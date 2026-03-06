Coordinated U.S. and Israeli strikes on Iranian targets on February 28 have created a familiar but still dangerous pattern for homeland security leaders. Iran has a documented history of responding to external pressure with cyber operations — against U.S. financial institutions, regional infrastructure, and industrial control systems. That pattern is now an active variable, not a historical footnote.

What makes this escalation different is not only Iranian capability, but the condition of the U.S. response architecture. The agencies that translate strategic warning into practical defense for sixteen critical infrastructure sectors are being asked to perform at speed, under pressure, and in an environment of constrained resources and strained coordination mechanisms. This is not simply a “cyber incident.” It is a real-time stress test of how we have organized ourselves to protect the homeland in cyberspace.

CISA and the Sector Risk Management Agencies — including the Departments of Energy, Transportation, Health and Human Services, and Treasury — carry statutory responsibilities to deliver timely threat intelligence and coordinated guidance to owners and operators. From my time leading CISA’s Infrastructure Security Division, I know how much of that work depends on a public-private conveyor belt that can translate classified situational awareness into operator-level action within hours, not days. That conveyor belt is the critical path right now. Its throughput capacity — more than any single Iranian toolset — will determine how well the homeland weathers the next 72 hours.

From a threat perspective, three Iranian cyber capabilities should be front of mind for homeland security leaders. Drawing on Dragos threat intelligence and joint advisories from CISA, NSA, FBI, and Five Eyes partners, a clear structure emerges.

First, Pyroxene — an Islamic Revolutionary Guard Corps (IRGC)-aligned group with significant overlap with UNC1549 as tracked by Mandiant — is conducting Stage 2 industrial control system (ICS) kill-chain operations inside supplier and contractor networks. The objective at this stage is not disruption; it is terrain mapping. Pyroxene is quietly identifying pathways from IT environments in defense, aviation, and energy suppliers into the operational technology (OT) networks that run industrial processes, using victim-specific Microsoft Azure command-and-control tenants. This is deliberate pre-positioning, not opportunistic scanning.

Second, Bauxite, operating under the CyberAv3ngers persona, has already crossed from access to effects. The group has compromised more than 400 OT devices via IOControl malware, manipulated Unitronics programmable logic controllers (PLCs) at U.S. water utilities, and deployed wiper malware against Israeli industrial targets in 2025. During the June 2025 Iran–Israel escalation cycle, both Bauxite and Pyroxene demonstrated destructive capability. The ability to cause physical disruption at a distance is proven. The willingness to use it is documented.

Third, Parisite — tracked across industry as Pioneer Kitten / Fox Kitten — functions as an initial access broker for this ecosystem. Its operators exploit exposed VPNs and edge devices to compromise IT environments at critical infrastructure operators, then sell or hand off that access to state-linked actors and ransomware affiliates. Dragos and other firms have directly observed Parisite providing access that was later used in operations moving toward OT environments. In other words, the IT-to-OT seam is not a theoretical vulnerability. It is an active and documented exploitation pathway.

For owners and operators of critical infrastructure, there are three immediate technical actions that align directly with these observed behaviors: isolate internet-exposed Unitronics PLCs and OT devices; audit and terminate unused contractor VPN sessions, particularly those belonging to suppliers in defense, aviation, and energy; and enable anomaly alerting on Azure API calls and IT-to-OT lateral movement. None of these steps is new. What is new is the geopolitical context and the clear evidence that Iranian operators are already present in the networks that connect to our most sensitive systems.
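The three actions above are easier to act on when a security team can generate the candidate list in minutes rather than hours. The following script is an added example written for this article, not code from the author, CISA or Dragos; it reviews constructed sample records for each of the three actions: contractor VPN sessions that have gone idle past a threshold (candidates for termination), Azure activity from tenants outside the organization's known set or involving sensitive operations (the anomaly alerting the text calls for), and allowed firewall flows from IT address space into OT address space that did not originate from an approved jump host (IT-to-OT lateral movement). Every group name, tenant identifier, subnet, host and log line here is a hypothetical placeholder chosen for the example; a real deployment would read the equivalent fields from its own VPN concentrator, Azure activity logs and boundary firewall.

```python
"""Defensive triage for the three actions named in the article.
All records below are constructed sample data, not real logs."""
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp of the form used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed "time of review" so that results are reproducible.
NOW = parse_ts("2026-03-06T00:00:00Z")

# --- Action 1: audit and terminate unused contractor VPN sessions -------------
# Hypothetical directory groups for supplier accounts in the sectors the article names.
CONTRACTOR_GROUPS = {"contractor-defense", "contractor-aviation", "contractor-energy"}
IDLE_THRESHOLD = timedelta(hours=12)

# Constructed session records: (username, directory group, last activity, source IP)
VPN_SESSIONS = [
    ("j.smith", "employees", "2026-03-05T22:10:00Z", "203.0.113.10"),
    ("vendor-acme-01", "contractor-aviation", "2026-03-04T01:00:00Z", "198.51.100.7"),
    ("vendor-acme-02", "contractor-aviation", "2026-03-05T23:30:00Z", "198.51.100.7"),
    ("vendor-volt-01", "contractor-energy", "2026-03-01T09:00:00Z", "192.0.2.44"),
]


def stale_contractor_sessions(sessions=VPN_SESSIONS, now=NOW, idle=IDLE_THRESHOLD):
    """Usernames of contractor sessions idle longer than `idle`, longest idle first."""
    stale = []
    for user, group, last_activity, _src in sessions:
        idle_for = now - parse_ts(last_activity)
        if group in CONTRACTOR_GROUPS and idle_for > idle:
            stale.append((idle_for, user))
    return [user for _, user in sorted(stale, reverse=True)]


# --- Action 2: anomaly alerting on Azure API calls ----------------------------
# Placeholder tenant identifiers standing in for the real tenant GUIDs an
# organization and its vetted suppliers use; anything else is unexpected.
KNOWN_TENANTS = {"tenant-corp-0001", "tenant-supplier-acme"}
# Constructed labels for operations that warrant review regardless of tenant.
SENSITIVE_OPS = {"ListStorageKeys", "AddServicePrincipalCredential", "CreateVirtualMachine"}

# Constructed activity events: (caller identity, tenant, operation)
AZURE_EVENTS = [
    ("svc-backup", "tenant-corp-0001", "ReadBlob"),
    ("vendor-acme-01", "tenant-supplier-acme", "ReadBlob"),
    ("vendor-acme-02", "tenant-9f3c-unknown", "ReadBlob"),
    ("svc-ops", "tenant-corp-0001", "ListStorageKeys"),
]


def flag_azure_events(events=AZURE_EVENTS):
    """Events from an unknown tenant or involving a sensitive operation, with reasons."""
    findings = []
    for caller, tenant, operation in events:
        reasons = []
        if tenant not in KNOWN_TENANTS:
            reasons.append("unknown tenant")
        if operation in SENSITIVE_OPS:
            reasons.append("sensitive operation")
        if reasons:
            findings.append((caller, tenant, operation, "; ".join(reasons)))
    return findings


# --- Action 3: IT-to-OT lateral movement ---------------------------------------
# Hypothetical address plan: IT on 10.10.0.0/16, OT on 10.200.0.0/16, and a
# single approved jump host allowed to cross the boundary.
IT_NETS = [ip_network("10.10.0.0/16")]
OT_NETS = [ip_network("10.200.0.0/16")]
APPROVED_JUMP_HOSTS = {"10.10.5.5"}

# Constructed firewall log lines: "<timestamp> <action> <src> -> <dst>:<port>"
FIREWALL_LOGS = [
    "2026-03-05T23:40:01Z ALLOW 10.10.5.5 -> 10.200.1.10:502",
    "2026-03-05T23:41:15Z ALLOW 10.10.77.3 -> 10.200.1.10:502",
    "2026-03-05T23:42:00Z ALLOW 10.10.77.3 -> 10.10.20.8:443",
]


def it_to_ot_crossings(lines=FIREWALL_LOGS):
    """Allowed flows from IT into OT that did not come from an approved jump host."""
    findings = []
    for line in lines:
        ts, action, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        from_it = any(ip_address(src) in net for net in IT_NETS)
        to_ot = any(ip_address(dst_ip) in net for net in OT_NETS)
        if action == "ALLOW" and from_it and to_ot and src not in APPROVED_JUMP_HOSTS:
            findings.append((ts, src, dst_ip, int(dst_port)))
    return findings


if __name__ == "__main__":
    print("Idle contractor sessions to terminate:", stale_contractor_sessions())
    print("Azure events to review:", flag_azure_events())
    print("Unapproved IT-to-OT flows:", it_to_ot_crossings())
```

Each function returns a list rather than printing, so the same checks can feed a ticketing system or a SIEM rule. The thresholds, tenant allowlist and jump-host set are the governance decisions the article goes on to discuss: the script only surfaces candidates, and someone with authority still has to approve terminating a supplier's session or cutting a flow to a controller.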

However, no advisory and no threat report can fix the core governance problem behind these technical steps. Most critical infrastructure operators still lack board-level authority structures and cross-sector coordination mechanisms that allow them to move at the speed a crisis like this demands. In many organizations, security teams know what needs to be done in the next 24–72 hours, but cannot obtain the necessary approvals, downtime windows, or cross-departmental cooperation quickly enough. That structural deficit predates this escalation and will outlast it.

For CISA and the SRMAs, this moment is an opportunity — and a requirement — to lean into that gap. At the federal level, that means accelerating information flows with sector ISACs and ISAOs; using existing authorities to prioritize faster, more directive guidance during escalatory windows; and clarifying what a “minimum viable” 72-hour defensive posture should look like in sectors such as water, energy, healthcare, and transportation. At the state and local level, it means fusion centers and homeland security advisors tightening their engagement with critical infrastructure owners and verifying that those minimum steps are understood and executable.

For boards and senior executives in critical infrastructure sectors, this is a prompt to ask a small set of hard questions: Who has the authority to take our most important OT assets off the internet on short notice? How quickly can we terminate unused third-party access across our environment? Do we have monitoring in place on the cloud services — like Azure — that our suppliers use to manage our systems? And if not, what stands in the way?

Iran’s cyber capabilities are not new. What is new is the combination of a clear geopolitical trigger, demonstrated destructive tooling, an established access-broker pipeline into U.S. networks, and an institutional response architecture that is being tested in real time. Meeting that test will require not only technical mitigations, but governance decisions — in agencies, in SRMAs, and in boardrooms — that allow defensive action to match the speed of the threat.