Iran Conflict Heightens Cyber Threats to U.S. Energy Infrastructure

The energy sector has long been targeted as a point of leverage in geopolitical conflict. Historically, energy disruptions were concentrated on logistical and supply interruptions to exert economic pressure on adversaries—for example, through sanctions, oil embargos, and restrictions on key shipping lanes. More recently, however, direct physical attacks on energy infrastructure have increasingly been deployed as a core military strategy.

In the context of the Russia-Ukraine conflict, strikes on Ukrainian energy systems tripled this year over previous years of the war, resulting in a near collapse of the country’s power grid. Last week, President Donald Trump threatened attacks on Iran’s electricity grid, and Iran responded that it would retaliate against energy and water systems across the Gulf.

Today, Iran does not have long-range weapons capable of causing physical damage to domestic U.S. energy infrastructure. However, a physical risk remains; Iran has increasingly used unmanned aircraft systems to attack critical assets, and pro-Iranian entities within the United States have capabilities to use drones as weapons—a threat that is difficult for utilities to counter.

The threat, however, does not end with physical attacks; the energy sector is vulnerable to, and has been increasingly targeted by, cyber threat actors in recent years. For several years, there has been strong evidence that foreign adversaries, notably the People’s Republic of China (PRC), have successfully infiltrated and pre-positioned on U.S. critical infrastructure, including energy systems. While these intrusions have not caused outages, they have, significantly, demonstrated the PRC’s interest in targeting strategic critical infrastructure for disruption, including during a future conflict. The United States itself has become more vocal about offensive cyber capabilities targeting the grid. In January, U.S. Cyber Command reportedly conducted a cyberattack, strategically turning power off and on in Venezuela in support of the mission to capture Nicolás Maduro, with President Trump famously stating that a power blackout surrounding the raid was “due to a certain expertise that we have.”

Cyberattacks originating from Iran are a key concern as well. For more than a decade, Iran has invested heavily in its cyber capabilities and cultivated ties to hacker groups. Iran has so far conducted limited disruptive strikes in the current conflict, outside of the attack targeting U.S. medical technology firm Stryker. But, cybersecurity firms and critical infrastructure threat advisory groups warn of a heightened cyber threat environment as the Middle East conflict continues. The Trump administration has downplayed indications of imminent risk, but urged energy companies to increase physical and cybersecurity measures in case of retaliatory attacks.

Even before the February airstrikes escalated geopolitical tensions, the cyber threat environment surrounding the United States energy infrastructure has been accelerating. In February, the Department of Energy Office of Cybersecurity, Energy Security, and Emergency Response issued its first strategic plan to protect U.S. energy infrastructure from cybersecurity threats, physical attacks, and natural disasters. This year, the World Economic Forum ranked “cyber insecurity” a top 10 global risk, and the Office of the Director of National Intelligence’s 2026 Annual Threat Assessment warned U.S. critical infrastructure, including the energy sector, faces escalating cyber challenges.

Scale, Age, and Fragmentation Make U.S. Energy Infrastructure Uniquely Vulnerable

U.S. energy infrastructure is among the largest interconnected systems in the world. The grid serves over 330 million people, encompasses over 7,300 power plants, and spans over 600,000 miles of high-voltage transmission lines. The energy sector is critical to the U.S. economy, underpinning all other critical infrastructure sectors and billions of dollars of economic activity; if energy fails, multiple other sectors fail at the same time in a cascading impact. Its importance alone makes it a vulnerable target. At the same time, the scale of the infrastructure, its fragmented regulatory structure, its highly interconnected operational nature, and its age make the system vulnerable to attacks.

The sheer scale of the system creates a large attack surface vulnerable to both physical and cyber interference. From a physical security standpoint, the geographic span increases exposure because infrastructure often crosses remote areas that are difficult to monitor. From a cybersecurity vantage, the scale and age of the system imply more entry points (e.g., devices, networks, and software systems). The North American Electric Reliability Corporation (NERC) estimates the U.S. grid is gaining about 60 new vulnerable points per day due to increasing grid digitalization, expanding distributed energy resources, new software deployment, and reliance on third-party vendors.

U.S. energy infrastructure is less centralized than that of other countries—for example, the electricity grid spans three interconnections, each with thousands of utilities. This fragmentation hinders a uniform security approach, and different utilities have a range of budgets, IT support, and security standards. Despite the organizational fragmentation, the interconnected nature of the system means that a physical or cyberattack in one region has cascading impacts across the network.

Critically, many components of the energy system are old and not designed with modern security in mind. For example, about half of U.S. oil and gas pipelines are over 50 years old, and about 75 percent of transmission lines are over 25 years old. Aging infrastructure increases both vulnerability and risk of failure and slows the recovery timeline after a disruption. Legacy systems often lack integrated monitoring and cybersecurity protection measures, and some older systems run outdated software that may no longer be supported by vendors. Attempts to retrofit older systems with digitization also introduce risks through remote access and other patches that serve as weak points.

Sophisticated Nation-State Actors Are Deliberately Targeting U.S. Energy Systems

As described above, energy infrastructure is highly vulnerable to cyber intrusions due to its age, the vast number of interlinked nodes, and the increasing prevalence of connected, rather than air-gapped, operational technology (OT) systems. In addition to being rife with inherent vulnerabilities, the energy sector is also considered a highly valuable target by nation-state cyber actors. While other U.S. sectors—including healthcare, finance, and telecommunications—have received the most cumulative attacks over decades, a 2023 study found the energy sector experienced almost 40 percent of all cyberattacks across critical infrastructure sectors.

Data from the European Repository of Cyber Incidents (EuRepoC)—which tracks politically motivated cyber incidents, focusing on state-sponsored cyber operations, hacktivism linked to political causes, and cyberattacks linked to geopolitical conflict—finds that from 2010 to 2024, energy sector cyberattacks were second only to telecommunications sector attacks during times of geopolitical (or “offline”) conflict (see Figure 1). The EuRepoC data includes only incidents that resulted in a demonstrable real-world outcome (e.g., disruption or data breach) rather than all attempts, and it defines the energy sector as electricity systems, oil and gas infrastructure, and major energy companies.


Highly capable nation-state actors, including the PRC, Russia, and Iran, rightly perceive that infiltrating energy systems can cause significant disruption to the United States, including in a future conflict; these states together account for roughly two-thirds, or 39 of 62, attributed cyberattacks on the energy sector (see Figure 2). Over the last several years, cyber activity linked to the PRC-affiliated actor Volt Typhoon has dominated U.S. government attention and cyber-related news headlines. This sophisticated campaign, which some experts believe may never be fully rooted out of U.S. energy and other systems, demonstrates the PRC’s intent and willingness to pre-position and maintain a persistent presence in order to disrupt U.S. critical infrastructure early in a conflict scenario. Indeed, of all observed cyberattacks targeting the energy sector recently, PRC state-sponsored actors, including Volt Typhoon, were responsible for most activity. Russia and Russian-aligned threat actors have also demonstrated a keen focus on targeting the grid in the United States, as well as in Ukraine and, in a recent attempted cyberattack on a NATO country, Poland.


While experts debate whether its cyber capabilities will be decisive in the current Middle East conflict, Iran has long demonstrated intent and capability to target U.S. critical infrastructure. Iran has traditionally targeted strategic sectors linked to the United States and Israel—including the defense industrial base, financial services, water utilities, and transportation infrastructure, many of which rely on outdated control systems. U.S. energy utilities were also previously targeted as part of a broader cyber campaign during the height of the Israel-Gaza conflict in late 2023 and early 2024. Notably, Iran-linked cyber actors gained access to these systems through “public internet-connected industrial control systems.” As the current conflict intensifies and the Iranian regime loses kinetic response options, the country could, by necessity, rely on disruptive cyberattacks like the early March attack on U.S. medical technology firm Stryker as part of its multidomain response to ongoing U.S.-Israeli airstrikes.

Attacks Are Accelerating with Severe Consequences of a Successful Strike

Attacks against the U.S. energy sector have been increasing. Exact numbers are difficult to establish because centralized data collection relies on self-reporting, which drastically undercounts the number of attacks. Additionally, the available data accounts for successful attacks rather than serving as comprehensive documentation of attack attempts, meaning it is not well suited for quantifying the evolving threat environment. Private research firms have attempted to fill this gap by surveying utilities and conducting industry analysis. Check Point Research estimated that U.S. energy and utilities (including electricity, oil and gas, and water) faced an average of more than 1,160 attack attempts per week per organization in 2024, up 70 percent from the previous year. There are varied motivations behind these attacks, ranging from criminal (e.g., financial gain, extortion, or data theft) to ideological (e.g., political or hacktivist). Nation-state motivated attacks are a limited subset of these, serving multiple purposes including pre-positioning, deterrence, intelligence gathering, and causing disruption during conflicts.

The United States has invested significant resources into energy sector cyber resilience in recent years due to a greater understanding of the threat environment and inherent vulnerabilities (Table 1), but federal actions alone are insufficient to prevent all attacks on the sector. The notable 2021 incident involving the large oil company Colonial Pipeline gives a sense of how quickly the economic impact of a large-scale energy sector cyberattack can escalate. This ransomware attack on the pipeline’s IT systems was financially driven and resulted in Colonial Pipeline shutting operations for five days to contain the attack, affecting about 45 percent of fuel supply to the East Coast. This resulted in regional price spikes, gas station outages, and a federal-level emergency response. Colonial’s direct financial cost was about $4.5 million in ransom payments. Indirect costs associated with the incident, such as business interruptions, consumer costs, and airline and trucking logistics disruptions, are estimated to have been much higher, in the range of hundreds of millions to billions of dollars.


NERC conducts the largest-scale grid security exercise, which explores the impacts of coordinated cyber and physical attacks on the grid and has modeled a multi-week cascading crisis. Another exercise, from 2015, estimated that a concentrated attack on 50 generators in the northeastern region of the United States (out of the approximately 700 generators across the region) would result in total impacts to the U.S. economy of $250 billion to $1 trillion—impacts which are likely to have increased substantially over the last decade of sustained electrification and technological innovation. Across these and other exercises, the biggest impacts arise from cascading failures and interdependent infrastructure. Recovery is slowed by supply chain limitations for physical infrastructure replacements.

Meeting an Escalating Cyber Threat to Energy Infrastructure Requires a Coordinated, Cross-Sector Response

Whether due to persistent operations by actors like the PRC or in the context of the ongoing conflict in Iran, U.S. energy infrastructure operators are increasingly subject to heightened cyber risks, and this trend is unlikely to reverse as geopolitical conflict intensifies. As noted above, studies show that the energy sector is experiencing increasing cyberattacks, and the sector is among the most targeted in the United States. In recent weeks, government agencies like CISA have urged government and private sector entities alike to shore up their defenses in light of greater risk from Iran and Iran-affiliated cyber threat groups. Government-adjacent groups (including information sharing and analysis centers) and cyber threat analysis industry groups have made similar assessments.

With over 80 percent of U.S. energy infrastructure owned by the private sector, close collaboration between public and private entities is necessary to identify and mitigate risks from the evolving threat environment. Additional consistent, mandatory cybersecurity requirements (such as the 2024 NERC/FERC standards) are essential to ensure the U.S. energy ecosystems as a whole are building in cybersecurity by design. Critical gaps that remain include technical assistance for small utilities and rural electric co-ops, comprehensive and timely data sharing, cybersecurity workforce capacity, and supply chain visibility into grid software and hardware components.

Adversaries are keenly aware that a successful large-scale attack on U.S. energy infrastructure would not stay contained to the energy sector; indeed, this fact heightens the appeal of such an attack. It would cascade across healthcare, water, transportation, and communications simultaneously, making the cost of inaction far greater than the cost of the coordination among federal, state, and local entities, as well as private owners and operators, required to prevent it. The question is no longer whether U.S. energy infrastructure will be targeted by determined nation-state and criminal actors; it is when—and whether the public and private sectors will close today’s critical gaps in coordination, capacity, and information sharing in time to prevent such attacks from achieving adversaries’ aims.

Leslie Abrahams is deputy director and senior fellow with the Energy Security and Climate Change program at the Center for Strategic and International Studies (CSIS) in Washington, D.C. Lauryn Williams is the deputy director and senior fellow in the Strategic Technologies Program at CSIS.