Iran vowed revenge after a U.S. airstrike ordered by President Donald Trump killed the country’s top general, Qasem Soleimani, earlier this month. While the recent missile strikes conducted by Iran against U.S. bases in Iraq were the first public move to respond to the killing, analysts say Iran’s next retaliatory move may be targeted cyberattacks.
“Iran has historically turned to cyber operations when they wanted to exert national power without provoking a direct military confrontation with the United States and its allies,” said Sean Kanuck, a former U.S. national intelligence officer for cyber, in an interview with Air Force Magazine.
In the past, Iranian threat actors have targeted banking organizations and industrial control systems, which control industrial processes and critical infrastructures that deliver power, water, transportation, and manufacturing. In 2013, Iranian hackers attacked the computer network of a small dam in upstate New York.
“Iran has shown previously to be opportunistic in its targeting of infrastructure with denial-of-service attacks against banks as well as trying to get access to industrial control systems in electric and water companies,” said Robert M. Lee, CEO and founder of Dragos. “While it is important to think where strategic targets would be for them, it’s just as relevant that they might search for those who are more insecure to be able to have an effect instead of a better effect on a harder target.”
ICS Defenders Should Be Vigilant
At this time, Lee said the potential for damage should be on the minds of those tasked with defending industrial control systems.
“Situations like this one put a point on the criticality of our systems and the evolution of the threat that faces them. The average citizen should not be concerned, but security teams at these companies should be on a heightened sense of awareness,” he said.
Researchers at Check Point report 35 organizations were attacked in incidents “specifically traced” to Iran’s state-sponsored hacking groups in the week following the strike that killed Soleimani. Only 17% of those were in the U.S.
But the concern in the U.S. is high enough to prompt the Department of Homeland Security to issue an advisory to U.S. companies and government agencies on best practices for system security in light of the potential for retaliatory attacks. DHS’s Cybersecurity and Infrastructure Security Agency advises organizations to examine whether they might be an attractive target, noting Iranian hackers have a history of “disruptive and destructive cyber operations against strategic targets, including finance, energy, and telecommunications organizations, and an increased interest in industrial control systems and operational technology.”
“Review your organization from an outside perspective and ask the tough questions—are you attractive to Iran and its proxies because of your business model, who your customers and competitors are, or what you stand for?” the advisory says.
Best Practices for Staying on Guard
Dragos offered the following guidance for defenders:
- Increase monitoring for malicious behaviors within the environments.
- Review response plans.
- Open lines of communication with colleagues across the industry to share insights.
- Recognize the growing threat and risk to industrial environments and make the right investments to better prepare for next time.
“We’re unlikely to see widespread issues or scenarios, such as disrupting electric power, but it’s entirely possible we will see opportunistic responses to whatever damage they think they can inflict,” said Lee.