The cyber front lines are shifting. Fast.

For the United States, tensions in the Middle East continue to escalate. Between Iran, Israel and neighboring countries, every day brings a new potential threat — and in the wake of direct military action against Israel and the U.S. response, cybersecurity experts agree on one thing: the next wave of aggression may not come from rockets or drones, but from lines of code targeting our most vital systems.

For security leaders across U.S. critical national infrastructure (CNI), the question isn’t if they’re in the crosshairs. It’s how ready they are when, not if, the next attack hits.

Let’s be clear: this isn’t about theoretical threats. It’s about a well-documented cyber playbook that Iran has used time and again. From the Shamoon malware that devastated Saudi Aramco to targeted ransomware campaigns against energy and transportation sectors, Iran has demonstrated a persistent interest in destabilizing its adversaries through cyber means.

Right now, that interest likely includes us.

Assume You're Already a Target

Iranian cyber operations are known for leveraging basic lapses: misconfigured firewalls, unpatched software, flat networks with little segmentation. These are the kinds of gaps that should be addressed during routine maintenance, but too often, they aren’t. When geopolitical tensions spike, those oversights become invitations.

And while hacktivist groups may launch the first wave of defacements or DDoS attacks, the more dangerous work will likely happen in the shadows — reconnaissance, lateral movement, and persistent access, all masked behind the noise.

This is why resilience and visibility can no longer be aspirational goals. They must be operational mandates.

It’s a mindset shift echoed in the European Union’s Digital Operational Resilience Act (DORA), an EU regulation focused on enhancing the digital operational resilience of financial industry, which moves beyond check-the-box inspections to ensure operational   and business assurance through continuous readiness.

Get Back to Basics. Do It Flawlessly

Much of what we’re currently advising aligns with current U.S. government guidance, including advisories from CISA and other federal partners. The challenge isn’t that organizations don’t know what to do — it’s that execution is often inconsistent, especially around the foundational elements like configuration validation and continuous monitoring.

Here’s what we’re telling every CNI client right now: Treat best practices like mandates. The time to act is before your incident response plan gets its real-world test.

4 Tactical Steps to Prioritize Now

1. Validate and Test Your Incident Response and Backup Protocols

If your team hasn’t rehearsed your IR playbook in the last 60 days, schedule a tabletop exercise this week. Ensure backups are not only recent, but also restorable. A plan on paper is only useful if it performs under pressure.

2. Patch and Monitor Continuously for Misconfigurations

Vulnerability scanning is not enough. Network misconfigurations — especially around firewalls and access controls, segmentation, and routing — create hidden exposures. Automate config monitoring to flag unauthorized changes and policy drift in real time.

Equally important is extending visibility beyond perimeter defenses. As seen in attacks like Volt Typhoon, adversaries often exploit blind spots in the network interior — where critical misconfigurations can go unnoticed for years.

3. Prioritize Critical System Remediation

Not all vulnerabilities are created equal. Focus first on the assets that directly impact safety, continuity of operations, and regulatory compliance. And communicate remediation priorities clearly across teams, especially where IT and OT intersect.

Consider threat actor tactics, techniques, and procedures (TTPs) when prioritizing remediation — ensuring your efforts target known TTPs and patterns for ingress, lateral movement and persistence used by groups like Iran’s IRGC-affiliated cyber units.

4. Segregate OT and IT Environments

Flat networks are a gift to adversaries. Harden segmentation between operational technology (OT) and IT systems. Use network detection and response (NDR) tools to monitor for unusual lateral movement, especially attempts to cross security zones.

A Call for Discipline and Speed

We’re not suggesting panic — we’re suggesting discipline. The fundamentals still hold. But the urgency has changed.

Cybersecurity is no longer just a technical issue. It’s a matter of national resilience. CNI organizations must close the gap between what they know they should be doing and what they’re actually executing consistently. That’s the difference between readiness and regret.

The good news? Much of this is within our control. But it requires a shift in mindset — from compliance to operational rigor. That is what creates resilience. From reactive fixes to proactive assurance.

Closing the gap between knowing and executing isn’t just about avoiding attacks — it’s about building a foundation of resilience that can adapt to threats we haven’t seen yet.

Iran’s cyber playbook is built on exploiting gaps. Let’s not give them any.