24 April 2026

Iran Conflict Spurs CISA Warning For US Critical Infrastructure

Akin Gump Strauss Hauer & Feld LLP

By Natasha G. Kohne

The Cybersecurity and Infrastructure Security Agency (CISA), together with other federal partners, issued a joint advisory on April 7, 2026 warning of ongoing Iranian‑affiliated cyber activity targeting U.S. critical infrastructure, including the energy, water, healthcare and manufacturing sectors. The advisory focuses on vulnerabilities associated with internet-facing operational technology (OT) devices, including programmable logic controllers (PLCs) manufactured by Rockwell Automation/Allen-Bradley, and alerts organizations to potential risks associated with operating these devices. The advisory warns specifically of insecure remote access pathways, credential compromise and limited visibility into legacy or hybrid environments. It directs critical infrastructure operators to mitigate these risks by limiting access to PLCs from the internet, reviewing available logs for suspicious traffic based on the indicators of compromise provided in the advisory and hardening the affected PLCs.

Notably, the advisory reflects the federal government’s assessment that these vulnerabilities are not hypothetical. They are being actively probed and, in some cases, exploited. Accordingly, the advisory recommends that organizations “review the tactics, techniques and procedures and indicators of compromise in this advisory for indications of current or historical activity on their networks and apply the recommendations in this advisory to reduce the risk of compromise.”
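The log review that the two paragraphs above describe, limiting internet reachability of PLCs and checking available logs against the advisory's indicators, can be reduced to a small script. The following is an added example and is not code from the article, from Akin, or from the CISA advisory. It assumes a constructed space-separated connection-log format, a placeholder indicator list (the real indicators are in the advisory), and an assumed trusted OT subnet of 10.20.0.0/16. TCP 44818 and UDP 2222 are the well-known EtherNet/IP ports used by Rockwell Automation/Allen-Bradley PLCs.

```python
"""Review connection logs for PLC-port traffic from untrusted sources and IoC hits.

Added example; not code from the article, Akin, or the CISA advisory. It
assumes a constructed log format and a placeholder IoC list (the real
indicators are published in the advisory). EtherNet/IP, used by Rockwell
Automation/Allen-Bradley PLCs, listens on TCP 44818 and UDP 2222.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Well-known EtherNet/IP ports; reaching them from outside the OT network is
# the exposure the advisory tells operators to close.
PLC_PORTS = {44818, 2222}

# Assumed: the only subnet that should ever talk to PLCs (engineering/OT zone).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Placeholder indicator list, constructed for this example. Replace with the
# advisory's published indicators before a real review.
IOC_SOURCES = {"203.0.113.45"}

REASON_IOC = "ioc-match"
REASON_EXPOSED = "plc-port-from-untrusted-source"


@dataclass
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    allowed: bool
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed record: '<ts> <src> <dst> <proto> <dport> <ALLOW|DENY>'.

    Returns None for lines that do not fit the format so one malformed line
    never aborts the whole review.
    """
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, action = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "allowed": action.upper() == "ALLOW",
        }
    except ValueError:
        return None


def is_trusted(addr) -> bool:
    """True when the address sits inside an assumed trusted OT subnet."""
    return any(addr in net for net in TRUSTED_NETS)


def review_logs(lines: List[str]) -> List[Finding]:
    """Flag IoC matches first, then any untrusted source reaching a PLC port.

    A denied connection is still reported: a blocked probe from outside the
    OT network is evidence of scanning and belongs in the incident record.
    """
    findings: List[Finding] = []
    for n, line in enumerate(lines, start=1):
        rec = parse_line(line)
        if rec is None:
            continue
        src = str(rec["src"])
        if src in IOC_SOURCES:
            reason = REASON_IOC
        elif rec["dport"] in PLC_PORTS and not is_trusted(rec["src"]):
            reason = REASON_EXPOSED
        else:
            continue
        findings.append(Finding(n, src, str(rec["dst"]), rec["dport"], rec["allowed"], reason))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings by reason, for the documented review record."""
    return Counter(f.reason for f in findings)


# Constructed sample records (RFC 5737 documentation addresses for the
# untrusted sources); not real traffic.
SAMPLE_LOG = [
    "2026-04-08T02:14:05Z 10.20.5.17 10.20.1.10 tcp 44818 ALLOW",    # engineering host, expected
    "2026-04-08T02:15:33Z 198.51.100.7 10.20.1.10 tcp 44818 ALLOW",  # untrusted source reached a PLC
    "2026-04-08T02:16:01Z 203.0.113.45 10.20.1.11 udp 2222 DENY",    # blocked probe from a listed indicator
    "2026-04-08T02:17:44Z 198.51.100.7 10.20.1.12 tcp 443 ALLOW",    # not a PLC port, out of scope here
    "malformed record, skipped",
]

if __name__ == "__main__":
    results = review_logs(SAMPLE_LOG)
    for f in results:
        state = "ALLOWED" if f.allowed else "denied"
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport} {state} [{f.reason}]")
    print(dict(summarize(results)))
```

Two design choices matter for the documentation point the article makes later: denied connections are reported as well as allowed ones, so the record shows what was probed and when, and the indicator and trusted-subnet lists are kept as plain data so the reviewer can state exactly which version of the advisory's indicators the review used.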

What Organizations Can Learn from the Advisory

Recent incidents affecting critical systems—such as the Stryker cyberattack, attributed to an Iran-linked actor—demonstrate that cyber activity can cause significant real‑world disruption and safety impacts even in the absence of data theft. The advisory attributes the current disruption of PLC operations across multiple U.S. critical infrastructure sectors to a similar Iranian-linked APT group. Some impacted organizations reported operational disruptions and financial losses as a result of these activities, which could lead to increased interest in these techniques among criminal threat actors.

PLCs, and OT systems in general, are purpose-built and do not have the same capabilities as IT systems. As a result, patching, upgrading and hardening OT systems take more planning, including fallback planning and change control, than standard IT systems. A robust detection and monitoring program that includes basic log review for the indicators of compromise in the advisory, together with OT-specific monitoring, especially after a high-profile advisory, may help companies demonstrate a reasonable response and best-practice protocols aligned with the advisory’s recommendations.

While the advisory does not create new legal obligations, it may guide how regulators and auditors evaluate whether an organization appropriately prioritized known risks and refreshed its assumptions in light of evolving threat conditions. Timing, escalation and documentation of decisions may be as important as the technical controls ultimately selected. Organizations operating in both the energy and water sectors should therefore avoid assuming that a single compliance approach will satisfy sector‑specific expectations. For many energy‑sector entities—particularly owners and operators of Bulk Electric System (BES) assets—the most significant regulatory exposure following a cybersecurity incident is likely to arise under the North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) standards, overseen by the Federal Energy Regulatory Commission (FERC). Unlike general cybersecurity guidance, including that offered in the advisory, these standards are mandatory, routinely audited and enforced through penalties and remediation requirements.

The types of vulnerabilities highlighted in the CISA advisory—such as insecure remote access, system misconfiguration, limited OT visibility and vendor access pathways—closely align with areas already addressed by CIP requirements governing system security management, electronic security perimeters, incident response planning, configuration and vulnerability management and supply‑chain risk oversight. As a result, the recommendations contained in the advisory may inform what are considered compliant regulatory practices under the CIP standards.

In contrast, EPA cybersecurity expectations for the water sector historically have taken the form of guidance, technical assistance and risk-and-resilience planning rather than prescriptive, ongoing compliance audits. However, recent joint EPA–CISA advisories and public statements signal increasing federal attention to cybersecurity risks affecting water safety and continuity of service. As a result, water and wastewater utilities may face growing scrutiny regarding whether cybersecurity risks are appropriately identified, assessed and reflected in required risk-and-resilience assessments.

Potential Next Steps for Consideration by Critical Infrastructure

In light of the advisory, critical infrastructure organizations may reasonably consider:

  • Rapidly distributing the alert to affected stakeholders, identifying potentially affected devices and, if necessary, conducting timely internal investigations under attorney-client privilege to identify vulnerabilities and develop mitigation plans.
  • Reviewing the current System Security Plan for operational technology (OT)/industrial control systems (ICS) to evaluate containment and recovery assumptions, especially for scenarios involving OT/ICS disruption rather than data loss alone.
  • Evaluating the organization’s governance processes for managing risk associated with OT/ICS and information technology, including roles and responsibilities, appropriate policies and procedures, segmentation of OT assets into zones and establishing boundaries to prevent threats from IT systems from directly accessing control processes.
  • Testing the security program and controls against the threat behaviors described in the advisory.
  • Implementing resiliency procedures or utilizing established downtime windows to manage patching and hardening of PLCs in a manner that minimizes disruption.
  • Identifying potential security and reporting requirements based on current standards, contractual obligations and internal controls.

