On February 28, 2026, the United States and Israel launched joint military strikes against Iran. Within hours, Iran retaliated with missile strikes on US military installations across the Persian Gulf and ordered full closure of the Strait of Hormuz. Concurrently, Israel executed what analysts are calling the largest state-sponsored cyberattack in history — reducing Iran’s internet connectivity to four percent of normal traffic and disabling military command-and-control systems across the country.
The kinetic conflict is dominating headlines. But for US enterprises operating critical infrastructure, the more immediate threat is what comes next: Iranian cyber retaliation against domestic targets.
CISA, the FBI, US Cyber Command’s DC3, and the NSA have issued a joint advisory warning that Iranian-affiliated cyber actors are expected to target US critical infrastructure in response to the strikes. If your organization runs regulated workloads, manages sensitive data, or operates in a sector Iran has historically targeted, this is not hypothetical. It is a planning assumption.
The Threat Is Not New — But the Urgency Is
Iranian cyber operations against US infrastructure are well-documented. What has changed is the intensity. Active military conflict between the US and Iran creates a direct incentive for asymmetric retaliation — and cyber operations are Iran’s lowest-cost, highest-impact option for striking the US homeland without triggering conventional military escalation.
Known Threat Groups
CyberAv3ngers, an IRGC-affiliated group, has a documented history of targeting US water and energy infrastructure. In 2023, they breached water utilities in Pennsylvania and Texas by exploiting internet-connected programmable logic controllers (PLCs). Their tooling and tactics are designed for operational technology (OT) and industrial control systems (ICS) — the systems that manage physical processes like water treatment, power generation, and manufacturing.
Other Iranian APT groups have targeted the defense industrial base, healthcare systems, financial institutions, and telecommunications providers. The joint CISA advisory specifically warns organizations in these sectors to assume elevated risk.
Expected Attack Vectors
Based on the CISA advisory and historical Iranian APT behavior, the primary vectors to watch are:
- Network edge device exploitation — Firewalls, VPN concentrators, SD-WAN appliances, and load balancers remain the preferred initial access point. CISA Emergency Directive 26-03 (issued February 25) specifically mandates federal agencies patch Cisco SD-WAN systems due to active exploitation.
- Brute force credential attacks — Password spraying against externally facing authentication endpoints, especially those without MFA enforcement.
- OT/ICS targeting — Exploitation of internet-connected industrial control systems, particularly in water, energy, and manufacturing sectors.
- Ransomware enablement — Iranian APTs have historically partnered with ransomware operators, providing initial access in exchange for a share of the ransom. Expect this to accelerate.
- DDoS campaigns — Volumetric attacks against public-facing services, often used as a smokescreen for more targeted intrusion activity.
What You Should Be Doing Right Now
The CISA advisory is not a suggestion. If your organization manages infrastructure that could be a target, here is the minimum you should be executing today.
1. Audit Your Network Edge
Every internet-facing device in your environment — firewalls, VPN appliances, SD-WAN controllers, remote access gateways — needs to be inventoried and patched. Iranian APTs do not break through the front door. They walk through the side door that was left open six months ago when a firmware update was deferred.
If you have not applied the patches referenced in CISA Emergency Directive 26-03, do that first.
2. Enforce MFA Everywhere
Password spraying works because organizations still have externally facing services protected by passwords alone. Every externally accessible authentication endpoint — VPN, email, cloud dashboards, admin panels — must require multi-factor authentication. TOTP is the minimum. Hardware security keys (WebAuthn/FIDO2) are better.
3. Disconnect OT from the Internet
If your programmable logic controllers, SCADA systems, or building management systems are directly accessible from the internet, disconnect them today. CyberAv3ngers specifically targets internet-exposed OT devices. Air-gap your OT network or, at minimum, segment it behind a firewall with strict allow-list rules and no default outbound access.
4. Review Audit Logs
Iranian APTs often maintain persistent access for weeks or months before activating. If your organization is in a targeted sector, review authentication logs for anomalous patterns — failed login bursts, logins from unexpected geographies, credential use outside of normal business hours. If you do not have centralized logging with retention, you are already behind.
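As an added example (not code from the original post), the script below runs the three checks the paragraph names over a constructed set of authentication log lines: failed-login bursts per source IP (many distinct users from one address is the password-spraying shape), successful logins from countries outside an expected set, and successful logins outside business hours. The log format, the five-minute window and ten-failure threshold, the 08:00-18:00 UTC window and the expected-country list are all assumptions made for the example.

```python
# Added example (not code from the original post): triage of constructed
# authentication log lines for failed-login bursts, logins from unexpected
# geographies, and credential use outside business hours. Log format,
# thresholds, business-hours window and expected countries are assumptions.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log (not real data). Assumed format per line:
# <ISO-8601 UTC timestamp> <user> <source IP> <country> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2026-03-01T02:14:05Z alice 203.0.113.7 US SUCCESS
2026-03-01T09:00:01Z bob 198.51.100.22 US FAILURE
2026-03-01T09:00:03Z carol 198.51.100.22 US FAILURE
2026-03-01T09:00:05Z dave 198.51.100.22 US FAILURE
2026-03-01T09:00:07Z erin 198.51.100.22 US FAILURE
2026-03-01T09:00:09Z frank 198.51.100.22 US FAILURE
2026-03-01T09:00:11Z grace 198.51.100.22 US FAILURE
2026-03-01T09:00:13Z heidi 198.51.100.22 US FAILURE
2026-03-01T09:00:15Z ivan 198.51.100.22 US FAILURE
2026-03-01T09:00:17Z judy 198.51.100.22 US FAILURE
2026-03-01T09:00:19Z mallory 198.51.100.22 US FAILURE
2026-03-01T10:30:00Z bob 203.0.113.9 US SUCCESS
2026-03-01T11:45:12Z carol 192.0.2.44 BR SUCCESS
2026-03-01T14:02:30Z dave 203.0.113.7 US FAILURE
2026-03-01T14:02:31Z dave 203.0.113.7 US SUCCESS
"""


def parse_log(text):
    """Turn the raw lines into event dicts with an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "country": country, "result": result,
        })
    return events


def failed_login_bursts(events, window=timedelta(minutes=5), threshold=10):
    """Sliding window over FAILURE events per source IP. Many distinct users
    with one failure each from a single IP is the password-spraying shape;
    one user with many failures is classic brute force. One alert per IP."""
    by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAILURE":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        win = deque()
        for e in fails:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            if len(win) >= threshold:
                alerts.append({
                    "ip": ip, "count": len(win),
                    "distinct_users": len({w["user"] for w in win}),
                    "start": win[0]["ts"], "end": e["ts"],
                })
                break
    return alerts


def unexpected_geographies(events, expected=frozenset({"US"})):
    """Successful logins from a country outside the expected set."""
    return [e for e in events
            if e["result"] == "SUCCESS" and e["country"] not in expected]


def off_hours_logins(events, start_hour=8, end_hour=18):
    """Successful logins outside the assumed 08:00-18:00 UTC business window."""
    return [e for e in events
            if e["result"] == "SUCCESS" and not start_hour <= e["ts"].hour < end_hour]


def triage(text):
    """Run all three checks and return a compact summary for the reviewer."""
    events = parse_log(text)
    return {
        "bursts": [(a["ip"], a["count"], a["distinct_users"]) for a in failed_login_bursts(events)],
        "unexpected_geo": [(e["user"], e["ip"], e["country"]) for e in unexpected_geographies(events)],
        "off_hours": [(e["user"], e["ts"].isoformat()) for e in off_hours_logins(events)],
    }


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_LOG).items():
        print(key, hits)
```

On the constructed sample the burst check fires once, for 198.51.100.22 (ten failures across ten distinct users in eighteen seconds), while the single failure from 203.0.113.7 stays below threshold; the geography check returns carol's login from BR and the off-hours check returns alice's 02:14 UTC login. The same three functions run unchanged over a real export once the parser is adapted to the log format in use.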
5. Validate Your Incident Response Plan
When — not if — an incident occurs, the quality of your response determines whether it is a contained event or an organizational crisis. Confirm your IR contacts are current, your communication channels work if primary systems are compromised, and your team knows who makes decisions during an active incident.
How Infrastructure Choices Affect Your Risk Posture
The CISA advisory focuses on what organizations should do. But there is an upstream question that does not get enough attention: does your infrastructure make these problems harder or easier to solve?
Most enterprises inherit risk from their cloud provider’s architecture. Global control planes, multinational operations, shared infrastructure, and opaque security practices create a blast radius that extends well beyond any single customer. When a nation-state actor targets a hyperscaler region, every tenant in that region is in scope.
At Open Edge, we build for a different threat model. Our infrastructure is designed so that the security controls CISA recommends are not add-ons you bolt on after a threat advisory — they are how the platform works by default.
FIPS 140-3 Validated Encryption
All data at rest on Open Edge infrastructure is encrypted using AES-256. Our cryptographic modules are FIPS 140-3 validated (CMVP Certificate #5115) running on Ubuntu 24.04 LTS with OpenSSL 3.x. All data in transit is encrypted using TLS 1.2 or higher. Encryption keys are generated and managed within the same US data centers where your data resides — no global key replication, no cross-border key escrow.
Multi-Factor Authentication by Default
Open Edge supports TOTP and WebAuthn (hardware security keys) for all user accounts. MFA can be enforced at the organization level as a policy — not a per-user opt-in. Federation via SAML 2.0 or OIDC means you can extend your existing identity provider (Active Directory, Okta, Entra ID) to your cloud infrastructure, applying the same MFA policies you already enforce internally.
Role-Based Access Control
Six predefined roles — org-admin, project-admin, member, reader, security, and auditor — enforce least-privilege access at the API layer. Unauthorized API calls return 403, not a warning. Project isolation means resources in one project are invisible to users scoped to another. An auditor role provides read-only visibility across the entire organization without the ability to modify anything.
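The decision logic such a role model implies, written out as an added example rather than Open Edge's implementation: every request is denied unless the principal's role explicitly grants the action, a project outside the principal's scope is treated as invisible, and the two read-only roles are blocked from any mutating action even if a permission set were mis-edited. The six role names come from the text; the permission sets, action names, status codes and scoping rules are assumptions.

```python
# Added example (not Open Edge's implementation): a deny-by-default
# authorization check using the six role names from the text. The permission
# sets, action names, project-scoping rules and status codes are assumptions.
from dataclasses import dataclass

# Assumed permission sets. An action is "<resource>:<verb>"; "*" is everything.
ROLE_PERMISSIONS = {
    "org-admin": {"*"},
    "project-admin": {"project:read", "project:write", "vm:read", "vm:write",
                      "firewall:read", "firewall:write"},
    "member": {"project:read", "vm:read", "vm:write"},
    "reader": {"project:read", "vm:read", "firewall:read"},
    "security": {"project:read", "firewall:read", "firewall:write", "audit:read"},
    "auditor": {"project:read", "vm:read", "firewall:read", "audit:read"},
}
ORG_WIDE_ROLES = {"org-admin", "auditor"}   # see every project in the org
READ_ONLY_ROLES = {"reader", "auditor"}     # may never mutate anything


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    projects: frozenset = frozenset()  # project ids this binding is scoped to


def authorize(principal, action, project):
    """Return (http_status, reason). Everything not explicitly granted is
    denied: 403 for a missing permission, 404 when the project is outside the
    principal's scope so that its existence is not revealed (assumption)."""
    perms = ROLE_PERMISSIONS.get(principal.role)
    if perms is None:
        return 403, "unknown role"
    if principal.role not in ORG_WIDE_ROLES and project not in principal.projects:
        return 404, "project not visible to this principal"
    # Defence in depth: enforce read-only even if a permission set is mis-edited.
    if principal.role in READ_ONLY_ROLES and not action.endswith(":read"):
        return 403, "read-only role"
    if "*" in perms or action in perms:
        return 200, "allowed"
    return 403, "role lacks permission for " + action


def demo():
    """A few decisions over constructed principals; returns them for checking."""
    member = Principal("alice", "member", frozenset({"proj-a"}))
    auditor = Principal("bob", "auditor")
    admin = Principal("carol", "org-admin")
    return {
        "member_write_own": authorize(member, "vm:write", "proj-a")[0],
        "member_read_other": authorize(member, "vm:read", "proj-b")[0],
        "member_firewall_write": authorize(member, "firewall:write", "proj-a")[0],
        "auditor_read_any": authorize(auditor, "audit:read", "proj-b")[0],
        "auditor_write": authorize(auditor, "vm:write", "proj-b")[0],
        "admin_anything": authorize(admin, "project:write", "proj-z")[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(case, status)
```

The order of the checks matters: scope is tested before permission so a member cannot learn which projects exist by probing for 403 versus 404, and the read-only guard sits in front of the permission lookup so that a later edit to ROLE_PERMISSIONS cannot silently give an auditor write access.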
Comprehensive Audit Logging
Every API call to the Open Edge platform is logged with timestamp, user identity, source IP, action, and result. Logs are stored in a Loki-backed system with configurable retention. You can search, filter, and export audit logs as CSV — and they map directly to SOC 2 and ISO 27001 control evidence requirements. When CISA says “review your audit logs,” our customers can do that in minutes, not days.
US-Sovereign Infrastructure
All Open Edge infrastructure is physically located in US data centers (Iron Mountain VA-1, Manassas, Virginia). All personnel with access to customer environments are US-based. No data replication to foreign jurisdictions. No offshore support teams. No multinational parent company subject to foreign government data access requests.
When geopolitical events put infrastructure in other regions at risk — whether from missile strikes on Gulf-state data centers, submarine cable disruptions in the Red Sea, or Strait of Hormuz closures affecting energy supply chains — your workloads on Open Edge are not in the blast radius.
Firewall Policy Management
Hardening network security is one of the first actions in any threat response. Open Edge includes tools that make this operationally practical: a traffic simulator to validate rule changes before deployment, shadowed rule detection to identify ineffective rules, address groups for consistent IP set management, and permissive rule warnings that flag overly broad 0.0.0.0/0 rules. These are not premium features — they ship with the platform.
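The policy checks this paragraph describes, and the OT segmentation rule from step 3 above (strict allow-list, no default outbound), as one added example that is not the Open Edge tooling: a first-match simulator with default deny, shadowed-rule detection that distinguishes a merely redundant rule from a deny that an earlier broader allow makes unreachable, a warning for allow rules that combine an any-address side with no port restriction, and a probe that confirms the OT segment cannot reach an outside address. The rule representation, the address ranges, the probe flows and the threshold for "overly broad" are assumptions.

```python
# Added example (not the Open Edge tooling): first-match policy simulation,
# shadowed-rule detection and permissive-rule warnings over a constructed rule
# set, plus a check that the OT segment has no path to the outside. Rule
# representation, address ranges and the "overly broad" threshold are assumptions.
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"
OT_NET = "10.10.5.0/24"   # assumed PLC/SCADA segment
HMI_NET = "10.20.0.0/24"  # assumed engineering-workstation segment

# Constructed rule set, evaluated top-down, first match wins, default deny.
# dport is (low, high) or None for any port.
RULES = [
    {"id": "r1", "action": "allow", "src": HMI_NET, "dst": "10.10.5.10/32", "proto": "tcp", "dport": (502, 502)},
    {"id": "r2", "action": "allow", "src": "10.20.0.5/32", "dst": "10.10.5.10/32", "proto": "tcp", "dport": (502, 502)},
    {"id": "r3", "action": "allow", "src": ANY, "dst": "10.30.0.0/24", "proto": "any", "dport": None},
    {"id": "r4", "action": "deny", "src": ANY, "dst": "10.30.0.5/32", "proto": "tcp", "dport": (22, 22)},
    {"id": "r5", "action": "allow", "src": "10.30.0.0/24", "dst": ANY, "proto": "tcp", "dport": (443, 443)},
]


def _port_covers(a, b):
    return a is None or (b is not None and a[0] <= b[0] and b[1] <= a[1])


def covers(a, b):
    """True if rule a matches every packet rule b matches."""
    return (ip_network(b["src"]).subnet_of(ip_network(a["src"]))
            and ip_network(b["dst"]).subnet_of(ip_network(a["dst"]))
            and a["proto"] in ("any", b["proto"])
            and _port_covers(a["dport"], b["dport"]))


def shadowed_rules(rules):
    """(shadowed_id, by_id, kind): 'redundant' when actions agree, 'unreachable'
    when an earlier rule with the opposite action swallows it (the dangerous case)."""
    found = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "unreachable"
                found.append((later["id"], earlier["id"], kind))
                break
    return found


def permissive_rules(rules):
    """Allow rules with an any-address side and no port restriction."""
    return [r["id"] for r in rules
            if r["action"] == "allow" and ANY in (r["src"], r["dst"]) and r["dport"] is None]


def matches(rule, pkt):
    return (ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"])
            and rule["proto"] in ("any", pkt["proto"])
            and (rule["dport"] is None or rule["dport"][0] <= pkt["dport"] <= rule["dport"][1]))


def simulate(rules, pkt):
    """First-match evaluation; returns (action, rule_id), default deny."""
    for r in rules:
        if matches(r, pkt):
            return r["action"], r["id"]
    return "deny", None


def ot_reaches_outside(rules, ot_net=OT_NET, outside="203.0.113.50"):
    """Probe a few representative flows from the OT segment toward an outside
    address (documentation range, constructed); True means egress is open."""
    host = str(ip_network(ot_net)[10])
    probes = [("tcp", 443), ("tcp", 80), ("udp", 53)]
    return any(simulate(rules, {"src": host, "dst": outside, "proto": p, "dport": d})[0] == "allow"
               for p, d in probes)


if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("permissive:", permissive_rules(RULES))
    print("HMI->PLC modbus:", simulate(RULES, {"src": "10.20.0.7", "dst": "10.10.5.10", "proto": "tcp", "dport": 502}))
    print("OT egress open:", ot_reaches_outside(RULES))
```

On the constructed set, r2 is reported as redundant with r1 (same action, fully covered) and r4 as unreachable behind r3, which is the finding that matters: the deny for SSH to 10.30.0.5 never fires because the broad allow above it already matched. r3 is also the only rule the permissive check flags; r5 has an any-address destination but is pinned to one port, so it is treated as scoped egress. The OT probe returns False because no rule permits traffic sourced from 10.10.5.0/24, which is the posture step 3 asks for.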
The Bigger Picture
Today’s conflict between the US-Israel coalition and Iran will eventually de-escalate. But the cyber threat landscape it has accelerated will not revert to the status quo. State-sponsored cyber operations against US infrastructure are becoming a permanent fixture of geopolitical competition, not an episodic response to specific events.
The organizations that weather these periods best are not the ones that scramble to implement controls after a CISA advisory. They are the ones whose infrastructure was built with these threats as a design assumption — where encryption, access control, audit logging, and network segmentation are not afterthoughts but architectural foundations.
Your cloud provider’s security posture is your security posture. If you are re-evaluating that relationship in light of current events, it is worth asking whether your infrastructure was designed for the threat environment you are operating in today — or the one that existed five years ago.
Schedule a Security Consultation
Open Edge is built for enterprises that take infrastructure security seriously — not as a response to the news cycle, but as a permanent operational requirement. If your organization needs US-sovereign infrastructure with FIPS 140-3 validated encryption, enterprise access controls, and comprehensive audit logging, our team is available to walk through your requirements.