Infrastructure Resilience in an Era of Escalation: Why Cross-Sector Coordination is the Critical Path

Federal agencies and security and intelligence specialists have been ringing the bell, warning that foreign adversaries, including Iran, are seeking to exploit vulnerabilities in U.S. critical infrastructure, especially during periods of geopolitical instability. Energy networks, transportation systems, manufacturing facilities, and water utilities all become potential targets because adversaries understand they are essential to everyday life. 

The U.S. Intelligence Community’s 2025 Annual Threat Assessment makes clear that the threat environment facing U.S. infrastructure is becoming more complex and interconnected. The report states that “a diverse set of foreign actors are targeting U.S. health and safety, critical infrastructure, industries, wealth, and government.” The assessment also emphasizes that these threats are not isolated challenges but part of a broader geopolitical environment in which adversaries are increasingly coordinating their efforts. According to the report, “Russia, China, Iran and North Korea—individually and collectively—are challenging U.S. interests” through a combination of cyber operations, influence campaigns, and other asymmetric tools.  

The same assessment warns that “Iran’s cyber operations and capabilities also present a serious threat to U.S. networks and data.” In other words, cyber activity targeting infrastructure should not be viewed as an isolated technical problem. It is part of a broader strategic competition in which adversaries seek to exploit vulnerabilities across interconnected systems and sectors. 

The Cybersecurity and Infrastructure Security Agency (CISA) is now warning that “Iranian cyber actors’ brute force and credential access activity compromises organizations across multiple critical infrastructure sectors.” The advisory goes on to note that these actors frequently use password spraying and other credential attacks to obtain access to infrastructure networks, conduct discovery, and identify additional points of access across the environment.  

That operational pattern—gaining access quietly and maintaining persistence—is familiar to those of us who have spent time working directly with infrastructure operators during active cyber threats and is even more dangerous in the world of artificial intelligence. During my time at CISA, I worked closely with critical infrastructure owners and operators responding to real-time threat reporting affecting their networks and facilities. Those engagements reinforced an important lesson: the most serious infrastructure risks rarely emerge from a single vulnerability or single organization. They emerge from the connections between systems and sectors. 

Infrastructure Is a System of Systems 

While at CISA, I spent a significant amount of time working directly with infrastructure owners and operators responding to emerging threats and operational disruptions. Those experiences reinforced how quickly risk can move across sectors when systems are tightly interconnected. 

During active cyber threat situations at CISA, coordination between government analysts and industry operators was essential. The most important factor was often not the technical sophistication of the threat itself but the speed with which information could move between government analysts, infrastructure operators, and sector partners. Operators needed timely intelligence about what adversaries were targeting, how those intrusions were occurring, and what defensive actions they could take immediately.

But cyber incidents were not the only situations that revealed these dependencies. 

I also saw how quickly operational risk could emerge when visibility across supply chains or transportation systems broke down. In one case, we were working with partners across the chemical sector to track hazardous materials that had been lost in transit and were temporarily unavailable in the systems normally used to monitor chemical inventories. Even a temporary loss of visibility over chemical shipments creates ripple effects—affecting facility operations, transportation networks, emergency response planning, and community safety. 

Situations like that reinforce an important lesson: infrastructure resilience depends not only on the security of individual facilities, but on the coordination mechanisms that connect them. 

The U.S. organizes infrastructure protection across sixteen critical infrastructure sectors, each with its own government partners and industry stakeholders. That structure has strengthened security within sectors and helped build trusted public-private partnerships. 

But the infrastructure itself does not operate in sectors. Energy powers communications networks. Communications enable emergency services. Water utilities require chemical manufacturing and distribution. Transportation systems depend on fuel distribution, digital logistics platforms, and satellite navigation. And end-user production relies on the entire supply chain, spanning multiple industries, coming together.

These dependencies are not theoretical. They are relied on every day. During the Colonial Pipeline ransomware incident in 2021, the operational disruption of a single pipeline system quickly rippled across the East Coast fuel supply chain. Transportation systems, airlines, and local fuel distributors all felt the effects. It was a powerful reminder that infrastructure resilience depends not only on the security of individual systems, but on the coordination mechanisms that connect them. 

Infrastructure resilience is rarely about one system operating securely. Rather, it is about whether the critical infrastructure ecosystem is fully functioning, so that the organizations responsible for those systems communicate and coordinate effectively across all sectors and with our government in a whole-of-nation effort to protect our national security.

The Iranian Escalation 

Iran has a long history of retaliating against the U.S. through its infrastructure, going back to Operation Ababil in 2012, in which Iran deployed a distributed denial-of-service campaign against U.S. banks that was considered retaliation for the U.S. sanctions on Iran’s nuclear program. Recent threat reporting from U.S. agencies highlights a consistent operational pattern from Iranian cyber actors. CISA warned that “Iranian government-affiliated actors routinely target poorly secured U.S. networks and internet-connected devices.” In another joint advisory, U.S. agencies urged organizations to remain vigilant for potential cyber activity targeting U.S. infrastructure, warning that “Iranian-affiliated cyber actors may target U.S. devices and networks for near-term cyber operations.”

Historically, these campaigns often begin with reconnaissance and credential access. Once access is established, it can be used for espionage, influence operations, or disruptive activity during periods of geopolitical tension. For infrastructure operators, this reflects a pattern that has been observed repeatedly across multiple sectors. 

The challenge is not simply defending one network from intrusion. It is understanding how access to one network can create pathways into others. 

Artificial Intelligence and the Expanding Attack Surface 

At the same time that Iranian adversaries are interested in targeting U.S. critical infrastructure, organizations are rapidly adopting new technologies, particularly artificial intelligence. Across sectors, AI is being integrated into operational environments to support predictive maintenance, anomaly detection, logistics planning, and video analytics. These capabilities offer enormous potential benefits, but they also introduce new risks.

Many organizations are deploying AI systems faster than the security frameworks required to protect them can be established and standardized. AI platforms depend on data pipelines, cloud services, and software supply chains that extend far beyond a single company or facility. If those systems are compromised through manipulated data, malicious code, or insecure interconnectivity, the consequences could ripple across the infrastructure systems that rely on them.

Recent threat reporting indicates that nation-state actors are already using artificial intelligence to enhance cyber operations, automate phishing campaigns, and refine targeting efforts as they look for these opportunities to strike. In other words, the infrastructure community is expanding its digital capabilities at the same moment that cyber threats are becoming more automated, more scalable, and more interconnected.

Cross-Sector Coordination Is the Critical Path 

Over the past two decades, the U.S. has built a strong foundation for public-private collaboration in infrastructure security. Sector Risk Management Agencies coordinate with industry partners to strengthen security within individual sectors, with CISA leading the way in national-level coordination. Information Sharing and Analysis Centers (ISACs) advance information-sharing mechanisms and enable companies to exchange threat information within each sector.

Those efforts matter more than the average American realizes. Despite this, diminished resources, lapsed authorities, and shifting priorities are straining these partnerships and coordination mechanisms.  

In addition, the threats themselves are increasingly cross-sector. Cyber actors are targeting the relationships between infrastructure systems rather than individual facilities.  

When active nation-state threats from Iran and other adversaries converge with rapidly deployed technologies that are outpacing security standards, the expanding interconnectivity of critical infrastructure, and shifting government resources, the risk landscape fundamentally changes. Addressing these systemic vulnerabilities requires infrastructure owners and operators across sectors to coordinate more closely than ever before, making cross-sector coordination and information sharing the critical path for resilience.  

Kelly Rae Murray is the former Associate Director for the Cybersecurity and Infrastructure Security Agency (CISA) Office of Chemical Security within the U.S. Department of Homeland Security (DHS). Ms. Murray led the Office of Chemical Security in identifying, regulating, and managing infrastructure security risk by overseeing the former Chemical Facility Anti-Terrorism Standards (CFATS) regulation as well as voluntary critical infrastructure security and resilience programs. Ms. Murray served as a technical authority on critical infrastructure and chemical security with expertise in risk-based and performance-based security measures to best assist critical infrastructure owners and operators and communities across the nation both understand and address their security risk. Further, she was a co-implementer of the Global Congress on Chemical Security and Emerging Threats, an international group of more than 1,000 experts from 80 countries, established to build capacity worldwide, enable technology innovation, address emerging threats like artificial intelligence and drones, and influence global security strategies for critical infrastructure. Currently, Ms. Murray is the President and Founder of Resilience and Risk Solutions where she provides expert strategic policy, legislative approach, organizational development, risk analysis, vulnerability assessment, emergency management, and program development for critical infrastructure and government partners, driving impactful change and increased national and economic security and resilience. Additionally, she partners with Deep Water Point & Associates as a Principal to identify opportunities, maintain public and private sector partnerships, and provide expert guidance, agency-savvy insights, and mission-informed perspectives on national-level projects.
