The SecurityWeek roundup captures Iranian-linked intrusions into internet-exposed automatic tank gauges at U.S. gas stations and active exploitation of Four-Faith industrial cellular routers via hardcoded credentials, yet it underplays the recurring pattern of Chinese-manufactured OT hardware serving as persistent attack vectors. These devices, often deployed without network segmentation or basic authentication, mirror earlier incidents such as the 2023-2024 compromises tracked by Dragos in the energy sector where similar cellular routers enabled initial access for ransomware and state reconnaissance. CISA’s own KEV process and the exposed contractor credentials further illustrate how even federal oversight bodies struggle with basic hygiene, leaving retail energy sites—frequently operated by small entities—outside meaningful protection regimes. Huawei’s Luxembourg zero-day router failure adds a geopolitical layer: state-linked vendors introduce undocumented behaviors that adversaries can weaponize for denial-of-service effects against telecom-dependent infrastructure. The original coverage misses the supply-chain concentration risk; multiple vendors (Four-Faith, Huawei) share manufacturing ecosystems that amplify single-flaw impact. Without mandatory outbound allow-listing and hardware root-of-trust requirements for OT endpoints, these footholds will continue enabling low-cost disruption or intelligence collection by Iran and other actors seeking asymmetric pressure on U.S. energy distribution.