U.S. Officials Warn of Iranian Cyber Threat to Water Systems, Citing Broad Infrastructure Risk

As tensions escalate following the bombing of Iranian nuclear facilities, federal cybersecurity officials are warning that Iranian state-sponsored hackers may retaliate by targeting America’s most vulnerable critical infrastructure: water systems.

According to a recent advisory from CISA, the FBI, and the NSA (AA24-290A), Iranian cyber actors have demonstrated the ability to infiltrate industrial control systems (ICS) and supervisory control and data acquisition (SCADA) environments—particularly those managing water treatment and distribution.

Access to these systems isn’t just about water; disrupting the water sector could cascade into failures in healthcare, energy, and emergency services—sectors that absolutely depend on clean, reliable water to operate.

Water Systems: A Silent Backbone of National Security

Water utilities, many of which are small and under-resourced, often lack advanced cyber defenses. Yet they play a pivotal role in sustaining other critical sectors, highlighting their significant interdependencies. Access to these systems isn’t just about water; disrupting the water sector could cascade into failures in healthcare, energy, chemical and critical manufacturing, and emergency services—sectors that absolutely depend on clean, reliable water to operate.

Key interconnections and dependencies include:

• Healthcare Sector: Hospitals rely on safe water for sanitation, patient care, and medical equipment sterilization. Disruptions in water service can have critical consequences for healthcare facilities.
• Energy Sector: Power plants require water for cooling systems and electricity generation, especially nuclear and hydroelectric facilities. Conversely, power loss can significantly impact the operations of both drinking water and wastewater utilities.
• Emergency Services Sector: Fire response systems depend on water pressure and availability during emergencies. Water sector utilities can collaborate with local emergency management agencies to prepare for water-related emergencies.
• Chemical Sector: The water sector also depends on the chemical supply chain for necessary treatments and processes.

Cybersecurity experts warn that a successful SCADA breach could disable pumps, manipulate chemical dosing in treatment plants, or cut off water supplies to entire regions. In a worst-case scenario, it could even result in the delivery of unsafe water to the public.

Iranian Capabilities and Broader Cyber Threats

Beyond water infrastructure, Iranian-backed cyber groups have a long track record of targeting critical U.S. systems. In 2020, the U.S. Treasury sanctioned Iranian APT groups for attacks on government agencies and the private sector. More recently, Iranian actors were linked to ransomware campaigns, influence operations during U.S. elections, and access attempts to power grids and transport networks.

Since October 2023, Iranian cyber actors have been observed employing a consistent set of tactics, techniques, and procedures (TTPs) to gain unauthorized access to organizations. Their primary objective appears to be the acquisition of credentials and detailed information about victim networks, which can then be sold on cybercriminal forums to facilitate further malicious activity.

In October 2024, a joint statement from CISA, FBI, NSA, and international partners revealed Iran’s focus on exploiting internet-facing systems and default credentials. A separate advisory warned that Iran’s MOIS (Ministry of Intelligence and Security) was actively targeting political dissidents, government officials, and accounts tied to national infrastructure.

According to a June 2025 report from Politico, cybersecurity officials believe Iran may respond to Israeli military actions with coordinated cyberattacks against the U.S. and its allies, especially those supporting Israel. Officials say targets could include financial services, airports, government agencies, and communication networks—many of which depend on water systems to function under emergency conditions.

Their methods of infiltration are often characterized by:

• Brute Force Attacks: This includes widespread “password spraying,” where attackers attempt common passwords against numerous accounts across an organization to avoid triggering account lockouts.
• Multi-Factor Authentication (MFA) “Push Bombing” or “MFA Fatigue”: Threat actors inundate users with repeated MFA push notifications, hoping that the user will eventually accept a request by mistake or out of frustration, thereby granting unauthorized access.
• MFA Registration Modification: Once initial access is gained, actors frequently modify MFA registrations to establish persistent access and bypass future authentication challenges.
• Credential Harvesting and Network Discovery: After compromising an initial account, Iranian actors conduct extensive reconnaissance within the victim’s network. They leverage open-source tools and various techniques to gather additional credentials, escalate privileges, and map out the network infrastructure, including details about domain controllers, trusted domains, and administrative accounts. This often involves using legitimate tools (“Living off the Land” techniques) to blend in with normal network activity.
• Lateral Movement: Actors utilize methods like Remote Desktop Protocol (RDP) for lateral movement within compromised networks, sometimes employing creative techniques such as embedding malicious scripts within seemingly innocuous documents to launch RDP binaries.

Call to Action for Utilities

CISA is urging water utilities—especially small and mid-sized operators—to:

• Segment operational and corporate networks.
• Patch known vulnerabilities in ICS software.
• Implement multi-factor authentication and account monitoring.
• Develop incident response plans in coordination with local emergency services.

U.S. cybersecurity agencies consistently urge critical infrastructure organizations to bolster their defenses against these persistent threats. Key recommendations include:

• Implement Phishing-Resistant Multi-Factor Authentication (MFA): This is a crucial defense against credential theft and MFA push bombing.
• Enforce Strong Password Policies: Regular password changes and complex password requirements for all accounts are essential.
• Continuous Review of MFA Settings: Ensure that MFA coverage extends to all active, internet-facing protocols and that no exploitable services are exposed.
• Robust IT Helpdesk Procedures: Review and secure processes for initial passwords, password resets, and shared accounts, ensuring strict user verification.
• Promptly Disable Accounts for Departing Staff: Minimize potential avenues for attackers to gain entry.
• Provide Cybersecurity Training: Educate users on detecting suspicious login attempts and denying uninitiated MFA requests.
• Monitor Authentication Logs: Regularly review logs for system and application login failures, especially looking for multiple failed attempts across various accounts, which can indicate brute force activity.
• Report Incidents: Organizations are encouraged to report any suspicious or malicious cyber activity to CISA or the FBI.

The warning comes as federal agencies increase coordination with state and local governments to protect essential services from cyber disruption.

The water sector is often overlooked, but it’s foundational. If Iran chooses to strike, the ripple effects could reach every American household.

Resources

For more guidance, visit:

• Iranian Cyber Actors Targeting Infrastructure – CISA Alert

• NSA Press Release on Iranian Access to Critical Infrastructure

• CISA Cyber Advisory AA24-290A
• Iranian Cyber Actors Targeting Infrastructure – Joint CISA/FBI/NSA Alert