Iran may test US corporate cyber defenses as nation braces for retaliation

U.S. businesses and operators of major infrastructure such as power grids and dams could be targeted by Iran after the assassination of the Islamic republic's top military commander, Qassem Soleimani, in what could be corporate America's greatest cybersecurity challenge to date.

The U.S. Department of Homeland Security on Jan. 6 issued guidance urging companies to review security and emergency preparedness plans, back up critical information, and train staff on cybersecurity best practices. The department specifically noted Iran's targeting of finance, telecom and energy, and its heightened interest in industrial control systems and operational technology.

Iran has a history when it comes to cyber aggression.

In 2014, it launched a cyberattack against Las Vegas Sands Corp., a casino company controlled by Sheldon Adelson, a major supporter of Israel, according to James Clapper, the director of national intelligence under the Obama administration. The hackers stole Social Security numbers, credit card data and other personal information from customers.

Between 2011 and 2013, dozens of major U.S. financial institutions including JPMorgan Chase & Co. and American Express were targeted in a series of attacks orchestrated by the Iranian government intended to shut down companies' vital computer systems, the U.S. government alleged.

'Easy targets'

Despite major advances in corporate cyber defense in the intervening years, U.S. companies remain vulnerable to exploitation by the most sophisticated state actors, particularly those in the energy, telecoms and finance space, according to James Lewis, senior vice president and director of the technology policy program for the Center for Strategic and International Studies in Washington.

"The Iranians are going to say, 'In one of those sectors, are there easy targets that I can go after?' The answer is yes," Lewis said in an interview.

Lewis said Iranian hackers have been targeting the telecom and travel industries since at least 2014 to steal personal information of citizens in the U.S., Europe, Australia and Middle East, and have conducted cyber attacks on thousands of people at more than 200 oil and gas and heavy machinery companies across the world.

The most vulnerable would be smaller U.S. companies in these industries, particularly because their systems are more vulnerable and easier to penetrate. Larger firms may be protected, though that is not always the case.

"The first and most likely target is data," Lewis said. "And not just stealing it but destroying it. Then disrupting the service."

Weapon of choice

As commander of Iran's Quds Force, Soleimani developed the network militias and clandestine forces that have helped Iran fight proxy wars against its enemies in Lebanon, Syria, Yemen and beyond in recent years. He was among those killed Jan. 3 in a U.S. airstrike on an airport in Iraq.

By operating through proxies, Iran has been able to carry out operations that it can easily deny links to, such as the drone attack on Saudi oil facilities in Abqaiq and Khurais in September 2019. The U.S. Department of Defense said Quds Force was "responsible for the deaths of hundreds of American and coalition service members and the wounding of thousands more."

Cyber warfare offers another route through which Iran can carry out deniable attacks and expand its reach even further geographically. It also reduces the risk of physical harm to U.S. troops and civilians and makes it difficult for the U.S. to justify a military response.

However, cyberattacks are not without risks. Even if successful, they could prompt retaliation from the U.S., which is thought to have carried out a number of cyber operations against Iran in recent years, most famously an alleged attack on the nation's uranium enrichment program via Stuxnet in 2009.

The U.S. also carried out a cyberattack against Iranian "physical hardware" in September 2019, Reuters reported, in response to the Saudi oil facilities attack. The attack targeted Iran's ability to disseminate propaganda, according to the report. Washington, in tandem with Israel, is also alleged to have used a computer worm to cause heavy damage to Iran's nuclear program in 2010.

Counting the cost

Brown Brothers Harriman, a financial services firm, is telling its clients they should expect the conflict to be fought through proxy battles, including cyberattacks and verbal posturing, but not through direct conflict.

S&P Global Ratings concurred that the threat of full-scale military conflict is remote. "We continue to believe that any escalation will remain contained given that a direct conflict would be economically, socially, and politically destabilizing for the entire region, including US-Gulf allies," it said in a note.

Still, the financial and operational damage to its targets can be considerable.

A February 2018 report from the White House estimated that malicious cyber activity cost the U.S. economy $57 billion to $109 billion in 2016. The U.S. Department of Justice said the attacks on the financial giants cost them millions of dollars in lost business. Seven Iranian hackers were indicted.

Energy targets

For the energy sector, Lewis said a possible attack could mean turning off a pipeline or interfering with an electrical facility or dam, the latter of which Iran has previously probed. In 2013, hackers accessed the control system of a dam near New York City but did not manipulate any controls. An Iranian group later claimed responsibility, though it was unclear whether the Tehran government was involved.

Iran has also targeted oil producers in the Middle East, including a cyberattack in 2012 on the oil behemoth Saudi Arabian Oil Co., disabling key technology and stifling the production of oil.

The North American Electric Reliability Corp., which regulates the power grid, is monitoring the unfolding situation withIran and working with government and industry stakeholders to share information and insights so U.S. interests are fully prepared, said Jim Robb, the agency's president and CEO.

"Security threats are not new to our industry," Robb said in an interview. "However, they are ever-changing, and our game must always improve."