26 March 2026

The Law Of War - Critical Infrastructure Cyber Threats

Baker Botts LLP

Matthew R. Baker

Threat Landscape

When the United States and Israel launched coordinated strikes against Iran on February 28, 2026, the cyber dimension of the conflict activated within hours. What followed was not a centralized Iranian state response, but a swarm of private or pseudo-private attacks. More than sixty Iranian-aligned cyber groups began targeting U.S. and allied critical infrastructure—deploying denial-of-service attacks, reconnaissance against industrial systems, destructive malware, and credential-harvesting campaigns. Three factors distinguish this threat environment from others. First, AI-assisted reconnaissance tools have lowered the technical barriers to targeting industrial control systems. Second, pro-Russian hacktivist groups have aligned with Iranian-linked actors, pooling their resources and capabilities. Third, Iranian state-affiliated hackers had already established footholds inside U.S. company networks—including financial institutions, transportation hubs, and defense contractors—weeks before the airstrikes began.

In response to the February 28 strikes, Iran-linked cyber activity and threats against the U.S. and its allies span a wide range of critical infrastructure sectors, including:

  • Water and Energy: Iranian-aligned groups have already claimed compromises of industrial control systems in Israel. The Cybersecurity & Infrastructure Security Agency (CISA) has previously documented and warned of the specific techniques Iranian actors use against U.S. water and wastewater infrastructure, methods that are readily transferable to U.S. energy and pipeline infrastructure.
  • Healthcare: Iranian hacktivist groups have likewise claimed responsibility for attacks on major medical device manufacturers, with reported disruptions to global operations. Notably, some of these groups traditionally focus on data destruction rather than ransom, limiting recovery options.
  • Financial Services: Fitch Ratings issued an advisory warning that the conflict elevates cyber risk for public finance issuers and critical infrastructure providers.

Legal Obligations

In the event of an Iran-linked cyberattack, critical infrastructure operators face a fragmented reporting landscape with overlapping, and sometimes conflicting, obligations. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) will eventually require covered entities (i.e., entities within broadly-defined critical infrastructure verticals) to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. In the interim, U.S. federal sector-specific obligations remain in full force, with sometimes significantly faster timelines. For example:

  • TSA-regulated pipelines must report cyber incidents within 12 hours.
  • Banks and financial institutions must report cyber incidents within 36 hours.
  • Electric utilities, distributors, and generators face NERC reliability standards and must promptly report attempts to compromise network security perimeters (a threshold even Iranian reconnaissance activity could trigger).
  • Public companies must disclose material cyber incidents to the SEC and investors via Form 8-K within four business days of determining materiality.

As noted, CIRCIA’s final implementing rule has not yet been issued, and CISA has moreover acknowledged that appropriations lapses may further delay implementation. Adding to the challenge, CISA is operating at reduced capacity, reportedly staffed at approximately 38 percent, with few recent updates to its guidance. When determining which reasonable security measures to implement around critical infrastructure, CISA’s Shields Up framework remains the baseline defensive standard, and adherence may be treated as a measure of reasonableness in post-attack proceedings. Beyond notice obligations and security controls, organizations should also be mindful of related litigation, enforcement, and operational disruption risks that may arise from cyber incidents. Operationally, companies should also leverage industry information-sharing organizations, commercial cybersecurity experts, and internal cybersecurity expertise.

How to Prepare

Harden Security Defenses

  • Audit all internet-facing or connected industrial control systems, disable unnecessary remote access, and change default credentials on control devices. Treat CISA’s Known Exploited Vulnerabilities catalog as the minimum patching baseline.
  • Validate incident response plans with tabletop exercises that model destructive malware scenarios where recovery, not decryption, is the objective. Ensure at least one copy of critical data is stored securely for backup and disaster recovery purposes, such as offline, encrypted, and disconnected from networks.
  • Given Iranian actors’ documented pattern of supply chain targeting, third-party access to operational technology systems should be reviewed, segmented, and contractually aligned with reporting timelines immediately.
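The first bullet above treats CISA's Known Exploited Vulnerabilities (KEV) catalog as the patching floor and asks for an audit of internet-facing control systems. The script below is an added illustration of how an operator can reconcile an asset inventory against the KEV feed and rank what to patch first; it is not code from this article or from Baker Botts. The record fields (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) follow the public KEV JSON feed schema, but the CVE identifiers, the asset inventory and the internet_facing/ics asset attributes are constructed placeholders for the example.

```python
"""Rank unpatched KEV findings across an asset inventory.

Added example (not the article's or the firm's code). The KEV feed is
normally fetched as JSON from CISA; here a constructed stand-in with
placeholder CVE ids is embedded so the script runs offline.
"""
from datetime import date

# Constructed stand-in for the KEV feed's "vulnerabilities" array.
KEV_FEED = {
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "ExamplePLC",
         "product": "Controller Firmware", "dateAdded": "2026-02-10",
         "dueDate": "2026-03-03", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVPN",
         "product": "Gateway", "dateAdded": "2026-03-01",
         "dueDate": "2026-03-22", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-0003", "vendorProject": "ExampleHMI",
         "product": "Panel Software", "dateAdded": "2026-03-20",
         "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Constructed asset inventory. "unpatched" lists KEV entries a scanner or
# vendor advisory says the asset has not yet remediated; "internet_facing"
# and "ics" are assumed attributes an audit would populate.
INVENTORY = [
    {"asset": "plc-pump-01", "internet_facing": True, "ics": True,
     "unpatched": ["CVE-0000-0001"]},
    {"asset": "vpn-edge-01", "internet_facing": True, "ics": False,
     "unpatched": ["CVE-0000-0002"]},
    {"asset": "hmi-ws-07", "internet_facing": False, "ics": True,
     "unpatched": ["CVE-0000-0003"]},
    {"asset": "hist-db-01", "internet_facing": False, "ics": True,
     "unpatched": []},
]


def index_kev(feed):
    """Map cveID -> KEV record so each inventory lookup is a dict hit."""
    return {rec["cveID"]: rec for rec in feed["vulnerabilities"]}


def priority(asset, record, overdue):
    """Score a finding; a higher score means patch sooner.

    Weights are this example's choice: past the KEV due date dominates,
    then internet exposure, then control-system impact, then known
    ransomware use of the CVE.
    """
    score = 0
    if overdue:
        score += 100
    if asset["internet_facing"]:
        score += 50
    if asset["ics"]:
        score += 30
    if record["knownRansomwareCampaignUse"] == "Known":
        score += 20
    return score


def reconcile(inventory, feed, today):
    """Return KEV findings for the inventory, highest priority first."""
    kev = index_kev(feed)
    findings = []
    for asset in inventory:
        for cve in asset["unpatched"]:
            rec = kev.get(cve)
            if rec is None:
                continue  # unpatched but not in KEV: normal patch cycle applies
            due = date.fromisoformat(rec["dueDate"])
            overdue = due < today
            findings.append({
                "asset": asset["asset"],
                "cveID": cve,
                "dueDate": rec["dueDate"],
                "days_to_due": (due - today).days,
                "overdue": overdue,
                "score": priority(asset, rec, overdue),
            })
    # Highest score first; ties broken by the earlier KEV due date.
    findings.sort(key=lambda f: (-f["score"], f["dueDate"]))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, KEV_FEED, date(2026, 3, 26)):
        flag = "OVERDUE" if f["overdue"] else f"{f['days_to_due']}d left"
        print(f"{f['score']:4d}  {f['asset']:<12} {f['cveID']}  due {f['dueDate']}  {flag}")
```

Run against the real feed, the "unpatched" lists would come from a vulnerability scanner or vendor advisories and the asset attributes from the audit the bullet calls for; the point of the ranking is that an internet-facing control device past its KEV due date surfaces at the top regardless of how many lower-risk findings exist.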

Prepare to Report

  • Map your overlapping reporting timelines, and build a decision tree identifying which triggers activate which obligations.
  • Update incident response plans to specifically address Iranian cyber threat scenarios, and incorporate these risks into enterprise risk matrices. Ensure decision-making protocols clearly identify who determines that a “substantial cyber incident,” “material event,” or “Reportable Cyber Security Incident” has occurred, as these determinations involve legal, technical, and business judgment.

Engage Leadership

  • Boards should receive immediate briefings, as cyber preparedness is both a governance and an operational responsibility.
  • Outside counsel should conduct risk assessments under privilege.

The disruption of Iran’s command structure and internet connectivity has not eliminated the cyber threat. It has dispersed the threat across dozens of hacktivist groups, autonomous state-affiliated hackers, and Russian collaborators. For critical infrastructure operators, the imperative is clear—know your reporting obligations, harden your defenses, and ensure all relevant team members are prepared if necessary.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

