
Iran Cyber Campaign Targets Critical Infrastructure’s Weakest Links


Recent guidance to secure certain critical infrastructure assets turns attention to gaps in OT systems and cloud-connected environments.

Photo Credit: pixadot.studio/Shutterstock.com

Operation Epic Fury is reshaping U.S. cyber defense strategy, as Iran shifts from traditional espionage to more disruptive attacks targeting the enabling layers of critical infrastructure.

Earlier this month, the Cybersecurity and Infrastructure Security Agency (CISA) warned that Iranian-affiliated advanced persistent threat (APT) actors are actively exploiting internet-facing programmable logic controllers (PLCs) across the water, energy and government sectors.

“Activity has led to PLC disruptions across several U.S. critical infrastructure sectors through malicious interactions with the project file and manipulation of data on human machine interface (HMI) and supervisory control and data acquisition (SCADA) displays, resulting in operational disruption and financial loss,” the warning reads.

Knox Systems CISO and former Department of Homeland Security CISO Hemant Baidwan told GovCIO Media & Research that this evolution represents a more dangerous, distributed approach to targeting industrial assets.

“From my perspective, the Iranian cyber threat has become more opportunistic, more distributed and more willing to target the broader ecosystem that supports government and critical infrastructure and not just federal agencies directly,” Baidwan said.

That “broader ecosystem” includes cloud providers, SaaS platforms and contractors that underpin essential services. By targeting these third-party links, adversaries can bypass heavily fortified federal endpoints and reach operational technology environments, he added.

“When cloud providers, SaaS platforms, contractors and infrastructure operators are all part of the mission stack, adversaries do not need to hit the federal endpoint first, they can target the enabling layer around it,” Baidwan said.

The Purdue Model and OT

The current advisory concerns the structural integrity of Industrial Control Systems (ICS), which are traditionally organized according to the Purdue Model. Developed in the 1990s, the framework divides industrial environments into levels, from physical sensors (Level 0) and controllers (Level 1) up to enterprise IT (Level 4), with strict network segmentation between them. Historically, this served as an "air gap" strategy, ensuring that a breach of a corporate email system could not reach critical machinery.

The rise of the industrial internet of things has blurred these lines. Many modern PLCs, like those targeted by Iran, now communicate directly with the cloud for remote management, effectively jumping across traditional boundaries. The Iranian campaign exploits this convergence, exposing Level 1 devices to the open internet and weakening the “defense-in-depth” model.
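The segmentation failure described above can be checked mechanically. The following is an added illustrative example, not code from the article or any vendor: it models the Purdue levels as an ordered list of zones and flags observed flows that expose control-layer zones to the internet, carry industrial protocols past the DMZ, or skip a level. The zone names, the "adjacent levels only" rule and the sample flows are constructed assumptions for this demonstration.

```python
"""Purdue-model segmentation check over a list of observed network flows.

Added illustrative example; zone names, sample flows and the strict
"neighbouring levels only" rule are constructed assumptions, not the
article's or any product's policy.
"""
from dataclasses import dataclass

# Purdue levels in order, with the OT/IT DMZ (Level 3.5) and the internet
# as the outermost zone. Strict segmentation only allows traffic between
# neighbouring entries of this list.
ZONES = ["process", "control", "supervisory", "operations",
         "dmz", "enterprise", "internet"]
RANK = {zone: i for i, zone in enumerate(ZONES)}

# Industrial protocols that should never be spoken across the DMZ or beyond.
INDUSTRIAL_PROTOCOLS = {"modbus", "s7comm", "ethernet/ip", "dnp3"}


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str


def check_flow(flow):
    """Return a violation reason for one flow, or None if it is acceptable."""
    lo, hi = sorted((RANK[flow.src_zone], RANK[flow.dst_zone]))
    inner, outer = ZONES[lo], ZONES[hi]
    if outer == "internet" and lo <= RANK["supervisory"]:
        return f"internet-exposed OT: '{inner}' zone reachable from the internet"
    if flow.proto in INDUSTRIAL_PROTOCOLS and hi >= RANK["dmz"]:
        return f"industrial protocol {flow.proto} crosses into '{outer}'"
    if hi - lo > 1:
        return f"level skip: '{inner}' <-> '{outer}' bypasses intermediate zones"
    return None


def audit(flows):
    """Return [(flow, reason)] for every flow that violates segmentation."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]


# Constructed sample: a normal flow, a PLC talking straight to the cloud,
# an enterprise host reaching an HMI without passing through the DMZ,
# a legitimate DMZ-to-enterprise flow, and Modbus leaking into the DMZ.
SAMPLE_FLOWS = [
    Flow("control", "supervisory", "modbus"),
    Flow("control", "internet", "https"),
    Flow("enterprise", "supervisory", "https"),
    Flow("dmz", "enterprise", "https"),
    Flow("operations", "dmz", "modbus"),
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"{flow.src_zone} -> {flow.dst_zone} ({flow.proto}): {reason}")
```

Real deployments would feed this from firewall rule exports or flow records and treat the zone map as the site's own asset inventory.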

Scott Orton, CEO of Owl Cyber Defense, said that traditional security measures often focus on the wrong layer of this OT architecture.

“Generally speaking, we would say that they’re securing the connectivity of the network, and we are securing the data that’s traversing the network,” Orton said.

He added that defenders must be able to inspect the raw data moving between controllers and sensors to strip out hidden threats.

“Usually there’s cryptography, and in many cases, there are firewalls and all these other things that are used in addition to cross domain-type solutions or to guards,” he added. “A lot of their services are third-party services that provide those services as a SaaS model, or some other kind of model, where they’re across a wire.”

From Compliance to Mission Readiness

Armis Director of DOD Business Strategy Joe Wingo, a retired Air Force Cyber Operations Officer, said that the government’s approach to OT must prioritize mission readiness over bureaucratic compliance. He said that the framework for evaluating risk in industrial environments needs to adapt to the speed of modern innovation.

“[Agencies need] to be less about compliance and more about mission effectiveness,” Wingo told GovCIO Media & Research.

He added that the War Department is shifting its internal culture to recognize that OT risk cannot be eliminated, only managed.

“The Pentagon has really emphasized [risk management] back to [former acting DOW CIO] Katie Arrington and that notion of risk management. All those frameworks have to be reevaluated to accept different levels of risk in different ways,” Wingo said.

Workforce Strain and the Shift to Proactive Defense

As disruptive OT attacks and “hack-and-leak” campaigns increase, the strain on the cybersecurity workforce is becoming a secondary risk, Baidwan said. A reactive posture is no longer sustainable.

“In practical terms, that means moving from a reactive posture, where tools arrive after the threat has evolved, to a proactive one where capabilities can be fielded while the threat is still active and adapting,” Baidwan said.

He added that government and critical infrastructure organizations must rethink their operational rhythm for OT environments.

“The organizations that handle this best are the ones that automate routine work, focus analysts on the highest-risk issues and rehearse decision-making before incidents escalate,” he said. “My advice to CISOs is to protect the team the same way they protect the network: reduce unnecessary exposure, prioritize what matters most and build resilience before a crisis hits.”
