11 hours ago
US critical networks are prime targets for cyberattacks. They're preparing for Iran to strike.
The organizations representing critical networks that keep the lights on, the water running and transportation systems humming across the U.S. are bracing for a possible surge of Iranian cyberattacks.
Virtually every critical infrastructure sector is on high alert amid a deepening conflict between Iran and Israel, though no major new cyber threat activity has been publicly reported so far.
As these groups proactively step up their defenses, it's unclear whether Washington is coordinating with them on security efforts — a change from prior moments of geopolitical unrest, when federal agencies have played a key role in sounding the alarm.
'Iranian cyber activity has not been as extensive outside of the Middle East but could shift in light of the military actions,' said John Hultquist, chief analyst for Google Threat Intelligence Group.
As the conflict evolves — and particularly if the U.S. decides to strike Iran directly — 'targets in the United States could be reprioritized for action by Iran's cyber threat capability,' he said.
During previous periods of heightened geopolitical tension, U.S. agencies, including the Cybersecurity and Infrastructure Security Agency, stepped up to warn the operators of vital U.S. networks about emerging threats. Ahead of Russia's full-scale invasion of Ukraine in 2022, CISA launched its 'Shields Up' program to raise awareness about potential risks to U.S. companies emanating from the impending war.
Anne Neuberger, who served as deputy national security adviser for cyber and emerging tech at the White House under President Joe Biden, coordinated with CISA and other agencies, including the Office of the Director of National Intelligence, to support critical infrastructure sectors before Russia attacked Ukraine. She stressed that the government is crucial in helping these companies step up their defenses during a crisis.
'The government can play a very important role in helping companies defend themselves, from sharing declassified intelligence regarding threats to bringing companies together to coordinate defenses,' Neuberger said. 'Threat intel firms should lean forward in publicly sharing any intelligence they have. ODNI and CISA should do the same.'
Spokespersons for CISA, the White House and the National Security Council did not respond to requests for comment on increasing concerns that cyber adversaries could target U.S. critical networks.
Beyond federal resources, thousands of the nation's critical infrastructure operators turn to information sharing and analysis centers and organizations, or ISACs, for threat intelligence.
The Food and Ag-ISAC — whose members include the Hershey Company, Tyson and Conagra — and the Information Technology ISAC — whose members include Intel, IBM and AT&T — put out a joint alert late last week strongly urging U.S. companies to step up their security efforts to prepare for likely Iranian cyberattacks. In a joint statement from the groups provided to POLITICO on Monday, the organizations cautioned that even if no U.S.-based companies were directly targeted, global interconnectivity meant that 'cyberattacks aimed at Israel could inadvertently affect U.S. entities.'
ISACs for the electricity, aviation, financial services, and state and local government sectors are also on alert. Jeffrey Troy, president and CEO of the Aviation ISAC, said that in the past, companies in the aviation sector had been impacted by cyberattacks disrupting GPS systems, and that as a result, 'our members remain in a constant state of vigilance, sharing intelligence in real time and collaborating on prevention, detection, and mitigation strategies.'
Andy Jabbour, founder and senior adviser for the Faith-Based Information Sharing and Analysis Organization, said his organization is monitoring potential efforts by Iranian-linked hackers to infiltrate the websites of U.S. religious groups or spread disinformation.
Jabbour said his organization is working with the National Council of ISACs on scanning for these threats, and noted that the council had stood up a program following the first strikes by Israel on Iran late last week to monitor for specific threats to U.S. infrastructure.
The National Council of ISACs did not respond to a request for comment on whether they are preparing for evolving Iranian threats.
Concerns about attacks on U.S. critical infrastructure linked to conflicts abroad have grown in recent years. Following the Oct. 7, 2023, attack on Israel by militant group Hamas, Iranian government-linked hacking group Cyber Av3ngers hacked into multiple U.S. water facilities that were using Israeli-made control panels.
The intrusions did not disrupt water supplies, but they served as a warning to utility operators about devices that could be easily hacked and potentially targeted first in a cyber conflict with Iran.
'If anti-Israeli threat actors make good on any claim of impacting critical infrastructure at this time … they're going to look for the low-hanging fruit, easily compromised devices,' said Jennifer Lyn Walker, director of infrastructure cyber defense at the Water ISAC.
Walker said that while her team has not yet detected any enhanced threats to member groups since last week, the Water ISAC would be sending out an alert this week, encouraging organizations to stay vigilant.
'We don't want to cause any undo panic, but for those members that aren't already watching and aren't already vigilant, we definitely want to amplify the message that the potential exists,' Lyn Walker said.
Some of these groups noted that the lack of federal support so far in preparing for Iranian cyberattacks may be due to widespread changes across agencies since President Donald Trump took office. CISA, the nation's main cyber defense agency, is expected to lose around 1,000 employees, and many of its programs have been cut or put on pause, including funding for the organization that supports the ISACs for state and local governments. CISA has also been without Senate-confirmed leadership since former Director Jen Easterly departed in January.
'CISA is in a state of transition,' Jabbour said, noting that while 'CISA is still accessible,' there had been no outreach to strengthen defenses against Iranian hackers since tensions erupted last week.
It isn't a complete blackout. Lyn Walker said that the Water ISAC has 'received reporting from DHS partners who are striving to maintain continuity of operations and valuable information sharing during this challenging time.'
There could also be another reason for the less visible federal response: 'Shields Up' advisories are still available from 2022, when CISA worked with organizations to prepare for an onslaught of Russian cyberattacks tied to the war in Ukraine. Kiersten Todt, who served as chief of staff at CISA when the program was stood up, said that its legacy has heightened awareness of potential cyber pitfalls across the nation's critical operations.
'Because the [cyber] threat is so serious, all of those things ended up sustaining,' Todt, current president of creative company Wondros, said. 'That 'Shields Up' mentality has now become part of the culture of critical infrastructure.'
The enhanced level of vigilance reflects concerns that the threats from Iran could change quickly. Jabbour noted that a lot is in the hands of Trump as he weighs how heavily to assist Israel.
'The next 24-48 hours will be interesting in that sense, and his decisions and his actions could certainly influence what we see here in the United States,' Jabbour said.
