In the summer of 2009, technicians at Iran's Natanz uranium enrichment facility began noticing an unusual pattern. Centrifuges were failing at a rate that exceeded anything the facility's engineers could explain through normal wear. The machines were not exploding or visibly malfunctioning. They were degrading, spinning outside their safe operating parameters, destroying themselves from the inside while every monitoring display in the control room showed normal readings. By the time Iranian authorities understood what had happened, an estimated 1,000 centrifuges had been rendered inoperable. The country's nuclear program had been set back by somewhere between one and two years, without a single missile fired, without a single bomb dropped, without any action that could be formally attributed to a foreign government.
The weapon was a piece of software. It is known publicly as Stuxnet. The operation that deployed it is known as Olympic Games. It was developed jointly by the United States and Israel, begun under the Bush administration and accelerated under Obama, designed with extraordinary precision to affect only one specific model of Siemens programmable logic controller operating at a specific rotational frequency range, in a specific facility, in a specific country.
Stuxnet is cited in this series because it is not an analogy. It is a proof of concept. It demonstrated, publicly, permanently, and in a way that every intelligence service on earth has studied since, that the control layer of a physical industrial system is a weapons-grade attack surface. That access to that layer, established during peacetime through legitimate channels, can be converted into physical destruction at a moment of strategic choice. And that the conversion can be made while leaving the monitoring systems showing normal readings, so that the operators do not know what is happening until the damage is done.
The question this series has been building toward is now ready to be asked directly. Who has established access to the control layer of American critical energy and transportation infrastructure? And what is that access capable of, beyond reading data?
The Difference Between Collection and Sabotage
Intelligence professionals distinguish between collection operations and action operations. Collection is what the first three parts of this series described: telemetry flowing through foreign-managed BMS, operational data aggregated across fleets, degradation signatures legible to a trained analyst. Collection is valuable in peacetime. It informs strategy, identifies vulnerabilities, maps operational patterns. But collection alone does not change the physical world.
Action operations, what the intelligence community calls black operations when they are covert and deniable, change the physical world without attribution. Stuxnet was a black operation. It caused physical destruction through a control system without leaving fingerprints that could be formally acknowledged. The centrifuges destroyed themselves, following instructions delivered through their own legitimate control channel, while the monitoring systems reported normal operations.
The access pathway for collection and the access pathway for sabotage are, in a connected control system, the same pathway. The channel that reads telemetry is the same channel that delivers firmware updates. The channel that delivers firmware updates is the channel that delivers instructions. The difference between a data collection operation and a sabotage pre-position is not architectural. It is a question of what instructions are loaded into the channel, and when.
This is not a theoretical extrapolation. The Federal Highway Administration's September 2025 advisory, reported by Reuters, documented the discovery of undocumented cellular radios in foreign-manufactured battery management systems and power inverters deployed across U.S. highway infrastructure. The advisory described the potential for those devices to trigger surges and send rogue commands. Not to collect data. To send commands. That is not a collection capability. That is the physical manifestation of a pre-positioned action capability, installed in civilian infrastructure during peacetime, through legitimate commercial channels, in systems that manage electrical flow to highway infrastructure including electric vehicle chargers.
The Stuxnet Lesson, Read Correctly
Stuxnet is remembered primarily as a story about American and Israeli offensive capability. That is the wrong reading for our purposes. The more important lesson is what Stuxnet demonstrated about the requirements for a successful control-layer attack, because those requirements illuminate exactly what a pre-positioned capability in American infrastructure would need to look like.
Stuxnet required, first, precise technical knowledge of the target system. The worm was designed to affect a specific Siemens PLC model operating at a specific frequency range. This level of precision required intelligence on the exact hardware and software configuration of the Natanz facility, gathered over years through a combination of signals intelligence, human intelligence, and physical access operations. An attacker who wanted to achieve a similar effect against American battery infrastructure would need equivalent knowledge of the target systems. A foreign company that designed, built, and maintains the BMS in those systems already has that knowledge. It does not need to gather it covertly. It is the manufacturer.
Stuxnet required, second, physical access to deliver the payload to an air-gapped system. Natanz was not connected to the internet. The weapon had to be introduced via USB drive, through a human vector who either knowingly or unknowingly carried the infected drive into the facility. A modern automotive BMS connected to the cloud for over-the-air updates is not air-gapped. The delivery channel exists as a standard feature of the product. The firmware update pathway is the payload delivery mechanism. No human vector is required. No physical access is needed. The channel is open, authenticated, and used routinely.
Stuxnet required, third, a false data layer that reported normal operations while the damage accumulated. The centrifuge operators saw normal readings while their machines were destroying themselves. A BMS that displays normal state of charge and thermal readings while operating outside safe parameters, a BMS whose monitoring outputs are controlled by the same software that controls the operating parameters, provides exactly this false data layer natively. The monitoring and the control are the same system.
Operation Olympic Games, the joint U.S.-Israeli cyberweapon program that produced Stuxnet, began under the Bush administration in 2006 and was accelerated under Obama. The malware specifically targeted Siemens Step 7 software controlling frequency converters at Natanz. It caused centrifuge rotors to spin above and below safe operating speeds in a repeating cycle, causing physical destruction while falsely reporting normal operations to monitoring systems.
The program destroyed an estimated 1,000 centrifuges and set Iran's nuclear enrichment program back by an estimated one to two years. It was the first publicly confirmed use of a cyberweapon to cause kinetic physical destruction of industrial infrastructure. It demonstrated that the control layer of a physical system is a weapons-grade attack surface, accessible without physical presence, deniable without attribution, and capable of producing effects indistinguishable from mechanical failure.
Neither the United States nor Israel has formally acknowledged responsibility. The operation became publicly known in 2010 when a coding error caused the worm to spread beyond Natanz to computers worldwide.
The Escalation Ladder
Pre-positioned capabilities are not used in peacetime. This is not a sign that they are not dangerous. It is the proof that they are strategically designed. A capability that is used reveals itself and is neutralized. A capability that is maintained, updated quietly with each firmware cycle, and held dormant is a deterrent and a weapon simultaneously, exercisable at a moment of strategic choice.
The escalation ladder has three rungs, and understanding all three is necessary to understand why the bottom rung, collection, understates the threat.
Collection is the bottom rung. Telemetry flowing through foreign-managed BMS to servers subject to foreign legal jurisdiction. Charging behavior, degradation signatures, thermal event precursors. Operational patterns of government fleets, law enforcement vehicles, military logistics. This is happening now, continuously, in every vehicle on the GM EV lineup powered by a foreign-designed intelligence layer. It is valuable in peacetime and it is the rung the BIS rule was designed to address.
Pre-positioning is the middle rung. Access pathways established and maintained but not activated. Undocumented radio hardware installed in infrastructure battery management systems, as the FHWA advisory documented. Firmware update channels held open, authenticated, and functional. This rung does not require any hostile act to establish. It is established by the normal operation of the commercial relationship. The pre-position is the product, delivered through legitimate procurement, maintained through normal service contracts. It exists whether or not anyone intends to use it. It waits.
Activation is the top rung. The decision to use what has been pre-positioned. A fleet of electric vehicles simultaneously disabled during a period of geopolitical crisis. Grid-connected battery storage systems in critical infrastructure driven outside safe operating parameters during a coordinated denial of service operation against the energy grid. Highway BMS infrastructure commanded to trigger surges at a moment chosen by a foreign government. The Stuxnet parallel is exact: physical effects, delivered through the legitimate control channel, while monitoring systems report normal operations, without attribution to any hostile act.
Activation requires a decision. That decision is made based on the geopolitical temperature, the strategic calculus of the moment, and whether the cost of revealing the capability is outweighed by the operational value of using it. The capability itself is already in place. The decision has not been made, as far as the public record shows. But the capability does not expire. And the geopolitical temperature is not static.
A capability that is not used is not evidence that the capability does not exist. It is evidence that the cost-benefit calculation has not yet crossed the threshold. Pre-positioned capabilities are most valuable precisely because they are not used during peacetime: their strategic value lies in their existence as a latent threat, exercisable at a moment of the holder's choosing. This is why the absence of a known activation event is not reassuring. It is the expected condition of a well-designed pre-position.
Beyond the BMS: The Physical Infrastructure Parallel
The argument of this series has been built on the BMS because the BMS is the most technically specific and least publicly understood attack surface in the connected vehicle and energy storage ecosystem. But the BMS is one node in a larger pattern.
The same logic, the same escalation ladder, the same distinction between collection and pre-positioned action capability, applies wherever foreign actors have established legitimate operational presence in American critical infrastructure. Remediation contracts on contaminated mining sites. Produced water treatment operations at active extraction sites. Good Samaritan permits on acid mine drainage remediation projects. Solar inverter installations along federal highway corridors. Grid-connected battery storage at substations and behind-the-meter at industrial facilities.
Each of these represents a legitimate commercial relationship. Each provides physical access to critical infrastructure. Each creates an operational presence that is indistinguishable, from the outside, from normal commercial activity. And each represents, simultaneously, an intelligence collection point and a potential pre-positioned action capability, exercisable under conditions that the holder controls and the host cannot fully observe.
This is not a new observation. It is the subject of an entire parallel series on this platform, one that maps the specific geographic and legal vulnerabilities through which foreign actors are establishing exactly these kinds of operational presences, and proposes specific legislative fixes that would close the most dangerous of them.
The Intelligence Layer series was the segue that series was missing. The battery series explained the physical supply chain and where it is exposed. This series explained that even a secured physical supply chain remains vulnerable if the intelligence layer running on top of it is foreign-controlled. The Quiet Acquisition explains what is happening in the physical world while the software debate continues, and what Congress can do about it before the pre-positions become activations.
Stuxnet taught the world that the control layer of a physical system is a weapons-grade attack surface. The question is not whether that lesson was learned. The question is who learned it, and what they have been doing with it since.
What the Series Has Built
Five parts. One argument in five movements.
The BMS is the intelligence layer of the battery, not a control unit but an electrochemical inference system that generates a continuous stream of operational data as a byproduct of doing its job. The data flywheel advantages incumbents who are predominantly foreign-domiciled, compounding every quarter against domestic entrants who do not exist at automotive scale.
The certification barrier that prevents domestic competition is not a technology problem. ASIL-D is correct, necessary, and should not be lowered. The barrier is a capital and time problem that private markets cannot solve alone against incumbents who cleared it a decade ago with structural advantages a domestic entrant does not have.
The data flowing through foreign-managed BMS is already a national security concern, named as such by the U.S. government in a published Federal Register rulemaking, confirmed in hardware by a Federal Highway Administration advisory documenting undocumented radios in deployed infrastructure, and structurally exposed through the human vector of Korean battery engineers whose knowledge is the target of a documented Chinese intelligence recruitment campaign.
The domestic alternative can be built. The OWS model, applied to ASIL-D certified BMS, funded at the right level, structured with the right exit condition, and routed through the right legislative vehicle, is the program. It does not lower the standard. It funds domestic builders to clear it. The government has done this before, for a different product, in less time, against a harder constraint.
And the collection problem, addressed by the OWS program and the BIS rule, is not the complete threat. The same access pathway used for data collection is the pathway for pre-positioned action. Stuxnet proved that the control layer is a weapons-grade attack surface. The FHWA advisory proved that undocumented hardware has already been found in American infrastructure BMS. The escalation ladder from collection to pre-positioning to activation is not a theoretical construct. It is the operational framework that every serious intelligence service uses to think about embedded access in adversary infrastructure.
The legislative fixes that close the physical access layer, that address the remediation contracts and the produced water operations and the Good Samaritan permits through which foreign actors are establishing operational presence in American critical mineral and energy infrastructure, are the subject of the series that follows.
That series begins where this one ends.
Six parts mapping the foreign acquisition vector American policy does not yet fully see. FEOC blocks the front door. The back door, remediation contracts, produced water operations, Good Samaritan permits, is open. The legislative fixes are specific, achievable, and ready to ride the annual NDAA. The Intelligence Layer series explained what is at stake in the software layer. The Quiet Acquisition explains what is already happening in the physical one.