Iranian-Linked Cyber Actors Target US Critical Infrastructure, Security Leaders Respond

The Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning that cyber actors connected with Iran are focusing cyberattacks on United States critical infrastructure. Sectors of focus include:
- Water and wastewater systems (WWS)
- Energy
- Government facilities and services
With the news that Iranian-associated cyber actors are targeting critical infrastructure in the U.S., security experts are sharing their insights.
Security Leaders Weigh In
Bradley Smith, SVP, Deputy CISO at BeyondTrust:
The Iranian cyber proxy ecosystem is not waiting for an escalation trigger — it is already operating at a wartime tempo. BeyondTrust has been tracking this activity since the early hours of Operation Epic Fury and sharing threat intelligence with our customers to support defensive preparation. What we have assessed is that the operational preparation phase for multiple Iran-aligned actors was complete before the first strikes landed on February 28. Tools were staged, reconnaissance was reported, and targets were identified. The threat now is not that these groups will activate — it is that strikes against civilian infrastructure will remove any remaining restraint on target selection and destructive intent.
The effectiveness of these operations has increased in both quality and scale compared to previous Iranian cyber campaigns. A significant contributing factor is the documented use of AI-enhanced social engineering by groups such as APT42, which has degraded the reliability of traditional detection indicators. Phishing lures and credential harvesting operations are more convincing, more scalable, and harder to distinguish from legitimate communications than in any prior campaign cycle we have tracked. This is compounding an already elevated risk to identity infrastructure, where a single compromised credential can provide an adversary the foothold needed to move laterally into critical systems.
There has already been confirmed operational impact to global supply chain entities from attributed Iranian threat actor activity — including the wiper attack against medical technology firm Stryker — in the weeks since the conflict began. This includes disruptive and destructive operations targeting technology vendors, remote access infrastructure, and upstream service providers that organizations depend on but may not directly control. The elimination of Iran's senior leadership has not neutralized its cyber offensive capability — our assessment is that it has decentralized it, shifting execution authority to a pre-positioned proxy ecosystem that is now operating with both the motivation and the autonomy to escalate. If strikes expand to civilian infrastructure such as power plants, bridges, and water treatment facilities, organizations should expect the targeting aperture for cyber operations to widen correspondingly — critical infrastructure, financial systems, cloud providers, and identity platforms are all within the assessed target set.
Louis Eichenbaum, Federal CTO at ColorTokens:
Based on current U.S. military actions involving Iran, there is a high likelihood of continued retaliatory cyber activity from Iranian state actors and affiliated proxy groups aimed at causing widespread disruption and executing targeted intrusions. These operations will likely leverage proven, opportunistic techniques, including phishing campaigns that enable credential theft and account takeover, exploitation of unpatched edge devices such as VPNs and firewalls, distributed denial-of-service attacks against public-facing services, and hack-and-leak or extortion campaigns designed to drive both operational and reputational impact. There is also a credible risk of opportunistic compromise of exposed operational technology and industrial control systems, particularly where those systems remain accessible from the internet.
Based on prior activity, priority targets are expected to include critical infrastructure sectors such as energy, water, transportation, and telecommunications, along with the defense industrial base, federal contractors, and government mission-support systems. Organizations operating exposed OT environments or maintaining weak remote access controls are especially vulnerable, and executives’ and employees’ personal accounts are likely to be targeted as initial entry points to enable broader compromise.
These actors will continue to exploit well-known and frequently targeted weaknesses, including internet-exposed PLCs and OT management interfaces, weak or absent multi-factor authentication, particularly for privileged and remote access, unpatched known exploited vulnerabilities in edge infrastructure, and common identity risks such as credential reuse and password spraying. Limited visibility into east-west traffic and lateral movement within networks further increases the likelihood that a small initial foothold can escalate into significant operational impact.
In this environment, organizations must take immediate steps to reduce exposure and strengthen resilience. This includes removing or tightly restricting internet access to OT and ICS systems, enforcing phishing-resistant multi-factor authentication, and implementing granular microsegmentation within these environments to prevent an adversary from leveraging a compromised endpoint to move laterally and reach critical assets.
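The password-spraying and weak-visibility points above can be turned into a concrete detection. The following is an added example, not code from the article or from any vendor quoted in it; the log format, the sample lines and the thresholds are constructed. It flags a source that fails authentication against many distinct accounts inside a short window (the spray pattern, as opposed to repeated failures against one account) and reports any account that later authenticated successfully from that source, since that is the credential a defender must treat as compromised.

```python
"""Password-spray detection over authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2026-03-02T09:00:01Z FAIL user=alice src=203.0.113.7
2026-03-02T09:00:03Z FAIL user=bob src=203.0.113.7
2026-03-02T09:00:05Z FAIL user=carol src=203.0.113.7
2026-03-02T09:00:07Z FAIL user=dave src=203.0.113.7
2026-03-02T09:00:09Z FAIL user=erin src=203.0.113.7
2026-03-02T09:00:11Z OK user=frank src=203.0.113.7
2026-03-02T09:01:00Z FAIL user=alice src=198.51.100.4
2026-03-02T09:01:30Z FAIL user=alice src=198.51.100.4
2026-03-02T09:02:00Z FAIL user=alice src=198.51.100.4
2026-03-02T09:02:30Z OK user=alice src=198.51.100.4
2026-03-02T09:30:00Z FAIL user=grace src=192.0.2.9
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, result, user, src)."""
    ts, result, user_kv, src_kv = line.split()
    ts = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ts, result, user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]


def detect_password_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: finding} for every source that failed against at least
    `min_users` distinct accounts within any sliding `window` of time.

    A finding lists the sprayed accounts and any account that then logged in
    successfully from the same source after the spray started.
    """
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    failures = defaultdict(list)   # src -> [(ts, user)] in time order
    successes = defaultdict(list)  # src -> [(ts, user)] in time order
    for ts, result, user, src in events:
        (failures if result == "FAIL" else successes)[src].append((ts, user))

    findings = {}
    for src, fails in failures.items():
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_users:
                first = fails[start][0]
                hits = sorted(u for t, u in successes.get(src, []) if t >= first)
                findings[src] = {"sprayed_users": sorted(users),
                                 "later_success": hits}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for src, finding in detect_password_spray(SAMPLE_LOG).items():
        print(src, finding)
```

With the constructed data, `203.0.113.7` is flagged (five accounts in eight seconds, then a successful login as `frank`), while `198.51.100.4` is not: three failures against a single account is a brute-force signal, not a spray, and a separate rule should cover it.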
Shane Barney, Chief Information Security Officer at Keeper Security:
The recent wave of cyber activity targeting critical infrastructure in Western democracies is part of a broader shift in how conflict is playing out in the modern world. Cyberattacks are no longer separate from geopolitical events; they are increasingly used alongside them to create pressure, disrupt essential services and influence outcomes without the need for physical confrontation.
Recent reports and warnings of nation state activity targeting Industrial Control Systems (ICS) highlight a structural reality that security teams have been grappling with for years: the convergence of IT and operational technology has eliminated any meaningful separation between digital access and physical impact.
These attacks are not defined by novel exploitation techniques, but by the systematic identification and abuse of exposed systems, weak identity controls and persistent access pathways. Internet-facing management tools, particularly those tied to legacy or poorly segmented environments, create a predictable attack surface. When combined with automated scanning and AI-assisted reconnaissance, threat actors can continuously probe global infrastructure at scale, identifying misconfigurations in minutes rather than months.
The more significant issue is what happens after gaining initial access. Once a foothold is established, lateral movement becomes the primary objective. Attackers harvest credentials, escalate privileges and move toward core systems where operational disruption becomes possible. In environments where privileged access is poorly governed or insufficiently monitored, this activity can remain undetected long enough to create material impact.
This reinforces a critical shift in defensive strategy, where identity is now the primary control plane. Hardware-level protections and network segmentation remain important, but they are insufficient if identity systems allow unauthorized or persistent access. If an attacker can authenticate, they can often operate as a legitimate user, bypassing traditional security controls entirely.
Organizations must respond by eliminating standing privilege and enforcing strict access governance across both IT and OT environments. Zero standing privilege models, where access is granted just-in-time and revoked immediately after use, significantly reduce the risk of credential reuse. Privileged access must be continuously verified, fully audited and tightly scoped to specific tasks.
Equally important is the ability to monitor and intervene in real time. Unified visibility across privileged sessions allows security teams to detect anomalous behavior and terminate sessions before changes are made to critical systems. Without this level of control, attackers can operate with persistence and precision inside trusted environments.
Organizations must adopt a mindset which assumes that compromise is inevitable. The focus must shift from prevention alone to containment. Enforcing least-privilege access, segmenting identity domains, rotating and vaulting credentials and applying continuous validation across all users and devices are essential steps in limiting the blast radius of any intrusion.
Threat actors will continue to test adjacent systems, vendors and supply chain partners to identify the most efficient path to access. Security strategies must therefore extend beyond the enterprise perimeter to include third-party identities — both machine and human — and access pathways. The organizations best positioned to withstand this evolving threat landscape will be those that treat identity as the modern perimeter, enforce disciplined access controls and design systems that can contain and recover from compromise without cascading operational impact.
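The zero-standing-privilege model described above (access granted just-in-time, scoped to a task, audited, and revoked after use) can be sketched as a small policy broker. This is an added example, not code from the article or from any vendor quoted in it; the role names, task references and clock values are constructed. It enforces a TTL ceiling, independent approval, a mandatory task reference, and an authorization check that only honours unexpired, unrevoked grants.

```python
"""Just-in-time privilege grants with expiry and an audit trail (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Grant:
    user: str
    role: str
    task: str                     # e.g. a change ticket; never blank
    granted_at: datetime
    expires_at: datetime
    revoked_at: Optional[datetime] = None


@dataclass
class JITBroker:
    max_ttl: timedelta = timedelta(minutes=30)   # hard ceiling on any grant
    approvers_required: int = 1
    grants: List[Grant] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)

    def request(self, user, role, task, approvers, ttl, now):
        """Issue a time-bounded grant, or return None and log the denial.

        Denied when the task reference is blank, when the requester is among
        the approvers, or when too few independent approvers signed off.
        The requested TTL is clamped to `max_ttl` rather than trusted.
        """
        if not task:
            return self._deny(now, user, role, "no task reference")
        independent = set(approvers) - {user}
        if user in approvers or len(independent) < self.approvers_required:
            return self._deny(now, user, role, "insufficient independent approval")
        ttl = min(ttl, self.max_ttl)
        grant = Grant(user, role, task, now, now + ttl)
        self.grants.append(grant)
        self.audit.append(f"{now.isoformat()} GRANT {user} {role} task={task} ttl={ttl}")
        return grant

    def _deny(self, now, user, role, reason):
        self.audit.append(f"{now.isoformat()} DENY {user} {role} reason={reason}")
        return None

    def has_role(self, user, role, now):
        """Authorization check: only an active (unexpired, unrevoked) grant counts."""
        return any(g.user == user and g.role == role and g.revoked_at is None
                   and g.granted_at <= now < g.expires_at
                   for g in self.grants)

    def revoke(self, user, role, now, reason="task complete"):
        """Revoke all active grants for user/role, e.g. when a session is terminated."""
        for g in self.grants:
            if g.user == user and g.role == role and g.revoked_at is None:
                g.revoked_at = now
                self.audit.append(f"{now.isoformat()} REVOKE {user} {role} reason={reason}")

    def active_grants(self, now):
        """What is privileged right now; should normally be a short list."""
        return [g for g in self.grants
                if g.revoked_at is None and g.granted_at <= now < g.expires_at]


if __name__ == "__main__":
    clock = datetime(2026, 3, 2, 9, 0, 0)
    broker = JITBroker()
    broker.request("alice", "ot-admin", "CHG-1", ["bob"], timedelta(hours=5), clock)
    print(broker.has_role("alice", "ot-admin", clock + timedelta(minutes=5)))   # True
    print(broker.has_role("alice", "ot-admin", clock + timedelta(minutes=31)))  # False
    print("\n".join(broker.audit))
```

Every decision, including denials, lands in the audit list, so the same structure gives the real-time visibility the quote calls for: a reviewer can see who held which role, for which task, and exactly when it expired or was cut short.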
Morey Haber, Chief Security Advisor at BeyondTrust:
The moment kinetic threats target civilian infrastructure, cyber retaliation becomes not just probable, but an inevitable outcome. Cyber warfare is a vehicle for retaliation no matter how you perceive the conflict. Donald Trump signaling escalation against Iran shifts the battlefield into this asymmetric domain where Iran and their supporters have just as much experience in cyberattacks as any other group in the world. Groups aligned with Iran have consistently leveraged identity attack vectors, distributed denial of service, and destructive wiper campaigns to create disruption without direct attribution.
For organizations the risk from kinetic munitions and destructive cyberattacks. Ransomware and other financial attacks like double extortion will take a back seat while this life and death situation plays out. Unfortunately, if this conflict continues to escalate, the world should expect attacks, not only against critical infrastructure, but also financial systems, supply chains, and cloud providers both electronically and physically. Cyberattacks will not mirror military precision, however. They will exploit weakest links, especially identity, where one compromised credential can cascade into a systemic shock once the adversary has an electronic beachhead into an environment.
In this security professional's opinion, I hope we can avoid the potential risks of full blown cyber warfare.