New analysis from the Center for Strategic and International Studies (CSIS) finds that Iran’s approach to cyber conflict is no longer episodic or symbolic, but reflects a sustained, strategic posture that treats cyberspace as an extension of state power, particularly against critical infrastructure. The bipartisan, nonprofit policy research organization and think tank notes that Iranian actors, including state-linked and proxy ‘hacktivist’ groups, are positioned to target sectors such as energy, water, and transportation, exploiting legacy ICS (industrial control systems) and weak network segmentation. These operations are not only about immediate disruption but about pre-positioning access for future escalation, creating latent risk inside networks that may only surface during moments of geopolitical crisis.
What makes the current threat environment more volatile is the blend of capability and intent. Iran’s cyber doctrine favors asymmetric responses, using cyber operations as a lower-cost, deniable alternative to direct military retaliation. According to CSIS, this can range from influence campaigns and disruptive attacks to more sophisticated operations against critical infrastructure, particularly in response to U.S. or allied military pressure. The use of proxies enables scale and plausible deniability, complicating attribution while expanding the attack surface across privately operated infrastructure.
Highlighting that the energy sector is vulnerable to, and has been increasingly targeted by, cyber threat actors in recent years, Leslie Abrahams and Lauryn Williams wrote in the CSIS analysis that for several years there has been strong evidence that foreign adversaries, notably the People’s Republic of China (PRC), have ‘infiltrated and pre-positioned’ on U.S. critical infrastructure, including energy systems. While these intrusions have not caused outages, they have demonstrated the PRC’s interest in targeting strategic critical infrastructure for disruption, including during a future conflict. The United States itself has become more vocal about offensive cyber capabilities targeting the grid.
CSIS recognizes that risk to U.S. energy infrastructure is amplified by systemic weaknesses at home. The analysis highlights that cybersecurity across critical infrastructure remains fragmented and uneven, with voluntary standards and inconsistent enforcement leaving gaps that advanced adversaries can exploit. In this context, Iranian cyber activity does not need to be highly sophisticated to be effective. Even moderate disruptions to energy systems could cascade into broader economic and operational impacts, especially if attacks are timed to coincide with kinetic escalation, reinforcing the role of cyber operations as a force multiplier in modern conflict.
“For more than a decade, Iran has invested heavily in its cyber capabilities and cultivated ties to hacker groups. Iran has so far conducted limited disruptive strikes in the current conflict, outside of the attack targeting U.S. medical technology firm Stryker,” according to the CSIS analysis. “But, cybersecurity firms and critical infrastructure threat advisory groups warn of a heightened cyber threat environment as the Middle East conflict continues. The Trump administration has downplayed indications of imminent risk, but urged energy companies to increase physical and cybersecurity measures in case of retaliatory attacks.”
Even before the February airstrikes escalated geopolitical tensions, the cyber threat environment surrounding U.S. energy infrastructure had been accelerating. In February, the Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response issued its first strategic plan to protect U.S. energy infrastructure from cybersecurity threats, physical attacks, and natural disasters. This year, the World Economic Forum ranked ‘cyber insecurity’ a top-10 global risk, and the Office of the Director of National Intelligence’s 2026 Annual Threat Assessment warned that U.S. critical infrastructure, including the energy sector, faces escalating cyber challenges.
Abrahams and Williams mentioned that the sheer scale of the system creates a large attack surface vulnerable to both physical and cyber interference. “From a physical security standpoint, the geographic span increases exposure because infrastructure often crosses remote areas that are difficult to monitor. From a cybersecurity vantage, the scale and age of the system imply more entry points (e.g., devices, networks, and software systems).”
The North American Electric Reliability Corporation (NERC) estimates the U.S. grid is gaining about 60 new vulnerable points per day due to increasing grid digitalization, expanding distributed energy resources, new software deployment, and reliance on third-party vendors.
They also recognize that energy infrastructure is highly vulnerable to cyber intrusions due to its age, vast number of interlinked nodes, and increasing prevalence of connected, rather than air-gapped, operational technology (OT) systems. “In addition to being rife with inherent vulnerabilities, the energy sector is also considered a highly valuable target by nation-state cyber actors. While other U.S. sectors, including healthcare, finance, and telecommunications, have received most cumulative attacks over decades, a 2023 study found the energy sector experienced almost 40% of all cyberattacks across critical infrastructure sectors.”
Data from the European Repository of Cyber Incidents (EuRepoC), which tracks politically motivated cyber incidents (state-sponsored cyber operations, hacktivism linked to political causes, and cyberattacks tied to geopolitical conflict), shows that from 2010 to 2024, cyberattacks on the energy sector were second only to those on the telecommunications sector during periods of geopolitical (or ‘offline’) conflict.
The CSIS analysis identified that highly capable nation-state actors, including the PRC, Russia, and Iran, rightly perceive that infiltrating energy systems can cause significant disruption to the U.S., including in a future conflict; these three states together account for roughly two-thirds (39 of 62) of the attributed cyberattacks on the energy sector.
“Over the last several years, cyber activity linked to the PRC-affiliated actor Volt Typhoon has dominated U.S. government attention and cyber-related news headlines,” it added. “This sophisticated campaign, which some experts believe may never be fully rooted out of U.S. energy and other systems, demonstrates the PRC’s intent and willingness to pre-position and maintain a persistent presence to eventually disrupt U.S. critical infrastructure early in a conflict scenario. Indeed, of all observed cyberattacks targeting the energy sector recently, PRC state-sponsored actors, including Volt Typhoon, were responsible for most activity.”
Furthermore, Russia and Russian-aligned threat actors have also demonstrated a keen focus on targeting the grid in the United States, as well as in Ukraine and in Poland, the latter in a recent attempted cyberattack on a NATO member.
While experts debate whether its cyber capabilities will be decisive in the current Middle East conflict, Iran has long demonstrated intent and capability to target U.S. critical infrastructure. Iran has traditionally targeted strategic sectors linked to the U.S. and Israel, including the defense industrial base, financial services, water utilities, and transportation infrastructure, many of which rely on outdated control systems. U.S. energy utilities were also previously targeted as part of a broader cyber campaign during the height of the Israel-Gaza conflict in late 2023 and early 2024. Notably, Iran-linked cyber actors gained access to these systems through ‘public internet-connected industrial control systems.’
As the current conflict intensifies and the Iranian regime loses kinetic response options, the country could, by necessity, rely on disruptive cyberattacks like the early March attack on U.S. medical technology firm Stryker as part of its multidomain response to ongoing U.S.-Israeli airstrikes.
CSIS outlined that the U.S. has invested significant resources in energy sector cyber resilience in recent years, driven by a greater understanding of the threat environment and the sector’s inherent vulnerabilities, but cautioned that federal actions alone are insufficient to prevent all attacks on the sector.
The 2021 ransomware attack on Colonial Pipeline forced a five-day shutdown that disrupted roughly 45% of fuel supply to the U.S. East Coast, triggering price spikes, shortages, and a federal emergency response. While the company paid about $4.5 million in ransom, the broader economic fallout, including business disruption and supply chain impacts, ran into the hundreds of millions to billions of dollars.
CSIS also noted that NERC conducts the largest-scale grid security exercise (GridEx), exploring the impacts of coordinated cyber and physical attacks on the grid that result in a multi-week cascading crisis. Another exercise, from 2015, estimated that a concentrated attack on 50 generators in the northeastern U.S., out of approximately 700 generators across the region, would produce total impacts on the U.S. economy ranging from $250 billion to $1 trillion. Across these and other exercises, the biggest impacts arise from cascading failures and interdependent infrastructure, and recovery is slowed by supply chain limitations on replacements for physical infrastructure.
“Whether due to persistent operations by actors like the PRC or in the context of the ongoing conflict in Iran, U.S. energy infrastructure operators are increasingly subject to heightened cyber risks, and this trend is unlikely to reverse as geopolitical conflict intensifies,” Abrahams and Williams wrote in the analysis. “As noted above, studies show that the energy sector is experiencing increasing cyberattacks, and the sector is among the most-targeted in the United States. In recent weeks, government agencies like CISA have urged government and private sector entities alike to shore up their defenses, considering greater risk from Iran and Iran-affiliated cyber threat groups. Government adjacent groups (including information sharing and analysis centers) and cyber threat analysis industry groups have also made similar assessments.”
With over 80% of U.S. energy infrastructure owned by the private sector, close collaboration between public and private entities is necessary to identify and mitigate risks from the evolving threat environment. Additional consistent, mandatory cybersecurity requirements, such as the 2024 NERC/FERC standards, are essential to ensure the U.S. energy ecosystems as a whole are building in cybersecurity by design. Critical gaps that remain include technical assistance for small utilities and rural electric co-ops, comprehensive and timely data sharing, cybersecurity workforce capacity, and supply chain visibility into grid software and hardware components.
Last week, Check Point Research disclosed that it has been tracking an ongoing password-spraying campaign against Microsoft 365 environments across the Middle East, primarily in Israel and the UAE, conducted by an Iran-linked threat actor. Amid the ongoing conflict in the region, the attackers have been targeting the cloud environments of government entities, municipalities, energy-sector organizations, and private-sector companies. Activity associated with the same actor was also observed against a limited number of targets in Europe, the U.S., the U.K., and Saudi Arabia.
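Password spraying has a distinctive shape in sign-in telemetry: one source tries a small number of passwords against many accounts in a short window, staying below per-account lockout thresholds, whereas brute force hammers one account many times. The detection logic below is an added example written for this article, not code from Check Point Research, CSIS, or Microsoft. It runs over constructed records shaped like Entra ID / Microsoft 365 sign-in log fields; the field names (ts, user, ip, code), the result codes, the addresses, and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not from any real tenant). Field names and
# values are assumptions for this example. code 0 = success; 50126 = bad credentials.
SAMPLE_SIGNINS = [
    # Spray: one source IP, one guess per account, many accounts, seconds apart.
    {"ts": "2026-03-10T08:00:00Z", "user": "alice@example.gov", "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:04Z", "user": "bob@example.gov",   "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:09Z", "user": "carol@example.gov", "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:13Z", "user": "dave@example.gov",  "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:18Z", "user": "erin@example.gov",  "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:22Z", "user": "frank@example.gov", "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:27Z", "user": "grace@example.gov", "ip": "203.0.113.10", "code": 50126},
    {"ts": "2026-03-10T08:00:31Z", "user": "grace@example.gov", "ip": "203.0.113.10", "code": 0},
    # Brute force: a different IP, one account, six failures. Not a spray.
    {"ts": "2026-03-10T08:05:00Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    {"ts": "2026-03-10T08:05:02Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    {"ts": "2026-03-10T08:05:04Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    {"ts": "2026-03-10T08:05:06Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    {"ts": "2026-03-10T08:05:08Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    {"ts": "2026-03-10T08:05:10Z", "user": "heidi@example.gov", "ip": "198.51.100.7", "code": 50126},
    # Benign: a normal login and a user who mistyped a password once.
    {"ts": "2026-03-10T08:10:00Z", "user": "alice@example.gov", "ip": "192.0.2.44", "code": 0},
    {"ts": "2026-03-10T08:11:00Z", "user": "bob@example.gov",   "ip": "192.0.2.45", "code": 50126},
    {"ts": "2026-03-10T08:11:20Z", "user": "bob@example.gov",   "ip": "192.0.2.45", "code": 0},
]


def parse_ts(s):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_password_spray(records, window=timedelta(minutes=30),
                          min_distinct_users=5, max_attempts_per_user=3):
    """Return {ip: finding} for source IPs whose failed sign-ins within any single
    `window` touch at least `min_distinct_users` distinct accounts while staying at
    or below `max_attempts_per_user` failures per account. That combination is the
    'few guesses, many accounts' signature of a spray; brute force against one
    account fails the distinct-user test. Any success from a flagged IP at or after
    the spray began is reported as a likely compromised account."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((parse_ts(r["ts"]), r["user"], r["code"]))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        failures = [(t, u) for t, u, c in events if c != 0]
        best = None  # (window_start, distinct_users, failed_attempts) for the widest window
        for i, (start, _) in enumerate(failures):
            per_user = defaultdict(int)
            for t, u in failures[i:]:
                if t - start > window:
                    break
                per_user[u] += 1
            if (len(per_user) >= min_distinct_users
                    and max(per_user.values()) <= max_attempts_per_user):
                if best is None or len(per_user) > best[1]:
                    best = (start, len(per_user), sum(per_user.values()))
        if best is None:
            continue
        spray_start, distinct_users, attempts = best
        compromised = sorted({u for t, u, c in events if c == 0 and t >= spray_start})
        findings[ip] = {
            "spray_start": spray_start.isoformat(),
            "distinct_users": distinct_users,
            "failed_attempts": attempts,
            "compromised_accounts": compromised,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_password_spray(SAMPLE_SIGNINS).items():
        print(ip, finding)
```

On the sample data only 203.0.113.10 is flagged (seven accounts, one guess each, with the final success against grace@example.gov surfaced as a probable compromise); the brute-force source and the mistyped password are not. Keying on source IP is the simplest pivot, but real campaigns rotate through proxy or residential-IP pools to stay under per-IP thresholds, so in production the same logic should also be run grouped by ASN, user agent, or the application ID used for the sign-in, and the ‘compromised’ list should trigger a token revocation and MFA review rather than just an alert.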