
Iran and the New CNI Threat

As the Iran war continues, critical national infrastructure (CNI) firms are being warned about the impact of cyber-attacks.

In April, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that Iran-affiliated adversaries are targeting internet-facing operational technology (OT) devices.

It came after researchers at Censys observed attackers probing the widely-deployed programmable logic controllers (PLCs) manufactured by Rockwell Automation Allen-Bradley and exploiting them as part of a broader campaign against CNI.

The UK National Cyber Security Centre (NCSC) has also recently issued an alert to CNI providers, advising them to “act now” to shore up security in the face of the growing threat. It comes after Poland’s energy sector was targeted with malware at the end of 2025, which was likened to arson.


A Viable Target

While the CNI cyber-attack threat from Iran might seem greater in the US, the UK could also get caught up in the fallout. Because the UK is a US ally providing military assistance at odds with Iranian military action, UK CNI, along with other UK interests, is viewed as “a viable target,” says Michael Arcamone, chief strategy officer at OPSWAT. “Any access that Iran state-sponsored threat actors can achieve against critical infrastructure targets in the UK can and will likely be used to leverage cooperation and more favourable negotiation terms for Iran.”

Pressure from attacks on CNI may also factor into future UK military involvement in the ongoing conflict, Arcamone predicts. The March attack on medical devices company Stryker by Iranian hacktivist group Handala shows “how an indirect attack can have cascading effects within the UK,” he says, pointing out that the medical supply chain to the NHS was disrupted as a result.

Whilst the direct cyber threat from Iran to the UK is “relatively unchanged”, the indirect risk to CNI “has clearly stepped up” following the start of the war, says Daryl Flack, partner at Avella Security. This is particularly relevant for UK firms operating in the Middle East or embedded in regional supply chains, where CNI assets such as energy pipelines, logistics hubs or transport networks “sit exposed,” he says.

In the past month, activity has shifted from “largely latent risk” to “more operationally active intrusion attempts,” particularly targeting exposed systems using known weaknesses such as weak credentials and internet-facing infrastructure, says Santiago Pontiroli, threat intelligence research lead at Acronis. “While still largely opportunistic, the risk to the UK is increasing as these actors reuse proven attack methods across similar environments.”


SCADA-Based Systems

The age-old problem posing a risk to CNI in the energy and utilities sectors is the supervisory control and data acquisition (SCADA)-based systems that were never meant to be connected to the internet. These are challenging to secure, and once exposed they create entry points through which attackers can act.

For this reason, simple attacks can offer significant gains. Iranian-aligned groups typically rely on “proven and repeatable methods” to gain access to critical infrastructure environments, rather than sophisticated exploits, says Pontiroli.

For example, operations targeting water and energy infrastructure in 2025 demonstrated how attackers were able to access PLCs and SCADA-related systems “simply because they were directly exposed online or insufficiently secured,” Pontiroli points out.

For CNI, the concern is “the combination of access, persistence, and the ability to move into environments where IT and OT meet,” according to Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks. “Weak segmentation between IT and OT systems is often what turns a standard cyber intrusion into an operational disruption. This risk is further amplified where remote access into OT environments is not tightly controlled or properly monitored.”


Iran Operating Differently

Hinchliffe says Palo Alto Networks’ research shows the threat is “less about a sudden spike of activity and more about how Iran is operating differently now.”

With the conflict continuing, Unit 42 describes a “multi-vector campaign combining state-aligned activity with a growing ecosystem of proxy and hacktivist groups.”

Over the past few months, the key shift has been fragmentation, says Hinchliffe. “Even where coordination inside Iran is disrupted, cyber activity continues through more distributed actors working with greater independence.”

This matters to UK CNI because the threat is becoming more stealthy, consisting of “persistent, low-visibility activity across interconnected infrastructure and supply chains”, according to Hinchliffe.

Going forward, the most likely trajectory is continued pre-positioning in networks, including through supply chains and service providers, Hinchliffe predicts. “That means the risk to UK CNI is often indirect – with access potentially already in place and waiting to be activated during periods of geopolitical escalation.”

Arcamone warns that UK critical infrastructure targets could face threats similar to those Iran-nexus threat actors have previously deployed. “Wiper malware has seen a notable uptick due to its potency in creating chaos that Iran can leverage in their favour with the ongoing conflict.”

At the same time, while previous campaigns may have revolved primarily around extortion and espionage, he thinks “disruptive and high impact attacks aimed at reducing UK involvement in the conflict are likely to materialise.”


CNI CISO Actions

As the threat from Iran grows, it’s important that UK CNI CISOs ensure they have adequate security measures in place.

CISOs should assess and harden critical systems and infrastructure in light of the latest attacks attributed to Iran-nexus threat actors, says Arcamone. “Where previously, access for espionage purposes was the standing threat from a wide range of threat actors, the shift to destructive malware with highly disruptive consequences needs to be addressed with the utmost priority.”

As the risk grows, CNI operators should be focusing on resilience, says Hinchliffe. “This means tightening identity security, reducing exposure of internet-facing systems, and ensuring backups and recovery processes are robust and tested.”

He advises organisations to “reduce standing privileges and limit how easily compromised accounts can move across environments” – especially where IT and OT systems are converging, and lateral movement can reach operational systems.

Overall, reducing internet exposure remains key because it is still the main entry point into critical networks, including externally reachable OT services and remote access paths, Hinchliffe says. “Services should be minimised, vulnerabilities patched quickly, and organisations need clear visibility of what is connected across IT and OT estates to understand exposure.”
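The advice above, and the exposure problem described in the SCADA section, can be turned into a repeatable check over an asset inventory. The following Python script is an added example, not code from the article or from any of the firms quoted in it: it flags industrial protocol and remote-access services reachable from the internet, assets still using default credentials, and OT hosts reachable from the IT network without a monitored jump host. The inventory records, their field names and the choice of protocol ports are constructed assumptions; a real run would take the export of whatever asset-discovery tooling the organisation already uses.

```python
"""Exposure check over an IT/OT asset inventory.

Added example, not from the article. Assumes an inventory exported as a
list of dicts with the fields shown in INVENTORY below; the records are
constructed for illustration.
"""
from dataclasses import dataclass

# Standard TCP ports of common industrial protocols. Which protocols matter
# for a given estate is an assumption; extend the table to match yours.
OT_PROTOCOL_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 102: "S7comm", 20000: "DNP3"}
# Remote-access services that should not face the internet directly and
# should only reach OT through a monitored jump host.
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5900: "VNC"}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str


def assess_asset(asset: dict) -> list[Finding]:
    """Apply the exposure rules to one inventory record."""
    host, port = asset["host"], asset["port"]
    findings: list[Finding] = []
    # Rule 1: a PLC/SCADA protocol directly reachable from the internet.
    if asset["internet_reachable"] and port in OT_PROTOCOL_PORTS:
        findings.append(Finding(host, "critical",
                                f"{OT_PROTOCOL_PORTS[port]} (tcp/{port}) reachable from the internet"))
    # Rule 2: a remote-access path exposed to the internet.
    if asset["internet_reachable"] and port in REMOTE_ACCESS_PORTS:
        findings.append(Finding(host, "high",
                                f"{REMOTE_ACCESS_PORTS[port]} remote access exposed to the internet"))
    # Rule 3: default credentials; worse when the service is also internet-facing.
    if asset["default_credentials"]:
        severity = "critical" if asset["internet_reachable"] else "high"
        findings.append(Finding(host, severity, "default or shared credentials still in use"))
    # Rule 4: flat IT/OT segmentation (lateral movement can reach the OT asset).
    if asset["zone"] == "ot" and asset["reachable_from_it"] and not asset["via_jump_host"]:
        findings.append(Finding(host, "medium",
                                "OT asset reachable from the IT network without a monitored jump host"))
    return findings


def assess_inventory(inventory: list[dict]) -> list[Finding]:
    """Run every rule over every asset, worst findings first."""
    findings = [f for asset in inventory for f in assess_asset(asset)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.host))


def summarise(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity for a quick exposure report."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for finding in findings:
        counts[finding.severity] += 1
    return counts


# Constructed sample inventory (hostnames and values are illustrative only).
INVENTORY = [
    {"host": "plc-pump-01", "zone": "ot", "port": 44818, "internet_reachable": True,
     "default_credentials": True, "reachable_from_it": True, "via_jump_host": False},
    {"host": "hmi-water-02", "zone": "ot", "port": 5900, "internet_reachable": True,
     "default_credentials": False, "reachable_from_it": True, "via_jump_host": True},
    {"host": "historian-01", "zone": "ot", "port": 1433, "internet_reachable": False,
     "default_credentials": False, "reachable_from_it": True, "via_jump_host": False},
    {"host": "corp-web-01", "zone": "it", "port": 443, "internet_reachable": True,
     "default_credentials": False, "reachable_from_it": True, "via_jump_host": False},
]

if __name__ == "__main__":
    results = assess_inventory(INVENTORY)
    for finding in results:
        print(f"[{finding.severity:>8}] {finding.host}: {finding.reason}")
    print(summarise(results))
```

The rules are deliberately coarse: the point is to produce a prioritised list that the CISO can act on (the internet-facing PLC with default credentials sorts to the top), and to re-run it after every change so that exposure is tracked rather than assessed once.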

Kate O'Flaherty, cybersecurity and privacy journalist
