Defending against the Iranian Cyber Threat to Critical Infrastructure

Ymir Vigfusson

June 23, 2025

How active are Iranian APT Groups?

DHS’s CISA warned us in December that Iran was targeting OT networks of critical infrastructure in the United States. The rapid escalation of tensions, including the bombing of Iranian nuclear facilities this weekend, has now prompted CISA to urge U.S. organizations to be on immediate high alert for cyber retaliation from both hacktivists and advanced cyberattack groups (APTs) aligned with the Iranian government. With the Iranian sphere of influence surpassing 170 million people, recent pacts with major cyber powers like Russia, and over a billion USD invested in cyber capabilities over the past decade, these escalations pose a significant threat against U.S. organizations and critical infrastructure and must be taken seriously.

Cyber warfare by nation states has evolved beyond espionage and ransomware attacks to further encompass two chief objectives:

Lacking traditional military capabilities to threaten the U.S. mainland, a logical reaction from Iran is to inflict maximum damage on its rivals through cyberattacks, a real risk against which all critical U.S. organizations must prepare.

Defending against Iranian Cyber Threats

For water utilities, there are three immediate steps to take.

Step #1: Ensure attackers can’t access your OT systems from the outside.

Past attacks from Iranian threat actors abused basic vulnerabilities in OT infrastructure, including the guessing of default passwords on PLC equipment. In April 2024, the goals of CISA, EPA, and FBI were simply to encourage water utilities to disconnect OT resources from direct Internet access, change default passwords, make backups of important data, and maintain basic cybersecurity awareness. With the ongoing escalations and potential retaliation, these goals are a starting point and should be considered a minimum cybersecurity baseline.

While most organizations will already have these basic steps recommended by CISA in place, now is the time to audit them. History teaches us that in cyber defense, our practices drift over time and any oversight can cause a catastrophic breach.

What to do now: Audit your network with CISA’s free CSET scanner and then sign up for their free vulnerability scanner to run as soon as possible. These are painless, safe, and important. Address any findings with high urgency.

What to have in place: If a breach occurs, you should be able to switch to safe manual controls to quickly restore operations. Create a routine of making software backups, checking your disaster recovery and business continuity plans, as well as testing your fail-safe mechanisms and standby systems.

Step #2: Ensure attackers can’t access your OT systems from the inside.

Now that your OT environment is not directly accessible on the Internet for anyone to hack, the next step is to safeguard any path to your environment from the potent forms of cyberattacks that are rampant in all sectors. Indeed, CISA’s latest security advisory on OT from May 6th 2025 highlights securing access to OT systems from the IT environment itself, a particularly critical vector since 72% of OT attacks in 2024 originated from the IT environment.

Addressing the IT-OT interface involves forcing a discussion between your engineers, whose training prioritizes safety, and your IT personnel, whose training prioritizes cybersecurity, so that both understand that cyberattacks are a critical risk to operational safety. The cybersecurity risk must be owned by someone in your organization who can get safeguards implemented. The most crucial safeguard you must have is network-level isolation of your OT systems, which are not designed to withstand cyberattacks, from every part of your IT infrastructure.

What to do now: Ensure that OT systems (ICS/PLC/SCADA) are firewalled off from all IT networks, and that they can only be accessed remotely through dedicated jump boxes, if remote access is required at all. These jump boxes should be up to date with security patches and running modern security software, such as endpoint detection and response (EDR).
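As an added example (not part of the original post), a small Python audit of a firewall rule export that flags drift from the baseline in Steps #1 and #2: OT addresses reachable from the Internet, or reachable from anything other than a dedicated jump box. The OT subnet, jump-box address, and rule set are constructed for illustration; adapt the Rule loader to your firewall's export format.

```python
"""Audit firewall rules for drift from the IT/OT isolation baseline (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumed (constructed) address plan: OT/ICS space and the hardened jump boxes
# that are the only permitted path into it.
OT_NET = ipaddress.ip_network("10.50.0.0/16")
JUMP_HOSTS = {ipaddress.ip_address("10.20.1.10")}
INTERNET = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # destination port number, or "any"


def findings(rules):
    """Return (index, reason, rule) for every allow rule that exposes OT.

    Every allow rule is checked on its own (no first-match shadowing), which
    is the conservative choice for an audit: a permit that is only masked by
    an earlier deny is still one rule edit away from becoming live.
    """
    out = []
    for i, r in enumerate(rules):
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if r.action != "allow" or not dst.overlaps(OT_NET):
            continue
        if src == INTERNET:
            out.append((i, "OT reachable from the Internet", r))
        elif not (src.num_addresses == 1 and src.network_address in JUMP_HOSTS):
            out.append((i, "non-jump-box source reaches OT", r))
        elif r.dport == "any":
            out.append((i, "jump box allowed on all ports", r))
    return out


# Constructed sample export: one sound jump-box rule, one flat IT->OT rule
# that has drifted in, one PLC published to the Internet on Modbus/TCP.
SAMPLE_RULES = [
    Rule("allow", "10.20.1.10/32", "10.50.0.0/16", "22"),
    Rule("allow", "10.20.0.0/16", "10.50.0.0/16", "any"),
    Rule("allow", "0.0.0.0/0", "10.50.3.7/32", "502"),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any"),
]

if __name__ == "__main__":
    for idx, reason, rule in findings(SAMPLE_RULES):
        print(f"rule {idx}: {reason}: {rule}")
```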

Step #3: Ensure attackers can’t access your OT systems by hacking your personnel.

State-sponsored attackers are adept at abusing identity and trust within organizations, as evidenced by relentless spear phishing campaigns and vibrant underground marketplaces for identities and access. Iranian attack groups are no exception, with formidable capabilities that CISA, the FBI and the UK’s NCSC have warned about.

Attackers routinely target the employees and contractors of an organization and compromise their endpoint devices as an initial stepping stone into its networks. While training is necessary to help your users recognize and avoid phishing attacks, malware, and the faux “call from tech support” in their day-to-day jobs, training alone is inadequate.

What to do now: Require your users to use phishing-resistant multi-factor authentication (MFA) when they log into your systems. In addition, your privileged users and engineers who have access to sensitive systems should use Keystrike or similar to block lateral movement from a compromised workstation. Take time to remind your users of the proper channels to install software and to get help, and what to expect from your Support staff. Remind your Support staff about the processes that protect your users and organization, particularly around common spear phishing tactics such as password resets.

Your Monday Checklist

First, audit your network with CISA’s free CSET scanner and sign up for their vulnerability scanner. This will ensure the safeguards you started with are still present, active, and respected.

Second, review and test your “break glass” manual procedures. Ensure that if a breach happens, you can continue to protect the health and safety of your citizens.

Third, confirm that your system backups are active, restorable, and complete. Incomplete or irretrievable backups are unfortunately among the most common regrets following breaches.

Fourth, review your overall disaster recovery and business continuity plans. Ensure that your key participants - technicians, engineers, executives, and legal staff - know their roles and responsibilities, and that you have correct and complete contact information for each of them. For bonus points, make sure those contact methods are independent of your potentially compromised systems.

Fifth, assign cybersecurity responsibility to someone with proper command to implement the IT-OT separation, ensure endpoint security, implement MFA, and protect your privileged remote users.

Dealing with Uncertainty

At any given moment, it’s hard to get the full details on what’s going on where and what the larger implications are. Regardless, our goals and processes haven’t changed. Starting from CISA’s foundation for Securing Water Systems, we can build, verify, and protect our systems from most threats. We should also collaborate with groups such as WaterISAC to share information across our ecosystem, so that we detect and respond to attack patterns before they reach us directly.

To learn more about Iranian Advanced Persistent Threat (APT) groups and how to counter them, join us for a free webinar entitled "Iranian Cyber Threat to Critical Infrastructure - Emergency Response & What You Should Do Now" on June 25th at 2pm US Eastern Time and sign up with Keystrike to onboard and protect your critical servers, jump boxes and bastion hosts in a matter of minutes.
