Industrial Control Systems at Risk Amid US‑Iran Tensions

Amid escalating U.S.–Iran tensions, organizations operating connected industrial infrastructure must strengthen their cyber defenses.

“The cyber‑impact of General Qasem Soleimani’s assassination is profound,” warned Eyal Elyashiv, CEO and co‑founder of network‑security firm Cynamics.

Industry analysts note that the recent U.S.–Iran flare‑up broadens overall cyber risk. “We have no insider intel on specific attacks, but heightened political tensions are likely to spur more cyber assaults,” said Bill Malik, vice‑president of infrastructure strategies at Trend Micro.

Following Soleimani’s death, cybersecurity specialists and U.S. officials alike have cautioned about the threat that Iran‑affiliated adversaries pose to industrial control systems.

Some experts argue that attackers may launch smaller, diversionary cyber incidents instead of a full‑scale cyberwar. “Assuming an all‑out cyber conflict is premature,” noted Andrea Little Limbago, Ph.D., chief social scientist at Virtru. “Iran’s cyber activity, ranging from destructive attacks to disinformation, has been pervasive for years and is not uniquely tied to recent events.”

Over the last decade, Iran’s cyber capabilities have grown dramatically. Security researchers attribute a range of attacks—including DDoS assaults on U.S. banks and custom malware aimed at Saudi Aramco—to Iranian actors. In 2015, reports also alleged Iranian hackers infiltrated the U.S. power grid.

“U.S. officials should be deeply concerned about Iran’s cyber reach and capabilities,” Elyashiv emphasized.

Despite reports of a cooling in bilateral tensions, a DHS alert issued on Jan. 4 warned that Iran could launch “attacks with temporary disruptive effects against critical U.S. infrastructure.”

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) likewise flagged a heightened risk of attacks and cyber‑espionage against strategic sectors—finance, energy, telecommunications—and noted a growing focus on industrial control systems and operational technology.

Iranian actors have a track record of targeting U.S. infrastructure. In 2016, the Justice Department unsealed an indictment against seven contractors linked to the Islamic Revolutionary Guard Corps for cyberattacks on multiple banks and a New York dam. DHS also warned that Iran‑affiliated actors “scout and plan against infrastructure targets, executing cyber‑enabled attacks on a range of U.S. sites.”

Industrial targets are not spared. Cyberscoop reports that the Iran‑linked hacker collective Advanced Persistent Threat 33 has repeatedly targeted the defense, transportation, and energy sectors.

Limbago cautions that it is premature to expect Iran to focus on exploiting industrial control vulnerabilities imminently. “If tensions rise further, the strategy may shift, but at present Iran’s cyber activity remains in the gray zone—below outright war,” she explained. “Iran knows that destructive attacks on critical infrastructure would provoke retaliation.”

Former CIA Counterterrorism Center executive Carol Rollie Flynn predicts Iran will launch smaller cyberattacks to avoid provoking U.S. retaliation. “They want to stay under the radar,” she said.

Limbago also warned that Iran might strike private‑sector entities without obvious industrial links. She pointed to 2015, when former national intelligence director James Clapper attributed an attack on Sands Casino to Iran, an attack carried out in retaliation for comments by CEO Sheldon Adelson. “Iran typically targets private firms connected to the executive branch to inflict financial damage without igniting a broader U.S. response,” Limbago noted.

Disinformation campaigns form a core of Iran’s cyber strategy. Limbago described them as “extremely prolific and global.” “These operations will persist both domestically, to bolster pro‑government sentiment, and internationally, to fuel anti‑American narratives,” she added.

Managing Cyber Risk

Regardless of how the current tensions evolve, the moment offers industrial infrastructure operators a chance to audit their connected devices. “We urge owners and operators of industrial control systems to inventory their technology, evaluate vulnerabilities, and implement controls that lower their attack surface,” Malik advised.

Industrial entities prioritize uptime, which often results in reliance on legacy, unpatched hardware and software. “You must look beyond these antiquated systems, as history shows they are easily compromised,” Elyashiv cautioned.

Cyber hygiene remains essential, but David Goldstein, president and CEO of AssetLink Global LLC, stresses the need for robust physical security. “IIoT security is not solely about hardware and software,” he said.

Physical access proved pivotal in the 2010 Stuxnet operation against Iran’s Natanz nuclear enrichment facility. Double agents linked to U.S. and Israeli intelligence reportedly introduced malware into the air‑gapped network, ultimately disabling about 1,000 centrifuges.

Goldstein notes that Stuxnet underscores the necessity of stringent access control and trust. “Who you collaborate with, the trust you place in partners, and who has physical access are critical factors,” he emphasized.

With the proliferation of IoT in industry, a talent gap emerges: few cyber experts specialize in industrial control systems. “Many analysts apply conventional IT tactics to industrial IoT without accounting for proprietary protocols and update challenges, creating significant vulnerabilities,” Goldstein warned.

Federal agencies—including the Department of Defense—and the MITRE Corporation are addressing this gap with industrial‑control frameworks such as MITRE ATT&CK for ICS. “This framework enables manufacturers, owners, and operators to articulate attack scenarios and report vulnerabilities consistently across sectors,” Malik explained. “All organizations should adopt it to assess their IC security posture.”

Malik highlighted that cybersecurity is a continuous journey, not a destination. “If the heightened tensions are short‑lived, manufacturers have limited scope to rapidly fortify their production security,” he said.

He pointed out a key vulnerability: field maintenance links. “When vendors access their equipment for maintenance or fault diagnosis, those connections become potential attack vectors,” Malik warned.

Malik urged vendors to safeguard customer data by encrypting traffic where feasible and securing software updates. “It would be disastrous if a minor issue in one customer led a manufacturer to deploy a patch that inadvertently introduced malware across its entire portfolio,” he cautioned.
