%
20201460
0.0%
20191180
0.0%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Siemens1
Rockwell Automation1
Schneider Electric1
Frangoteam1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262151
0.47%
20255630
0.0%
20246611
0.15%
20235402
0.37%
20224773
0.63%
20215086
1.18%
20203762
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262141
0.47%
20255630
0.0%
20246611
0.15%
20235392
0.37%
20224773
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262121
0.47%
20255630
0.0%
20246611
0.15%
20235392
0.37%
20224773
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262121
0.47%
20255630
0.0%
20246611
0.15%
20235392
0.37%
20224773
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

3
Total pipeline-relevant
1
HIGH (SCADA exposure)
0
Ransomware-flagged (0.0%)
0
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
2026800
0.0%
20251830
0.0%
20241640
0.0%
20231630
0.0%
20221310
0.0%
20212131
0.47%
20201460
0.0%
20191180
0.0%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Siemens1
Rockwell Automation1
Schneider Electric1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262111
0.47%
20255630
0.0%
20246611
0.15%
20235392
0.37%
20224773
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262061
0.49%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262031
0.49%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20262011
0.5%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261981
0.51%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261981
0.51%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261971
0.51%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261961
0.51%
20255630
0.0%
20246591
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261941
0.52%
20255630
0.0%
20246581
0.15%
20235392
0.37%
20224763
0.63%
20215086
1.18%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261911
0.52%
20255630
0.0%
20246581
0.15%
20235392
0.37%
20224763
0.63%
20215066
1.19%
20203742
0.53%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261891
0.53%
20255600
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215066
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261841
0.54%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261841
0.54%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261841
0.54%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261841
0.54%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261831
0.55%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261831
0.55%
20255590
0.0%
20246571
0.15%
20235392
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261801
0.56%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

3
Total pipeline-relevant
1
HIGH (SCADA exposure)
0
Ransomware-flagged (0.0%)
0
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
2026690
0.0%
20251820
0.0%
20241640
0.0%
20231630
0.0%
20221310
0.0%
20212131
0.47%
20201460
0.0%
20191180
0.0%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Siemens1
Rockwell Automation1
Schneider Electric1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261741
0.57%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
1 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261741
0.57%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203732
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261700
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261680
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261660
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261640
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261590
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261580
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261580
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

28
Total pipeline-relevant
13
HIGH (SCADA exposure)
1
Ransomware-flagged (3.6%)
25
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261540
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215056
1.19%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
ABB1
Honeywell1
Emerson1
Omron1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261520
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215057
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2427
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261510
0.0%
20255580
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215047
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2427
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261500
0.0%
20255570
0.0%
20246571
0.15%
20235382
0.37%
20224763
0.63%
20215047
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2427
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261470
0.0%
20255560
0.0%
20246551
0.15%
20235382
0.37%
20224753
0.63%
20215047
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2423
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261470
0.0%
20255560
0.0%
20246551
0.15%
20235382
0.37%
20224753
0.63%
20215047
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2422
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

29
Total pipeline-relevant
14
HIGH (SCADA exposure)
1
Ransomware-flagged (3.4%)
26
VulnCheck-only (early warning)
0 new in last 7d · 0 in last 30d · Median CISA patch-lag: 21 days

Year distribution — pipeline-relevant vs. full KEV catalog
Year All KEVs Pipeline-rel. % pipeline-rel.
20261470
0.0%
20255560
0.0%
20246551
0.15%
20235382
0.37%
20224753
0.63%
20215047
1.39%
20203722
0.54%
20192903
1.03%

The KEV catalog has shifted heavily toward IT (Cisco, Microsoft, VMware, Citrix, Ivanti) in recent years. Pipeline-specific SCADA/OT CVEs rarely reach the "confirmed exploited at scale" bar CISA requires for KEV listing, so they make up a small percentage of recent additions. Recent published OT vulnerabilities (not yet exploited at scale) surface in the Daily Digest's CISA ICS Advisories section.


Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Siemens5
Advantech3
Rockwell Automation2
Mitsubishi Electric2
Inductive Automation1
Thrive Themes1
ABB1
Honeywell1
Emerson1

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2021-21801 [VC]Advantech / R-SeeNet2024-09-19
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2014-2908 [VC]Siemens / SIMATIC S7 CPU 1200 Firmware2024-07-25
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3595 [VC]Rockwell Automation / 1756-EN2F Series A Firmware2024-02-20
Out-of-bounds Write
CVE-2022-35871 [VC]Inductive Automation / Ignition2024-02-20
Missing Authentication for Critical Function
CVE-2021-21805 [VC]Advantech / R-SeeNet2023-12-24
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
1543-1 Improper Privilege Management Vulnerability
CVE-2012-3015 [VC]Siemens / SIMATIC PCS72021-12-15
Untrusted Search Path
CVE-2021-24219 [VC]Thrive Themes / FocusBlog2021-03-2427
Improper Access Control
CVE-2020-10621 [VC]Advantech / WebAccess/NMS2020-08-27
Unrestricted Upload of File with Dangerous Type
CVE-2019-14927 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-17
Missing Authentication for Critical Function
CVE-2019-14931 [VC]Mitsubishi Electric / SmartRTU Firmware2019-12-13
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CVE-2018-7522 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-12-20
Triconex Tricon MP model 3008 firmware versions 10.0-10.4 Privilege Escalation
CVE-2018-8872 [VC]Schneider Electric / Triconex Tricon MP 3008 Firmware2018-01-12
Improper Restriction of Operations within the Bounds of a Memory Buffer
CVE-2010-2772 [VC]Siemens / SIMATIC WinCC2010-10-01
Use of Hard-coded Credentials

[CISA] = listed in CISA's Known Exploited Vulnerabilities catalog · [VC] = in VulnCheck's KEV feed (early-warning — exploitation observed, not yet in CISA KEV) · RW = ransomware-linked

84
Total pipeline-relevant
9
HIGH (SCADA exposure)
8
Ransomware-flagged (9.5%)
50
VulnCheck-only (early warning)
0 new in last 7d · 1 in last 30d · Median CISA patch-lag: 21 days

Top vendors (pipeline-relevant)
Vendor # CVEs
Schneider Electric9
Microsoft9
Arm6
Siemens5
GIGABYTE4
Qualcomm3
mitsubishielectric2
codepress2
SonicWall2
PTZOptics2

HIGH-priority CVEs (top 25)
CVE Vendor / Product RW Added Exposure
CVE-2010-2772 [VC]Siemens / simatic_wincc2010-10-01
CVE-2018-8872 [VC]Schneider Electric / triconex_tricon_mp_3008_firmware2018-01-12
CVE-2018-7522 [VC]Schneider Electric / triconex_tricon_mp_3008_firmware2018-12-20
CVE-2019-14931 [VC]mitsubishielectric / smartrtu_firmware2019-12-13
CVE-2019-14927 [VC]mitsubishielectric / smartrtu_firmware2019-12-17
CVE-2021-24219 [VC]thrivethemes / focusblog2021-03-2431
CVE-2012-3015 [VC]Siemens / simatic_pcs72021-12-15
CVE-2016-8562 [CISA]Siemens / SIMATIC CP2022-03-03
CVE-2014-2908 [VC]Siemens / simatic_s7_cpu_1200_firmware2024-07-25

Eminent Domain — running history

latest
14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 26d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 26d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 26d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 26d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 26d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 26d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 26d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 26d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 26d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 26d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 26d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 26d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 26d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 26d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 25d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 25d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 25d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 25d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 25d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 25d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 25d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 25d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 25d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 25d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 25d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 25d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 25d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 25d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 24d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 24d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 24d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 24d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 24d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 24d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 24d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 24d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 24d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 24d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 24d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 24d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 24d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 24d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 23d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 23d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 23d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 23d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 23d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 23d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 23d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 23d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 23d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 23d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 23d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 23d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 23d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 23d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 22d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 22d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 22d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 22d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 22d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 22d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 22d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 22d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 22d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 22d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 22d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 22d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 22d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 22d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 21d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 21d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 21d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 21d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 21d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 21d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 21d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 21d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 21d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 21d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 21d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 21d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 21d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 21d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 20d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 20d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 20d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 20d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 20d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 20d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 20d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 20d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 20d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 20d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 20d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 20d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 20d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 20d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 19d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 19d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 19d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 19d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 19d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 19d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 19d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 19d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 19d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 19d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 19d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 19d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 19d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 19d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 18d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 18d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 18d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 18d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 18d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 18d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 18d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 18d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 18d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 18d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 18d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 18d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 18d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 18d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 17d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 17d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 17d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 17d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 17d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 17d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 17d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 17d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 17d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 17d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 17d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 17d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 17d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 17d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 16d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 16d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 16d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 16d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 16d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 16d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 16d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 16d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 16d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 16d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 16d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 16d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 16d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 16d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 15d (2026-06-21)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 15d (2026-06-21)
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 15d (2026-06-21)
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 15d (2026-06-21)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 15d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 15d (2026-06-21)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 15d (2026-06-21)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 15d (2026-06-21)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 15d (2026-06-21)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 15d (2026-06-21)
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  stale · 15d (2026-06-21)
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 15d (2026-06-21)
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 15d (2026-06-21)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 15d (2026-06-21)
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 14d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 13d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 12d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 11d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 10d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 9d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 8d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 7d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 6d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 5d old
🗺 Not Yours Anymore—the StoryMap of land being taken →
Loading live federal condemnation filings…
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 4d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 3d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21 NEW
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21 NEW
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21 NEW
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21 NEW
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21 NEW
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21 NEW
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21 NEW
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21 NEW
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21 NEW
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 2d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21 NEW
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21 NEW
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21 NEW
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21 NEW
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21 NEW
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21 NEW
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21 NEW
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21 NEW
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21 NEW
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 1d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21 NEW
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21 NEW
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21 NEW
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21 NEW
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21 NEW
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21 NEW
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21 NEW
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21 NEW
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21 NEW
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 265 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 0d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-21 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-21 NEW
Patch—SCC sets school-board easement deadline↗ · Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-21 NEW
Chatham Journal—Enbridge pipeline debate↗ · Inside Climate News↗ · Canary Media↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-21 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-06-21 NEW
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-06-21 NEW
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-06-21 NEW
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-06-21 NEW
no link
construction18
Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
American Transmission Company (ATC) · WI  updated 2026-06-21 NEW
PSC of Wisconsin—Dodge County Distribution Interconnection (Docket 137-CE-210)↗ · ABC30↗ · Wisconsin PSC docket↗
certificate_grantedunconfirmed (no condemnation filing found)
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-21 NEW
WV MetroNews—MARL evidentiary hearing set↗ · WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-21 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-06-21 NEW
TechCrunch↗
announcedminimal_industrial_site

Federal condemnation cases—docket & latest filing pulled from CourtListener/PACER 2026-06-21
Case (docket)Latest filing / status
ANR Pipeline Company, LLC v. Haugh↗
U.S. District Court, N.D. Illinois · 3:26-cv-50202 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
ANR Pipeline Company v. Brener↗
U.S. District Court, N.D. Illinois · 1:26-cv-05668 · filed 2026-05-15 · 4 filings
COMPLAINT filed by ANR Pipeline Company
2026-05-15
ANR Pipeline Company, LLC v. Cooper↗
U.S. District Court, N.D. Illinois · 1:26-cv-05664 · filed 2026-05-15 · 5 filings
COMPLAINT filed by ANR Pipeline Company, LLC
2026-05-15
TRANSCONTINENTAL GAS PIPE LINE COMPANY, LLC v. 1.451 ACRES OF PERMANEN↗
U.S. District Court, D. New Jersey · 3:26-cv-00018 · filed 2026-01-02 · 25 filings
OPINION filed. Signed by Judge Zahid N. Quraishi on 2/20/2026. (mlh)
2026-02-20
Columbia Gas Transmission, LLC v. Gearing↗
U.S. District Court, N.D. Ohio · 1:25-cv-00181 · filed 2025-01-31 · 11 filings
Order [non-document] Counsel and the parties are hereby advised that this Court will not accept ex parte telephone calls to Chambers regardi
2025-01-31
Columbia Gas Transmission, LLC v. 0.068 Acres of Land, Located in Ches↗
U.S. District Court, E.D. Virginia · 2:24-cv-00548 · filed 2024-09-09 · 1 filings
closed/terminated 2024-12-03
2024-12-03
ANR Pipeline Company v. 1.92 Acres More or Less in Washington County W↗
U.S. District Court, E.D. Wisconsin (2024) · 2:24-cv-00530 · filed 2024-05-01 · 21 filings
closed/terminated 2024-07-24
2024-05-15

State legislative pushback
StateActionStatus / Date
NCNC S730—Ratepayer Protection Act
The bill NC reporting (WRAL) identifies as limiting data-center-driven eminent domain and ratepayer cost-shifting for transmission primarily serving data-center load; full text pending. Status: Ref to Senate Rules & Operations, 2026-06-08.
in Senate Rules committee
2026-06-08
OHOH SB381—PUCO approval to connect data centers to the grid
Requires Public Utilities Commission of Ohio approval of agreements to interconnect a data center to the electric grid (enacts R.C. ch. 4908). Referred to Senate Public Utilities, 2026-03-25.
in committee (Public Utilities)
2026-03-25
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA SB334—Conveyances of interests in real property; public hearing required
Would require a locality to hold a public hearing before disposing of any permanent easement or right-of-way for new >69 kV electric transmission/distribution or for data-center operations. Tabled in Appropriations 2026-02-16 (21-Y 0-N 1-A).
tabled in Appropriations
2026-02-16
PAPA SB1359—statewide hyperscale data-center moratorium
Imposes a statewide moratorium on hyperscale data-center development and permitting. Runs alongside the MARL transmission-line eminent-domain fight in western PA (WESA / Allegheny Front). Referred to Local Government, 2026-06-04.
referred to Local Government
2026-06-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
14 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  stale · 15d (2026-06-05)
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  stale · 15d (2026-06-05)
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 24d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  stale · 15d (2026-06-05)
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  stale · 15d (2026-06-05)
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  stale · 15d (2026-06-05)
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  stale · 15d (2026-06-05)
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 24d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 24d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 24d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 24d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  stale · 15d (2026-06-05)
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  stale · 15d (2026-06-05)
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 24d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 23d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 23d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 23d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 23d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 23d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 23d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 22d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 22d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 22d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 22d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 22d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 22d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 21d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 21d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 21d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 21d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 21d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 21d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 20d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 20d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 20d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 20d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 20d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 20d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 19d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 19d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 19d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 19d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 19d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 19d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 18d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 18d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 18d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 18d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 18d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 18d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 17d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 17d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 17d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 17d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 17d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 17d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 16d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 16d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 16d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 16d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 16d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 16d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
6 entries > 14d stale—flagged below for status re-check
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  stale · 15d (2026-05-27)
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  stale · 15d (2026-05-27)
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  stale · 15d (2026-05-27)
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  stale · 15d (2026-05-27)
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  stale · 15d (2026-05-27)
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  stale · 15d (2026-05-27)
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 5d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  updated 2026-05-27
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-05-27
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-05-27
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-05-27
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-05-27
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-05-27
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 330+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 4d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  updated 2026-05-27
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-05-27
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-05-27
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-05-27
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-05-27
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-05-27
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 906+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 3d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05 NEW
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  updated 2026-05-27
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05 NEW
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-05-27
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-05-27
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-05-27
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-05-27
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05 NEW
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-05-27
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 906+ properties 14,593 MW BTM gas
2,811,082 miles of U.S. gas pipeline already in the ground (300,158 transmission · 2,397,775 distribution · 113,148 gathering). The takings below extend that network. Source: PHMSA annual-report mileage.
all current—freshest entry 2d old
🗺 Not Yours Anymore—the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05 NEW
AJC↗ · FOX5 Atlanta—Coweta approves Project Sail↗ · 11Alive—Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05 NEW
Virginia Mercury—SCC approves Loudoun line↗ · Virginia Mercury—Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent—fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  updated 2026-05-27
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05 NEW
Inside Climate News↗ · Canary Media↗ · WRAL—NC SB 730 (bill to limit DC eminent domain)↗ · PHMSA #4060↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline—Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗ · PHMSA #405↗
condemnation_active
litigation
estimated_>3
Transco—Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗ · PHMSA #19570↗
condemnation_active
litigation
estimated_>1
Columbia Gas—Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register—VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗ · PHMSA #2616↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-05-27
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-05-27
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-05-27
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-05-27
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05 NEW
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05 NEW
Pipeline & Gas Journal↗ · BLM—Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential—FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-05-27
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

14 active projects 243 miles 906+ properties 14,593 MW BTM gas
all current — freshest entry 1d old
🗺 Not Yours Anymore — the StoryMap of land being taken → Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Ashley Park–Wansley 500kV (Project Sail)
Georgia Power · GA  updated 2026-06-05 NEW
AJC↗ · FOX5 Atlanta — Coweta approves Project Sail↗ · 11Alive — Coweta homeowner eminent-domain dispute↗
condemnation_active
litigation
330
Dominion Golden to Mars 500kV (Loudoun)
Dominion Energy Virginia · VA  updated 2026-06-05 NEW
Virginia Mercury — SCC approves Loudoun line↗ · Virginia Mercury — Loudoun neighbors fight lines↗ · Bay Journal↗
certificate_granted
litigation
contingent — fallback Route 3a (~182 homes within 500 ft); condemnation not executed
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI  updated 2026-05-27
ABC30↗
certificate_filed
litigation
47
Enbridge Chatham County gas pipeline (Siler City–Moncure, NC)
Enbridge · NC  updated 2026-06-05 NEW
Inside Climate News↗ · Canary Media↗ · WRAL — NC SB 730 (bill to limit DC eminent domain)↗
condemnation_active
litigation
Chatham County landowners receiving condemnation-warning letters (e.g. John Alderman); count not yet public
ANR Pipeline — Heartland Project condemnations (N. Illinois)
ANR Pipeline Company, LLC · IL, WI  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · U.S. District Court, N.D. Illinois↗ · U.S. District Court, N.D. Illinois↗
condemnation_active
litigation
estimated_>3
Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
Transcontinental Gas Pipe Line Company, LLC · PA, NJ, NY  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register — NESE Notice of Application (FERC CP17-101)↗ · FERC docket↗ · U.S. District Court, D. New Jersey↗
condemnation_active
litigation
estimated_>1
Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
Columbia Gas Transmission, LLC · VA, OH  updated 2026-06-05 NEW
CourtListener (RECAP / PACER)↗ · Federal Register — VRP Final EIS notice (FERC CP22-502)↗ · FERC docket↗ · U.S. District Court, N.D. Ohio↗ · U.S. District Court, E.D. Virginia↗
condemnation_active
litigation
estimated_>2
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX  updated 2026-05-27
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA  updated 2026-05-27
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX  updated 2026-05-27
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH  updated 2026-05-27
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA  updated 2026-06-05 NEW
WESA↗ · Allegheny Front↗ · West Virginia Watch↗ · FERC docket↗
certificate_filedestimated_>500
Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
Transwestern Pipeline Company (Energy Transfer subsidiary) · NM  updated 2026-06-05 NEW
Pipeline & Gas Journal↗ · BLM — Green Chile right-of-way↗ · Source NM↗ · FERC docket↗
certificate_filedpotential — FERC §7 authority; no private condemnation filed (route mostly federal BLM + state land)
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX  updated 2026-05-27
TechCrunch↗
announcedminimal_industrial_site

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

New cases + status changes are surfaced daily in the digest's Eminent Domain section from federal condemnation dockets (CourtListener / PACER, Natural Gas Act §717f(h)), FERC certificate notices (Federal Register), state PUC dockets, LegiScan, and local + trade press. Each row links out to its sources, dockets, and court cases; the date shows when the entry was last confirmed (entries > 14d are flagged stale).

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

12 active projects 280 miles 1,140+ properties 14,593 MW BTM gas
Active projects (litigation-first, then by status)
ProjectStatusProperties
Georgia Power Project Wansley
Georgia Power · GA
AJC↗ · Pravda Georgia↗ · Energy News Beat↗
condemnation_active
litigation
330
Dominion Northern Virginia Aerial Corridor Expansion
Dominion Energy Virginia · VA
Washington Post (placeholder)↗
certificate_filed
litigation
140
Meta Beaver Dam Site Transmission + Substation Extension
We Energies (WEC) · WI
ABC30↗
certificate_filed
litigation
47
Williams Northeast Supply Enhancement (NESE)
Williams Companies (Transco subsidiary) · NJ, NY
Reuters↗ · Bloomberg↗ · FERC docket↗
constructionprimarily offshore + utility right-of-way
Google + Crusoe North Texas Gas Plant
Crusoe Energy · TX
PGJ↗
construction1
Meta Hyperion (Richland Parish, LA)
Meta Platforms · LA
DCD↗
construction3
OpenAI / Project Stargate Abilene Gas Plant (Crusoe)
Crusoe Energy / Oracle · TX
no link
construction1
Williams Project Socrates (New Albany, OH)
Williams Companies · OH
no link
construction18
MidAtlantic Resiliency Link
NextEra Energy Transmission MidAtlantic, Inc. · PA, MD, WV, VA
WESA↗ · Allegheny Front↗ · FERC docket↗
certificate_filedestimated_>500
Energy Transfer New Mexico AI Data Center Pipeline
Energy Transfer LP · NM
Pipeline & Gas Journal↗ · FERC docket↗
certificate_filed12
Microsoft + Chevron + Engine No. 1 West Texas Gas Plant
Chevron + Engine No. 1 · TX
TechCrunch↗
announcedminimal_industrial_site
Duke Energy Carolinas Data Center Corridor Expansion
Duke Energy Carolinas · NC, SC
WRAL↗
announced88

State legislative pushback
StateActionStatus / Date
NCNC HB-2026-XXX (Data Center Eminent Domain Restrictions)
Would bar utility use of eminent domain when transmission line is primarily serving identified data center customers.
introduced
2026-05
OHOhio behind-the-meter requirement proposal
Prohibits utilities from connecting a data center to the grid unless the data center provides its own BTM power OR pays full grid-impact costs.
committee
2026-03
GAReview of Georgia Power eminent-domain authority
Following Project Wansley backlash, GA legislators reviewing scope of utility condemnation authority for data-center-driven transmission.
legislative_review
2026-05
WIData center energy-cost socialization carveout (under review)
Proposal to prevent socialization of data-center grid-upgrade costs onto residential ratepayers.
pre_introduction
2026-04
VAVA HB-2026-XX data-center grid-impact transparency
Requires Dominion to publicly disclose how much new transmission/generation is being built specifically to serve hyperscaler data centers.
introduced
2026-02
PAPA in-state-benefit standard for transmission eminent domain
Discussion of requiring meaningful in-state benefit before PA land can be condemned for transmission lines exporting power to other states.
discussion_phase
2026-04

Source: hand-curated from FERC eLibrary, state PUC dockets, local press (AJC, WESA, Allegheny Front, WRAL, Ohio Capital Journal), trade press (DCD, PGJ, Bisnow), and LegiScan (state bill tracking). Updated weekly by maintainer; news flagged automatically in the daily digest's Eminent Domain section.

Daily Digest — running history

latest

Pipeline + data-center buildout digest — 2026-07-17

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 17 Jul 2026 10:36:28 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-13): $2.83/MMBtu (was $3.34 a week earlier, ▼ -15.3%)
  • Lower-48 gas in storage (2026-07-10): 3,024 Bcf (weekly Δ +41 Bcf; YoY Δ -28 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 119,096 117,480 +1.4% 159,046 144,933 +9.7%
ERCOT (TX) 63,999 63,580 +0.7% 82,406 78,536 +4.9%
MISO (Midcontinent) 94,320 89,527 +5.4% 117,514 113,489 +3.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-07-17 [Docket No. CP26-548-000] Guardian Pipeline, LLC; Notice of Application and Establishing Intervention Deadline

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-17 @erb2323.bsky.social — People in Georgia are having their homes seized by Utility companies, eminent domain, to make way for high voltage power lines, specifically for AI data centers…
  • 2026-07-16 @lisasnyd.bsky.social — Eminent domain should'nt be used for profit! When can a power company take your land for data center infrastructure? share.google/zmkfMWbhyd21...

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Second consideration 2026-07-12
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-07-17 06:13 PDT. Open docket
  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-17 06:13 PDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-17 06:13 PDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-17 06:13 PDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 70 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 64,468 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 200,440 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,908 Power/telecontrol.
102 Siemens S7 48,315 Siemens PLC programming.
47808 BACnet 25,482 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 55,772 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,725 Tridium Niagara, building management.
1962 PCWorx 32,777 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,453 Red Lion controllers.
9600 Omron FINS 62,510 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,624
Rockwell 1,349
Allen-Bradley 1,296
Honeywell 328
Red Lion 294
Siemens 88
Emerson 15
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-16

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 16 Jul 2026 11:29:26 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-13): $2.83/MMBtu (was $3.34 a week earlier, ▼ -15.3%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 117,703 117,032 +0.6% 159,046 144,933 +9.7%
ERCOT (TX) 65,010 62,926 +3.3% 82,995 78,536 +5.7%
MISO (Midcontinent) 93,809 89,680 +4.6% 117,514 113,489 +3.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

5 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

9 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-16 @caroleeena.bsky.social · 10 — You won't believe this. In Georgia, an unnamed data center has seized rural people's homes & land using "eminent domain" and local republicans are mocking those…
  • 2026-07-16 @saveohioparks.bsky.social · 1 — Bowling Green farmer filed suit to stop pipeline firm Will-Power from taking his property by eminent domain to power Meta data center.

Will-Power backed off. J… - 2026-07-16 @allidoisgame.bsky.social — Every data center should be torn down. They steal land, claim eminent domain over people's homes, pollute the water, cause noise pollution and destroy the envir… - 2026-07-15 @moreperfectunion.bsky.social · 522 — One of the most shocking data center developments in the country is families increasingly being pushed to sell their property for data center power lines, under… - 2026-07-15 @olivia4t.bsky.social · 21 — One of the most shocking #DataCenter developments in the country is families increasingly being pushed to sell their property for data center power lines, un… - 2026-07-15 @christosilvia.bsky.social · 3 — So specifically AI model training benefits a ton from centralization. You could train a hell of a model if you dedicate a single site in the country for it and … - 2026-07-15 @nginews.bsky.social — Waha Natural Gas Prices Extend Gains as Hugh Brinson Pipeline Advances - 2026-07-15 @definitely-amy.bsky.social — Yeah Eminent domain is bad but I also can’t imagine being trapped next to a data center in a worthless property that no one will ever buy. - 2026-07-15 @stlnews.bsky.social — A massive AI data center expansion in rural Georgia has triggered intense eminent domain standoffs as utility giant Georgia Power acquires hundreds of private l…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Second consideration 2026-07-12
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

5 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-07-16 05:26 PDT. Open docket
  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-16 05:26 PDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-16 05:26 PDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-16 05:26 PDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-16 05:26 PDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 70 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 64,167 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 199,097 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,729 Power/telecontrol.
102 Siemens S7 48,135 Siemens PLC programming.
47808 BACnet 25,341 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 55,453 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,574 Tridium Niagara, building management.
1962 PCWorx 32,751 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,355 Red Lion controllers.
9600 Omron FINS 62,198 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,629
Rockwell 1,289
Allen-Bradley 1,233
Honeywell 348
Red Lion 292
Siemens 94
Emerson 14
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-15

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 15 Jul 2026 10:01:01 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 115,277 116,673 -1.2% 151,116 144,933 +4.3%
ERCOT (TX) 66,696 62,560 +6.6% 82,995 77,946 +6.5%
MISO (Midcontinent) 93,190 88,807 +4.9% 120,188 113,489 +5.9%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-07-15 [Docket No. CP26-547-000] Gulf South Pipeline Company, LLC; Notice of Application and Establishing Intervention Deadline

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

4 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-15 @steviegalliart.bsky.social · 9 — Families got evicted from their homes just now so that a datacenter can be built on the land in Georgia.

To all taxpayers: the time has come to CALL YOUR CITY … - 2026-07-14 @petcharles.bsky.social · 7 — To everyone, that’s theft. Eminent domain provides fair market compensation.

Of course, it’s not clear how the use of eminent domain for a data center in any … - 2026-07-14 @beeooow.bsky.social · 3 — ahh, eminent domain so that private corporations can bulldoze your home and build another data center, adding to the electrical grid strain during an energy cri… - 2026-07-14 @singerindy.bsky.social · 1 — Imagine if Mark Zuckerberg s home(s) were taken by eminent domain.

Or if a data center was built 200 yards away.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Second consideration 2026-07-12
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-15 06:02 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-15 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-15 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-15 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 74 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 63,434 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 197,779 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,391 Power/telecontrol.
102 Siemens S7 47,965 Siemens PLC programming.
47808 BACnet 25,085 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 54,617 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,270 Tridium Niagara, building management.
1962 PCWorx 32,506 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,076 Red Lion controllers.
9600 Omron FINS 61,374 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,626
Rockwell 1,462
Allen-Bradley 1,392
Honeywell 381
Red Lion 288
Siemens 99
Emerson 14
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-14

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 14 Jul 2026 10:01:06 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 113,445 116,829 -2.9% 141,765 144,933 -2.2%
ERCOT (TX) 67,897 62,152 +9.2% 82,995 76,708 +8.2%
MISO (Midcontinent) 92,245 87,953 +4.9% 116,702 110,634 +5.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

6 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

4 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-14 @janndc.bsky.social · 1 — www.cbsnews.com/news/georgia... Private homeowner is forced to sell her home to accommodate a privately owned AI Center. This family was threatened with eminent…
  • 2026-07-13 @jjinandtonic.bsky.social · 45 — letting anti data center sentiment spill over and boost anti eminent domain sentiment seems a bit of an own goal, to the extend you care about and would like th…
  • 2026-07-13 @jjinandtonic.bsky.social · 9 — And lets be clear here: this is sale rather than eminent domain seizure of land for a power transmission line, its not like data center inc is bulldozing the fa…
  • 2026-07-13 @powersov.bsky.social — Georgia Power admits 80% of the new generation it's building goes to data centers. Ratepayers cover the grid anyway. And 330+ homeowners lose their land to emin…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Second consideration 2026-07-12
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 75 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 63,347 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 195,045 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,157 Power/telecontrol.
102 Siemens S7 47,774 Siemens PLC programming.
47808 BACnet 24,953 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 54,495 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,122 Tridium Niagara, building management.
1962 PCWorx 32,373 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,883 Red Lion controllers.
9600 Omron FINS 61,048 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,628
Rockwell 1,144
Allen-Bradley 1,082
Honeywell 399
Red Lion 285
Siemens 106
Emerson 13
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-13

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Mon, 13 Jul 2026 10:01:00 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 113,211 115,802 -2.2% 139,702 144,933 -3.6%
ERCOT (TX) 68,697 61,690 +11.4% 83,194 76,708 +8.5%
MISO (Midcontinent) 91,544 87,862 +4.2% 111,137 106,695 +4.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

1 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Second consideration 2026-07-12
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-13 06:02 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-13 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-13 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-13 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 78 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 63,067 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 194,155 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,980 Power/telecontrol.
102 Siemens S7 47,653 Siemens PLC programming.
47808 BACnet 24,989 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 54,181 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 42,944 Tridium Niagara, building management.
1962 PCWorx 32,284 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,759 Red Lion controllers.
9600 Omron FINS 60,857 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,630
Rockwell 1,317
Allen-Bradley 1,256
Honeywell 433
Red Lion 287
Siemens 119
Emerson 13
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-12

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 12 Jul 2026 10:01:09 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 113,993 115,023 -0.9% 139,702 144,933 -3.6%
ERCOT (TX) 68,961 61,390 +12.3% 83,194 76,708 +8.5%
MISO (Midcontinent) 90,778 88,518 +2.6% 111,137 106,695 +4.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-11 @pseudochaos.bsky.social — It's like "who cares if you have drinking water? I can drop the response time from 22 seconds to 20 for my customers if I build another data center!"

Governmen…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional temporary moratorium on acceptance or consider Re-reported as amended 2026-07-11
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 79 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 62,358 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 191,715 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,742 Power/telecontrol.
102 Siemens S7 47,532 Siemens PLC programming.
47808 BACnet 24,795 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,657 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 42,783 Tridium Niagara, building management.
1962 PCWorx 32,004 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,421 Red Lion controllers.
9600 Omron FINS 60,187 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,984
Allen-Bradley 1,917
Tridium 1,625
Honeywell 480
Red Lion 285
Siemens 132
Emerson 11
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-11

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 11 Jul 2026 10:01:12 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 115,637 113,521 +1.9% 145,166 144,933 +0.2%
ERCOT (TX) 69,413 60,777 +14.2% 83,194 76,708 +8.5%
MISO (Midcontinent) 90,493 88,602 +2.1% 111,985 106,695 +5.0%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

5 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

2 FERC notice(s), 1 naming tracked operators: - 2026-07-13 [Docket No. CP25-502-001] Transcontinental Gas Pipe Line Company, LLC; Notice; Notice of Request of Extension of Time
matched: Transcontinental, Transco

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1384 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-07-10
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-11 06:02 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-11 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-11 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-11 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 81 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 62,041 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 189,000 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,423 Power/telecontrol.
102 Siemens S7 47,082 Siemens PLC programming.
47808 BACnet 24,643 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,984 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 42,148 Tridium Niagara, building management.
1962 PCWorx 31,530 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,977 Red Lion controllers.
9600 Omron FINS 58,708 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,619
Rockwell 1,103
Allen-Bradley 1,014
Honeywell 522
Red Lion 271
Siemens 144
Emerson 9
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-10

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 10 Jul 2026 10:01:06 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-07-03): 2,983 Bcf (weekly Δ +61 Bcf; YoY Δ -23 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 117,873 113,151 +4.2% 155,028 143,899 +7.7%
ERCOT (TX) 69,438 60,310 +15.1% 83,194 76,708 +8.5%
MISO (Midcontinent) 90,553 88,703 +2.1% 113,645 109,418 +3.9%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-09 @fercopp.bsky.social — The Final EIS for the proposed MSX and SSE4 project is now available.

Findings show less than significant effects with required avoidance and mitigation measu…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 83 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,642 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 190,057 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,167 Power/telecontrol.
102 Siemens S7 46,805 Siemens PLC programming.
47808 BACnet 24,515 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,583 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,737 Tridium Niagara, building management.
1962 PCWorx 31,148 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,578 Red Lion controllers.
9600 Omron FINS 58,429 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,622
Rockwell 1,202
Allen-Bradley 1,087
Honeywell 575
Red Lion 254
Siemens 171
Emerson 11
ABB 4
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-09

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 09 Jul 2026 10:01:02 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-07-06): $3.29/MMBtu (was $3.19 a week earlier, ▲ +3.1%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 120,795 112,880 +7.0% 162,648 143,899 +13.0%
ERCOT (TX) 69,239 60,434 +14.6% 83,194 74,595 +11.5%
MISO (Midcontinent) 91,238 88,739 +2.8% 116,149 109,418 +6.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-07-09 [Docket No. PF26-9-000] Transwestern Pipeline Company, LLC; Notice of Scoping Period Requesting Comments on Environmental Issues for t

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

7 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-09 @doctorow.pluralistic.net · 6 — You might support the right of farmers to block attempts to expropriate them via eminent domain in order to build a data center, or the right of people to not h…
  • 2026-07-08 @kevinleecaster.bsky.social — Sable oil company is urging Republicans to use eminent domain to seize state-owned land, private property and even part of a state park so it can operate its Sa…
  • 2026-07-07 @raybeckerman.bsky.social — Oil Pipeline Owner Asks Trump Officials to Seize Miles of California Park, Other Land biologicaldiversity.org/w/news/press...
  • 2026-06-30 @castanet.net · 2 — Alberta's Smith is shrugging off UCP backbencher's condemnation of MOU with Ottawa (Alberta)
  • 2026-06-30 @torontostar-rss.bsky.social · 1 — Alberta’s Smith is shrugging off UCP backbencher’s condemnation of MOU with Ottawa
  • 2026-06-29 @nginews.bsky.social — Near-Full NGPL Line Gets OK to Move More Texas Natural Gas to Henry Hub
  • 2026-06-26 @nginews.bsky.social — MVP Southgate Gets FERC Green Light as Natural Gas Prices Flash Demand Signals

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-09 06:02 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-09 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-09 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-09 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 85 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,389 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 189,510 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,000 Power/telecontrol.
102 Siemens S7 46,603 Siemens PLC programming.
47808 BACnet 24,420 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,373 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,574 Tridium Niagara, building management.
1962 PCWorx 31,084 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,408 Red Lion controllers.
9600 Omron FINS 58,159 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,609
Rockwell 1,474
Allen-Bradley 1,345
Honeywell 606
Red Lion 250
Siemens 180
Emerson 10
ABB 4
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-08

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 08 Jul 2026 10:01:05 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 123,628 113,040 +9.4% 162,648 143,899 +13.0%
ERCOT (TX) 69,061 60,582 +14.0% 83,194 75,436 +10.3%
MISO (Midcontinent) 92,422 88,917 +3.9% 118,745 109,418 +8.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-07 @nashvillepost.com · 2 — Legislation focuses on stricter regulations for facilities, 90-day construction moratorium, eminent domain targeting zoo-area site https://www.nashvillepost.com…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-08 06:02 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-08 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-08 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-08 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 87 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,227 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 188,479 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,780 Power/telecontrol.
102 Siemens S7 46,496 Siemens PLC programming.
47808 BACnet 24,430 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,371 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,354 Tridium Niagara, building management.
1962 PCWorx 30,992 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,268 Red Lion controllers.
9600 Omron FINS 57,971 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,607
Rockwell 1,453
Allen-Bradley 1,309
Honeywell 603
Red Lion 249
Siemens 177
Emerson 12
ABB 4
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-07

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 07 Jul 2026 10:01:28 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 125,695 112,909 +11.3% 162,648 142,918 +13.8%
ERCOT (TX) 69,142 60,694 +13.9% 83,194 75,994 +9.5%
MISO (Midcontinent) 93,968 89,134 +5.4% 121,514 109,418 +11.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 88 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,016 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 187,185 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,595 Power/telecontrol.
102 Siemens S7 46,380 Siemens PLC programming.
47808 BACnet 24,362 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,376 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,245 Tridium Niagara, building management.
1962 PCWorx 30,856 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,100 Red Lion controllers.
9600 Omron FINS 57,513 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,616
Rockwell 1,438
Allen-Bradley 1,289
Honeywell 589
Red Lion 249
Siemens 183
Emerson 12
ABB 4
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-06

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Mon, 06 Jul 2026 10:01:24 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 126,479 111,954 +13.0% 162,648 142,918 +13.8%
ERCOT (TX) 69,393 60,945 +13.9% 82,223 76,267 +7.8%
MISO (Midcontinent) 95,423 88,760 +7.5% 121,514 109,418 +11.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

1 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-05 @pulletsurprise.bsky.social · 2 — hey cnn maybe you should mention that the local mayoral administration is moving forward to appropriate the data center property by means of eminent domain.

no…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-06 06:03 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-06 06:03 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-06 06:03 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 91 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,933 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 186,833 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,606 Power/telecontrol.
102 Siemens S7 46,347 Siemens PLC programming.
47808 BACnet 24,307 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,225 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,337 Tridium Niagara, building management.
1962 PCWorx 30,722 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,002 Red Lion controllers.
9600 Omron FINS 57,422 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,604
Rockwell 1,393
Allen-Bradley 1,260
Honeywell 588
Red Lion 249
Siemens 182
Emerson 11
ABB 4
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-05

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 05 Jul 2026 10:01:10 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 124,929 111,425 +12.1% 162,648 142,918 +13.8%
ERCOT (TX) 69,735 61,762 +12.9% 82,223 76,668 +7.2%
MISO (Midcontinent) 95,931 88,430 +8.5% 121,514 109,418 +11.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-05 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-05 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-05 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 93 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,770 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 186,362 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,546 Power/telecontrol.
102 Siemens S7 46,208 Siemens PLC programming.
47808 BACnet 24,021 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,997 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,128 Tridium Niagara, building management.
1962 PCWorx 30,539 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,846 Red Lion controllers.
9600 Omron FINS 57,491 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,606
Rockwell 1,360
Allen-Bradley 1,241
Honeywell 589
Red Lion 252
Siemens 173
Emerson 12
ABB 4
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Digest not available.

Pipeline + data-center buildout digest — 2026-07-03

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1793 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 03 Jul 2026 10:01:09 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-26): 2,922 Bcf (weekly Δ +87 Bcf; YoY Δ -31 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 117,684 115,366 +2.0% 162,648 145,838 +11.5%
ERCOT (TX) 69,751 63,088 +10.6% 82,200 76,668 +7.2%
MISO (Midcontinent) 93,636 89,431 +4.7% 121,514 109,418 +11.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

2 FERC notice(s), 1 naming tracked operators: - 2026-07-06 [Docket No. CP26-527-000] Columbia Gas Transmission, LLC; Notice of Scoping Period Requesting Comments on Environmental Issues for the P
matched: Columbia Gas

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-07-02 @jpscandel.bsky.social — I don't want to sound snarky, but the parties involved operate on their timeliness, not yours. In Carney and Eby's presser today, Smith's pipeline announcement …

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-03 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-03 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-03 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 95 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,822 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 187,509 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,396 Power/telecontrol.
102 Siemens S7 45,990 Siemens PLC programming.
47808 BACnet 24,375 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,438 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,873 Tridium Niagara, building management.
1962 PCWorx 30,379 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,621 Red Lion controllers.
9600 Omron FINS 57,139 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,623
Rockwell 1,448
Allen-Bradley 1,334
Honeywell 609
Red Lion 254
Siemens 175
Emerson 12
ABB 3
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-02

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

21 new entries flagged (gas-fueled OR ≥300 MW):

Queue ID Project County MW Fuel Status Completion
27INR0115 Diamante BESS Grimes 513.68 Other Active 2028-11-01 00:00:00
27INR0653 Rock House Draw Gas Pecos 523.0 Gas Active 2027-10-29 00:00:00
28INR0100 Digital Ranch Gas Ellis 378.0 Gas Active 2027-12-01 00:00:00
28INR0278 Spur Energy Storage Wise 612.62 Other Active 2029-09-15 00:00:00
28INR0524 Anawa La Gas Hidalgo 1220.0 Gas Active 2028-12-30 00:00:00
28INR0530 Uva Creek Gas Borden 0.0 Gas Active 2028-05-01 00:00:00
29INR0223 Mandolin Solar II SLF Starr 304.4 Solar Active 2029-06-15 00:00:00
29INR0340 Bobcat Generating Station Caldwell 450.0 Gas Active 2029-11-01 00:00:00
29INR0341 Pampa Natural Gas Roberts 250.7 Gas Active 2030-01-01 00:00:00
29INR0347 Glass Mountain BB Solar 1 Pecos 302.66 Solar Active 2029-03-01 00:00:00
29INR0348 Glass Mountain BB Solar 2 Pecos 302.66 Solar Active 2029-03-01 00:00:00
29INR0349 Glass Mountain BB Solar 5 Pecos 302.61 Solar Active 2029-10-01 00:00:00
29INR0357 Glass Mountain BB Solar 3 Pecos 302.61 Solar Active 2029-10-01 00:00:00
29INR0358 Glass Mountain BB Solar 4 Pecos 302.61 Solar Active 2029-10-01 00:00:00
29INR0360 Trumpet Solar Reeves 455.0 Solar Active 2029-07-01 00:00:00
29INR0361 Aurelius 3 Natural Gas Deaf Smith 1275.0 Gas Active 2029-06-30 00:00:00
30INR0020 Willow Oak Gas Jefferson 1350.0 Gas Active 2030-01-01 00:00:00
31INR0021 Mule Deer Run Gas II Anderson 1300.0 Gas Active 2031-07-01 00:00:00
31INR0022 Mule Deer Run Gas III Anderson 1380.0 Gas Active 2031-07-01 00:00:00
33INR0005 Bullock Gas Hill 1400.0 Gas Active 2033-07-01 00:00:00
33INR0006 Liberty Thermal Energy Center Hill 1400.0 Gas Active 2033-07-01 00:00:00

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 02 Jul 2026 10:01:06 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-29): $3.33/MMBtu (was $3.25 a week earlier, ▲ +2.5%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 112,513 117,756 -4.5% 161,965 154,755 +4.7%
ERCOT (TX) 69,517 63,366 +9.7% 82,200 76,668 +7.2%
MISO (Midcontinent) 91,375 89,556 +2.0% 122,469 109,282 +12.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

3 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-07-02 [Docket No. PF26-6-000] ANR Pipeline Company; Notice of Scoping Period Requesting Comments on Environmental Issues for the Planned Nor

Investigative layers

Public comments & rulemakings (Regulations.gov)

1 pipeline / data-center rulemakings (the dockets where the public comments): - 2026-07-01 [FERC] Environmental Impact Statements; Availability, etc.: Tennessee Gas Pipeline Co., LLC; Southern Natur

State bills + sponsors (Open States)

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 96 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,561 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 186,741 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,303 Power/telecontrol.
102 Siemens S7 45,840 Siemens PLC programming.
47808 BACnet 24,273 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,173 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,715 Tridium Niagara, building management.
1962 PCWorx 30,240 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,429 Red Lion controllers.
9600 Omron FINS 56,760 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,720
Tridium 1,618
Allen-Bradley 1,606
Honeywell 614
Red Lion 256
Siemens 182
Emerson 14
ABB 3
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-07-01

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-30 | Notice | data center | Crewmember Access Point

    This notice sets the fee for aircraft operators that choose to participate in the Crewmember Access Point (CMAPTM) program at $19.00 per employee, per year. The CMAP program, formerly known as the Known Crew Member (KCMTM) program, provides expedited screeni…

  • 2026-06-26 | Notice | data center | Commission Information Collection Activities (Ferc-725b). Comment Request; Errata Notice

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC-725B, (Mandatory Reliability Standards, Critical Infrastru…

  • 2026-06-24 | Proposed Rule | large load | Revisions to Financial Forms Reporting and Filing Requirements

    The Federal Energy Regulatory Commission (Commission) invites comments on its proposal to amend certain annual and quarterly financial forms, which the Commission requires jurisdictional public utilities, licensees, centralized service companies, and natural gas and oil pipeline …

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 01 Jul 2026 10:06:23 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 106,873 120,932 -11.6% 150,053 158,646 -5.4%
ERCOT (TX) 69,405 63,626 +9.1% 82,200 76,668 +7.2%
MISO (Midcontinent) 88,168 90,277 -2.3% 123,921 113,603 +9.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

5 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

2 FERC notice(s), 1 naming tracked operators: - 2026-07-01 [Docket Nos. CP25-514-000, CP25-517-000] Tennessee Gas Pipeline Company, LLC, Southern Natural Gas Company, LLC, Elba Express Company, LLC; Notice of A
matched: Tennessee Gas

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

  • Florida SB 484Data Centers
    2026-05-08 · Chapter No. 2026-65 · sponsors: Rules, Community Affairs, Avila

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

9 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

Power compaines are taking your homes to power Ai Data Centers all in the bull shit intrest of sa… - 2026-06-30 @thegarbagequeen.bsky.social · 27 — After more than half a million people signed a petition opposing plans to build a data center right next to the Nashville Zoo, Mayor O'Connell announced they mi… - 2026-06-30 @supremevt.bsky.social · 6 — Also Nashville Zoo update, the data center that is trying to pop up next to the zoo is still trying to force through...so Nashville's mayor is going to use emin… - 2026-06-30 @litzz11.bsky.social · 4 — Whoa. Nashville mayor will use eminent domain to stop a massive data center from going in next to the Nashville Zoo.

www.wkrn.com/news/local-n... - 2026-06-30 @jack-farrell.bsky.social · 2 — Alberta's Smith is shrugging off UCP backbencher Jason Stephan’s condemnation of MOU with Ottawa ahead of pipeline announcement Thursday

Stephan says it’s a ve… - 2026-06-30 @sunsong23.bsky.social · 2 — May they easily win!

May it be

May it be so!

"We're fighting data centers' attempt to take Ohio farms through eminent domain, i.e. by force. We will win."

1… - 2026-06-30 @sweetrhesus.bsky.social · 1 — Ok I deleted my post. I read a different story and it was vague about the reasoning and i thought this said he was using eminent domain FOR the data center. Tha… - 2026-06-30 @climatenewsnow.bsky.social — Nashville Mayor Freddie O'Connell on Monday he will use eminent domain to stop construction of a proposed data center next to Nashville Zoo. #ClimateChange

ne… - 2026-06-30 @tarastelluto.bsky.social — It seems to me that the city has the moral high ground, and it's using it. The data center is Very Bad land use for that property, and Nashville needs to be pro…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Re-referred to Rules & Executive Nominations 2026-06-30
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-07-01 06:07 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-07-01 06:07 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-07-01 06:07 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-07-01 06:07 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 96 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,132 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 184,632 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,229 Power/telecontrol.
102 Siemens S7 45,688 Siemens PLC programming.
47808 BACnet 24,119 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 49,811 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,457 Tridium Niagara, building management.
1962 PCWorx 30,054 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,195 Red Lion controllers.
9600 Omron FINS 56,273 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,769
Allen-Bradley 1,656
Tridium 1,611
Honeywell 615
Red Lion 254
Siemens 198
Emerson 15
ABB 3
Schneider Electric 1
Yokogawa 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-30

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-30 | Notice | data center | Crewmember Access Point

    This notice sets the fee for aircraft operators that choose to participate in the Crewmember Access Point (CMAPTM) program at $19.00 per employee, per year. The CMAP program, formerly known as the Known Crew Member (KCMTM) program, provides expedited screeni…

  • 2026-06-26 | Notice | data center | Commission Information Collection Activities (Ferc-725b). Comment Request; Errata Notice

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comment on the currently approved information collection, FERC-725B, (Mandatory Reliability Standards, Critical Infrastru…

  • 2026-06-24 | Proposed Rule | large load | Revisions to Financial Forms Reporting and Filing Requirements

    The Federal Energy Regulatory Commission (Commission) invites comments on its proposal to amend certain annual and quarterly financial forms, which the Commission requires jurisdictional public utilities, licensees, centralized service companies, and natural gas and oil pipeline …

  • 2026-06-16 | Notice | large load | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 30 Jun 2026 10:00:57 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 102,528 122,438 -16.3% 144,583 160,560 -10.0%
ERCOT (TX) 69,291 64,116 +8.1% 82,200 76,817 +7.0%
MISO (Midcontinent) 84,899 91,513 -7.2% 122,757 116,404 +5.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

5 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

3 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-06-30 [Docket No. CP24-520-001] El Paso Natural Gas Company, LLC; Notice of Request for Extension of Time

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

20 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-30 @wolven.blacksky.app · 108 — Eminent Domain used for good ends: Mayor of Nashville blocks data center intended for area near the zoo.

ShareGoodNewsToo

www.tennessean.com/story/news/l... - 2026-06-30 @toffeefan.bsky.social · 7 — Please read the story. He’s used eminent domain to STOP development of the data center. - 2026-06-30 @danielahorwitz.bsky.social · 7 — I am a huge supporter of the zoo and signed the petition opposing the data center there. I hope it never gets built. But using eminent domain to achieve that … - 2026-06-30 @l0stashes.bsky.social · 4 — “Condemnation, in a legal context, refers to when a government exercises its eminent domain powers to seize private property for public use.

It leaves the door… - 2026-06-30 @l0stashes.bsky.social · 4 — “Condemnation, in a legal context, refers to when a government exercises its eminent domain powers to seize private property for public use.

It leaves the door… - 2026-06-30 @tnriverkeeper.bsky.social · 2 — Nashville plans to stop data center near zoo with eminent domain www.wkrn.com/news/local-n... - 2026-06-30 @toffeefan.bsky.social · 1 — Please read the story. He’s used eminent domain to STOP development of the data center. - 2026-06-30 @summednews.bsky.social · 1 — Tennessee: Mayor files eminent domain legislation in fight over proposed data center by Nashville Zoo

Tennessee #Nashville

  • 2026-06-30 @bloomberglaw.com — The US Supreme Court agreed to hear a case from North Dakota ranchers seeking answers on how compensation should be handled in eminent domain cases involving a …
  • 2026-06-30 @toffeefan.bsky.social — Please read the story. He’s used eminent domain to STOP development of the data center.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 31 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,733 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 183,953 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,095 Power/telecontrol.
102 Siemens S7 45,741 Siemens PLC programming.
47808 BACnet 24,721 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 49,503 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,312 Tridium Niagara, building management.
1962 PCWorx 30,069 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,181 Red Lion controllers.
9600 Omron FINS 56,164 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,612
Rockwell 1,559
Allen-Bradley 1,446
Honeywell 634
Red Lion 250
Siemens 193
Emerson 16
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-29

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Mon, 29 Jun 2026 10:01:50 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 100,020 121,791 -17.9% 121,815 160,560 -24.1%
ERCOT (TX) 69,130 64,098 +7.9% 82,200 76,817 +7.0%
MISO (Midcontinent) 81,603 92,203 -11.5% 106,549 116,404 -8.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-29 06:03 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-29 06:03 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-29 06:03 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 33 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 60,950 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 184,183 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,113 Power/telecontrol.
102 Siemens S7 45,952 Siemens PLC programming.
47808 BACnet 24,692 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 49,824 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,301 Tridium Niagara, building management.
1962 PCWorx 30,327 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,379 Red Lion controllers.
9600 Omron FINS 56,967 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,621
Rockwell 1,538
Allen-Bradley 1,427
Honeywell 646
Red Lion 252
Siemens 201
Emerson 17
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-28

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 28 Jun 2026 10:02:00 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 98,935 121,148 -18.3% 121,815 160,560 -24.1%
ERCOT (TX) 68,398 64,309 +6.4% 82,200 76,817 +7.0%
MISO (Midcontinent) 79,530 92,853 -14.3% 96,401 116,404 -17.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

1 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-28 06:03 EDT. Open docket
  • [Wisconsin PSC] 137-CE-210 — Meta Beaver Dam Site Transmission + Substation (Dodge County Interconnection)
    Detected at 2026-06-28 06:03 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-28 06:03 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-28 06:03 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 35 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,178 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 187,044 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,008 Power/telecontrol.
102 Siemens S7 46,118 Siemens PLC programming.
47808 BACnet 24,686 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,419 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,768 Tridium Niagara, building management.
1962 PCWorx 30,475 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,576 Red Lion controllers.
9600 Omron FINS 57,028 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,621
Rockwell 1,522
Allen-Bradley 1,411
Honeywell 610
Red Lion 255
Siemens 205
Emerson 14
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-27

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 27 Jun 2026 10:01:04 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 98,246 120,663 -18.6% 121,815 160,560 -24.1%
ERCOT (TX) 67,296 64,669 +4.1% 82,200 77,040 +6.7%
MISO (Midcontinent) 78,501 92,867 -15.5% 96,401 116,404 -17.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

7 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

3 FERC notice(s), 0 naming tracked operators: - 2026-06-29 [Docket No. CP13-499-006, Docket No. CP13-502-003] Constitution Pipeline Company, LLC; Iroquois Gas Transmission System, L.P.: Notice of Schedule for the Prepara - 2026-06-29 [Docket No. CP26-241-000] Northern Natural Gas Company; Notice of Schedule for the Preparation of an Environmental Assessment for the Ce - 2026-06-29 [Docket No. CP26-158-000] WBI Energy Transmission, Inc.; Notice of Schedule for the Preparation of an Environmental Assessment for the L

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-27 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-27 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-27 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 38 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,801 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 186,818 Common in electric + gas SCADA.
2404 IEC 60870-5-104 50,869 Power/telecontrol.
102 Siemens S7 46,089 Siemens PLC programming.
47808 BACnet 24,940 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,377 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 40,889 Tridium Niagara, building management.
1962 PCWorx 30,454 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,551 Red Lion controllers.
9600 Omron FINS 56,835 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,623
Rockwell 1,580
Allen-Bradley 1,451
Honeywell 616
Red Lion 255
Siemens 201
Emerson 12
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-26

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 26 Jun 2026 10:01:11 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-19): 2,835 Bcf (weekly Δ +76 Bcf; YoY Δ -63 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 97,303 120,008 -18.9% 121,815 160,560 -24.1%
ERCOT (TX) 66,408 64,985 +2.2% 82,105 77,295 +6.2%
MISO (Midcontinent) 78,020 91,829 -15.0% 98,025 116,404 -15.8%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

Glenfarne hasn't secured the right-of-way for the pipeline (but still is pushing the narrative construction will be begin this summer).

They're even… - 2026-06-25 @thefinaldispatch.bsky.social — Texas gas pipeline projects spark tensions with landowners

https://www.texastribune.org/2026/06/25/texas-natural-gas-pipelines-eminent-domain-land-fights/

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-25
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-26 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-26 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-26 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 41 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,829 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 186,830 Common in electric + gas SCADA.
2404 IEC 60870-5-104 50,847 Power/telecontrol.
102 Siemens S7 46,240 Siemens PLC programming.
47808 BACnet 24,798 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,405 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,028 Tridium Niagara, building management.
1962 PCWorx 30,597 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,688 Red Lion controllers.
9600 Omron FINS 56,853 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,609
Rockwell 1,472
Allen-Bradley 1,347
Honeywell 611
Red Lion 255
Siemens 201
Emerson 12
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-25

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 25 Jun 2026 10:01:01 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-22): $3.16/MMBtu (was $3.27 a week earlier, ▼ -3.4%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 97,641 117,562 -16.9% 120,795 160,560 -24.8%
ERCOT (TX) 66,812 65,374 +2.2% 82,591 77,295 +6.9%
MISO (Midcontinent) 77,450 91,091 -15.0% 94,558 116,404 -18.8%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

6 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

2 FERC notice(s), 0 naming tracked operators: - 2026-06-25 [Docket No. CP26-11-000] Columbia Gulf Transmission, LLC; Notice of Availability of the Environmental Assessment for the Proposed Pulas - 2026-06-25 [Docket No. CP26-542-000] Double E Pipeline, LLC; Notice of Request Under Blanket Authorization and Establishing Intervention and Protes

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-24 @intlguy56.bsky.social — Demolish construction sites, jail officials who took bribes to authorize. Retake ownership of properties under eminent domain. Threaten data center owners wit…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Third consideration and final passage (134-68) 2026-06-24
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 42 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 61,993 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 187,252 Common in electric + gas SCADA.
2404 IEC 60870-5-104 50,820 Power/telecontrol.
102 Siemens S7 46,422 Siemens PLC programming.
47808 BACnet 24,802 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 50,542 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,221 Tridium Niagara, building management.
1962 PCWorx 30,793 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 30,853 Red Lion controllers.
9600 Omron FINS 57,028 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,607
Rockwell 1,473
Allen-Bradley 1,352
Honeywell 610
Red Lion 257
Siemens 216
Emerson 12
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-24

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 24 Jun 2026 10:01:38 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 98,078 113,314 -13.4% 120,795 160,560 -24.8%
ERCOT (TX) 66,456 65,467 +1.5% 82,591 77,295 +6.9%
MISO (Midcontinent) 77,191 90,116 -14.3% 95,218 116,404 -18.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

2 FERC notice(s), 0 naming tracked operators: - 2026-06-24 [Docket No. RM26-12-000] Revisions to Financial Forms Reporting and Filing Requirements - 2026-06-24 [Docket No. CP25-539-000, Docket No. CP25-539-001] Rockies Express Pipeline LLC; Cheyenne Connector, LLC; East Cheyenne Gas Storage, LLC; Notice of Scoping Perio

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

2 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Appropriations 2026-06-23
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-24 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-24 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-24 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 42 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 62,644 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 189,015 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,036 Power/telecontrol.
102 Siemens S7 46,757 Siemens PLC programming.
47808 BACnet 24,968 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,083 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 41,731 Tridium Niagara, building management.
1962 PCWorx 31,182 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,285 Red Lion controllers.
9600 Omron FINS 58,406 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,611
Rockwell 1,405
Allen-Bradley 1,265
Honeywell 620
Red Lion 256
Siemens 225
Emerson 15
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-23

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 23 Jun 2026 10:00:59 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 97,582 107,795 -9.5% 120,795 160,560 -24.8%
ERCOT (TX) 65,533 64,692 +1.3% 82,591 77,295 +6.9%
MISO (Midcontinent) 76,601 88,027 -13.0% 90,925 116,404 -21.9%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

5 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-22 @thefactum.ai — [Property Rights Analyst]: AI data center demands are normalizing the use of eminent domain against families, privatizing gains for tech while forcing locals to…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-23 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-23 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-23 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 46 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 63,034 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 189,993 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,291 Power/telecontrol.
102 Siemens S7 47,248 Siemens PLC programming.
47808 BACnet 25,206 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,494 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 42,239 Tridium Niagara, building management.
1962 PCWorx 31,628 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 31,716 Red Lion controllers.
9600 Omron FINS 59,106 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,611
Rockwell 1,296
Allen-Bradley 1,169
Honeywell 627
Red Lion 256
Siemens 224
Emerson 16
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-22

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Mon, 22 Jun 2026 10:00:55 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 96,587 102,287 -5.6% 120,795 143,536 -15.8%
ERCOT (TX) 64,095 64,088 +0.0% 82,591 77,295 +6.9%
MISO (Midcontinent) 76,281 84,512 -9.7% 88,614 114,262 -22.4%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

1 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 47 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 64,914 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 189,803 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,504 Power/telecontrol.
102 Siemens S7 47,502 Siemens PLC programming.
47808 BACnet 25,356 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 51,726 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 42,496 Tridium Niagara, building management.
1962 PCWorx 32,105 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,093 Red Lion controllers.
9600 Omron FINS 59,679 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,602
Rockwell 1,346
Allen-Bradley 1,199
Honeywell 646
Red Lion 262
Siemens 237
Emerson 17
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-21

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 21 Jun 2026 18:30:20 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 97,275 99,630 -2.4% 120,795 135,055 -10.6%
ERCOT (TX) 63,662 63,891 -0.4% 82,591 77,295 +6.9%
MISO (Midcontinent) 76,043 81,698 -6.9% 88,614 110,703 -20.0%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

1 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-21 @fossilfreeusa.bsky.social — Refusals by Boxtown residents to sell their land to #TXoilbarons for a pipeline caught the oil barons by surprise, & their grassroots coalition #MemphisCommunit…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-21 14:31 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-21 14:31 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-21 14:31 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 49 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 65,351 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 191,835 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,799 Power/telecontrol.
102 Siemens S7 47,874 Siemens PLC programming.
47808 BACnet 25,616 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 52,689 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,116 Tridium Niagara, building management.
1962 PCWorx 32,633 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,671 Red Lion controllers.
9600 Omron FINS 60,443 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,608
Rockwell 1,411
Allen-Bradley 1,257
Honeywell 650
Red Lion 268
Siemens 261
Emerson 14
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-20

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 20 Jun 2026 10:01:22 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 99,706 99,387 +0.3% 126,594 127,931 -1.0%
ERCOT (TX) 64,446 63,085 +2.2% 82,591 77,295 +6.9%
MISO (Midcontinent) 77,411 79,989 -3.2% 92,879 102,651 -9.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

3 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-19 @wokeskyreflections.bsky.social — When they build a data center near your home, they need to put in more power lines, so they need to widen the road, and widen it a lot.

You lose your property… - 2026-06-19 @wokeskyreflections.bsky.social — They're running high-voltage power lines through over 100 properties and that cuts through people's yards. We call that eminent domain, and they're taking it fo…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-20 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-20 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-20 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 61 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 65,600 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 192,570 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,671 Power/telecontrol.
102 Siemens S7 48,154 Siemens PLC programming.
47808 BACnet 25,958 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 52,964 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,814 Tridium Niagara, building management.
1962 PCWorx 32,698 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,820 Red Lion controllers.
9600 Omron FINS 60,904 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,598
Rockwell 1,393
Allen-Bradley 1,246
Honeywell 617
Red Lion 292
Siemens 254
Emerson 14
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-19

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 19 Jun 2026 10:01:03 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-12): 2,759 Bcf (weekly Δ +73 Bcf; YoY Δ -43 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 102,426 99,827 +2.6% 140,165 130,146 +7.7%
ERCOT (TX) 64,912 61,608 +5.4% 82,591 77,295 +6.9%
MISO (Midcontinent) 78,252 79,234 -1.2% 96,685 102,651 -5.8%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 62 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 65,551 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 192,523 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,552 Power/telecontrol.
102 Siemens S7 48,265 Siemens PLC programming.
47808 BACnet 27,042 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,138 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,792 Tridium Niagara, building management.
1962 PCWorx 32,773 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,958 Red Lion controllers.
9600 Omron FINS 60,864 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,758
Allen-Bradley 1,625
Tridium 1,566
Honeywell 612
Red Lion 293
Siemens 271
Emerson 14
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-18

CISA ICS advisories (last 7 days)

5 advisory(ies) match tracked operators/vendors:

Plus 3 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 18 Jun 2026 10:06:06 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-15): $3.06/MMBtu (was $3.08 a week earlier, ▼ -0.6%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 104,767 98,514 +6.3% 145,113 130,146 +11.5%
ERCOT (TX) 64,594 60,504 +6.8% 78,292 75,920 +3.1%
MISO (Midcontinent) 79,764 78,519 +1.6% 104,657 102,651 +2.0%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

3 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

3 FERC notice(s), 0 naming tracked operators: - 2026-06-18 [Docket No. CP26-127-000] Gulf South Pipeline Company, LLC; Notice of Schedule for the Preparation of an Environmental Assessment for th - 2026-06-18 [Docket No. CP26-148-000] Texas Eastern Transmission, LP; Notice of Schedule for the Preparation of An Environmental Assessment for the - 2026-06-18 [Docket No. CP26-538-000] Northwest Pipeline LLC; Notice of Request Under Blanket Authorization and Establishing Intervention and Protes

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-17 @tyronnetd.bsky.social — I mean, I would also start jailing traitors, make Universal health care happen or die tryin, eminent domain every data center to build some new national parks o…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Re-committed to Rules 2026-06-17
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-18 07:26 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-18 07:27 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-18 07:27 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 62 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 66,297 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 197,941 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,774 Power/telecontrol.
102 Siemens S7 48,456 Siemens PLC programming.
47808 BACnet 27,161 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,568 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 44,190 Tridium Niagara, building management.
1962 PCWorx 33,058 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,271 Red Lion controllers.
9600 Omron FINS 61,315 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,696
Tridium 1,561
Allen-Bradley 1,551
Honeywell 611
Red Lion 290
Siemens 289
Emerson 15
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-17

CISA ICS advisories (last 7 days)

5 advisory(ies) match tracked operators/vendors:

Plus 3 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 17 Jun 2026 10:01:25 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 106,917 96,826 +10.4% 145,113 130,146 +11.5%
ERCOT (TX) 64,849 59,956 +8.2% 78,493 75,920 +3.4%
MISO (Midcontinent) 81,852 77,067 +6.2% 110,202 102,651 +7.4%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

4 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

1 new article(s) matching eminent-domain / shadow-grid keywords:

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-06-17 Combined Notice of Filings

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2650 In tax credit and tax benefit administration, further providing for definitions; Referred to Finance 2026-06-16
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-17 06:03 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-17 06:03 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-17 06:03 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 66 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 66,395 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 197,481 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,741 Power/telecontrol.
102 Siemens S7 48,242 Siemens PLC programming.
47808 BACnet 28,386 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,631 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 44,083 Tridium Niagara, building management.
1962 PCWorx 32,938 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,150 Red Lion controllers.
9600 Omron FINS 61,017 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,727
Allen-Bradley 1,582
Tridium 1,551
Honeywell 619
Red Lion 288
Siemens 266
Emerson 14
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-16

CISA ICS advisories (last 7 days)

3 advisory(ies) match tracked operators/vendors:

Plus 3 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 16 Jun 2026 10:01:10 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 108,935 95,839 +13.7% 145,113 130,146 +11.5%
ERCOT (TX) 65,453 59,863 +9.3% 78,493 75,752 +3.6%
MISO (Midcontinent) 84,245 75,739 +11.2% 110,202 95,146 +15.8%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

3 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-06-16 [Docket Nos. CP26-537-000, CP17-117-000] Louisiana LNG Infrastructure LLC; Driftwood Pipeline LLC; Notice of Amendment Application and Motion To Vacate

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-16 @notmymonkeymon.bsky.social · 7 — I floated this a few weeks ago - that the regime is going to start intervening on data center zoning & approval, declaring eminent domain to overrule local oppo…
  • 2026-06-15 @resistance1955.bsky.social · 1 — All they want to do is take other people's stuff.

Here in Ohio, our "glorious Legislature" (predominantly GOP) is pushing through a bill that will allow data-c…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-06-16 06:02 EDT. Open docket
  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-16 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-16 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-16 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 70 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 65,848 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 195,631 Common in electric + gas SCADA.
2404 IEC 60870-5-104 51,483 Power/telecontrol.
102 Siemens S7 47,813 Siemens PLC programming.
47808 BACnet 28,278 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 52,918 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 43,714 Tridium Niagara, building management.
1962 PCWorx 32,543 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 32,745 Red Lion controllers.
9600 Omron FINS 60,294 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,706
Allen-Bradley 1,571
Tridium 1,545
Honeywell 617
Red Lion 284
Siemens 276
Emerson 16
ABB 3
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Digest not available.

Pipeline + data-center buildout digest — 2026-06-14

CISA ICS advisories (last 7 days)

3 advisory(ies) match tracked operators/vendors:

Plus 3 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 14 Jun 2026 10:01:05 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 110,255 95,998 +14.9% 145,113 130,146 +11.5%
ERCOT (TX) 66,354 60,902 +9.0% 78,493 76,397 +2.7%
MISO (Midcontinent) 86,716 74,818 +15.9% 110,202 94,103 +17.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

7 Things to Know About the Data Center Projects Taking Over the U.S. open.substack… - 2026-06-14 @dagnabitalltoheck.bsky.social — "The Farm Bureau isn’t opposed to data centers, they are opposed to a violation of property rights." Data center co's do not hold the power of eminent domain, b…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 71 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 66,598 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 197,214 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,213 Power/telecontrol.
102 Siemens S7 49,541 Siemens PLC programming.
47808 BACnet 28,265 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,298 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 44,402 Tridium Niagara, building management.
1962 PCWorx 33,462 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 33,639 Red Lion controllers.
9600 Omron FINS 60,920 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,567
Rockwell 1,420
Allen-Bradley 1,282
Honeywell 622
Red Lion 299
Siemens 290
Emerson 18
Schneider Electric 1
ABB 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-13

CISA ICS advisories (last 7 days)

3 advisory(ies) match tracked operators/vendors:

Plus 3 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 13 Jun 2026 10:01:12 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 109,772 96,884 +13.3% 145,113 130,146 +11.5%
ERCOT (TX) 65,405 61,168 +6.9% 78,493 76,397 +2.7%
MISO (Midcontinent) 86,975 75,425 +15.3% 110,202 94,103 +17.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

7 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

4 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-06-13 06:02 EDT. Open docket
  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-13 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-13 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-13 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 73 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 66,952 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 197,791 Common in electric + gas SCADA.
2404 IEC 60870-5-104 52,667 Power/telecontrol.
102 Siemens S7 50,139 Siemens PLC programming.
47808 BACnet 28,183 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 53,790 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 44,916 Tridium Niagara, building management.
1962 PCWorx 34,160 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 34,073 Red Lion controllers.
9600 Omron FINS 61,111 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,561
Rockwell 1,431
Allen-Bradley 1,285
Honeywell 623
Siemens 312
Red Lion 304
Emerson 18
Schneider Electric 1
ABB 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-12

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 12 Jun 2026 10:01:00 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-06-05): 2,686 Bcf (weekly Δ +108 Bcf; YoY Δ -21 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 108,144 96,354 +12.2% 145,113 130,146 +11.5%
ERCOT (TX) 64,280 61,416 +4.7% 78,493 76,397 +2.7%
MISO (Midcontinent) 86,928 75,561 +15.0% 110,202 94,103 +17.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-06-12 [CP26-530-000, CP26-533-000] Venture Global CP2 LNG, LLC, Venture Global CP Express, LLC; Notice of Application and Establishing Interventi

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Physical safety — CSB oil/gas (recent)

3 recent CSB items touching refineries / gas / pipelines — new activity at the kind of sites the map tracks:

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-11 @laurarbelin.bsky.social · 6 — Libertarian Thomas Laehn plans to make the abuse of eminent domain the top issue of his U.S. Senate campaign. He has ideas on how to stop the "boondoggle" propo…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 74 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 67,648 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 201,891 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,100 Power/telecontrol.
102 Siemens S7 50,581 Siemens PLC programming.
47808 BACnet 28,228 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 54,525 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 45,357 Tridium Niagara, building management.
1962 PCWorx 34,772 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 34,611 Red Lion controllers.
9600 Omron FINS 61,779 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,550
Rockwell 1,374
Allen-Bradley 1,240
Honeywell 628
Siemens 318
Red Lion 305
Emerson 17
Schneider Electric 1
ABB 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-11

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 11 Jun 2026 10:01:06 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-08): $3.10/MMBtu (was $3.04 a week earlier, ▲ +2.0%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 104,887 95,246 +10.1% 137,580 121,929 +12.8%
ERCOT (TX) 63,179 62,067 +1.8% 78,493 76,397 +2.7%
MISO (Midcontinent) 85,754 75,524 +13.5% 112,221 94,103 +19.3%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Social signal — Bluesky (unverified leads)

1 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-10 @saveohioparks.bsky.social · 3 — Business roundtable wants farmland taken by eminent domain for data center buildout. @morgantrau.bsky.social @wcpo9news.bsky.social: bit.ly/4vIg3F8

Sen. Brian…

State legislative tracker (LegiScan)

32 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
OH HB646 Create the Data Center Study Commission Informally passed 2026-06-10
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12

… plus 7 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-11 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-11 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-11 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 75 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 67,994 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 202,811 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,298 Power/telecontrol.
102 Siemens S7 51,294 Siemens PLC programming.
47808 BACnet 28,164 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 55,577 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 46,462 Tridium Niagara, building management.
1962 PCWorx 35,325 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 35,215 Red Lion controllers.
9600 Omron FINS 62,454 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,551
Rockwell 1,499
Allen-Bradley 1,345
Honeywell 638
Siemens 331
Red Lion 311
Emerson 21
Schneider Electric 1
ABB 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-10

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 10 Jun 2026 10:01:14 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 101,589 94,078 +8.0% 127,048 117,955 +7.7%
ERCOT (TX) 62,051 62,800 -1.2% 78,040 76,397 +2.2%
MISO (Midcontinent) 83,514 75,623 +10.4% 110,912 91,476 +21.2%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 1 naming tracked operators: - 2026-06-10 [Docket No. CP26-527-000] Columbia Gas Transmission, LLC; Notice of Application and Establishing Intervention Deadline
matched: Columbia Gas

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Social signal — Bluesky (unverified leads)

2 posts on pipelines / eminent domain / FERC — commentary and leads, verify before acting:

  • 2026-06-09 @chrislifts.bsky.social · 4 — Next administration takes over every AI company and data center under eminent domain. Regulation of them is now a national emergency.

Take over Space X, Starli… - 2026-06-09 @rtoinsider.bsky.social · 2 — FirstEnergy filed a paper in FERC on June 8 arguing the commission should adopt the model from the natural gas pipeline industry to allocate the cost of transmi…

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 77 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 68,641 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 202,731 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,368 Power/telecontrol.
102 Siemens S7 51,641 Siemens PLC programming.
47808 BACnet 28,481 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,030 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 46,933 Tridium Niagara, building management.
1962 PCWorx 35,730 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 35,714 Red Lion controllers.
9600 Omron FINS 62,979 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,567
Rockwell 1,538
Allen-Bradley 1,382
Honeywell 642
Siemens 349
Red Lion 333
Emerson 19
Schneider Electric 1
ABB 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-09

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 09 Jun 2026 10:01:32 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 98,771 92,383 +6.9% 126,920 117,955 +7.6%
ERCOT (TX) 61,583 62,888 -2.1% 77,831 76,397 +1.9%
MISO (Midcontinent) 81,428 75,398 +8.0% 101,626 91,476 +11.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

1 FERC notice(s), 0 naming tracked operators: - 2026-06-09 [Docket No. PF26-7-000] Algonquin Gas Transmission, LLC; Notice of Scoping Period Requesting Comments on Environmental Issues for the

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

Social signal — Bluesky (unverified leads)

No on-topic Bluesky posts in the lookback window.

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Ref To Com On Rules and Operations of the Senate 2026-06-08
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-09 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-09 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-09 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 78 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 70,024 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 202,920 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,263 Power/telecontrol.
102 Siemens S7 51,615 Siemens PLC programming.
47808 BACnet 28,496 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,143 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 47,122 Tridium Niagara, building management.
1962 PCWorx 35,926 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 35,867 Red Lion controllers.
9600 Omron FINS 63,148 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,556
Rockwell 1,497
Allen-Bradley 1,348
Honeywell 649
Red Lion 335
Siemens 334
Emerson 19
ABB 2
Schneider Electric 1
Omron 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-08

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Mon, 08 Jun 2026 10:01:03 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 96,508 90,110 +7.1% 126,920 117,955 +7.6%
ERCOT (TX) 61,524 62,079 -0.9% 78,356 76,397 +2.6%
MISO (Midcontinent) 78,209 74,246 +5.3% 96,481 91,476 +5.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

Regulations.gov module not loaded.

State bills + sponsors (Open States)

Open States module not loaded.

Federal money into the buildout (USASpending)

USASpending module not loaded.

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Regular Message Sent To Senate 2026-06-04
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] Transwestern blanket cert (staff protest pending) — Transwestern (Energy Transfer) 'Green Chile' Pipeline → Project Jupiter
    Detected at 2026-06-08 06:02 EDT. Open docket
  • [FERC] CP17-101-000 — Transco — Northeast Supply Enhancement (Compressor Station 206, NJ)
    Detected at 2026-06-08 06:02 EDT. Open docket
  • [FERC] CP22-502-000 — Columbia Gas — Virginia Reliability Project (VA) + Seville Loop (OH)
    Detected at 2026-06-08 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 82 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 70,046 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 206,485 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,269 Power/telecontrol.
102 Siemens S7 51,616 Siemens PLC programming.
47808 BACnet 28,474 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,015 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 47,084 Tridium Niagara, building management.
1962 PCWorx 35,815 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 35,872 Red Lion controllers.
9600 Omron FINS 63,518 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,716
Allen-Bradley 1,571
Tridium 1,556
Honeywell 631
Siemens 355
Red Lion 336
Emerson 18
ABB 2
Omron 2
Schneider Electric 1

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-07

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 07 Jun 2026 10:01:08 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 93,465 88,874 +5.2% 126,920 117,955 +7.6%
ERCOT (TX) 61,680 60,953 +1.2% 78,356 76,162 +2.9%
MISO (Midcontinent) 78,209 73,635 +6.2% 96,481 91,476 +5.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

No new FERC pipeline notices in the lookback window.

Investigative layers

Public comments & rulemakings (Regulations.gov)

1 pipeline / data-center rulemakings (the dockets where the public comments): - 2026-05-28 [FERC] Standards for Business Practices of Interstate Natural Gas Pipelines

State bills + sponsors (Open States)

Federal money into the buildout (USASpending)

DOE energy grants (SMRs, grid, generation) + pipeline/power contracts — the public money behind the buildout: - $1,196,474,884 [DOE grant] — GENERAL ATOMICS ← Department of Energy (2003-11-01) - $983,037,068 [DOE grant] — US SFR OWNER LLC ← Department of Energy (2021-05-03) - $921,717,024 [DOE grant] — X ENERGY, LLC ← Department of Energy (2021-02-02) - $872,969,835 [contract NAICS —] — DOYON UTILITIES, LLC ← Department of Defense (2007-09-28) - $700,000,000 [DOE grant] — DEPARTMENT OF COMMERCE MONTANA ← Department of Energy (2025-01-01) - $630,561,319 [DOE grant] — STATE OF CALIFORNIA ENERGY COMMISSION ← Department of Energy (2025-01-01) - $543,106,305 [contract NAICS —] — DOYON UTILITIES, LLC ← Department of Defense (2007-09-28) - $500,000,000 [DOE grant] — CENTURY ALUMINUM CO ← Department of Energy (2025-01-01) - $500,000,000 [DOE grant] — NATIONAL CEMENT COMPANY OF CALIFORNIA, INC. ← Department of Energy (2024-12-01) - $500,000,000 [DOE grant] — CLEVELAND-CLIFFS STEEL CORPORATION ← Department of Energy (2024-09-25)

Pipeline incidents (PHMSA)

Drop a PHMSA gas-transmission incident file (.xlsx/.zip) in snapshots/phmsa/ — PHMSA has no API and its files are bot-blocked, so it's a manual download (see phmsa.py header).

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Regular Message Sent To Senate 2026-06-04
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 84 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 70,462 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 207,198 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,420 Power/telecontrol.
102 Siemens S7 51,723 Siemens PLC programming.
47808 BACnet 28,599 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,333 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 47,441 Tridium Niagara, building management.
1962 PCWorx 36,085 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 36,147 Red Lion controllers.
9600 Omron FINS 63,868 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,717
Allen-Bradley 1,571
Tridium 1,561
Honeywell 627
Siemens 358
Red Lion 338
Emerson 17
ABB 2
Omron 2
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-06

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 06 Jun 2026 10:00:58 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 90,487 87,947 +2.9% 126,920 117,955 +7.6%
ERCOT (TX) 62,066 59,977 +3.5% 78,356 76,162 +2.9%
MISO (Midcontinent) 78,209 73,369 +6.6% 96,481 91,476 +5.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

New & active condemnation cases (CourtListener)

3 new docket(s) since last run: - 2026-05-15 (active) ANR Pipeline Company, LLC v. Haugh
ANR Pipeline · District Court, N.D. Illinois - 2026-05-15 (active) ANR Pipeline Company v. Brener
ANR Pipeline · District Court, N.D. Illinois - 2026-05-15 (active) ANR Pipeline Company, LLC v. Cooper
ANR Pipeline · District Court, N.D. Illinois

3 tracked condemnation dockets total; 3 still active.

New FERC pipeline notices (Federal Register)

21 FERC notice(s), 4 naming tracked operators: - 2026-05-20 [Docket No. CP26-136-000] Kinder Morgan Louisiana Pipeline LLC; Notice of Schedule for the Preparation of an Environmental Assessment fo
matched: Kinder Morgan - 2026-05-14 [Docket No. CP26-488-000] Transcontinental Gas Pipe Line Company, LLC; Notice of Request Under Blanket Authorization and Establishing In
matched: Transcontinental, Transco - 2026-05-08 [Docket No. CP25-35-002] Columbia Gas Transmission, LLC; Notice of Request for Extension of Time
matched: Columbia Gas - 2026-05-07 [Docket No. CP26-291-000] Columbia Gas Transmission, LLC; Notice of Request Under Blanket Authorization and Establishing Intervention an
matched: Columbia Gas

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Regular Message Sent To Senate 2026-06-04
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

1 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-06-06 06:03 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 86 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 71,347 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 207,677 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,610 Power/telecontrol.
102 Siemens S7 51,820 Siemens PLC programming.
47808 BACnet 29,124 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,647 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 48,247 Tridium Niagara, building management.
1962 PCWorx 36,347 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 36,408 Red Lion controllers.
9600 Omron FINS 64,385 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Tridium 1,563
Rockwell 1,527
Allen-Bradley 1,380
Honeywell 626
Siemens 364
Red Lion 336
Emerson 18
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-05

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 05 Jun 2026 10:01:14 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-29): 2,578 Bcf (weekly Δ +95 Bcf; YoY Δ -20 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 88,379 85,844 +3.0% 121,891 117,955 +3.3%
ERCOT (TX) 62,757 58,976 +6.4% 78,356 76,162 +2.9%
MISO (Midcontinent) 72,464 72,416 +0.1% 93,859 91,476 +2.6%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

31 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Regular Message Sent To Senate 2026-06-04
PA SB1359 Imposing a Statewide moratorium on hyperscale data center development and permit Referred to Local Government 2026-06-04
PA SB1345 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-06-04
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06

… plus 6 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

3 tracked docket(s) show content changes — review and update the YAML if status has changed:

  • [FERC] to be confirmed — MidAtlantic Resiliency Link
    Detected at 2026-06-05 06:02 EDT. Open docket
  • [FERC] CP17-101 — Williams Northeast Supply Enhancement (NESE)
    Detected at 2026-06-05 06:02 EDT. Open docket
  • [FERC] placeholder — Energy Transfer New Mexico AI Data Center Pipeline
    Detected at 2026-06-05 06:02 EDT. Open docket

Shodan ICS exposure (US)

Credits remaining: 88 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 71,582 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 208,189 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,676 Power/telecontrol.
102 Siemens S7 51,897 Siemens PLC programming.
47808 BACnet 29,153 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 56,982 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 48,454 Tridium Niagara, building management.
1962 PCWorx 36,557 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 36,637 Red Lion controllers.
9600 Omron FINS 64,689 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,577
Tridium 1,569
Allen-Bradley 1,438
Honeywell 626
Siemens 379
Red Lion 338
Emerson 19
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-04

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 04 Jun 2026 10:00:57 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-06-01): $3.07/MMBtu (was $3.18 a week earlier, ▼ -3.5%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 87,555 83,669 +4.6% 111,569 117,955 -5.4%
ERCOT (TX) 62,559 58,297 +7.3% 78,356 76,162 +2.9%
MISO (Midcontinent) 72,464 71,509 +1.3% 93,859 91,476 +2.6%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Ordered Engrossed 2026-06-03
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 90 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 71,826 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 208,596 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,729 Power/telecontrol.
102 Siemens S7 51,969 Siemens PLC programming.
47808 BACnet 29,183 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 57,200 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 48,683 Tridium Niagara, building management.
1962 PCWorx 36,792 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 36,887 Red Lion controllers.
9600 Omron FINS 64,865 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,618
Tridium 1,565
Allen-Bradley 1,470
Honeywell 629
Siemens 369
Red Lion 339
Emerson 17
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-03

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-06-03 | Notice | data center | Revision of Agency Information Collection Activity Under OMB Review: TSA PreCheck® Application Program

    This notice announces that the Transportation Security Administration (TSA) has forwarded the Information Collection Request (ICR), Office of Management and Budget (OMB) control number 1652-0059, abstracted below to OMB for review and approval of a revision of the currently appro…

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1802 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Wed, 03 Jun 2026 10:00:57 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 88,598 81,675 +8.5% 114,860 108,449 +5.9%
ERCOT (TX) 61,626 57,589 +7.0% 78,356 76,162 +2.9%
MISO (Midcontinent) 72,464 70,084 +3.4% 93,859 91,476 +2.6%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Placed On Cal For 06/03/2026 2026-06-02
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 94 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 71,975 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 208,296 Common in electric + gas SCADA.
2404 IEC 60870-5-104 53,824 Power/telecontrol.
102 Siemens S7 52,013 Siemens PLC programming.
47808 BACnet 29,203 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 57,391 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 48,908 Tridium Niagara, building management.
1962 PCWorx 37,134 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 37,312 Red Lion controllers.
9600 Omron FINS 65,146 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,620
Tridium 1,573
Allen-Bradley 1,457
Honeywell 632
Siemens 391
Red Lion 364
Emerson 20
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-06-02

CISA ICS advisories (last 7 days)

No advisories matched tracked operators/vendors in the last 7 days.

Federal Register — FERC & TSA (last 14 days)

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

  • 2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

15 new entries flagged (gas-fueled OR ≥300 MW):

Queue ID Project County MW Fuel Status Completion
26INR0724 Monahans Power Gas Ward 18.2 Gas Active 2027-03-01 00:00:00
27INR0618 Prairie Point Energy Storage I Wise 1044.8 Other Active 2027-12-31 00:00:00
27INR0619 Prairie Point Energy Storage II Wise 1044.8 Other Active 2027-12-31 00:00:00
28INR0157 Axtell BESS McLennan 306.94 Other Active 2029-04-16 00:00:00
28INR0377 Wichita Creek Solar Wichita 500.0 Solar Active 2028-10-04 00:00:00
28INR0509 Thunder Bird 2 Gas Jack 1273.8 Gas Active 2031-06-14 00:00:00
29INR0154 Las Mujeres Solar Jim Hogg 684.33 Solar Active 2029-12-01 00:00:00
29INR0191 Black Mountain Fannin Gas Fannin 990.6 Gas Active 2029-09-28 00:00:00
29INR0264 Victory Ellis – Gas Ellis 480.0 Gas Active 2028-12-31 00:00:00
29INR0326 Montgomery Ranch 2 Wind Foard 301.5 Wind Active 2029-12-31 00:00:00
29INR0333 Tyler Rose Power Plant 1 Grimes 597.36 Gas Active 2029-07-01 00:00:00
29INR0336 Tyler Rose Power Plant 2 Grimes 398.24 Gas Active 2029-12-01 00:00:00
30INR0110 Thunder Bird 1 Gas Jack 1272.8 Gas Active 2030-06-14 00:00:00
30INR0113 The Giant Arc I Pecos 1300.0 Gas Active 2030-04-08 00:00:00
30INR0114 Longleaf II Power Station Angelina 600.0 Gas Active 2030-07-01 00:00:00

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Tue, 02 Jun 2026 12:52:40 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 89,699 79,765 +12.5% 114,860 94,829 +21.1%
ERCOT (TX) 60,928 57,061 +6.8% 78,356 76,162 +2.9%
MISO (Midcontinent) 72,464 68,183 +6.3% 93,859 90,659 +3.5%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Re-ref to the Com on Commerce and Economic Development, if f 2026-05-28
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 94 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 72,301 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 208,946 Common in electric + gas SCADA.
2404 IEC 60870-5-104 54,040 Power/telecontrol.
102 Siemens S7 52,206 Siemens PLC programming.
47808 BACnet 29,209 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 57,738 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 49,340 Tridium Niagara, building management.
1962 PCWorx 37,437 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 37,622 Red Lion controllers.
9600 Omron FINS 65,446 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,832
Allen-Bradley 1,663
Tridium 1,579
Honeywell 632
Siemens 397
Red Lion 365
Emerson 18
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-05-31

CISA ICS advisories (last 7 days)

10 advisory(ies) match tracked operators/vendors:

Plus 4 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

  • 2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1809 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sun, 31 May 2026 10:01:51 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 89,210 78,812 +13.2% 114,860 94,132 +22.0%
ERCOT (TX) 58,454 57,980 +0.8% 77,793 76,224 +2.1%
MISO (Midcontinent) 72,464 66,887 +8.3% 93,859 78,050 +20.3%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Re-ref to the Com on Commerce and Economic Development, if f 2026-05-28
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 60 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 73,142 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 209,419 Common in electric + gas SCADA.
2404 IEC 60870-5-104 n/a Power/telecontrol.
102 Siemens S7 52,244 Siemens PLC programming.
47808 BACnet 29,277 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 58,101 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 49,731 Tridium Niagara, building management.
1962 PCWorx 37,761 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 37,967 Red Lion controllers.
9600 Omron FINS 65,789 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,994
Allen-Bradley 1,813
Tridium 1,572
Honeywell 626
Siemens 403
Red Lion 373
Emerson 18
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-05-30

CISA ICS advisories (last 7 days)

10 advisory(ies) match tracked operators/vendors:

Plus 4 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

  • 2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1809 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Sat, 30 May 2026 10:01:14 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 89,109 79,095 +12.7% 114,860 94,132 +22.0%
ERCOT (TX) 57,178 58,907 -2.9% 77,793 78,327 -0.7%
MISO (Midcontinent) 72,464 67,287 +7.7% 93,859 78,050 +20.3%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

2 new matched item(s) from DCD / Bisnow / dgtlinfra (filtered to hyperscaler, AI, gas-DC convergence, and tracked operators):

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Re-ref to the Com on Commerce and Economic Development, if f 2026-05-28
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 64 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 73,265 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 213,979 Common in electric + gas SCADA.
2404 IEC 60870-5-104 54,021 Power/telecontrol.
102 Siemens S7 52,181 Siemens PLC programming.
47808 BACnet 29,714 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 58,227 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 50,412 Tridium Niagara, building management.
1962 PCWorx 37,958 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 38,144 Red Lion controllers.
9600 Omron FINS 65,944 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 2,058
Allen-Bradley 1,869
Tridium 1,567
Honeywell 625
Siemens 407
Red Lion 375
Emerson 20
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-05-29

CISA ICS advisories (last 7 days)

10 advisory(ies) match tracked operators/vendors:

Plus 4 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

  • 2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1809 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Fri, 29 May 2026 15:37:01 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 88,130 78,742 +11.9% 114,860 91,438 +25.6%
ERCOT (TX) 56,602 59,432 -4.8% 73,401 78,327 -6.3%
MISO (Midcontinent) 72,464 67,181 +7.9% 93,859 78,050 +20.3%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
NC S730 Ratepayer Protection Act Re-ref to the Com on Commerce and Economic Development, if f 2026-05-28
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

Shodan ICS exposure (US)

Credits remaining: 65 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 73,640 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 214,503 Common in electric + gas SCADA.
2404 IEC 60870-5-104 54,052 Power/telecontrol.
102 Siemens S7 52,164 Siemens PLC programming.
47808 BACnet 29,798 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 58,463 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 50,817 Tridium Niagara, building management.
1962 PCWorx 38,277 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 38,459 Red Lion controllers.
9600 Omron FINS 66,504 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,711
Tridium 1,571
Allen-Bradley 1,530
Honeywell 631
Siemens 415
Red Lion 388
Emerson 17
ABB 2
Omron 1
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Pipeline + data-center buildout digest — 2026-05-28

CISA ICS advisories (last 7 days)

10 advisory(ies) match tracked operators/vendors:

Plus 4 other ICS advisories not directly matching tracked operators.

Federal Register — FERC & TSA (last 14 days)

  • 2026-05-28 | Rule | data center | Standards for Business Practices of Interstate Natural Gas Pipelines

    The Federal Energy Regulatory Commission amends its regulations to incorporate by reference, as mandatory enforceable requirements, revisions to three of the Version 4.0 Standards for Business Practices of Interstate Natural Gas Pipelines adopted by the Wholesale Gas Quadrant (WG…

  • 2026-05-27 | Notice | data center | Commission Information Collection Activities (FERC-725U)

    In compliance with the requirements of the Paperwork Reduction Act of 1995, the Federal Energy Regulatory Commission (Commission or FERC) is soliciting public comments on the currently approved information collection, FERC-725U, Mandatory Reliability Standards for the Bulk Power …

  • 2026-05-27 | Proposed Rule | pipeline security | Revisions to the Blanket Certificate Program

    The Federal Energy Regulatory Commission (Commission) proposes to revise its blanket certificate regulations to expand the scope and scale of projects that interstate natural gas pipelines may construct without a case-specific authorization order and to increase the cost limits f…

  • 2026-05-19 | Notice | pipeline security | Sunshine Act Meeting Notice

TSA Security Directives index — pipeline-related

No change. 13 pipeline directives currently listed.

ERCOT interconnection queue (flagged new entries)

No new flagged entries since last run. 1809 total rows in queue.

LBNL Empirical Queues (cross-ISO, quarterly)

  • Landing page last-modified: Thu, 28 May 2026 19:15:47 GMT
  • Changed since last run: True → New quarterly snapshot likely. Download: https://emp.lbl.gov/queues

EIA market & demand snapshot

  • Henry Hub spot (2026-05-26): $3.10/MMBtu (was $2.79 a week earlier, ▲ +11.1%)
  • Lower-48 gas in storage (2026-05-22): 2,483 Bcf (weekly Δ +92 Bcf; YoY Δ +7 Bcf)

Hourly demand by ISO — last 7 days vs. same week last year:

ISO Avg now (MW) Avg YoY (MW) Avg Δ% Peak now (MW) Peak YoY (MW) Peak Δ%
PJM (incl. NoVa Dominion Zone) 87,423 78,704 +11.1% 114,860 89,414 +28.5%
ERCOT (TX) 55,678 59,553 -6.5% 72,151 78,327 -7.9%
MISO (Midcontinent) 72,353 67,356 +7.4% 93,859 80,859 +16.1%

Peak-demand YoY growth is the cleanest available proxy for new large-load (data-center) additions.

Data-center & hyperscaler news (new since last run)

No new matched items since the last run. Sources: DCD, Bisnow, dgtlinfra.

Eminent Domain Watch (new since last run)

No new eminent-domain / shadow-grid articles since last run.

If status of any tracked project changes, edit /Users/jaynelytel/pipeline_map/data/eminent_domain_projects.yaml and rerun the map.

State legislative tracker (LegiScan)

29 bills matched across tracked states (NC, OH, GA, VA, WI, PA, TX, AZ, NV, OR, IA) for queries: data center eminent domain / grid impact / behind the meter / transmission condemnation / cost socialization:

State Bill Title Last action Date
PA HB2535 Providing for the public safety regulation of large load users; requiring the su Referred to Veterans Affairs & Emergency Preparedness 2026-05-27
PA HB2533 In zoning, providing for optional moratorium on filing or consideration of new a Referred to Local Government 2026-05-27
NC S730 Ratepayer Protection Act Re-ref Com On Rules, Calendar, and Operations of the House 2026-05-21
PA SB1323 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-05-20
NC S1026 Power Bill Protection/Large Load Tariff Re-ref Com On Appropriations/Base Budget 2026-05-05
NC H1180 Data Center Amendments Ref To Com On Rules, Calendar, and Operations of the House 2026-05-04
NC H1063 Ratepayer and Resource Protection Act Ref To Com On Rules, Calendar, and Operations of the House 2026-04-28
IA SSB3181 A bill for an act making certain sales and use tax exemptions relating to nuclea Committee report approving bill, renumbered as SF 2498. 2026-04-14
VA SB94 Data centers; site assessment, sound profile of the high energy use facility. Acts of Assembly Chapter text (CHAP0568) 2026-04-13
PA HB1834 Providing for the regulation of commercial data centers; imposing duties on the Referred to Consumer Protection & Professional Licensure 2026-03-31
PA SB724 Providing for regulation of large load customers and public utilities and for co Referred to Consumer Protection & Professional Licensure 2026-03-31
OH SB381 Require PUCO approval to connect data centers to electrical grid Referred to committee: Public Utilities 2026-03-25
OH SB378 Enact the Responsible Water Use by Data Centers Act Referred to committee: Public Utilities 2026-03-25
WI SB1061 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
WI AB1099 Moratorium on data centers. Failed to pass pursuant to Senate Joint Resolution 1 2026-03-23
GA SB410 State Sales and Use Taxes; the data center equipment sales and use tax exemption House Second Readers 2026-03-10
OH HB706 Impose certain minimum requirements on data center customers Referred to committee: Energy 2026-02-25
OH HB710 Prohibit public support, limit construction of, new data centers Referred to committee: General Government 2026-02-25
GA SB34 Public Service Commission; costs incurred by an electric utility as a result of Senate Committee Favorably Reported By Substitute 2026-02-25
VA HB658 State Corporation Commission; cost allocation proceedings for certain electric u Left in Labor and Commerce 2026-02-18
VA HB503 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Labor and Commerce (Voice Vote) 2026-02-12
VA SB466 Electric utilities; cost recovery, costs substantially related to serving data c Continued to next session in Commerce and Labor (14-Y 0-N) 2026-02-12
VA HB1515 Local approval of data centers; temporary moratorium. Continued to next session in Rules (Voice Vote) 2026-02-06
GA HB1059 Data Center Impact Assessment and Development Moratorium Act of 2026; enact House Second Readers 2026-02-02
AZ HB2467 Data centers; incentives repeal; requirements House COM Committee action: Withdrawn, voting: (0-0-0-0-0-0) 2026-01-22

… plus 4 more bills not shown.

FERC docket activity (potential new shadow-grid projects)

No FERC docket matches this run.

Docket-watch alerts (tracked project dockets with changed content)

No tracked docket content has changed since the last run.

KEV Synthesis — Pipeline-Relevant Vulnerability Intelligence

Macro view (CISA KEV + VulnCheck KEV):

  • 84 pipeline-relevant known-exploited CVEs tracked
  • 9 HIGH-priority (SCADA platforms with measurable US exposure)
  • 14 MEDIUM (ICS vendor footprint) • 61 LOW (generic OT terms)
  • 8 ransomware-campaign flagged (9.5%) • 0 of those are HIGH-priority
  • 0 added in last 7d • 1 in last 30d
  • 50 CVEs that VulnCheck flags as actively exploited but CISA has not yet listed (early-warning signal)
  • Median CISA patch-action lag: 21 days (time from dateAdded to required-action due date)

Top vendors by exploited-CVE count (pipeline-relevant subset):

Vendor # CVEs
Schneider Electric 9
Microsoft 9
Arm 6
Siemens 5
GIGABYTE 4
Qualcomm 3
mitsubishielectric 2
codepress 2
SonicWall 2
PTZOptics 2

HIGH-priority CVEs (top 9):

CVE Vendor / Product Ransomware Added Shodan exposure
CVE-2010-2772 [VC] Siemens / simatic_wincc no 2010-10-01
CVE-2018-8872 [VC] Schneider Electric / triconex_tricon_mp_3008_firmware no 2018-01-12
CVE-2018-7522 [VC] Schneider Electric / triconex_tricon_mp_3008_firmware no 2018-12-20
CVE-2019-14931 [VC] mitsubishielectric / smartrtu_firmware no 2019-12-13
CVE-2019-14927 [VC] mitsubishielectric / smartrtu_firmware no 2019-12-17
CVE-2021-24219 [VC] thrivethemes / focusblog no 2021-03-24 31
CVE-2012-3015 [VC] Siemens / simatic_pcs7 no 2021-12-15
CVE-2016-8562 [CISA] Siemens / SIMATIC CP no 2022-03-03
CVE-2014-2908 [VC] Siemens / simatic_s7_cpu_1200_firmware no 2024-07-25

Shodan ICS exposure (US)

Credits remaining: 69 / 100 query, 100 / 100 scan (plan: dev).

Exposed ICS protocol endpoints by port:

Port Protocol US devices Notes
502 Modbus 73,793 No native auth; pipeline & gas-plant SCADA.
20000 DNP3 214,679 Common in electric + gas SCADA.
2404 IEC 60870-5-104 54,098 Power/telecontrol.
102 Siemens S7 52,274 Siemens PLC programming.
47808 BACnet 29,837 Building automation; also pipeline aux systems.
44818 EtherNet/IP CIP 58,699 Rockwell / Allen-Bradley PLCs.
1911 Niagara Fox 51,099 Tridium Niagara, building management.
1962 PCWorx 38,623 Phoenix Contact ILC PLCs.
789 Red Lion Crimson3 38,690 Red Lion controllers.
9600 Omron FINS 66,992 Omron PLCs.

ICS vendor banner counts (US):

Vendor Devices
Rockwell 1,993
Allen-Bradley 1,815
Tridium 1,593
Honeywell 643
Siemens 423
Red Lion 389
Emerson 16
ABB 2
Omron 2
Schneider Electric 0

All counts via Shodan /host/count (free, no credits charged). Defensive use only.


Run with python3 digest.py. Sources: CISA RSS, federalregister.gov API, tsa.gov/sd-and-ea, ERCOT via gridstatus, emp.lbl.gov/queues, EIA v2 API, Shodan API, DCD / Bisnow / dgtlinfra RSS.

Shodan Brief — running history

latest
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley24,258
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)0
Corpus Christi LNG corridor14
Sabine Pass / Cameron LNG37
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,401

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams258(no own ASN)
TC Energy540
Enbridge320
Kinder Morgan25(no own ASN)
Boardwalk21(no own ASN)
Cheniere20(no own ASN)
Energy Transfer18(no own ASN)
Tallgrass1(no own ASN)
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1183
OSIsoft PI01
iFIX62170
Wonderware23
Ovation2447
DeltaV2857
Symphony-1-1
ClearSCADA013
Cygnet6998
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,952
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)0
Corpus Christi LNG corridor14
Sabine Pass / Cameron LNG38
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,384

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams256(no own ASN)
TC Energy560
Enbridge360
Kinder Morgan33(no own ASN)
Cheniere20(no own ASN)
Energy Transfer19(no own ASN)
Boardwalk18(no own ASN)
Tallgrass226
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1587
OSIsoft PI01
iFIX64174
Wonderware12
Ovation2547
DeltaV2957
Symphony253598
ClearSCADA013
Cygnet6999
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,823
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)0
Corpus Christi LNG corridor12
Sabine Pass / Cameron LNG37
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,338

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams261(no own ASN)
TC Energy570
Enbridge390
Kinder Morgan23(no own ASN)
Energy Transfer21(no own ASN)
Cheniere19(no own ASN)
Boardwalk17(no own ASN)
Tallgrass226
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1489
OSIsoft PI01
iFIX65175
Wonderware12
Ovation2142
DeltaV3361
Symphony252591
ClearSCADA013
Cygnet71100
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,590
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams262(no own ASN)
TC Energy580
Enbridge490
Kinder Morgan29(no own ASN)
Energy Transfer20(no own ASN)
Cheniere18(no own ASN)
Boardwalk17(no own ASN)
Tallgrass225
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1588
OSIsoft PI01
iFIX63170
Wonderware12
Ovation1941
DeltaV3258
Symphony264606
ClearSCADA013
Cygnet7196
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,492
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)0
Corpus Christi LNG corridor12
Sabine Pass / Cameron LNG37
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams270(no own ASN)
TC Energy610
Enbridge550
Kinder Morgan46(no own ASN)
Energy Transfer22(no own ASN)
Cheniere19(no own ASN)
Boardwalk14(no own ASN)
Tallgrass324
MPLX2(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1589
OSIsoft PI00
iFIX64172
Wonderware12
Ovation2245
DeltaV3663
Symphony264592
ClearSCADA012
Cygnet7095
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,256
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams271(no own ASN)
TC Energy630
Enbridge580
Kinder Morgan26(no own ASN)
Energy Transfer24(no own ASN)
Cheniere19(no own ASN)
Boardwalk16(no own ASN)
Tallgrass424
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1491
OSIsoft PI00
iFIX65172
Wonderware21
Ovation2347
DeltaV3459
Symphony266584
ClearSCADA012
Cygnet6894
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams270(no own ASN)
TC Energy690
Enbridge610
Kinder Morgan35(no own ASN)
Energy Transfer24(no own ASN)
Cheniere19(no own ASN)
Boardwalk17(no own ASN)
Tallgrass624
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1595
OSIsoft PI00
iFIX66172
Wonderware11
Ovation2347
DeltaV4064
Symphony268597
ClearSCADA013
Cygnet6794
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams271(no own ASN)
Enbridge670
TC Energy660
Kinder Morgan56(no own ASN)
Energy Transfer26(no own ASN)
Cheniere20(no own ASN)
Boardwalk18(no own ASN)
Tallgrass624
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1393
OSIsoft PI00
iFIX70180
Wonderware11
Ovation3256
DeltaV4059
Symphony266599
ClearSCADA012
Cygnet7094
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,420
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams249(no own ASN)
Enbridge700
Kinder Morgan70(no own ASN)
TC Energy650
Energy Transfer23(no own ASN)
Cheniere21(no own ASN)
Boardwalk19(no own ASN)
Tallgrass624
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1392
OSIsoft PI00
iFIX68179
Wonderware11
Ovation2648
DeltaV4058
Symphony265601
ClearSCADA010
Cygnet6893
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,343
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor12
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,157

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams253(no own ASN)
Enbridge690
Kinder Morgan69(no own ASN)
TC Energy620
Energy Transfer23(no own ASN)
Cheniere21(no own ASN)
Boardwalk20(no own ASN)
Tallgrass625
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1797
OSIsoft PI00
iFIX65175
Wonderware12
Ovation2347
DeltaV3956
Symphony269599
ClearSCADA010
Cygnet7199
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,336
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor12
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,149

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams252(no own ASN)
Kinder Morgan71(no own ASN)
Enbridge700
TC Energy610
Energy Transfer23(no own ASN)
Cheniere21(no own ASN)
Boardwalk21(no own ASN)
Tallgrass725
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1598
OSIsoft PI00
iFIX65176
Wonderware12
Ovation2852
DeltaV3856
Symphony260591
ClearSCADA010
Cygnet74105
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams247(no own ASN)
Kinder Morgan72(no own ASN)
Enbridge700
TC Energy640
Energy Transfer25(no own ASN)
Cheniere21(no own ASN)
Boardwalk20(no own ASN)
Tallgrass725
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1599
OSIsoft PI00
iFIX64172
Wonderware33
Ovation2851
DeltaV3655
Symphony270601
ClearSCADA010
Cygnet72105
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams249(no own ASN)
Enbridge710
Kinder Morgan71(no own ASN)
TC Energy650
Energy Transfer25(no own ASN)
Boardwalk21(no own ASN)
Cheniere20(no own ASN)
Tallgrass725
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14101
OSIsoft PI00
iFIX61168
Wonderware11
Ovation2754
DeltaV3857
Symphony273599
ClearSCADA010
Cygnet72108
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams257(no own ASN)
Enbridge730
Kinder Morgan71(no own ASN)
TC Energy660
Energy Transfer25(no own ASN)
Boardwalk23(no own ASN)
Cheniere20(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14100
OSIsoft PI00
iFIX66176
Wonderware33
Ovation2747
DeltaV3856
Symphony272592
ClearSCADA010
Cygnet69101
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams257(no own ASN)
Enbridge730
Kinder Morgan71(no own ASN)
TC Energy660
Energy Transfer25(no own ASN)
Boardwalk23(no own ASN)
Cheniere20(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14100
OSIsoft PI00
iFIX66176
Wonderware33
Ovation2747
DeltaV3856
Symphony272592
ClearSCADA010
Cygnet69101
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,301
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG34
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,153

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams255(no own ASN)
Enbridge740
Kinder Morgan72(no own ASN)
TC Energy650
Energy Transfer25(no own ASN)
Cheniere21(no own ASN)
Boardwalk19(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16101
OSIsoft PI00
iFIX67179
Wonderware22
Ovation2241
DeltaV3959
Symphony272597
ClearSCADA010
Cygnet72104
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,185
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG33
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,164

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams253(no own ASN)
Enbridge730
Kinder Morgan70(no own ASN)
TC Energy680
Energy Transfer25(no own ASN)
Cheniere21(no own ASN)
Boardwalk21(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15100
OSIsoft PI00
iFIX67171
Wonderware00
Ovation2241
DeltaV3756
Symphony260589
ClearSCADA010
Cygnet71103
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,124
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG33
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,181

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams254(no own ASN)
Enbridge730
Kinder Morgan71(no own ASN)
TC Energy650
Energy Transfer24(no own ASN)
Cheniere21(no own ASN)
Boardwalk21(no own ASN)
Tallgrass625
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1499
OSIsoft PI00
iFIX66171
Wonderware11
Ovation2141
DeltaV3654
Symphony252583
ClearSCADA010
Cygnet70102
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,166
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG34
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,186

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams259(no own ASN)
Enbridge740
Kinder Morgan71(no own ASN)
TC Energy680
Energy Transfer24(no own ASN)
Boardwalk23(no own ASN)
Cheniere21(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1397
OSIsoft PI00
iFIX68173
Wonderware11
Ovation2044
DeltaV3755
Symphony245580
ClearSCADA010
Cygnet69103
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,410
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,186

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams258(no own ASN)
Enbridge740
Kinder Morgan71(no own ASN)
TC Energy670
Energy Transfer24(no own ASN)
Boardwalk24(no own ASN)
Cheniere21(no own ASN)
Tallgrass626
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1398
OSIsoft PI00
iFIX69177
Wonderware11
Ovation2549
DeltaV4057
Symphony253604
ClearSCADA010
Cygnet69102
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,380
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams259(no own ASN)
Enbridge710
Kinder Morgan71(no own ASN)
TC Energy670
Boardwalk26(no own ASN)
Energy Transfer24(no own ASN)
Cheniere21(no own ASN)
Tallgrass626
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1398
OSIsoft PI00
iFIX71187
Wonderware11
Ovation2143
DeltaV3856
Symphony245607
ClearSCADA010
Cygnet70103
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams264(no own ASN)
Enbridge720
Kinder Morgan71(no own ASN)
TC Energy650
Boardwalk28(no own ASN)
Energy Transfer24(no own ASN)
Cheniere20(no own ASN)
Tallgrass625
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS1399
OSIsoft PI00
iFIX70186
Wonderware11
Ovation2244
DeltaV4058
Symphony240611
ClearSCADA010
Cygnet70103
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,409
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor12
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,211

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams261(no own ASN)
Enbridge740
Kinder Morgan70(no own ASN)
TC Energy640
Boardwalk26(no own ASN)
Energy Transfer24(no own ASN)
Cheniere21(no own ASN)
Tallgrass626
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15103
OSIsoft PI00
iFIX69187
Wonderware22
Ovation2445
DeltaV4160
Symphony238613
ClearSCADA09
Cygnet71103
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,628
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,290

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams267(no own ASN)
Enbridge740
Kinder Morgan70(no own ASN)
TC Energy640
Boardwalk26(no own ASN)
Energy Transfer23(no own ASN)
Cheniere22(no own ASN)
Tallgrass628
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16107
OSIsoft PI00
iFIX69189
Wonderware22
Ovation2142
DeltaV4058
Symphony247628
ClearSCADA09
Cygnet69101
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams266(no own ASN)
Enbridge790
Kinder Morgan71(no own ASN)
TC Energy620
Boardwalk26(no own ASN)
Energy Transfer24(no own ASN)
Cheniere23(no own ASN)
Tallgrass628
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16109
OSIsoft PI00
iFIX67196
Wonderware11
Ovation2442
DeltaV3956
Symphony247636
ClearSCADA09
Cygnet68106
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley22,800
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor11
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,313

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams267(no own ASN)
Enbridge800
Kinder Morgan71(no own ASN)
TC Energy620
Boardwalk26(no own ASN)
Cheniere24(no own ASN)
Energy Transfer23(no own ASN)
Tallgrass628
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS17110
OSIsoft PI00
iFIX71207
Wonderware11
Ovation3149
DeltaV4058
Symphony245639
ClearSCADA09
Cygnet70106
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams271(no own ASN)
Enbridge810
Kinder Morgan70(no own ASN)
TC Energy620
Boardwalk25(no own ASN)
Cheniere24(no own ASN)
Energy Transfer23(no own ASN)
Tallgrass629
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS18112
OSIsoft PI00
iFIX72211
Wonderware11
Ovation2946
DeltaV4361
Symphony252649
ClearSCADA09
Cygnet71105
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams270(no own ASN)
Enbridge810
Kinder Morgan71(no own ASN)
TC Energy620
Energy Transfer25(no own ASN)
Cheniere24(no own ASN)
Boardwalk23(no own ASN)
Tallgrass629
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS17111
OSIsoft PI00
iFIX71212
Wonderware11
Ovation2742
DeltaV4261
Symphony244653
ClearSCADA09
Cygnet77112
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley23,281
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,323

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams270(no own ASN)
Enbridge810
Kinder Morgan69(no own ASN)
TC Energy610
Energy Transfer26(no own ASN)
Cheniere24(no own ASN)
Boardwalk23(no own ASN)
Tallgrass628
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS17109
OSIsoft PI00
iFIX78220
Wonderware11
Ovation2742
DeltaV3957
Symphony240652
ClearSCADA09
Cygnet79115
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley24,106
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,334

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams273(no own ASN)
Enbridge810
Kinder Morgan70(no own ASN)
TC Energy600
Energy Transfer26(no own ASN)
Cheniere24(no own ASN)
Boardwalk24(no own ASN)
Tallgrass628
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16103
OSIsoft PI00
iFIX81224
Wonderware11
Ovation2745
DeltaV4160
Symphony245656
ClearSCADA09
Cygnet81119
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley24,072
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,316

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams272(no own ASN)
Enbridge810
Kinder Morgan70(no own ASN)
TC Energy590
Energy Transfer26(no own ASN)
Boardwalk26(no own ASN)
Cheniere23(no own ASN)
Tallgrass728
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16103
OSIsoft PI00
iFIX79221
Wonderware22
Ovation2944
DeltaV4162
Symphony245659
ClearSCADA09
Cygnet79118
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams271(no own ASN)
Enbridge810
Kinder Morgan70(no own ASN)
TC Energy560
Energy Transfer26(no own ASN)
Boardwalk24(no own ASN)
Cheniere23(no own ASN)
Tallgrass730
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16100
OSIsoft PI00
iFIX75213
Wonderware11
Ovation3147
DeltaV4162
Symphony245657
ClearSCADA110
Cygnet82119
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley29,144
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams278(no own ASN)
Enbridge800
Kinder Morgan69(no own ASN)
TC Energy570
Boardwalk28(no own ASN)
Energy Transfer24(no own ASN)
Cheniere22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS12101
OSIsoft PI00
iFIX80218
Wonderware22
Ovation2844
DeltaV4061
Symphony249679
ClearSCADA110
Cygnet79115
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley29,144
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG35
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams278(no own ASN)
Enbridge800
Kinder Morgan69(no own ASN)
TC Energy570
Boardwalk28(no own ASN)
Energy Transfer24(no own ASN)
Cheniere22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS12101
OSIsoft PI00
iFIX80218
Wonderware22
Ovation2844
DeltaV4061
Symphony249679
ClearSCADA110
Cygnet79115
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams282(no own ASN)
Enbridge800
Kinder Morgan69(no own ASN)
TC Energy550
Energy Transfer25(no own ASN)
Boardwalk24(no own ASN)
Cheniere22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14105
OSIsoft PI00
iFIX75215
Wonderware11
Ovation2843
DeltaV3859
Symphony255683
ClearSCADA09
Cygnet79116
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley33,191
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor8
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams281(no own ASN)
Enbridge800
Kinder Morgan70(no own ASN)
TC Energy580
Boardwalk25(no own ASN)
Energy Transfer24(no own ASN)
Cheniere22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14103
OSIsoft PI00
iFIX73214
Wonderware22
Ovation2942
DeltaV4162
Symphony255688
ClearSCADA09
Cygnet80117
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley34,926
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams281(no own ASN)
Enbridge820
Kinder Morgan70(no own ASN)
TC Energy580
Energy Transfer24(no own ASN)
Boardwalk23(no own ASN)
Cheniere22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16106
OSIsoft PI00
iFIX63205
Wonderware11
Ovation3244
DeltaV4263
Symphony258693
ClearSCADA09
Cygnet78118
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley35,902
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG37
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams281(no own ASN)
Enbridge800
Kinder Morgan70(no own ASN)
TC Energy580
Energy Transfer24(no own ASN)
Cheniere22(no own ASN)
Boardwalk22(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16104
OSIsoft PI00
iFIX63204
Wonderware11
Ovation2942
DeltaV4161
Symphony254684
ClearSCADA09
Cygnet76115
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley35,983
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG36
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,488

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams283(no own ASN)
Enbridge780
Kinder Morgan69(no own ASN)
TC Energy570
Energy Transfer26(no own ASN)
Cheniere22(no own ASN)
Boardwalk19(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16105
OSIsoft PI00
iFIX68213
Wonderware01
Ovation2743
DeltaV3958
Symphony248674
ClearSCADA-1-1
Cygnet74113
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley36,290
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG38
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,489

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams284(no own ASN)
Enbridge780
Kinder Morgan70(no own ASN)
TC Energy530
Energy Transfer24(no own ASN)
Cheniere22(no own ASN)
Boardwalk20(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16106
OSIsoft PI00
iFIX67213
Wonderware01
Ovation2741
DeltaV3957
Symphony256685
ClearSCADA09
Cygnet76114
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams286(no own ASN)
Enbridge780
Kinder Morgan70(no own ASN)
TC Energy520
Energy Transfer24(no own ASN)
Cheniere23(no own ASN)
Boardwalk20(no own ASN)
Tallgrass630
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14102
OSIsoft PI00
iFIX68211
Wonderware02
Ovation2540
DeltaV3856
Symphony257673
ClearSCADA010
Cygnet76112
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley36,514
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG41
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,556

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams284(no own ASN)
Enbridge790
Kinder Morgan69(no own ASN)
TC Energy500
Energy Transfer25(no own ASN)
Cheniere24(no own ASN)
Boardwalk20(no own ASN)
Tallgrass630
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15105
OSIsoft PI00
iFIX75217
Wonderware24
Ovation2337
DeltaV4260
Symphony264681
ClearSCADA010
Cygnet77113
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams286(no own ASN)
Enbridge790
Kinder Morgan69(no own ASN)
TC Energy490
Energy Transfer25(no own ASN)
Cheniere23(no own ASN)
Boardwalk22(no own ASN)
Tallgrass632
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS14105
OSIsoft PI00
iFIX68210
Wonderware12
Ovation2542
DeltaV4159
Symphony264673
ClearSCADA010
Cygnet78116
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley36,710
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG40
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,597

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams286(no own ASN)
Enbridge790
Kinder Morgan68(no own ASN)
TC Energy480
Energy Transfer27(no own ASN)
Cheniere23(no own ASN)
Boardwalk22(no own ASN)
Tallgrass632
MPLX1(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15107
OSIsoft PI00
iFIX71213
Wonderware13
Ovation2746
DeltaV4056
Symphony259667
ClearSCADA011
Cygnet78116
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley36,753
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor9
Sabine Pass / Cameron LNG40
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,620

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams282(no own ASN)
Enbridge790
Kinder Morgan66(no own ASN)
TC Energy490
Energy Transfer27(no own ASN)
Cheniere23(no own ASN)
Boardwalk18(no own ASN)
Tallgrass632
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15105
OSIsoft PI00
iFIX66209
Wonderware13
Ovation2743
DeltaV4561
Symphony255665
ClearSCADA011
Cygnet78117
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley37,259
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG40
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,645

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams283(no own ASN)
Enbridge800
Kinder Morgan66(no own ASN)
TC Energy480
Energy Transfer26(no own ASN)
Cheniere23(no own ASN)
Boardwalk22(no own ASN)
Tallgrass632
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS15105
OSIsoft PI00
iFIX63210
Wonderware35
Ovation2744
DeltaV4865
Symphony262664
ClearSCADA011
Cygnet78117
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley37,570
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG40
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,684

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams274(no own ASN)
Enbridge800
Kinder Morgan68(no own ASN)
TC Energy450
Energy Transfer26(no own ASN)
Cheniere23(no own ASN)
Boardwalk17(no own ASN)
Tallgrass633
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS16108
OSIsoft PI01
iFIX67211
Wonderware13
Ovation2342
DeltaV4461
Symphony257650
ClearSCADA010
Cygnet73112
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alleyn/a (rate-limited)
Pittsylvania County, VA hubn/a (rate-limited)
Henry Hub area (Erath, LA)n/a (rate-limited)
Corpus Christi LNG corridorn/a (rate-limited)
Sabine Pass / Cameron LNGn/a (rate-limited)
Permian / Waha (Pecos, TX)n/a (rate-limited)
Cheniere Bay (Plaquemines, LA)n/a (rate-limited)
Leidy Hub area (Clinton Co., PA)n/a (rate-limited)
Forest City, NC (Meta + MVP)n/a (rate-limited)
New Albany, OH (Meta Socrates)n/a (rate-limited)

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams272(no own ASN)
Enbridge820
Kinder Morgan68(no own ASN)
TC Energy440
Energy Transfer25(no own ASN)
Cheniere23(no own ASN)
Boardwalk15(no own ASN)
Tallgrass633
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS17109
OSIsoft PI01
iFIX71223
Wonderware13
Ovation2241
DeltaV4461
Symphony255647
ClearSCADA010
Cygnet72112
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley38,287
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG39
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,776

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams270(no own ASN)
Enbridge820
Kinder Morgan68(no own ASN)
TC Energy440
Energy Transfer25(no own ASN)
Cheniere23(no own ASN)
Boardwalk18(no own ASN)
Tallgrass633
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS18112
OSIsoft PI01
iFIX72228
Wonderware24
Ovation2746
DeltaV4461
Symphony255649
ClearSCADA011
Cygnet74113
Pipeline-area cities (25 km radius)
Ashburn / NoVa Data Center Alley38,371
Pittsylvania County, VA hub0
Henry Hub area (Erath, LA)1
Corpus Christi LNG corridor10
Sabine Pass / Cameron LNG38
Permian / Waha (Pecos, TX)0
Cheniere Bay (Plaquemines, LA)0
Leidy Hub area (Clinton Co., PA)0
Forest City, NC (Meta + MVP)0
New Albany, OH (Meta Socrates)1,813

Pipeline-operator exposure (US)
OperatorHostname matchesOwn-ASN matches
Williams274(no own ASN)
Enbridge820
Kinder Morgan68(no own ASN)
TC Energy450
Cheniere24(no own ASN)
Energy Transfer24(no own ASN)
Boardwalk13(no own ASN)
Tallgrass634
MPLX0(no own ASN)

SCADA banner counts
BannerUSGlobal
OASyS17114
OSIsoft PI01
iFIX70224
Wonderware35
Ovation3149
DeltaV4768
Symphony257642
ClearSCADA011
Cygnet77115