Iran Cyber Threat Demands Reform of Counterproductive Cyber Regulations

While it is evident that the United States military is far more formidable than Iran’s, and that the Department of Defense possesses significantly more sophisticated cyber capabilities, that disparity does not extend to the cyber defenses of privately owned U.S. critical infrastructure when compared to nation-state attack methods — including those of Iran.

In fact, cyber operations may represent one of the few domains in which Iran could perceive relative parity — or potentially even advantage — against privately held U.S. infrastructure. As documented in the series of reports ISA published last month, virtually every privately owned critical infrastructure sector has already been compromised by nation-state cyberattacks. Iran specifically has a long history of using cyber means to attack US critical infrastructure.

In the face of an enhanced threat environment, US critical infrastructure remains hampered by an uncoordinated regulatory system that diverts vast amounts of the scarce cybersecurity resources.  Numerous studies have repeatedly documented that, depending on which sector is analyzed, 40-80% of scarce cybersecurity resources are being occupied by redundant regulatory mandates.

The fact that the existing regulatory structure undermines effective cybersecurity is no longer a matter of serious debate. Streamlining cyber regulation was Objective 1.1 of the Biden Administration’s National Cybersecurity Strategy.

Last spring, the Chairs of both the House Homeland Security Committee and the Oversight and Government Reform Committee wrote to OMB, instructing them to “act now” to eliminate duplicative cybersecurity regulations, concluding that “eliminating the duplicative framework of cybersecurity regulations is the fastest and most cost-effective way to materially improve our nation’s security.”

 

The real beauty of this reform is that it can be accomplished almost immediately. The Congressional letter cited above details explicitly that OMB has the authority to eliminate the duplicative structure of cyber regulations. Whereas in previous years it took an elongated process for lawyers in various agencies to debate which regulations were duplicative, we now have technology (actually multiple technologies) that can empirically and quickly identify where regulations – even across agencies – are duplicative, and OMB can establish a date certain to create a non-duplicative core regulation.

The blessing of speed is critical in a time of war. Although the initial strikes on Iran have no doubt disrupted their ability to respond kinetically against the US, Iran has a long history of using cyber means against the most vulnerable targets – privately owned critical infrastructure.

Because the US maintains overwhelming conventional military superiority, cyber operations offer Iran a comparatively low-cost, high-impact means of retaliation. Cyber operations allow Iran to impose disruption without triggering conventional escalation thresholds. U.S. interagency guidance has explicitly warned that Iranian-affiliated cyber actors may target U.S. critical infrastructure and other vulnerable U.S. networks (Cybersecurity and Infrastructure Security Agency [CISA] et al., 2025).

The Department of Homeland Security (DHS) issued a National Terrorism Advisory System (NTAS) Bulletin on June 22, 2025, stating that low-level cyberattacks by pro-Iranian hacktivists are likely and that Iranian government-affiliated actors may conduct attacks against U.S. networks (Department of Homeland Security [DHS], 2025). This bulletin places Iranian cyber activity within a broader retaliatory and geopolitical context.

The bulletin contained a joint CISA, FBI, NSA, and DC3 fact sheet warning of potential targeted cyber activity against U.S. critical infrastructure (CISA et al., 2025). The agencies documented that Iranian-affiliated actors routinely target poorly secured, internet-connected systems and commonly exploit:

The same advisory documents a campaign (November 2023–January 2024) in which IRGC-affiliated cyber actors targeted and compromised internet-connected programmable logic controllers (PLCs) and human-machine interfaces (HMIs), including victims within the United States (CISA et al., 2025). The advisory states that the actors exploited publicly accessible ICS devices using factory-default passwords or no passwords at all.

This is particularly significant because U.S. critical infrastructure is predominantly privately owned and frequently includes legacy or lightly managed OT systems. The documented exploitation pathway—public internet exposure plus default credentials—requires relatively modest technical sophistication compared to advanced zero-day exploitation.
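The two conditions the advisory names, public internet exposure and factory-default or missing credentials, can be checked directly against an asset inventory. The triage below is an added example, not code from ISA or the joint advisory; the inventory entries, the credential-state labels and the severity ranking are constructed assumptions.

```python
"""Triage OT assets against the exploitation pathway the joint advisory describes:
internet exposure combined with factory-default or absent credentials.
Added example with a constructed inventory; not from the original article."""
from dataclasses import dataclass

# Credential states as a configuration audit might record them (constructed labels).
NO_CREDENTIALS = "none"
FACTORY_DEFAULT = "factory_default"
CUSTOM = "custom"


@dataclass(frozen=True)
class OtAsset:
    name: str
    kind: str               # "plc" or "hmi"
    internet_exposed: bool  # reachable from the public internet
    credential_state: str   # NO_CREDENTIALS, FACTORY_DEFAULT or CUSTOM


def pathway_risk(asset: OtAsset) -> str:
    """Rank an asset by how closely it matches the documented pathway."""
    weak_creds = asset.credential_state in (NO_CREDENTIALS, FACTORY_DEFAULT)
    if asset.internet_exposed and weak_creds:
        return "critical"   # exactly the pathway: exposed plus default/no password
    if asset.internet_exposed:
        return "high"       # credentials changed, but exposure alone is still a gap
    if weak_creds:
        return "medium"     # not exposed today; weak credentials matter if that changes
    return "low"


def remediation(asset: OtAsset) -> list[str]:
    """Steps that close each condition; empty when neither applies."""
    steps = []
    if asset.internet_exposed:
        steps.append("remove from public internet; place behind VPN/firewall")
    if asset.credential_state != CUSTOM:
        steps.append("replace factory-default or missing credentials")
    return steps


def triage(assets) -> list[tuple[str, str, list[str]]]:
    """Findings ordered critical first, then by asset name."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    findings = [(pathway_risk(a), a.name, remediation(a)) for a in assets]
    return sorted(findings, key=lambda f: (order[f[0]], f[1]))


SAMPLE_INVENTORY = [  # constructed sample, not real devices
    OtAsset("pump-plc-01", "plc", True, FACTORY_DEFAULT),
    OtAsset("water-hmi-02", "hmi", True, CUSTOM),
    OtAsset("boiler-plc-03", "plc", False, NO_CREDENTIALS),
    OtAsset("valve-plc-04", "plc", False, CUSTOM),
]
```

Running `triage(SAMPLE_INVENTORY)` puts the exposed, default-credential PLC at the top of the list, which is the ordering a remediation plan for this pathway should follow.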

These are just some of the attack methods Iran has already used against US critical infrastructure – and that was before we went to war against them.

We have endured massive losses in the trillions of dollars from cyber attacks while we hamstrung ourselves with an ill-conceived regulatory structure. Now that we are at war with a cyber-sophisticated and extremely dangerous and desperate foe, we need to finally allow our cyber defenses to operate efficiently and effectively by simply eliminating the duplications.