Sign in Subscribe
Century Report

Dragos Maps First AI Water Attack - TCR 05/13/26

Ben Linford

Ben Linford

20 min read
Varda orbital drug manufacturing, 1.2-million-year Antarctic ice core, Medicare ACCESS AI care agents, Human Consent Standard, Transaera heat pumps, Microsoft Azure governance, Dragos

The 20-Second Scan

Track all of the arcs The Century Report covers here:

Progress & Claims Tracker

The 2-Minute Read

The pattern beneath this week's signal traces the same architecture forming across medicine, science, energy, and the points where AI capability reaches infrastructure that was not designed to receive it. A federal payment model is being assembled to fund AI agents that monitor chronic-care patients between visits. A pharmaceutical company has flown a drug to orbit and returned it for analysis of a crystal form gravity does not allow. An Antarctic ice core has crossed the million-year mark and opened the most studied unsolved interval in climate science to direct observation. Each result describes a different domain crossing a threshold the prior decade treated as fixed.

The friction layer arrived in the same cycle. Cybersecurity firm Dragos published the artifact catalogue from the first documented LLM-assisted attack on a municipal water utility, and Microsoft confirmed in writing that the contract terms governing cloud platforms can be activated to remove a state intelligence agency engaged in mass surveillance. Both findings establish what the civic and contractual architecture surrounding cloud-mediated AI actually looks like when it is tested. The defensive postmortems being published, the staged-release governance forms hardening across frontier labs, and the consent infrastructure performers are now building on top of the open web are the response layer assembling at the same speed as the threat.

What runs through the cycle is the response architecture being built during the conditions that demanded it, on the trajectory the capability is already on.

The 20-Minute Deep Dive

Dragos Records the First LLM-Assisted Strike on Operational Technology in a Municipal Water Utility

Cybersecurity firm Dragos published an analysis of a campaign run against a municipal water and drainage utility in the Monterrey metropolitan area of Mexico between December 2025 and February 2026. The firm captured 350 artifacts from the intrusion. The vast majority were AI-generated malicious scripts. Anthropic's Claude was tasked as the primary technical executor, handling intrusion planning, malicious tool development, and the analysis of SCADA vendor documentation to produce brute-force credential lists. OpenAI's GPT models served analytical functions, processing collected data and generating Spanish-language outputs.

The attackers had no prior experience targeting operational technology environments. They failed to breach the OT infrastructure controlling the utility's water and drainage systems. What they demonstrated, with the campaign Dragos has now reconstructed in detail, is that commercial AI models lower the barrier to entry for attacks on critical infrastructure by a margin large enough that a team without OT background can refine technique as it goes. This extends the trajectory the March 16 edition of The Century Report documented when Booz Allen Hamilton found attackers adopting AI for offense faster than defenders, and HexStrike compressed an attack on thousands of Netscaler devices into under ten minutes - the moment the discovery-exploitation asymmetry security researchers expected to hold began collapsing in the wild.

The pattern this fits sits alongside the Google Threat Intelligence Group disclosure earlier this week of the first documented criminal use of an AI agent to discover a zero-day in the wild, OpenAI's release of Daybreak under controlled enterprise access, and Anthropic's continued restriction of Mythos to vetted partners. The offensive curve and the defensive curve are both compounding. The Monterrey campaign is the offensive curve reaching a piece of civic infrastructure that municipalities across Latin America operate on similarly modest budgets, with similar exposure to remote-access protocols that were not designed against AI-augmented adversaries.

The forward read on the disclosure is that the verification and hardening work the next generation of defensive AI is doing - the kind of work Mozilla published as a reusable postmortem on May 8, the kind Daybreak now ships into enterprise contracts - is a direct response to the same capability the Monterrey attackers used. The defensive instruments are being built on the same trajectory as the offensive ones, with the structural advantage that they can be deployed across the entire installed base of critical infrastructure at once rather than against it one utility at a time. The Dragos report names the gap and gives defenders a concrete artifact catalogue to train on. The OT side of every municipal water system in the hemisphere has more to do than it did a week ago, and the instruments are arriving alongside the threats.

The asymmetry the Dragos report introduces runs in the defender's direction. A single campaign documented in this much detail trains the next generation of OT defensive systems across the entire installed base at once, while every new offensive run still has to refind technique against a new target environment. The 350 artifacts now in the public record are the substrate municipal water utilities across the hemisphere get to harden against, and the marginal cost of that hardening drops as the catalogue grows.

A Federal Payment Architecture Built for AI-Driven Care

The Centers for Medicare & Medicaid Services accepted 150 organizations into ACCESS, a ten-year program that fundamentally rewires how American chronic care gets paid for. The program reimburses participants for measurable health outcomes rather than for activities, covering diabetes, hypertension, chronic kidney disease, obesity, depression, and anxiety. Pair Team, a San Francisco company that has spent seven years building care delivery for patients managing chronic conditions alongside unstable housing and food insecurity, is among the first cohort. The program goes live July 5.

The structural shift the program enables is what makes it significant. Traditional Medicare pays for time spent with a clinician. ACCESS creates a mechanism to pay for an AI agent that monitors a patient between visits, calls to check in, coordinates a housing referral, or confirms someone picked up their medication. Pair Team's voice AI agent, Flora, deployed nine months ago, handles intake, coordinates referrals, and does the check-ins that keep patients engaged. The company's CEO described the first call that shifted his thinking, a 67-year-old woman living out of her car with PTSD and congestive heart failure who spoke with Flora for over an hour. Hour-long conversations with the agent are now routine. The companionship is the intervention.

The program's architects were both former healthcare startup operators before joining CMS, and the design reflects that background. Outcome-based payments, direct-to-consumer enrollment, and deliberate competition among participants are all built into the framework. The first cohort spans AI doctor startups, virtual nutrition therapy providers, connected device companies, and wearable manufacturers including Whoop. Pair Team's peer-reviewed evidence in the Journal of General Internal Medicine documented that one in four hospital visits and one in two ER visits do not happen when patients are in its care. The model has been waiting for a payment architecture that could fund it at scale.

The risks are real. Sensitive patient data flows into federal infrastructure with documented breach history. The Congressional Budget Office found in 2023 that the CMS Innovation Center's first decade increased federal spending rather than producing projected savings. What ACCESS demonstrates is that the institutional layer of healthcare is being rebuilt around the assumption that AI agents are now a legitimate care-delivery channel that deserves its own reimbursement architecture. The capability that existed in pilot deployments for years has finally found a payment mechanism that can sustain it at federal scale. The May 4 edition of The Century Report documented a Harvard study finding OpenAI's o1 reached 67% diagnostic accuracy against attending physicians' 50-55% in emergency triage - the capability this payment architecture is now built to deploy broadly.

Pharmaceuticals Made in Orbit, Returned to the Ground

A Varda Space Industries capsule carrying a pharmaceutical payload from United Therapeutics re-entered the atmosphere and was recovered intact, with the compound it carried grown in microgravity rather than in a terrestrial reactor. The crystal structure of the molecule, which United Therapeutics has not publicly named, forms differently in orbit than under gravity. Sedimentation and convection currents that distort crystallization on Earth do not exist in free-fall, which lets molecules settle into geometries that are inaccessible to ground-based manufacturing. The returned sample is now in analytical characterization to confirm whether the orbital form holds the structural properties the company predicted.

The economics of this would have looked absurd a decade ago. Launching a payload to orbit, running a chemical process there, and recovering it through atmospheric re-entry was a thought experiment, not a supply chain. What changed is the launch cost curve and the emergence of dedicated orbital manufacturing capsules. Varda has now flown several missions, each one establishing that the round trip works, that the payloads survive, and that the resulting compounds carry properties their terrestrial counterparts cannot. United Therapeutics is the first major pharmaceutical company to commit a real molecule from its pipeline to the process.

What this points at is a manufacturing modality that does not yet have a name in the industry. The orbital production envelope is small, the cycle time is long, and the cost per gram is high. For commodity chemistry none of this would matter. For high-value therapeutics where the molecular form is the differentiator, the calculus inverts. A drug whose ground-based form fails clinical trials and whose orbital form succeeds becomes worth a great deal of orbital cycle time. The specifics of what United Therapeutics is pursuing remain confidential, but the precedent is now in motion: a pharmaceutical company is treating low-Earth orbit as a production environment, not a research stunt. The assumption being eroded is that the planetary surface is the only viable substrate for industrial chemistry.

A 1.2-Million-Year Ice Core Opens the Mid-Pleistocene Transition to Direct Observation

The Beyond EPICA collaboration unveiled the longest continuous record of Earth's climate and atmospheric conditions ever recovered, extracted from a 2.8-kilometer ice core drilled in Antarctica. The data, presented at the European Geosciences Union general assembly in Vienna and not yet peer reviewed, span 1.2 million years and document how atmospheric carbon dioxide concentrations tracked global temperatures across multiple cycles of natural climate change. The reach this opens is the most important interval in the planet's recent climate history finally becoming legible at high resolution.

The interval the core covers includes the Mid-Pleistocene transition, the period when ice ages on Earth mysteriously shifted from a 40,000-year periodicity to a 100,000-year one and became colder and more severe in the process. Before the transition, glacial cycles appeared to track periodic wobbles in Earth's orbit and axis of rotation. After it, the cycles slowed and intensified, producing longer glaciations with thicker ice sheets. One leading hypothesis holds that a sharp drop in atmospheric carbon dioxide preceded and drove the transition, but until this core, researchers lacked the continuous greenhouse-gas and temperature record needed to test the idea directly across the full transition window.

The instrument-layer story underneath the result is the same maturation pattern visible across the scientific signal arriving across the past several months. Ice-core drilling has not changed dramatically in recent years. What has changed is the precision with which trapped gas bubbles can be extracted and analyzed, the resolution at which isotopic ratios can be measured, and the speed at which the resulting data can be cross-correlated with marine sediment records, terrestrial pollen records, and orbital mechanics models. The 1.2-million-year record arrives as something that can be interrogated by every other paleoclimate dataset researchers have assembled, and it answers questions about the mechanics of natural climate change that have remained open since the 1970s.

The trajectory this points at is a much sharper picture of how the climate system actually responds to changes in atmospheric composition over hundreds of thousands of years. The intuitions current climate models carry about the relationship between greenhouse-gas concentration and temperature are built on records that previously did not extend across a full glacial-cycle regime change. The new core does, and the analytical work to extract every signal it carries will continue for years. The Mid-Pleistocene transition has been a black box at the center of climate science for decades. The conditions are now in place for it to stop being one.

A Consent Layer Built on Top of the Open Web

George Clooney, Tom Hanks, Meryl Streep, and a coalition of performers, agents, and rights-holders introduced the Human Consent Standard, a machine-readable protocol that lets individuals attach licensing terms to their likeness, voice, and creative output in ways that AI training pipelines and generative systems can parse before they ingest material. The standard builds on the Really Simple Licensing specification that emerged earlier this year as a lightweight successor to robots.txt for the AI era, extending it to cover the specific case of performers and creators rather than publishers.

The mechanism is modest in its technical claims and significant in its institutional ones. A performer publishes a signed declaration that specifies what is allowed: training, synthesis, derivative voice cloning, image generation, or none of these. Compliant AI systems read the declaration before processing any content tied to that performer. Non-compliant systems can still ignore it, but the existence of a machine-readable signal means that ignoring it becomes a documented choice rather than a defensible absence of information. Litigation, regulation, and platform policy all become easier to anchor when the consent signal is unambiguous and standardized.

What is forming is a consent infrastructure that exists outside the gatekeeping of any single platform. Performers do not have to negotiate with each AI company individually. They publish their terms once, and any system that wants to claim good-faith compliance reads them. The standard sits at the same architectural layer as DNS or TLS: lightweight, broadly adopted by the actors who want interoperability, and increasingly difficult to ignore as adoption spreads. The arc here connects directly to the Generative AI & Synthetic Media Governance thread that has been running through recent editions, where licensing frameworks, watermarking standards, and provenance signals have been accumulating as the actual governance fabric of the era rather than the legislation that most coverage waits for. The May 3 edition of The Century Report documented the Academy ruling that only performances "demonstrably performed by humans with their consent" are Oscar-eligible - the same consent-infrastructure logic arriving in institutional form on the same week it arrives here as a machine-readable protocol. Consent for synthetic media is being built by the people whose consent is at stake, on infrastructure they control, in a form that compounds adoption rather than requiring approval.

Amazon Signs for a Commercial Heat Pump That Cools With 40% Less Energy

Amazon signed a multiyear contract with Transaera, a Somerville startup with MIT roots, for next-generation rooftop heat pumps that will replace gas-fired heating-and-cooling units at an undisclosed number of the company's commercial buildings. The product proved itself across a six-month field trial at an Amazon logistics facility in hot and humid Houston, where it cooled the building using 40% less energy than conventional rooftop systems. The dehumidification chemistry that produces the efficiency gain is built on metal-organic frameworks, the class of materials that won the 2024 Nobel Prize in Chemistry.

The structural problem the heat pump solves is that conventional air conditioners have to overcool the air to wring out excess moisture, which drives up energy costs in humid climates and across hot summers. Transaera coats a thin layer of a proprietary hydrophilic metal-organic framework on a wheel with a honeycomb structure that air flows through. As the wheel spins, the framework sucks moisture out of incoming humid air before the air reaches the cooling coil. The cooling system then handles dry air, which it can cool with far less energy. Forty percent of the energy used in U.S. commercial buildings goes to heating and cooling them. Less than 15% of the country's roughly six million commercial buildings currently use heat pumps.

The deployment comes with cost arithmetic that reorders the field. Transaera's product runs about 20% more upfront than a conventional unit and pays back in two to three years through energy savings. A building equipped with the heat pumps saves millions of dollars across the ten-to-fifteen-year operating life of the equipment. Global demand for air conditioning is expected to nearly triple from 2022 levels by mid-century, reaching roughly 18,000 terawatt-hours annually, which is more than the entire current electricity demand of the United States, China, India, Germany, and Japan combined. A 40% efficiency improvement in commercial cooling at that scale is a several-thousand-terawatt-hour reduction in the grid burden the clean-energy transition has to absorb.

The Amazon deployment also closes a loop on a Department of Energy public-private partnership launched in 2023 to bring next-generation commercial heat pumps to market by 2027. Transaera is one of the participants in that program, and the Amazon contract is the proof point that the technology has crossed from pilot to commercial scaling on the original timeline. The substrate of commercial building electrification is being assembled along a curve where the older, less efficient path keeps getting more expensive on its own terms, and where the materials chemistry that makes the new path possible was sitting in laboratory journals five years ago.

Microsoft Israel Loses Its General Manager After an Inquiry Into Cloud-Mediated Mass Surveillance

Alon Haimovich, the general manager of Microsoft Israel, will step down following an internal inquiry the company commissioned last year into the subsidiary's dealings with the Israeli military. The inquiry was triggered by reporting from the Guardian, the Israeli-Palestinian publication +972 Magazine, and the Hebrew-language outlet Local Call that the military's signals intelligence agency Unit 8200 had used Microsoft's Azure cloud platform to store intercepted Palestinian cellular phone calls from Gaza and the West Bank at near-limitless scale. The system allowed intelligence officers to collect, replay, and analyze the content of millions of calls every day. Within weeks of launching the inquiry, Microsoft concluded that Unit 8200 had violated its terms of service, which prohibit the use of company technology to facilitate mass surveillance, and terminated the unit's access to cloud services and AI systems supporting the surveillance project.

The inquiry, conducted by Covington & Burling, is understood to have recently concluded. Microsoft has not disclosed its full findings publicly. Sources familiar with the situation told the Guardian that the findings prompted Haimovich's departure, and that several other managers at the subsidiary have also left. Documents seen by the Guardian suggest Haimovich played a role in developing the relationship between Microsoft Israel and Unit 8200 following a 2021 meeting between Microsoft CEO Satya Nadella and the unit's then commander, including overseeing the construction of a segregated area within Azure where Unit 8200 began moving the archive of intercepted communications.

The structural read on the outcome is that a major cloud provider has now demonstrated, in writing, that the terms-of-service architecture governing its infrastructure can be activated to remove access from a state intelligence agency engaged in mass surveillance of a civilian population. The same architecture, in the same months, was the lever Anthropic refused to disable in its contract dispute with the Pentagon over bulk domestic data collection. The March 2 edition of The Century Report documented The Atlantic's sourcing that named the specific demand: bulk commercial surveillance of Americans across AI system queries, GPS, credit card transactions, and search histories cross-referenced via Claude - the terminal sticking point that collapsed negotiations the day it was surfaced. The cloud-mediated surveillance question that ran in parallel through both confrontations has now produced two independent precedents: a frontier AI lab holding the line through litigation and a hyperscaler holding the line through internal enforcement after journalism made the violation visible.

The trajectory implied is that the contract layer underneath cloud infrastructure, which extractive surveillance architectures were assumed to overrun automatically, is becoming a place where accountability can be applied. The findings of one inquiry, the departure of one general manager, and the termination of one intelligence agency's access do not resolve the broader question of what state actors do when their preferred cloud provider revokes access. They do establish that the revocation is operationally possible, that journalism is the verification layer that produces it, and that the corporate calculus around hosting surveillance at scale is shifting under the weight of the precedent.

The Other Side

The architecture extractive surveillance depended on for the decade cloud platforms scaled into the substrate of national intelligence work was the assumption that commercial terms of service were operationally inert. Mass collection of civilian communications could be parked inside Azure or AWS, and the contract clauses forbidding it would stay on paper because no one would activate them.

The Guardian, +972 Magazine, and Local Call put the specific arrangement on the record last year: Unit 8200 storing intercepted Palestinian cellular calls at near-limitless scale inside Azure, with a segregated area built for the archive after a 2021 meeting between Satya Nadella and the unit's then-commander. Microsoft commissioned Covington & Burling. The inquiry concluded the unit had violated terms. Access was terminated. Alon Haimovich, the general manager who oversaw the relationship's construction, is stepping down. The contract layer activated.

Set alongside Anthropic refusing to disable the same architecture in its Pentagon dispute, what is now visible is a verification path the next intelligence service considering this route has to factor in: investigative journalism documents the violation, the platform commissions an independent inquiry, the terms get applied in writing, access is revoked. Two independent precedents inside the same calendar quarter, one from a frontier lab and one from a hyperscaler.

The Palestinians whose calls were inside the Azure archive on the day Microsoft revoked access did not get their privacy back. The reporters at the Guardian, +972, and Local Call who put the Unit 8200 arrangement on the record have established something the next civilian population in line for the same treatment did not have a week ago: a documented precedent that the contract layer of the cloud provider supplying the substrate is activatable by their reporting.

The Century Perspective

With a century of change unfolding in a decade, a single day looks like this: a pharmaceutical compound grown in low-Earth orbit and brought home to characterize a crystal form gravity does not allow, a 2.8-kilometer Antarctic ice core opening 1.2 million years of climate history to direct observation, a federal payment architecture being assembled to fund AI agents that walk alongside chronic-care patients between clinical visits, performers and rights-holders publishing a machine-readable consent layer on top of the open web, commercial heat pumps cooling Houston buildings with forty percent less energy than the systems they replace by routing humid air through a Nobel-winning class of materials. There's also friction, and it's intense - cybersecurity researchers laying out 350 artifacts from the first documented LLM-assisted strike on a municipal water utility, a major cloud provider confirming in writing that one of the world's most powerful intelligence agencies had used its infrastructure for mass surveillance in violation of contract and removing access only after journalism made the violation visible, the offensive curve of AI-augmented attack reaching civic infrastructure that municipalities across the hemisphere operate on similarly modest budgets, the verification stack for cloud-mediated AI being built during the conditions that demanded it. But friction generates heat, and heat anneals - it lets the next generation of materials hold a shape the older alloys could never carry. Step back for a moment and you can see it: the substrate of medicine widening to include care that exists between clinic visits, the substrate of chemistry widening to include manufacturing environments off the planet, the substrate of climate science widening to a million continuous years of record, the substrate of cooling widening to materials that move moisture before they move temperature, and the consent layer of synthetic media being built by the people whose consent is at stake on infrastructure they themselves control. Every transformation has a breaking point. Crystallization can fracture under stress... or settle into structures that could never have formed under the old conditions.

AI Releases & Advancements

New today

  • Anthropic: Claude Platform on AWS is now generally available, giving customers direct access to Anthropic's native Claude Platform experience through their AWS account - including the Messages API, Claude Managed Agents, web search, MCP connector, Agent Skills, code execution, and Files API - with no separate Anthropic credentials or billing required; Claude Opus 4.7, Sonnet 4.6, and Haiku 4.5 are available across 17 regions. (Claude Blog)
  • Microsoft Research: Released MatterSim-MT, a new multi-task foundation model for in silico materials characterization that natively predicts energies, forces, stress, Bader charges, magnetic moments, Born effective charges, and dielectric matrices; pretrained on 35M+ first-principles-labeled structures covering 89 elements; simultaneously released 3–5x performance improvements to MatterSim-v1 inference via faster graph construction and ahead-of-time compilation. (Microsoft Research Blog)
  • Prior Labs: Released TabPFN-3, the latest version of the tabular foundation model originally published in Nature, now scaling to datasets up to 1 million rows and 2,000 features; up to 20x faster than TabPFN-2.5; pretrained entirely on synthetic data with support for many-class, relational, and tabular-text datasets; available on PyPI. (Prior Labs)
  • Cactus Compute: Open-sourced Needle, a 26M-parameter function-calling model distilled from Gemini that runs at 6,000 tokens/sec prefill and 1,200 tokens/sec decode on consumer devices; uses a Simple Attention Network architecture with no MLP layers; pretrained on 200B tokens and post-trained on 2B synthetic function-calling examples across 15 categories; MIT license with weights on Hugging Face. (GitHub)
  • Hypercubic (YC F25): Launched Hopper, the first agentic development environment for mainframes and COBOL, enabling AI agents to navigate TN3270 terminals, inspect datasets, write JCL, debug jobs, query VSAM, and operate inside z/OS from a modern IDE; available for download now. (Hypercubic)

Other recent releases

  • OpenAI: Launched Daybreak, an AI initiative for detecting and patching software vulnerabilities that combines GPT-5.5, GPT-5.5-Cyber, and the Codex Security agent to build threat models, validate vulnerabilities, and automate detection across organizational codebases. (OpenAI)
  • PowerColor: Released the Radeon AI PRO R9600D, a single-slot passive-cooled GPU with 32GB GDDR6 memory and a 12V-2x6 connector designed for AI inference workloads. (VideoCardz)
  • OpenBMB/ModelBest: Released MiniCPM 4.6, the latest version of the MiniCPM small language model series. (Hugging Face)
  • Google: Launched the new AI-powered Google Finance across Europe with full local language support, including AI-powered research, advanced charting/technical indicators, expanded commodities and crypto data, and live earnings call audio with synchronized transcripts and AI-generated annotated highlights; Deep Search in Google Finance is now globally available. (Google Blog)

Sources

Artificial Intelligence & Technology's Reconstitution

Institutions & Power Realignment

Scientific & Medical Acceleration

Economics & Labor Transformation

Infrastructure & Engineering Transitions

The Century Report tracks structural shifts during the transition between eras. It is produced daily as a perceptual alignment tool - not prediction, not persuasion, just pattern recognition for people paying attention.

Read more