Executive summary. Recent analysis from the Center for Strategic and International Studies (CSIS, the Washington think tank) and reporting from the Canadian Security Intelligence Service (Canada's intelligence agency, which uses the same abbreviation) indicate that Iran and Iran-aligned cyber groups are shifting from sporadic disruptive attacks to sustained, multidomain campaigns that explicitly target critical infrastructure. On this page, unqualified "CSIS" refers to the think tank; the Canadian agency is named in full. CSIS reporting on the 2026 Gulf conflict describes Iran's behavior as a "multidomain punishment campaign" that systematically puts energy facilities, ports, water systems, and digital infrastructure at risk to exert political pressure. Western security agencies now consistently warn that Iranian state and proxy actors are probing operational technology (OT) and industrial control systems (ICS) for persistent access, with water, energy, manufacturing, and transportation environments in scope.
This evolution directly affects incident response, OT threat intelligence, and resilience planning across industrial sectors. OT security programs focused on isolated incidents must now address an environment where Iranian-linked operators, hacktivists, and criminal affiliates collaborate, reuse shared infrastructure and tooling, and increasingly target common supply-chain dependencies.
1. CSIS Signals a Strategic Shift in Iran's Targeting of Critical Infrastructure
1.1 From episodic attacks to multidomain punishment campaigns
CSIS analysis of the 2026 Iran conflict outlines a deliberate strategy in which cyber operations, drone strikes, missile attacks, and information campaigns are coordinated to apply ongoing pressure on critical infrastructure. The CSIS study characterizes Iran's approach as a multidomain "punishment campaign" impacting energy facilities, ports, shipping lanes, airports, water systems, cloud infrastructure, and finance, focusing on sustained coercion rather than isolated blows [1: Iran’s Next Move: How to Counter Tehran’s Multidomain Punishment Campaign].
This model diverges from earlier Iranian cyber activity, which was known for one-off incidents such as the 2012 Shamoon wiper attack on Saudi Aramco or the 2012-2013 DDoS campaign against US banks. Current tactics emphasize:
- Persistent access and pre-positioning in critical systems, including OT networks.
- Lateral pressure across sectors and borders instead of localized disruptions.
- Hybrid operations combining physical, cyber, and psychological tactics.
- Targeting interconnected systems (e.g., ports, refineries, data centers, banks) as part of a comprehensive attack surface.
1.2 Evidence of sustained interest in critical infrastructure
Focus on critical infrastructure extends beyond energy. Reporting from the Canadian Security Intelligence Service points to Iran-aligned cyber groups, including those tied to the Islamic Revolutionary Guard Corps (IRGC), attempting to compromise key organizations across the healthcare, government, IT, engineering, and energy sectors, reflecting a broad and sustained targeting posture against critical entities [2: Intelligence operations - Canada.ca].
CSIS energy-sector analysis and European incident data reinforce this pattern:
- Data from the European Repository of Cyber Incidents (EuRepoC), cited by CSIS, indicates that from 2010 to 2024, energy-sector cyberattacks ranked second only to telecommunications incidents during periods of geopolitical conflict [3: Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure].
- A 2023 study referenced by CSIS found the energy sector accounted for nearly 40% of observed cyberattacks across critical infrastructure sectors [3: Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure].
These trends indicate a move from opportunistic disruptions to strategic, cross-sector campaigns in which OT environments are central to geopolitical leverage.
2. What Persistent Iranian Cyber Campaigns Look Like in OT/ICS
2.1 Direct attacks on OT and industrial control systems
Operational technology environments now feature prominently in Iranian-linked campaigns. Recent advisories and incident reports highlight:
- Targeted exploitation of PLCs and HMIs. A joint advisory from CISA, the FBI, the NSA, the EPA, and Israel's National Cyber Directorate warned in late 2023 that IRGC-affiliated actors operating as "CyberAv3ngers" had compromised internet-exposed Unitronics Vision Series programmable logic controllers (PLCs) across sectors by logging in with the vendor default password [4: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs | CISA]. The advisory identifies the exposed service as TCP port 20256 (Unitronics PCOM) and the default password as "1111", and notes that the affected PLCs may be rebranded under other companies' names, so an exposure check by vendor name alone is not enough.
- Water and wastewater operations. Reporting and ICS-focused analyses detail CyberAv3ngers intrusions into municipal water utilities in the US and abroad, where compromised PLCs and HMIs led to service disruptions, defacement of operator screens, and unsafe pump operation requiring manual intervention [5: H2 2023 – a brief overview of main incidents in industrial cybersecurity | Kaspersky ICS CERT].
- Broader OT targeting. Commercial threat intelligence observes IRGC-linked actors focusing on OT protocols and devices, including PLCs and human-machine interfaces (HMIs), in water, energy, and manufacturing environments, often initiating attacks with internet scans for exposed industrial equipment [6: An Update on Heightened Threat of Iranian Cyber Attacks | SafeBreach].
Such operations often exploit basic misconfigurations (open remote access, default credentials, flat networks) but function within a larger strategic campaign. A low-sophistication intrusion should therefore not be triaged as low priority: the technique is cheap, but the actor behind it is persistent.
2.2 Collaborative, cross-sector intrusions
Iran's cyber ecosystem includes intelligence-linked advanced persistent threat (APT) groups, military teams, and ideologically motivated hacktivists. Since 2024, reporting shows these groups operating in parallel and sharing tactics and infrastructure:
- A 2025 analysis identified at least six Iranian-linked APTs and hacktivist groups (including MuddyWater, APT33/Elfin, OilRig, CyberAv3ngers, Fox Kitten, and Homeland Justice) conducting coordinated, cross-sector operations and sharing tools and hosting infrastructure [7: Iranian Cyberattacks Surges 133% amid Regional Tensions].
- Documented collaboration with foreign groups includes joint operations between Iranian-backed and pro-Russian collectives targeting Israeli and NATO-aligned organizations supporting defense and transportation infrastructure [8: Hackers join U.S. and Israel's fight with Iran].
- AP-reported incidents during the 2026 conflict describe pro-Iranian hackers simultaneously attacking US medical technology firms, regional industrial facilities, and data centers, and attempting to compromise power and water entities, suggesting shared target lists and synchronization with physical attacks [9: Iran-linked hackers take aim at US and other targets, raising risk of cyberattacks during war].
For OT and ICS operators, a single intrusion may be part of a broader, coordinated campaign spanning sectors and geographies.
2.3 Supply-chain and third-party exposure
Persistent campaigns increasingly exploit shared dependencies, not just direct infrastructure:
- Shared OT components. Attacks on widely used PLC families, engineering workstations, or remote gateways can affect multiple operators and sectors using the same vendors.
- Service providers and integrators. Incident analyses highlight managed service providers (MSPs), cloud and data center operators, and engineering consultancies as key access points across industrial networks [10: Analytics].
- Insecure-by-design OT products. A 2023 academic study of 45 operational technology product families from 10 major vendors found every system had at least one trivial vulnerability, underlining systemic weaknesses in many industrial platforms [11: Insecure by Design in the Backbone of Critical Infrastructure].
In this context, supply chains and vendor ecosystems are integral to the OT attack surface, with shared components and service providers amplifying risks.
2.4 Sector-specific OT threat patterns
| Sector | Typical OT Targets | Observed/Reported TTPs (Illustrative) | Potential Operational Impact |
|---|---|---|---|
| Water & wastewater | PLCs for pumps, valves, chemical dosing; HMIs | Exploitation of internet-exposed PLCs with default credentials; HMI defacement; manipulation of pump setpoints and alarms [4: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs (CISA)] | Service disruption, defaced operator screens, unsafe pump operation forcing a switch to manual control of the affected process. |
| Energy & utilities | Substation controllers, generation plant DCS, pipeline SCADA | Credential stuffing and brute force against remote access; exploitation of vulnerable VPNs; reconnaissance of public ICS interfaces [3: Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure] | Localized outages, need for controlled shutdowns, strain on backup generation and blackstart plans. |
| Manufacturing | PLCs on production lines, robotics cells, safety systems | Ransomware with OT network discovery; compromise of engineering workstations; targeting of shared OT components in automotive and discrete manufacturing [12: Geopolitical shifts amplify OT security risks (PwC)] | Production line stoppages; fallback to manual operation for essential production and safety functions while digital controls are untrusted. |
| Transportation & logistics | Port terminal control systems, airport baggage/ground systems, rail signaling | Espionage and access campaigns against airlines, airports, and ports (e.g., Operation Cleaver); recent hacktivist DDoS and web compromises [13: Operation Cleaver] | Throughput reduction, scheduling disruptions, safety and security issues at terminals and hubs. |
3. Implications for OT Incident Response and Threat Intelligence in 2026
3.1 From perimeter defense to "assume breach" in OT
National cyber agencies now stress that critical-infrastructure operators should expect adversaries to gain network footholds. CISA's Cross-Sector Cybersecurity Performance Goals (CPGs) prioritize "assume breach" exercises that consider lateral movement into OT and ICS assets [14: Cross-Sector Cybersecurity Performance Goals | CISA].
For OT environments, key implications include:
- Incident response assumes compromised credentials and trusted channels. Perimeter firewalls and VPNs cannot be relied on as hard boundaries when persistent actors seek long-term access.
- Detection requires OT-level visibility. Asset owners need insight into protocol behavior (e.g., Modbus, DNP3, PROFINET), ICS command usage, and changes in PLC logic, beyond typical IT logs.
- Containment requires consideration of safety and process stability. Rapid isolation, revocation of remote access, and controlled transitions to manual modes should be rehearsed with operations teams.
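The protocol-level visibility the second bullet calls for can be made concrete with a small parser. The Python script below is an added example, not code from the page's sources or from any monitoring product: it decodes Modbus/TCP frames (the 7-byte MBAP header followed by the PDU), classifies the function code, and raises an alert when a state-changing write arrives from a host outside an assumed allowlist of HMI and engineering addresses, or when a frame is malformed. The frames, addresses and allowlist are constructed for the example; in a passive monitoring deployment the same logic would run over frames taken from a SPAN port or pcap.

```python
"""Parse Modbus/TCP frames and flag writes from hosts outside the HMI/engineering
allowlist. Added illustration: frames and addresses below are constructed, not
captured from any real incident or site."""
import struct
from dataclasses import dataclass

# Function codes that change process state (Modbus application protocol spec).
WRITE_FUNCTION_CODES = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}

# Assumed allowlist: only the HMI and the engineering workstation may write.
WRITE_ALLOWLIST = {"10.20.1.10", "10.20.1.20"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode MBAP header + PDU.

    MBAP: transaction id (2), protocol id (2, must be 0), length (2),
    unit id (1). The length field counts unit id plus PDU bytes.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def describe_write(req: ModbusRequest) -> str:
    """Human-readable summary of a write request: target address and size."""
    fc = req.function_code
    if fc in (5, 6):
        addr, value = struct.unpack(">HH", req.data[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} value=0x{value:04x}"
    if fc in (15, 16):
        addr, count = struct.unpack(">HH", req.data[:4])
        return f"{WRITE_FUNCTION_CODES[fc]} addr={addr} count={count}"
    return WRITE_FUNCTION_CODES.get(fc, f"function {fc}")


def audit_frames(frames):
    """frames: iterable of (src_ip, raw_bytes). Returns a list of alert strings."""
    alerts = []
    for src, raw in frames:
        try:
            req = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append(f"{src}: malformed Modbus/TCP frame ({exc})")
            continue
        if req.function_code in WRITE_FUNCTION_CODES and src not in WRITE_ALLOWLIST:
            alerts.append(f"{src}: unauthorized {describe_write(req)} to unit {req.unit_id}")
    return alerts


def build_frame(tid: int, unit: int, fc: int, data: bytes) -> bytes:
    """Assemble a well-formed request frame (used here to construct samples)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic (not a real capture).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers from address 0: normal polling.
    ("10.20.1.10", build_frame(1, 1, 3, struct.pack(">HH", 0, 10))),
    # Engineering workstation writes a setpoint: allowed.
    ("10.20.1.20", build_frame(2, 1, 6, struct.pack(">HH", 100, 0x01F4))),
    # Unknown host on the historian VLAN forces a coil on (pump start): alert.
    ("10.30.5.77", build_frame(3, 1, 5, struct.pack(">HH", 12, 0xFF00))),
    # Same host bulk-writes 20 registers (40 data bytes): alert.
    ("10.30.5.77", build_frame(4, 1, 16, struct.pack(">HHB", 200, 20, 40) + bytes(40))),
    # Truncated frame (header only): malformed.
    ("10.30.5.77", b"\x00\x05\x00\x00\x00\x06\x01"),
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES):
        print(line)
```

The allowlist is the important design choice: in most plants the set of hosts that legitimately write to a given PLC is small and stable, so "write from anyone else" is a high-signal rule even before any signature knowledge of the adversary's tooling. The same pattern applies to DNP3 and S7comm, but the framing and the set of state-changing operations differ per protocol.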
3.2 Cross-sector and public-private incident coordination
Government advisories during escalations consistently call for coordinated, cross-sector responses:
- A 2025 US government bulletin warned that Iranian-affiliated actors would likely continue targeting utilities, transport, and economic hubs after a ceasefire, urging operators to harden systems and report incidents promptly [15: Iranian cyberattacks remain a threat despite ceasefire, US officials warn].
- CSIS energy analysis highlights energy attacks as having system-wide effects, with impacts cascading into healthcare, transport, and communications [3: Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure].
- In the EU, joint EU-NATO task forces and the Critical Entities Resilience (CER) framework stress stress-testing and coordinated exercises for cross-border emergencies in energy and transport [16: Critical infrastructure resilience at EU-level - Migration and Home Affairs].
OT incident response plans must include reliable links to sectoral ISACs, national CSIRTs, and industry coordination channels, with clear thresholds for sharing OT indicators and forensics.
3.3 OT-specific threat intelligence
Generic cyber threat feeds rarely provide sufficient context for ICS defense. Effective OT threat intelligence in the Iranian campaign context includes:
- ICS-aware indicators. Hashes, domains, and IPs linked to tools used for accessing or modifying PLCs and engineering workstations, as in the CyberAv3ngers campaigns [4: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs | CISA].
- Mapped TTPs for OT. Iranian TTPs for default credential abuse, remote interface exploitation, and lateral movement from IT to OT networks.
- Campaign-level context. Understanding shared infrastructure or targets between hacktivist groups and APTs, and alignment with physical or diplomatic events.
- Vendor/product focus. Intelligence on targeted OT platforms enables prioritized hardening when patching options are limited.
Sectoral ISACs, government threat exchanges, and OT-focused vendors are increasingly enriching intelligence with these attributes, but asset owners must adapt their processes to consume and act on such data.
4. Regulatory Expectations: Incident Reporting and Resilience Standards
Iran-linked campaigns coincide with tightening regulations for critical-infrastructure cybersecurity, especially in the US and EU.
4.1 Incident reporting obligations
Regulatory regimes impose strict timelines for cyber incident reporting:
- United States - CIRCIA. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) directs CISA to issue and enforce regulations under which covered critical-infrastructure entities must report covered cyber incidents within 72 hours of reasonably believing one has occurred, and ransom payments within 24 hours of making them [17: Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) | CISA]. The clock starts at reasonable belief, not at forensic confirmation, so the reporting workflow cannot wait for root cause.
- European Union - NIS2. The NIS2 Directive imposes mandatory cybersecurity and incident-reporting obligations on a wide range of essential and important entities in energy, transport, digital infrastructure, and key manufacturing sectors [18: NIS2 Directive Obligations - Complete Guide | EU Cyber Laws].
- Germany - NIS2UmsuCG. Germany's NIS2 implementation law follows the directive's staged timeline: an early warning within 24 hours of becoming aware of a significant security incident, a fuller notification within 72 hours, and a final report within one month [19: NIS2 in Germany (NIS2UmsuCG) – OpenKRITIS].
- EU - CER Directive. The CER framework enforces resilience requirements, including incident notification, for critical entities in energy, transport, water, and other sectors [16: Critical infrastructure resilience at EU-level - Migration and Home Affairs].
These demands frame the "first 24-72 hours" of incident response, requiring OT incident workflow alignment with reporting deadlines.
4.2 Resilience and security-control expectations
Beyond notification, regulatory and standards frameworks formalize OT security expectations:
- NIS2 and national implementations require risk management, continuity planning, supply-chain security, and governance for both industrial and transport systems [18: NIS2 Directive Obligations - Complete Guide | EU Cyber Laws].
- CER promotes incident prevention, absorption, and recovery, with integrated risk assessments covering both physical and cyber threats [16: Critical infrastructure resilience at EU-level - Migration and Home Affairs].
- CISA CPGs, NIST SP 800-82, and IEC 62443, while not always mandated, are widely regarded as good practice, emphasizing asset inventory, segmentation, secure access, detection, and recovery for ICS and OT [20: Withdrawn NIST Technical Series Publication]. The linked NIST document is the withdrawn Revision 2 of SP 800-82; Revision 3, published in 2023, is the current edition and the one to cite.
4.3 Regulatory landscape summary for OT asset owners
| Region / Framework | Primary Scope for Critical Infrastructure | Key OT-Relevant Expectations |
|---|---|---|
| US - CIRCIA | Covered critical-infrastructure entities across 16 sectors | Timely reporting (72h/24h) for significant incidents and ransom payments; supports coordinated response. |
| US - CISA CPGs & ICS guidance | All critical-infrastructure (voluntary but strongly advised) | Baseline controls for IT and OT: inventory, segmentation, MFA for remote access, assume-breach drills, and ICS-focused monitoring. |
| EU - NIS2 | Essential and important entities in energy, transport, digital, manufacturing, health | Governance, risk management, incident reporting, supply-chain security, business continuity, with OT where critical to service. |
| EU - CER Directive | Critical entities in 11 sectors (energy, transport, water, food, digital) | Resilience measures, cross-border risk assessment, stress testing, and notification provisions. |
| Global - NIST SP 800-82, IEC 62443 | Industrial and automation control systems | Technical/architectural guidance: segmentation, defense in depth, and secure ICS operations. |
5. Defensive Priorities for OT Asset Owners Facing Persistent Iranian Campaigns
5.1 Comprehensive OT asset discovery and exposure reduction
Unknown or undocumented industrial assets are highly susceptible to pre-positioning and exploitation.
Key actions:
- Maintain an up-to-date inventory of all OT assets: PLCs, HMIs, safety systems, engineering workstations, and remote access gateways.
- Identify and remove unnecessary internet exposure of industrial devices, following CISA guidance [4: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs | CISA].
- Prioritize remediation for default credentials, unsupported firmware, or weak remote access controls.
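The three actions above, and the default-credential exposure described in section 2.1, come together as a join between what the plant believes it owns and what the internet can actually reach. The Python script below is an added example with constructed data (the assets, addresses, NAT rules and scan results are invented; nothing is from a real site or from the sources cited on this page). It reconciles an asset inventory with an external scan and the firewall's port-forward table, ranks each finding, and in particular surfaces an internet-reachable host that is absent from the inventory, the "unknown asset" case the section opens with.

```python
"""Rank exposure-reduction work by reconciling an OT asset inventory against
external attack-surface scan results and the firewall's port-forward table.
Added example with constructed data: every asset, address and port here is
invented; nothing is taken from a real site or from the sources cited above."""
import csv
import io

# Ports that indicate an industrial protocol or management plane is reachable.
# 20256/PCOM is the Unitronics service named in the CISA advisory; the rest are
# other common ICS and remote-management services.
ICS_PORTS = {
    20256: "Unitronics PCOM",
    502: "Modbus/TCP",
    102: "Siemens S7comm",
    44818: "EtherNet/IP",
    20000: "DNP3",
    80: "HTTP (PLC/HMI web UI)",
    443: "HTTPS (PLC/HMI web UI)",
    3389: "RDP",
    5900: "VNC",
}

PRIORITY = {1: "CRITICAL", 2: "HIGH", 3: "MEDIUM", 4: "VERIFY"}

# Constructed inventory: what the asset owner believes is on the control network.
INVENTORY_CSV = """asset_id,type,ip,vendor,default_creds,firmware_supported
plc-01,PLC,10.20.1.5,Unitronics,yes,no
plc-02,PLC,10.20.1.6,Siemens,no,yes
plc-03,PLC,10.20.1.7,Unitronics,yes,yes
hmi-01,HMI,10.20.1.30,Rockwell,no,yes
ews-01,Engineering WS,10.20.2.10,Windows,no,yes
"""

# Constructed port-forward table at the site firewall: (public ip, port) -> internal ip.
NAT_TABLE = {
    ("203.0.113.10", 20256): "10.20.1.5",
    ("203.0.113.10", 8080): "10.20.1.30",
    ("203.0.113.11", 5900): "10.20.9.44",  # forward to a host nobody inventoried
}

# Constructed external scan output: (public ip, port) pairs found open.
SCAN_RESULTS = [
    ("203.0.113.10", 20256),
    ("203.0.113.10", 8080),
    ("203.0.113.11", 5900),
    ("203.0.113.11", 443),  # open, but no forward rule on record
]


def load_inventory(text):
    """Index inventory rows by internal IP."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(text))}


def weaknesses(asset):
    """Inventory attributes that raise priority on their own."""
    found = []
    if asset["default_creds"] == "yes":
        found.append("default credentials")
    if asset["firmware_supported"] == "no":
        found.append("unsupported firmware")
    return found


def assess(inventory_csv, nat_table, scan_results):
    """Return (priority, finding) tuples; lower number means more urgent."""
    inventory = load_inventory(inventory_csv)
    findings = []
    exposed = {}  # internal ip -> list of internet-reachable ports
    for pub_ip, port in scan_results:
        internal = nat_table.get((pub_ip, port))
        if internal is None:
            findings.append((4, f"{pub_ip}:{port} open but no forward rule on record; verify firewall"))
        else:
            exposed.setdefault(internal, []).append(port)
    for ip, ports in exposed.items():
        services = ", ".join(ICS_PORTS.get(p, f"port {p}") for p in ports)
        asset = inventory.get(ip)
        if asset is None:
            # Reachable from the internet and undocumented: worst case for pre-positioning.
            findings.append((1, f"{ip}: internet-reachable ({services}) but absent from inventory"))
            continue
        issues = weaknesses(asset)
        prio = 1 if "default credentials" in issues else 2
        detail = "; ".join([f"internet-reachable ({services})"] + issues)
        findings.append((prio, f"{asset['asset_id']} ({asset['type']}, {ip}): {detail}"))
    for ip, asset in inventory.items():
        issues = weaknesses(asset)
        if ip not in exposed and issues:
            findings.append((3, f"{asset['asset_id']} ({asset['type']}, {ip}): not exposed; " + "; ".join(issues)))
    findings.sort(key=lambda f: f[0])
    return findings


if __name__ == "__main__":
    for prio, text in assess(INVENTORY_CSV, NAT_TABLE, SCAN_RESULTS):
        print(f"{PRIORITY[prio]:8} {text}")
```

The ranking is deliberately simple (exposed plus default credentials, or exposed and unknown, outranks exposed alone, which outranks an internal weakness), because the point is the join, not the scoring: an external scan on its own shows open ports, an inventory on its own shows intended assets, and only the reconciliation shows which PLC with a default password is actually one port-forward away from the internet.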
5.2 Network segmentation and secure remote access
Flat networks and poorly managed remote access remain common vulnerabilities. Segmentation in line with standards reduces risk:
- Apply the Purdue model and IEC 62443 zone/conduit concepts to define OT security zones by function and criticality, separating them with controlled conduits and inspection [21: What Is the Purdue Model for ICS Security? | A Guide to PERA - Palo Alto Networks].
- Use DMZs between enterprise IT and OT, restricting data flows for historian, MES, and remote support connections.
- Enforce strong, phishing-resistant multi-factor authentication (MFA) and least-privilege access for all remote and vendor engineering access, preferably via monitored jump hosts.
5.3 ICS-aware monitoring and anomaly detection
IT-centric security monitoring often misses signs of malicious control network activity. Priority practices:
- Deploy passive OT network monitoring that understands industrial protocols and detects anomalies in commands, logic downloads, or configuration changes.
- Integrate OT telemetry into central security operations, while accounting for process-safety constraints and avoiding disruptive scanning.
- Tune detection to Iranian TTPs, for example repeated failed logins to PLC web interfaces, unauthorized project uploads or logic downloads to controllers, or unexpected remote sessions from new IPs.
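The three detections named in the last bullet can be expressed directly over log data. The Python script below is an added example, not code from the page's sources or from any SIEM product: it parses a constructed, invented log format (ISO timestamp, log source, device, event, key=value fields), keeps a sliding window of failed logins per PLC and source, flags a logic download from a host that is not an engineering workstation, and flags a remote-access session from an IP outside a baseline of previously seen vendor addresses, correlating the last with an earlier brute-force source when they match. The baselines, hosts and addresses are assumptions for the example.

```python
"""Detect three patterns over a constructed OT log sample: brute force against a
PLC web interface, a logic download from a non-engineering host, and a remote
session from a never-seen IP. Added example; the log format, hosts, baselines
and addresses are invented, not taken from a real site."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed baselines an asset owner would maintain (not from any real site).
ENGINEERING_HOSTS = {"10.20.2.10"}   # hosts allowed to push logic to PLCs
KNOWN_REMOTE_IPS = {"192.0.2.55"}     # vendor/remote-support source IPs seen before
FAIL_THRESHOLD = 5                    # failures per (device, source) ...
FAIL_WINDOW = timedelta(seconds=60)   # ... inside this sliding window

# Constructed log lines: "<iso-timestamp> <log source> <device> <event> key=value ...".
SAMPLE_LOG = """\
2026-03-02T01:12:03Z plc-web plc-01 auth_failed user=admin src=198.51.100.7
2026-03-02T01:12:05Z plc-web plc-01 auth_failed user=admin src=198.51.100.7
2026-03-02T01:12:08Z plc-web plc-01 auth_failed user=admin src=198.51.100.7
2026-03-02T01:12:12Z plc-web plc-01 auth_failed user=root src=198.51.100.7
2026-03-02T01:12:15Z plc-web plc-01 auth_failed user=admin src=198.51.100.7
2026-03-02T01:12:19Z plc-web plc-01 auth_failed user=admin src=198.51.100.7
2026-03-02T01:13:00Z plc-web plc-01 auth_failed user=operator src=10.20.1.30
2026-03-02T01:15:00Z ews ews-01 project_download target=plc-01 user=engineer1 src=10.20.2.10
2026-03-02T01:20:00Z eng-tool unknown project_download target=plc-02 user=svc_backup src=10.30.5.77
2026-03-02T02:00:00Z vpn gw-01 session_open user=vendor1 src=192.0.2.55
2026-03-02T02:05:00Z vpn gw-01 session_open user=vendor1 src=198.51.100.7
"""


def parse_line(line):
    """Split one log line into a dict of fixed fields plus key=value pairs."""
    ts, source, device, event, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    fields.update(
        ts=datetime.fromisoformat(ts.replace("Z", "+00:00")),
        source=source, device=device, event=event,
    )
    return fields


def detect(lines):
    """Run the three detections in log order and return alert strings."""
    alerts = []
    failures = defaultdict(deque)   # (device, src) -> timestamps inside the window
    alerted = set()                 # (device, src) pairs already reported
    brute_force_sources = set()     # sources that crossed the threshold anywhere
    for raw in lines:
        if not raw.strip():
            continue
        ev = parse_line(raw)
        src = ev.get("src", "?")
        if ev["event"] == "auth_failed":
            key = (ev["device"], src)
            window = failures[key]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # drop timestamps that aged out
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and key not in alerted:
                alerted.add(key)
                brute_force_sources.add(src)
                alerts.append(f"BRUTE_FORCE {ev['device']} web interface: {len(window)} failures "
                              f"from {src} within {FAIL_WINDOW.seconds}s")
        elif ev["event"] == "project_download" and src not in ENGINEERING_HOSTS:
            alerts.append(f"UNAUTHORIZED_LOGIC_DOWNLOAD to {ev['target']} by {ev.get('user')} from {src}")
        elif ev["event"] == "session_open" and src not in KNOWN_REMOTE_IPS:
            note = " (same source as earlier brute force)" if src in brute_force_sources else ""
            alerts.append(f"NEW_REMOTE_IP vpn session for {ev.get('user')} from {src}{note}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

Two details matter for OT use. The brute-force rule alerts once per device and source rather than on every subsequent failure, so a noisy scanner does not flood the operations channel; and the logic-download rule is an allowlist of engineering hosts rather than a signature, because a legitimate vendor tool and an attacker's copy of it produce the same event, and only the source tells them apart.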
5.4 Incident response playbooks tailored to OT realities
Traditional IT playbooks can be unsafe or ineffective in industrial environments, especially under regulatory pressure:
- Define OT-specific containment steps (e.g., close vendor VPNs, isolate conduits, switch to manual control) with clear authority for operations, engineering, and cybersecurity leads.
- Pre-authorize fallback for essential production and safety operations when digital controls are compromised.
- Align playbooks with incident-reporting needs, ensuring technical detail collection does not delay urgent containment.
5.5 Supply-chain and vendor-risk management
Iranian campaigns frequently exploit shared components and providers. Effective approaches include:
- Require vendors and integrators to follow secure development and disclosure processes, and to provide timely advisories and patches.
- Evaluate all third-party remote access, including that of OEMs and service partners, using zero-trust principles.
- Maintain capacity to deploy compensating controls rapidly when urgent vulnerabilities arise in widely used OT products.
5.6 Participation in collective defense
Authorities encourage active engagement in information-sharing and exercises:
- Join sectoral ISACs (e.g., water, energy, manufacturing) and national CSIRT exchanges that distribute OT indicators and playbooks related to Iranian activity [3: Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure].
- Take part in cyber-physical exercises and stress tests modeling multi-sector and persistent campaigns.
- Build trusted channels with law enforcement and national security agencies for rapid escalation of state-linked incidents.
6. Conclusion: Aligning OT Security with a Persistent-Threat Model
Iran's evolving cyber strategy, as detailed in CSIS and government analysis, treats critical infrastructure as a sustained pressure point rather than an occasional target. OT and ICS environments in manufacturing, energy, water, and transportation are now core elements of this campaign approach.
For industrial organizations, the key shift is from treating cyber incidents as rare exceptions to preparing for continuous, low-visibility threats to control networks, often enabled by shared supply chains and service providers.
Recommended next steps:
- Develop a high-fidelity OT asset inventory and eliminate external exposure where possible.
- Implement segmentation and remote access controls consistent with IEC 62443 and NIST SP 800-82.
- Build ICS-aware monitoring and incident response that operates safely and aligns with regulatory timelines.
- Integrate OT threat intelligence, especially regarding Iranian TTPs, into security and engineering workflows.
- Participate in cross-sector information sharing and exercises to prepare for multidomain, cross-border campaigns.
Organizations that adopt this persistent-threat model, and invest accordingly, will be positioned to withstand, not just react to, sustained cyber pressure from Iran and similar actors.
Frequently Asked Questions
### What distinguishes Iranian cyber threats to OT from those posed by other states?
While less technically advanced than China or Russia, Iran's program integrates state units, proxies, and hacktivists into politically timed campaigns [15: Iranian cyberattacks remain a threat despite ceasefire, US officials warn]. These often target symbolic and economically sensitive infrastructure, such as water, energy, and ports, and are linked to regional conflict dynamics.
In OT environments, the main characteristic is not unique malware sophistication, but a willingness to cause visible disruption and opportunistically exploit misconfigurations (e.g., exposed PLCs), combined with use of propaganda to amplify perceived impact.
### Which OT and ICS assets are most likely to be targeted in Iranian-linked campaigns?
Reporting highlights recurring target types:
- Internet-exposed PLCs and HMIs in water, wastewater, and small utilities
- Remote-access gateways, VPNs, and jump hosts used by integrators and vendors
- Engineering workstations and historians bridging IT and OT networks
- OT components associated with Israeli or Western defense and technology ecosystems [4: CISA and Partners Release Joint Advisory on IRGC-Affiliated Cyber Actors Exploiting PLCs | CISA]
Strengthening and monitoring these areas provides considerable defensive benefit.
### How should OT incident response teams adapt to tighter incident-reporting timelines?
OT teams increasingly require integrated legal and compliance workflows:
- Pre-define "reportable incidents" under each applicable framework (CIRCIA, NIS2/NIS2UmsuCG, sectoral rules) for OT context.
- Prepare playbooks that include early situation reports with key details for regulators-affected services, root cause, cross-border implications.
- Ensure evidence collection (e.g., PLC logic downloads, historian data) is compatible with forensic and safety requirements.
This structure limits risks of under-reporting or delayed containment.
### What role does OT-specific threat intelligence play in defending against Iranian campaigns?
OT-focused threat intelligence enables a shift to targeted, campaign-aware defense. In the Iranian context, it allows teams to:
- Monitor which protocols, vendors, and sectors are being targeted
- Identify infrastructure and indicators tied to Iranian APTs and hacktivist groups
- Anticipate follow-on actions such as wiper malware, DDoS, or information operations after initial OT access [6: An Update on Heightened Threat of Iranian Cyber Attacks | SafeBreach]
Combined with asset mapping and segmentation, such intelligence enables risk-based prioritization.
### How can manufacturing organizations balance OT security investments between Iranian threats and other cyber risks?
Iranian-linked campaigns are a subset of a broad threat landscape that includes ransomware, supply-chain compromise, and espionage. Many controls for Iran-linked risks-asset discovery, segmentation, secured remote access, and ICS-aware monitoring-also address other threats.
A practical approach is to treat Iranian campaigns as a representative high-stress scenario in OT security architecture and exercises. Systems built to withstand a persistent, multi-vector campaign from one state actor are generally more resilient to others.
