Border Cyber Group | Deep Dive | June 10, 2026


There is a line of direct descent from a 500-kilobyte worm smuggled into an Iranian centrifuge hall on a USB drive in 2007 to an unattributed threat actor manipulating fuel levels at gas stations across the American Southeast in 2026. That line runs through a power grid in western Ukraine going dark on a winter evening, a petrochemical plant in Saudi Arabia surviving a near-catastrophic explosion by a single line of buggy attacker code, and an East Coast pipeline shutdown that triggered a presidential emergency declaration and gas lines stretching around city blocks. The details differ. The underlying logic does not: operational technology that was never designed to face an adversary, connected to networks it was never meant to reach, is the most reliably exploitable attack surface in the modern threat landscape.

When CISA and seven co-signing agencies published their joint advisory on automatic tank gauge systems on June 2, 2026, they were not describing a novel threat category. They were documenting the latest chapter in a story that has been accumulating consequences for nearly two decades. Understanding that story — its technical evolution, its strategic implications, and the structural vulnerabilities it exploits — is essential to understanding why the ATG advisory, despite its understated tone, represents a serious escalation signal.

__________________

Stuxnet and the Birth of the Cyber Weapon (2007–2010)

The starting point is Natanz, a uranium enrichment facility buried under the Iranian desert, and a worm that security researchers at the time described as unlike anything they had ever seen.

Stuxnet was publicly discovered in June 2010, but it had been operating covertly since at least 2007. Developed by a US-Israeli joint intelligence operation codenamed Olympic Games, it represented the first publicly confirmed case of malicious software deliberately designed to cause physical destruction to industrial machinery. Its target was specific to the point of being surgical: Siemens S7-315 and S7-417 programmable logic controllers (PLCs) managing IR-1 centrifuge cascades at the Natanz Fuel Enrichment Plant.

The engineering was extraordinary. Stuxnet propagated through Windows networks using four separate zero-day exploits simultaneously — an unprecedented investment of offensive capability. It spread broadly but remained inert on any system that did not match the precise hardware and software fingerprint of the Natanz configuration. On matching systems, it hijacked the Siemens Step 7 engineering software to reprogram the PLCs directly, ramping centrifuge rotor speeds through a destructive cycle — 807 Hz, up to 1,410 Hz, then crashing to 2 Hz — while feeding false telemetry back to monitoring systems via a thirty-day replay of recorded normal operation. Iranian engineers watched instruments showing stable readings while their machines tore themselves apart from the inside.

IAEA inspectors, permitted limited access to Natanz, first noticed an anomaly in the rate of centrifuge replacement. Normal attrition at a facility of that scale ran roughly 800 machines per year. In late 2009 and early 2010, Iran decommissioned somewhere between 1,000 and 2,000 IR-1 centrifuges over a compressed period, a replacement rate that exceeded every projection. One analyst estimated Stuxnet set the Iranian nuclear program back by at least two years. According to reporting by Yahoo News later corroborated by multiple intelligence sources, the initial delivery vector was a Dutch AIVD asset who physically installed the worm on USB drives brought into the air-gapped facility.

What Stuxnet established, beyond its immediate operational effect, was a proof of concept for the entire field that followed: software could cross the digital-physical boundary and impose physical consequences on industrial machinery. The air gap — the belief that critical infrastructure was protected by physical separation from hostile networks — was not a defense. It was an obstacle, and obstacles can be overcome.

Stuxnet's accidental escape from Natanz in 2010, spreading to computers across Indonesia, India, and eventually the broader internet, also established a second precedent: offensive cyber tools do not remain contained. The techniques documented in Stuxnet became a reference library for every state and non-state actor that followed.

__________________

Ukraine and the First Grid Attacks (2015–2016)

Five years after Stuxnet's discovery, the techniques it demonstrated came home to a power grid. On December 23, 2015, lights went out across western Ukraine. Three energy distribution companies — Prykarpattyaoblenergo, Chernivtsioblenergo, and Kyivoblenergo — suffered coordinated, simultaneous outages affecting approximately 230,000 consumers for between one and six hours. It was the first publicly confirmed successful cyberattack on a national power grid in history.

The attack, attributed with high confidence to the Russian threat group Sandworm (also linked to GRU military intelligence), had been in preparation for at least eight months. The initial access vector was a spear-phishing email carrying a malicious Excel attachment. An employee at Prykarpattyaoblenergo opened it in spring 2015. BlackEnergy 3 malware established a foothold, connected to command-and-control infrastructure, and spent months conducting reconnaissance: mapping IT and OT networks, harvesting credentials, identifying SCADA systems, and planning the execution phase.

On December 23, attackers logged into SCADA systems using stolen credentials and began remotely switching off circuit breakers at thirty substations — seven at 110kV and twenty-three at 35kV. In one documented case, an operator watched his cursor move across his screen, taken over remotely, and was then locked out as the attacker changed his password. A simultaneous telephone denial-of-service attack flooded the utility's customer call centers to prevent damage assessment and delay restoration. KillDisk malware overwrote master boot records on operator workstations, delaying manual restoration by destroying the control systems.

The 2016 follow-on attack was more sophisticated and more alarming. The malware used, eventually named Industroyer (also known as Crashoverride), was the first ICS-specific malware since Stuxnet designed explicitly to speak the native protocols of electric grid systems — IEC 60870-5-101, IEC 60870-5-104, IEC 61850, and OPC DA. It did not need to exploit application-layer vulnerabilities in SCADA software. It simply communicated directly with substations in their own language, opening circuit breakers autonomously. The December 17, 2016 attack cut power to roughly a fifth of Kyiv for approximately an hour. Researchers from ESET and Dragos who analyzed Industroyer assessed it as having been designed for a much larger attack that was either constrained or executed conservatively as a demonstration.

The Ukraine grid attacks delivered two strategic lessons that are still being absorbed. First, the dwell time between initial access and execution was measured in months, not days, which means that by the time an attack is observed, the adversary has already achieved deep access. Second, Ukraine's grid survived in part because it retained manual override capability and experienced operators who could restore power without automated systems. Many Western grid operators have progressively removed that manual fallback in the name of efficiency. The resilience buffer that saved Ukraine in 2015 and 2016 does not exist uniformly in US or European infrastructure.

__________________

Triton and the Line That Was Not Supposed to Be Crossed (2017)

In August 2017, something happened at a petrochemical facility in Saudi Arabia — the facility's identity has never been officially confirmed but is widely reported to be a Petro Rabigh facility — that most ICS security researchers described as the most dangerous industrial control system attack ever publicly documented.

The TRITON framework, attributed with high confidence to a Russian government-owned research laboratory (CNIIHM, also known as the Central Scientific Research Institute of Chemistry and Mechanics) by Mandiant/FireEye, was designed to attack Schneider Electric Triconex Safety Instrumented System (SIS) controllers. Safety instrumented systems are not production control systems. They are the last line of defense — the independent safety layer designed to trigger emergency shutdowns when sensors detect dangerous conditions such as excessive temperature, pressure anomalies, or toxic gas levels. They exist specifically to prevent industrial accidents that kill people.

The attack exploited a zero-day vulnerability in the Triconex SIS firmware to install a remote access trojan and inject attacker-controlled code into the controllers. The objective, as assessed by Mandiant, was to disable or manipulate the safety systems to prevent them from triggering a shutdown — creating the conditions under which a physical process failure could escalate into a catastrophic industrial accident. An error in the attacker's code caused an unintended shutdown before the attack could reach its intended outcome. The safety system functioned as designed — shutting down the plant — and the resulting investigation discovered the malware. Had the code been correct, the likely outcome was an uncontrolled release of hydrogen sulfide gas and potentially an explosion.

The facility had initially investigated the first shutdown, in June 2017, as a mechanical failure. Schneider Electric reviewed diagnostics and concluded the equipment was functional. The attackers had been present in the network, undetected, across both incidents. When the broader scope of the compromise was later reconstructed, investigators found that six engineering systems had been infected — not the two originally reported.

TRITON established a boundary that the security community had previously treated as implicit: nation-state actors were now developing capability specifically designed to cause mass casualties in industrial facilities. The malware was not espionage tooling. It was a weapon.

__________________

Colonial Pipeline and the IT/OT Convergence Reckoning (2021)

On May 7, 2021, a Colonial Pipeline employee discovered a ransom note in the company's IT systems. What followed over the next six days was the most consequential ransomware attack on US infrastructure to that point, and a case study in how the boundary between IT and OT — between administrative networks and operational systems — had become a dangerous fiction.

Colonial Pipeline operates 5,500 miles of pipeline carrying more than 2.5 million barrels of refined petroleum products daily from Houston to the New Jersey terminal at Linden — approximately 45 percent of the fuel supply for the US East Coast. The DarkSide ransomware-as-a-service group, operating through an affiliate, gained initial access through a compromised VPN account that lacked multifactor authentication. The password, while complex, had been obtained in a prior credential breach elsewhere. The account had not been deactivated despite being unused.

The technical breach was confined to Colonial's IT network. The operational technology network managing the pipeline itself was not confirmed to have been directly compromised. Colonial Pipeline's CEO testified to Congress that the decision to shut down pipeline operations was made preemptively — not because OT systems were compromised, but because the company lacked sufficient visibility into its OT environment to be confident they were safe to operate without the billing and flow management systems that IT ransomware had encrypted. The pipeline was shut down out of uncertainty, not confirmed operational compromise.

That distinction is important. The shutdown of East Coast fuel supply for six days was not caused by attackers taking over pipeline control systems. It was caused by an IT ransomware infection destroying the administrative confidence required to operate the OT systems safely. President Biden declared a national emergency on May 9. Average fuel prices exceeded $3 per gallon for the first time since 2014 across seventeen states. Colonial paid approximately $4.4 million in ransom, of which the FBI subsequently recovered approximately $2.3 million.

The Colonial attack demonstrated that physical disruption does not require OT compromise. An adversary who creates sufficient uncertainty about IT system integrity can force an operational shutdown voluntarily. It also demonstrated that the air gap is an organizational fiction as much as a technical one: when IT systems are needed to manage OT safely, a ransomware infection in IT propagates its effects to OT regardless of whether the OT network itself was touched.

__________________

Volt Typhoon and the Pre-Positioned Threat (2021–2024)

The Colonial Pipeline attack was financially motivated criminal activity. What CISA and the FBI began disclosing in 2023 and 2024 was categorically different: a sustained, patient Chinese state-sponsored campaign with no apparent financial motive and a strategic purpose that US officials described in terms not typically used in public cybersecurity advisories.

Volt Typhoon — also tracked as Bronze Silhouette and Vanguard Panda — was first publicly attributed by Microsoft in May 2023, with the group assessed to have been active since at least mid-2021. A February 2024 joint advisory from CISA, the FBI, and the NSA stated explicitly that PRC state-sponsored actors had compromised US critical infrastructure networks and were positioning themselves for "disruptive or destructive effects" during a future contingency. The advisory identified compromised sectors as communications, energy, transportation, and water and wastewater systems. FBI Director Christopher Wray stated publicly: "China's hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict."

Volt Typhoon's tradecraft was designed for longevity, not noise. The group primarily used living-off-the-land techniques — built-in operating system tools, stolen credentials, and legitimate administrative software rather than custom malware — to blend into normal network traffic and resist signature-based detection. The group exploited vulnerabilities in internet-facing edge devices, particularly Fortinet FortiGate appliances, Cisco IOS systems, and NETGEAR routers, to establish initial footholds, then moved laterally into operational infrastructure using harvested credentials. The objective in many cases appeared to be not data collection but persistence — maintaining access that could be activated under specific geopolitical conditions.

In December 2023, a court-authorized FBI operation disrupted a Volt Typhoon botnet of hundreds of US-based small office and home office routers that the group had hijacked to proxy its traffic and mask its origin. Disrupting the botnet did not remove access from compromised infrastructure targets — it only degraded the operational cover.

The understood contingency underlying Volt Typhoon's targeting of Guam, Hawaii, and other military-strategic locations is a potential US-China military confrontation over Taiwan. The assessment is that pre-positioned access to US power grids, water systems, and communications infrastructure would be activated in such a scenario to impose costs on the US civilian population and complicate military logistics. This is cyber capability in service of deterrence and coercion, not criminal profit.

__________________

The ATG Advisory and the Current State of Exposure

Against this history, the June 2, 2026 joint advisory on automatic tank gauge systems reads as a continuation, not an anomaly.

ATG systems are ubiquitous, largely invisible, and historically treated as low-security infrastructure. They are embedded in gas stations, fuel depots, commercial fleets, airports, military installations, agricultural storage facilities, and chemical plants. They report fuel levels and detect leaks. They are also, according to Bitsight research, frequently internet-exposed with hardcoded credentials and no authentication on their serial port interfaces — TCP ports 8001, 9001, and 10001 accessible directly from the internet.

The advisory documents active exploitation with eight-agency co-signature, which is not how CISA frames routine vulnerability notices. The observed TTPs — authentication bypass, OS command execution, SQL injection, privilege escalation to full device control — follow patterns documented in prior ICS campaigns. The consequence set the advisory describes is not hypothetical: an attacker with full ATG access can alter tank volumes and pump controls, disable leak detection alerts, create denial-of-view conditions that obscure actual fuel levels, and compound malfunctions that create physical hazards.

The scale of the exposure problem extends well beyond ATGs. Bitsight data published in September 2025 documented approximately 180,000 internet-exposed ICS devices globally, up 13 percent from the beginning of 2024, with the trend projected to cross 200,000 before the end of 2025. Bitsight's June 2026 update on the global state of ICS/OT exposure specifically noted finding "thousands" of fuel-monitoring devices online, the majority lacking authentication and speaking insecure serial protocols over TCP/IP, and assessed that an attack playbook developed against one site would generalize cheaply to many others. In parallel, Forescout's analysis of CISA ICS advisories found that in 2025, the agency published 508 advisories covering 2,155 CVEs — the first year to exceed 500 advisories — with the average CVSS score of ICS vulnerabilities rising from 6.44 in 2010 to 8.07 in 2025. The vulnerabilities are more numerous and more severe than at any point in documented history.

The traditional defense — the air gap between operational technology and internet-accessible networks — is functionally gone in most environments. A 2025 Fortinet report assessed that 73 percent of OT organizations experienced an OT-impacting breach in 2024, up from 49 percent the year before. IT/OT convergence, driven by legitimate operational benefits including remote monitoring, predictive maintenance, and supply chain integration, has eliminated the physical separation that was once the primary security control for industrial systems that were never designed with cybersecurity in mind.
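As an added example (not code from the advisory, Bitsight, or Border Cyber Group), the following Python script audits a site's firewall flow records for the exposure pattern described above: any permitted connection to the ATG ports named here (8001, 9001, 10001) that did not originate from an allowlisted fuel-management poller. The record format, the poller address and the sample records are constructed assumptions.

```python
"""Audit firewall / flow logs for who can reach automatic tank gauge (ATG)
serial-over-TCP ports.  Added example; not code from the advisory or Bitsight.
Assumed (constructed) record format: <timestamp> <src_ip> <dst_ip> <dst_port> <ALLOW|DENY>
"""
import ipaddress
from collections import namedtuple

# Ports the text names as commonly carrying unauthenticated ATG serial interfaces.
ATG_PORTS = {8001, 9001, 10001}

# RFC 1918 ranges, used instead of ipaddress's is_private because that flag also
# treats documentation ranges such as 203.0.113.0/24 (used in the sample) as private.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: the only host that should poll the gauges is the site's
# fuel-management server.  Constructed address for the example.
POLLER_ALLOWLIST = {ipaddress.ip_address("10.20.0.5")}

# kind is "internet_exposed" or "unsegmented_internal"
Finding = namedtuple("Finding", "when src dst port kind")

def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)

def parse_flow(line):
    """Return a dict for a well-formed record, None for anything else."""
    parts = line.split()
    if len(parts) != 5 or parts[4] not in ("ALLOW", "DENY"):
        return None
    try:
        return {"when": parts[0],
                "src": ipaddress.ip_address(parts[1]),
                "dst": ipaddress.ip_address(parts[2]),
                "port": int(parts[3]),
                "action": parts[4]}
    except ValueError:
        return None

def audit_atg_exposure(lines, allowlist=POLLER_ALLOWLIST):
    """Flag every permitted connection to an ATG port that did not come from an
    allowlisted poller: an external source means the gauge is internet-exposed,
    any other internal source means IT/OT convergence without segmentation."""
    findings = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None or rec["action"] != "ALLOW" or rec["port"] not in ATG_PORTS:
            continue
        if rec["src"] in allowlist:
            continue
        kind = "unsegmented_internal" if is_internal(rec["src"]) else "internet_exposed"
        findings.append(Finding(rec["when"], str(rec["src"]), str(rec["dst"]),
                                rec["port"], kind))
    return findings

def exposed_gauges(findings):
    """Gauges that accepted at least one connection from outside RFC 1918 space."""
    return sorted({f.dst for f in findings if f.kind == "internet_exposed"})

# Constructed sample records: 203.0.113.0/24 is a documentation range standing in
# for an arbitrary internet source; 10.77.1.x are the (constructed) gauge addresses.
SAMPLE_FLOWS = [
    "2026-06-03T02:14:07Z 203.0.113.44 10.77.1.10 10001 ALLOW",  # internet -> gauge
    "2026-06-03T02:14:09Z 10.20.0.5 10.77.1.10 10001 ALLOW",     # allowlisted poller
    "2026-06-03T02:15:30Z 10.50.7.21 10.77.1.11 9001 ALLOW",     # office host -> gauge
    "2026-06-03T02:16:02Z 198.51.100.9 10.77.1.11 8001 DENY",    # blocked at firewall
    "2026-06-03T02:17:45Z 203.0.113.44 10.77.1.10 443 ALLOW",    # not an ATG port
    "not a flow record",
]

if __name__ == "__main__":
    for f in audit_atg_exposure(SAMPLE_FLOWS):
        print(f"{f.when} {f.kind}: {f.src} -> {f.dst}:{f.port}")
```

Any gauge returned by `exposed_gauges` is a candidate for the advisory's primary recommendation, removal from internet exposure, while `unsegmented_internal` findings point at the IT/OT segmentation gap discussed later in the piece.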

__________________

The Question Everyone Is Asking

The reasonable question, reading this history, is: how bad could it actually get?

The honest answer is that the confirmed incidents illustrate a spectrum of consequences, and the more dangerous end of that spectrum has so far been reached only once at any significant scale — in Ukraine — where Russian state actors had both the capability and the political willingness to execute attacks designed to cause civilian suffering. In the US and European contexts, the most consequential confirmed incidents have been either constrained by attacker decisions (TRITON's buggy code, Volt Typhoon's apparent patience), by organizational response (Colonial's voluntary shutdown), or by the resilience of systems that retained manual override capability (Ukraine 2015).

What has changed, progressively, since Stuxnet, is the expansion of the attack surface and the democratization of the capability required to exploit it. Stuxnet required nation-state resources and years of development. Colonial Pipeline required a single leaked credential and an unused VPN account. The ATG advisory documents exploitation of systems that have default credentials, no authentication, and direct internet exposure — infrastructure accessible to any moderately capable threat actor with access to Shodan.

Volt Typhoon represents the strategic threat that most concerns serious analysts: a patient, pre-positioned capability maintained inside US critical infrastructure by a near-peer adversary, dormant until a geopolitical trigger. Its activation — if it were activated — would not look like Stuxnet's surgical precision or Colonial's ransomware note. It would look like simultaneous failures across power, water, communications, and fuel supply infrastructure in militarily significant regions, timed to complicate a US military response to a crisis elsewhere.

The ATG advisory is not Volt Typhoon. Its activity appears consistent with opportunistic criminal exploitation or lower-tier state actor reconnaissance rather than pre-positioned strategic capability. But the same internet-exposed, default-credential, no-authentication infrastructure that ATG systems represent is present across every category of operational technology that serious adversaries have targeted over the past two decades. The advisory is a data point in a larger pattern that has been accelerating, not a one-off event.

__________________

What the Pattern Tells Defenders

Across the incidents documented above, several structural vulnerabilities appear repeatedly:

Default and hardcoded credentials contributed to the initial access in Colonial Pipeline, are documented as the primary ATG vulnerability vector, and appear in virtually every major ICS intrusion timeline. The control is straightforward and rarely implemented across the full asset inventory.

Internet exposure of systems that should not be internet-exposed is the defining characteristic of the ATG threat, was the entry point for most Volt Typhoon initial access, and is documented in Bitsight's research as growing rather than shrinking. The cost of internet-exposing a device for operational convenience is borne by everyone within reach of that device's physical systems.

IT/OT convergence without compensating controls allowed Colonial Pipeline's IT ransomware to propagate effects to OT operations without directly touching OT systems. The same convergence that makes modern infrastructure more efficient makes it more brittle.

Dwell time measured in months characterized the Ukraine 2015 attack, the TRITON attack, and Volt Typhoon. The detection models appropriate for IT environments — focused on malware signatures, known IOCs, perimeter events — are insufficient for adversaries who are already inside, behaving like legitimate users, using legitimate tools. Behavioral detection and OT-specific monitoring are the appropriate controls, and they remain the exception rather than the rule.

No manual fallback is a civilizational-scale problem that has emerged gradually as automated systems displaced human operators. Ukraine survived the 2015 attacks in part because operators could manually trip breakers and restore power. That capability is not universal. In some US utility environments, the knowledge and procedures required to operate manually in the absence of automated systems have atrophied through years of disuse.

The ATG advisory's primary recommendation — remove ATGs from internet exposure — is correct and sufficient for the immediate threat. It is also a recommendation that has been repeated, in various forms, for every class of internet-exposed OT device, for approximately fifteen years. The gap between what defenders know they should do and what the aggregate exposure data shows they have done is the single most consequential vulnerability in the critical infrastructure security landscape.

History suggests the question is not whether a significant critical infrastructure attack will occur in the United States or Europe. Several already have, at varying scales. The question is whether the structural conditions — internet-exposed OT, default credentials, IT/OT convergence without segmentation, eroded manual fallback capability, pre-positioned adversary access — will still be in place when the next one does.

As of June 2026, the data says they are.

__________________

Primary sources: CISA joint ATG advisory (Jun 2, 2026); Bitsight ICS/OT Exposure Report (Jun 2026); Mandiant/FireEye TRITON analysis; SANS/E-ISAC Ukraine grid attack analysis; CISA Colonial Pipeline reporting; Microsoft/CISA Volt Typhoon advisories; IEEE Spectrum Stuxnet analysis; Forescout ICS advisory research (2026).

#ics #ot #criticalinfrastructure #apt #dfir #detection #crimeware #deepdive


Jonathan Brown | Border Cyber Group bordercybergroup.com | Support independent security reporting
