Industrial Control Systems Face Elevated Cyber Risk Amid U.S.–Iran Tensions
The recent spike in U.S.–Iran tensions has heightened the threat landscape for industrial control systems (ICS). Organizations that operate connected industrial infrastructure must now adopt a more vigilant security posture.
Eyal Elyashiv, CEO and co‑founder of Cynamics, warned that the cyber‑impact stemming from the assassination of Iranian General Qasem Soleimani could be significant.
Industry analysts note that the heightened U.S.–Iran conflict elevates overall cyber risk. Bill Malik, VP of infrastructure strategies at Trend Micro, stated, "We have no insider knowledge of specific attack plans, but it is logical that rising political tensions could spur more cyberattacks."
After the assassination, numerous cybersecurity experts and U.S. government officials issued warnings about the increased risk of attacks from Iran‑affiliated adversaries.
Andrea Little Limbago, Ph.D., chief social scientist at Virtru, cautioned that the likelihood of smaller, distraction‑oriented cyberattacks is higher than an all‑out cyberwar. She added, "Iran’s cyber activity—from destructive attacks to disinformation—has been widespread for quite some time. That’s not new and not linked to this week’s events."
Over the past decade, Iran’s cyber‑capabilities have expanded dramatically. Analysts have attributed a range of attacks—including denial‑of‑service assaults on U.S. banks and custom malware targeting Saudi Aramco—to Iranian actors. In 2015, reports alleged Iranian hackers infiltrated the U.S. power grid.
Officials in the U.S. should remain highly concerned about Iran’s cyber‑reach, Elyashiv emphasized.
A Department of Homeland Security alert issued on Jan. 4 warned that Iran could, at a minimum, launch attacks with temporary disruptive effects against critical U.S. infrastructure.
Similarly, the U.S. Cybersecurity and Infrastructure Security Agency highlighted a heightened risk of cyber‑espionage and attacks against finance, energy, telecommunications, and industrial control systems.
The 2016 U.S. Justice Department indictment charged seven Iranian contractors linked to the Islamic Revolutionary Guards Corps with cyberattacks on several banks and a New York dam. The DHS also warned of Iranian actors "scouting and planning against infrastructure targets and cyber‑enabled attacks against a range of U.S.‑based targets."
In the industrial sector, a hacker collective known as Advanced Persistent Threat 33, tied to Iran, has targeted defense, transportation, and energy organizations, according to Cyberscoop.
Limbago believes that, given the current level of tensions, Iran is unlikely to prioritize exploiting explicit ICS vulnerabilities in the short term. She noted that "Iran understands that destructive attacks on critical infrastructure will likely trigger escalation and retaliation."
Former CIA Counterterrorism Center executive director Carol Rollie Flynn predicts that Iranian actors will focus on smaller cyberattacks to avoid provoking retaliation.
Limbago also suggests that Iranian adversaries may target private‑sector organizations lacking a clear ICS connection. Historical precedent, such as the 2015 Sands Casino attack allegedly linked to Iran, supports this approach.
Disinformation remains a core component of Iran’s cyber strategy. Limbago described these operations as "extremely prolific and global," aimed at bolstering domestic support and sowing anti‑American sentiment worldwide.
Managing Cyber‑Risk
Regardless of the evolving geopolitical landscape, industrial operators must audit their connected devices. Malik recommends reviewing technology inventories, assessing vulnerabilities, and applying controls to reduce attack surfaces.
Because uptime is paramount, many industrial environments continue to use outdated, unpatched hardware and software. Elyashiv cautioned that "organizations must look beyond antiquated systems currently protecting critical infrastructure, as recent history clearly shows they can be easily compromised."
David Goldstein, president and CEO of AssetLink Global LLC, emphasized that securing IIoT requires more than hardware and software. "The answer to IIoT security isn’t entirely in hardware and software," he said.
The Stuxnet attack on Iran’s Natanz nuclear enrichment facility exemplified the importance of physical access controls. In that operation, double agents installed malware on an air‑gapped central network, ultimately destroying roughly 1,000 centrifuges.
Goldstein highlighted that trust and access control are critical. He asked, "Who do you work with, who do you trust, who has credentials to get into your system, who has physical access? Trust between actors and partners will become increasingly important as IoT systems permeate everything."
As IoT technologies spread in industrial contexts, a shortage of cyber‑experts familiar with industrial control systems persists. Goldstein noted that most analysts apply generic IT techniques to industrial IoT, overlooking proprietary protocols and update challenges, which pose significant vulnerabilities.
Organizations such as the U.S. Department of Defense and MITRE Corp. are bridging this gap with frameworks like MITRE ATT&CK for ICS. Malik explained that this framework enables manufacturers, owners, and operators to discuss attack scenarios and report vulnerabilities consistently across sectors.
Malik stressed that cybersecurity is a journey, not a destination. Given the short‑term nature of current tensions, he said, "There is little that ICS manufacturers can do to strengthen their production security posture rapidly."
He also identified a specific vulnerability: field maintenance links used for diagnostics can become attack vectors. Malik urged vendors to secure customer data, encrypt traffic when possible, and ensure software updates are free of malware.
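The last of Malik's recommendations, making sure that updates delivered over a maintenance link are not tampered with, is the one most easily turned into a concrete check on the device side. The following is an added example, not code from the article or from any vendor quoted in it: before an update is applied, the device authenticates a small manifest with HMAC-SHA256 under a key provisioned out of band, checks that the update bytes match the digest the manifest pins, and refuses to roll back to an older version. The manifest field names, the provisioning key and the sample firmware bytes are all constructed for the illustration; a vendor with a public-key infrastructure would replace the HMAC with an asymmetric signature over the same manifest.

```python
"""Verify a firmware/software update bundle before it is applied.

Added example (not from the article or any vendor): the update blob is
accompanied by a JSON manifest carrying the expected SHA-256 digest and
version; the manifest is authenticated with HMAC-SHA256 under a key
provisioned to the device out of band. Field names, the key and the
sample update bytes are constructed for this illustration.
"""
import hashlib
import hmac
import json

# Constructed device-provisioning secret (in practice it lives in a
# secure element or OS keystore, never in source).
PROVISIONED_KEY = b"example-provisioned-key-do-not-use"
CURRENT_VERSION = (2, 3, 0)  # constructed: version the device is running now


def parse_version(s: str) -> tuple:
    """'2.4.0' -> (2, 4, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in s.split("."))


def verify_update(manifest_json: bytes, manifest_mac_hex: str, update_blob: bytes,
                  key: bytes = PROVISIONED_KEY, installed=CURRENT_VERSION) -> tuple:
    """Return (ok, reason). Order matters: authenticate the manifest first,
    then bind the blob to it, then enforce version monotonicity."""
    # 1. Authenticate the manifest before trusting anything inside it.
    expected_mac = hmac.new(key, manifest_json, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, manifest_mac_hex):
        return False, "manifest MAC mismatch"
    manifest = json.loads(manifest_json)

    # 2. The manifest is trusted now; check the update bytes against it.
    digest = hashlib.sha256(update_blob).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        return False, "update digest mismatch"

    # 3. Reject rollback: an authentic but older image may reintroduce a
    #    vulnerability that the installed version already fixed.
    if parse_version(manifest["version"]) <= installed:
        return False, "version not newer than installed"
    return True, "ok"


def make_signed_manifest(update_blob: bytes, version: str, key: bytes = PROVISIONED_KEY):
    """Vendor-side helper (constructed) producing manifest bytes and their MAC."""
    manifest = json.dumps({"version": version,
                           "sha256": hashlib.sha256(update_blob).hexdigest()},
                          sort_keys=True).encode()
    return manifest, hmac.new(key, manifest, hashlib.sha256).hexdigest()


# Constructed sample update payload; any bytes would do for the check.
SAMPLE_UPDATE = b"\x7fELF...constructed firmware image bytes..."

if __name__ == "__main__":
    m, mac = make_signed_manifest(SAMPLE_UPDATE, "2.4.0")
    print(verify_update(m, mac, SAMPLE_UPDATE))            # (True, 'ok')
    print(verify_update(m, mac, SAMPLE_UPDATE + b"\x00"))  # tampered image
    m_old, mac_old = make_signed_manifest(SAMPLE_UPDATE, "2.2.9")
    print(verify_update(m_old, mac_old, SAMPLE_UPDATE))    # rollback rejected
```

The ordering of the three checks is the point: nothing in the manifest is read until the MAC has verified, `compare_digest` is used for both comparisons so timing does not leak how many leading characters matched, and the version check runs only on an authenticated manifest, so an attacker on the maintenance link cannot downgrade the device by replaying an old but genuine update.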