For example, consider these headlines:
MSN.com: “US banks on high alert for cyberattacks as Iran war escalates” — “The U.S. financial services industry is on heightened alert for potential cyberattacks amid the unfolding U.S. war in Iran, with firms stepping up monitoring for threats that often rise during periods of geopolitical conflict, said executives and analysts.”
The Well News: “US Cities and Federal Agencies Shift to High Alert as Iran Attack Continues” — “Major American cities and federal agencies are shifting to a heightened state of alert this week as they face security risks created by the ongoing U.S. attack on Iran. The Washington Metropolitan Police Department and other law enforcement agencies are surging patrols at sensitive locations, including diplomatic missions, religious institutions, and cultural centers.”
ABC News: “Department of Homeland Security warns of potential attacks amid Iran operation” — “The Department of Homeland Security has warned of potential lone-wolf and cyberattacks amid the ongoing strikes in Iran, according to a law enforcement bulletin obtained by ABC News. ‘Although a large-scale physical attack is unlikely, Iran and its proxies probably pose a persistent threat of targeted attacks in the Homeland, and will almost certainly escalate retaliatory actions—or calls to action—if reports of the Ayatollah’s death are confirmed,’ according to the bulletin.”
Axios: “U.S. braces for cyberspace retaliation from Iran” — “Critical infrastructure operators are on high alert for potential Iran-backed cyber retaliation following the weekend’s military strikes that killed the country’s supreme leader and several other senior officials. Why it matters: Iranian actors — both state-linked and loosely affiliated — have a history of targeting U.S. water and gas systems, even outside the context of an open military conflict. …
“‘They are a very potent, hostile power,’ retired Gen. Paul Nakasone, former head of the NSA and Cyber Command, said at the Crosscurrent conference in Sausalito, California, yesterday [March 2] about Iran’s cyber prowess.”
DIGGING DEEPER INTO CURRENT CYBER THREATS
Several unclassified media reports that came out this past week dig deeper into the cyber issues that public- and private-network operators are facing. Here are a few examples:
Thehackernews: “Iran-Linked MuddyWater Hackers Target U.S. Networks With New Dindoor Backdoor” — “New research from Broadcom’s Symantec and Carbon Black Threat Hunter Team has discovered evidence of an Iranian hacking group embedding itself in several U.S. companies’ networks, including banks, airports, non-profit, and the Israeli arm of a software company.
“The activity has been attributed to a state-sponsored hacking group called MuddyWater (aka Seedworm). It’s affiliated with the Iranian Ministry of Intelligence and Security (MOIS). The campaign is assessed to have begun in early February, with recent activity detected following U.S. and Israeli military strikes on Iran.”
Security.com: “Seedworm: Iranian APT on Networks of U.S. Bank, Airport, Software Company”
- “Activity associated with Iranian APT group Seedworm has been spotted on the networks of multiple U.S. companies. The activity began in February 2026 and has continued in recent days.
- “A U.S. bank, airport, non-profit and the Israeli operations of a U.S. software company were among the targets.
- “We round up details of recent Iranian cyber threat activity and what defenders need to look out for.”
One more great resource for this discussion: On March 3, the Center for Strategic and International Studies came out with this piece entitled “How Will Cyber Warfare Shape the U.S.-Israel Conflict with Iran?” There are several excellent insights, including these two excerpts:
“Iranian-linked cyber actors and affiliated proxies have already demonstrated a broad operational scope. Operations attributed to these groups have included the significant disruption of fuel distribution systems in Jordan. More broadly, Iranian-backed forces’ use of kinetic capabilities against regional targets, such as the missile and drone attacks on Dubai, Abu Dhabi, and Doha, underscores the regime’s willingness to expand military operations beyond its borders to target perceived allies of the United States or Israel. In this context, if the regime is willing to conduct kinetic strikes against Gulf partners, cyber operations against U.S. and Israeli infrastructure represent a comparatively lower cost, lower-risk extension of these attacks.”
“In the aftermath of Venezuela, the Trump administration’s comments changed public discourse about offensive cyber strategy seemingly overnight. The president’s statements claiming credit for cyber effects in Caracas, the chairman of the Joint Chiefs of Staff’s public remarks following both operations, coupled with a senior White House official’s previous statement in a public address that ‘we are unapologetically unafraid to do offensive cyber,’ demonstrate an eagerness to discuss offensive cyber (and space) capabilities previously considered highly sensitive and closely held by U.S. officials.”
BEST PRACTICE CYBER ACTIONS
This detailed piece by HSToday.us is outstanding, with practical recommendations for all on cyber: “Preparing for an Iranian Cyber War on U.S. Soil: Top 6 Risks to Anticipate.”
The article has practical details in many areas for network defenders, and covers these topics (with many more details at the link):
“1) What to Expect in the Next 0–30 Days — A Surge in Retaliatory Cyber Activity. Expect an uptick in disruptive and symbolic cyber operations tied to Iranian state actors and aligned fronts. Likely activity includes:
- Website defacements
- Distributed denial-of-service (DDoS) attacks
- Doxxing or data leaks
- Disruptive intrusions aimed at public visibility
“3) Likely Techniques: A Practical Watch List for SOC & IR Teams
“4) Could Iran Receive Assistance from China, Russia, or Others?
“5) Second-Order Ramifications of a Leadership Decapitation Event
“6) Proactive Measures Leaders Can Demand Within 72 Hours”
FINAL THOUGHTS
There were many scary headlines over this past week, such as these pictured here from Drudge Report.
But despite many ongoing concerns, distractions and real cyber threats facing CISOs and their teams over the past week-plus, I applaud the efforts of public- and private-sector IT and cyber teams that have done their jobs so well. Thank you for your ongoing efforts!
There is a live conference session this upcoming Wednesday (March 11, 2026) at the Billington State and Local Cybersecurity Summit in Washington, D.C., that I will be moderating, entitled: “What Should We Learn from the Salt and Volt Typhoon Attacks?” (See 3:30 on the agenda for details.) We will cover those topics, as well as a question on the current Iran cyber conflict.
Please join us if you will be at this important event, or reach out to panelists on LinkedIn for more.