
Heightened Cyber Risk During Middle East Escalation: An ICS Perspective for Security Leaders

As geopolitical tensions intensify, so does cyber risk.

Authored by Michael Hoffman

As geopolitical tensions intensify, so does cyber risk. Both kinetic and cyber operations are integral to modern conflict, and retaliatory cyber activity often targets both military and civilian infrastructure. For CISOs overseeing industrial operations, a critical question emerges: Are we prepared if our organization becomes a target?

Asset owners do not determine whether they are targets: adversaries do. CISOs, however, can control their level of preparedness and operational resilience. This begins with maintaining continuous awareness and leveraging OT-focused threat intelligence to shape defenses around sector-specific risks and known adversary behaviors. Integrating intelligence and lessons learned from real-world OT attacks remains one of the most effective ways to guide industrial cybersecurity programs.

Recent developments in the Middle East have heightened concerns among asset owners and operators. Hacktivist campaigns, opportunistic intrusion attempts, and influence operations targeting regional organizations have all increased.

From an industrial control systems (ICS) perspective, however, the situation remains measured. At the time of writing, there are no publicly disclosed cyber operations that have progressed to Stage 2 ICS attack activity or directly impacted ICS environments.

This distinction is important for security leaders. Disruptive cyber operations targeting industrial environments require extensive planning, access development, and a deep understanding of the targeted industrial process. Historically, these operations have taken significant time to mature, underscoring the importance of preparedness during early escalation periods.

The initial phases of geopolitical cyber escalation almost always involve increased reconnaissance activity, persistent intrusion attempts, and signaling operations rather than immediate disruption of industrial systems. Threat actors typically attempt to establish footholds in enterprise networks before moving toward operational environments.

Recent activity aligns with this pattern. Dragos researchers have observed increased operations by MuddyWater, a group linked to Iranian cyber operations. Targeted sectors include aviation, government, healthcare, energy-supporting engineering services, and maritime domains.

Observed tactics remain consistent with typical intrusion campaigns: exploitation of known vulnerabilities, credential harvesting, and abuse of legitimate remote management tools. While these activities reinforce the adversary's continued interest in organizations operating industrial environments, current evidence does not indicate successful attempts to manipulate industrial processes.

Geopolitical crises often lead to increased hacktivist messaging and cyberattack claims. These claims frequently exaggerate or fabricate operational impacts to create psychological pressure or signal symbolic retaliation.

A recent example involved the hacktivist persona APT IRAN, linked to the Dragos-tracked group BAUXITE, which allegedly carried out a cyberattack against a Jordanian government-run wheat storage facility. The group stated that environmental controls within grain storage systems had been manipulated. Jordanian authorities later confirmed that the attempted attack had been thwarted, and no evidence of compromised industrial control systems has emerged.

This pattern is common during geopolitical conflicts. Hacktivist groups often report ICS attacks that never occurred or significantly exaggerate operational impact. These narratives reinforce an important reality: critical infrastructure organizations remain highly visible symbolic targets during periods of geopolitical tension, and cyber messaging is frequently used to amplify political pressure and shape public perception.

Even when industrial environments are not directly targeted, geopolitical events can still create operational disruption. Recent regional reporting has noted sustained GPS jamming affecting both maritime traffic and land-based GPS receivers across areas of the Arabian Gulf.

While this does not represent direct manipulation of industrial control systems, it highlights growing operational dependencies within modern OT environments. Many industrial operations rely on external services such as satellite navigation, telecommunications networks, and GPS-sourced timing signals used by Network Time Protocol (NTP) servers. GPS jamming or spoofing can introduce navigation errors, disrupt OT time synchronization, corrupt network and host event log timestamps, and create authentication or system synchronization issues across operational environments.

Organizations should review any OT systems that depend on GPS-based timing or positioning services and ensure they can identify and tolerate spoofing or jamming conditions. Many newer GPS-sourced NTP clocks now include anti-jamming and anti-spoofing capabilities that can help maintain reliable synchronization during interference events.
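One way to turn that review into a recurring check, as an added example that is not part of the original post: the records below are a constructed model of what a site would collect from its NTP daemon's source list (the field names, source labels and thresholds are assumptions), and the function flags the three conditions the paragraph describes: lost GPS lock (jamming), a sudden time step on the GPS reference (spoofing-like), and disagreement between the GPS clock and a fallback NTP source.

```python
from dataclasses import dataclass

@dataclass
class TimeSample:
    t: int            # poll time, seconds since the window started
    source: str       # "gps" (GPS-disciplined refclock) or "ntp-wan" (fallback)
    stratum: int      # 1 = locked GPS clock; 16 = unsynchronised / no lock
    offset_ms: float  # this source's time minus the local clock, in ms

def check_time_sources(samples, max_step_ms=50.0, max_divergence_ms=20.0):
    """Return (t, finding) tuples for conditions the page warns about:
    'gps_lost'   - GPS source reports stratum 16, the signature of jamming
                   or antenna loss (no fix, so no usable time).
    'gps_step'   - GPS offset jumps by more than max_step_ms between polls;
                   a genuine GPS clock drifts slowly, so a step is the kind
                   of anomaly a spoofed signal produces.
    'divergence' - GPS and fallback disagree by more than max_divergence_ms
                   in the same poll, so at least one reference is wrong.
    """
    by_t = {}
    for s in samples:
        by_t.setdefault(s.t, {})[s.source] = s
    findings, last_gps = [], None
    for t in sorted(by_t):
        gps, fb = by_t[t].get("gps"), by_t[t].get("ntp-wan")
        if gps is None:
            continue
        if gps.stratum >= 16:
            findings.append((t, "gps_lost"))
            continue  # keep last_gps from the last locked poll
        if last_gps and abs(gps.offset_ms - last_gps.offset_ms) > max_step_ms:
            findings.append((t, "gps_step"))
        if fb and abs(gps.offset_ms - fb.offset_ms) > max_divergence_ms:
            findings.append((t, "divergence"))
        last_gps = gps
    return findings

# Constructed sample polls (not real telemetry): one GPS refclock plus one
# WAN NTP fallback, polled every 64 s.
SAMPLES = [
    TimeSample(0, "gps", 1, 0.2),     TimeSample(0, "ntp-wan", 2, 1.5),
    TimeSample(64, "gps", 1, 0.3),    TimeSample(64, "ntp-wan", 2, 1.1),
    TimeSample(128, "gps", 16, 0.0),  TimeSample(128, "ntp-wan", 2, 1.4),  # lock lost
    TimeSample(192, "gps", 1, 0.1),   TimeSample(192, "ntp-wan", 2, 1.2),
    TimeSample(256, "gps", 1, 180.4), TimeSample(256, "ntp-wan", 2, 1.3),  # 180 ms step
]

if __name__ == "__main__":
    for t, finding in check_time_sources(SAMPLES):
        print(f"t={t:>4}s {finding}")
```

A site that already has holdover clocks or anti-spoofing receivers can feed the same kind of records from those devices; the point is that time-source health becomes an alert the OT SOC sees, not a silent drift in log timestamps.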

Key takeaways for CISOs and security leaders during periods of geopolitical tension should focus on disciplined risk management and operational readiness. Organizations should avoid reacting out of alarm and instead prioritize proven controls that improve resilience and reduce operational risk. The SANS Five ICS Cybersecurity Critical Controls provide clear priorities for action.

1. ICS-Specific Incident Response Plan

Organizations should maintain an incident response capability tailored to industrial environments. Unlike traditional IT plans, ICS response must prioritize safe operations, process stability, and system integrity.

CISOs should ensure cybersecurity teams, engineers, and operations leadership can coordinate effectively during incidents. Regular tabletop exercises and scenario planning help align the organization, from executives to plant operations, around realistic cyber incident scenarios.

2. Defensible Architecture

A defensible architecture lowers risk by design and supports effective monitoring and response. In industrial environments, this includes segmentation between enterprise and OT networks, the use of industrial DMZs, and strict control of communications between zones with varying levels of trust.

The goal is not a perfectly secure network, but one that limits attacker movement, supports containment actions, and provides visibility into critical operational systems.

3. ICS Network Visibility and Monitoring

Industrial environments require visibility into system communications to detect behavior that may indicate malicious activity.

Unlike traditional IT monitoring, ICS monitoring focuses on industrial protocols and operational interactions between systems. Host and network monitoring should also align directly with threat intelligence. Intelligence identifies relevant adversarial behaviors, and network detection capabilities should leverage those behaviors to produce low-noise, high-fidelity alerts that operations and SOC teams can act on quickly.

4. Secure Remote Access

Remote connectivity is essential for many industrial operations but also represents a significant attack vector. Adversaries increasingly target remote access pathways used by employees, vendors, and service providers.

Security leaders must identify, strictly control, and continuously monitor all remote access routes. Multifactor authentication, limited entry points, and monitored jump hosts significantly reduce the risk of unauthorized access to operational networks. Further guidance can be found in this recent SANS blog: Securing Remote Access in OT: A Critical Control for Modern Risk.

5. Risk-Based Vulnerability Management

In industrial environments, patching every vulnerability is often unrealistic due to operational and safety constraints. Organizations should instead prioritize vulnerabilities that present meaningful operational risk.

The 2026 Dragos OT Cybersecurity Year in Review report indicated that 3 percent of reported OT vulnerabilities were labeled “Now” and required immediate action, reinforcing that risk-based vulnerability management in OT is achievable.

A risk-based approach prioritizes vulnerabilities that could enable adversaries to gain access to operational environments or manipulate critical systems. In many cases, segmentation, monitoring, hardening, or other compensating controls may be more effective and operationally appropriate than immediate patching.

CISOs should treat the current environment as a period of heightened vigilance, not panic. This is the time to validate preventive, detective, and recovery capabilities across operational environments. If an organization cannot confidently answer the question “Am I compromised?”, that likely indicates a gap in OT visibility and monitoring that should be addressed promptly.

Likewise, disaster recovery planning should extend beyond “restore from backups” to include operational recovery and resilience planning. The OT Disaster Recovery Quick Start Guide is a useful reference for organizations beginning that process.

Destructive cyber operations against industrial environments require time, preparation, and operational understanding. Defense is doable, and organizations that maintain strong ICS visibility, defensible architectures, secure remote access, risk-based vulnerability management, and mature incident response capabilities will be significantly better positioned to withstand cyber threats during periods of geopolitical escalation.