As U.S. strikes on Iran continue, questions are mounting about the risk of retaliatory cyberattacks on American infrastructure.
Alex K. Jones, electrical engineering department chair and professor in Syracuse University’s College of Engineering and Computer Science, breaks down the realistic threat landscape—from water systems and power grids to the looming question of quantum computing—and explains what organizations can do to protect themselves.
With strikes on Iran underway, what types of cyberattacks should Americans realistically be worried about, and who’s most at risk?
I don’t think we should expect the kinds of widespread cyberattacks that are portrayed in television and movies. Those scenarios make for dramatic storytelling, but from a systems perspective they are actually quite difficult to execute at national scale.
The sectors most likely to see isolated incidents are critical infrastructure and utilities such as energy and water systems, hospitals, local governments and industries with direct ties to the Department of Defense or close U.S. allies like Israel. These are attractive targets because disruption there can create visible impact without requiring extremely sophisticated capabilities.
At the same time, launching a large coordinated attack across many infrastructure systems is technically difficult. Many of these systems are distributed and highly heterogeneous. The hardware, operating systems, control software and network architectures can vary widely from facility to facility. That diversity actually acts as a kind of natural barrier against large-scale synchronized attacks.
Where the real risk lies is in smaller, localized disruptions, particularly in environments that rely on embedded computing, industrial control systems, or highly customized software.
Iran has historically targeted water systems, power grids and industrial control systems. From a hardware and systems design standpoint, why are those targets difficult to defend?
Water systems, power grids and industrial control systems are typically designed first and foremost for safety-critical and real-time operation, not for constant software updates or rapid security patching.
These environments also contain hardware that often remains in service for decades, and many of the control devices were designed before modern cybersecurity threats were fully understood. As infrastructure operators modernize toward what is often called Industry 4.0, they are increasingly connecting sensors, controllers and distributed systems so they can respond more effectively to real-time data across a network.
The challenge is that some of these systems were originally designed to operate in isolated environments, and when networking capabilities are added later, they can introduce vulnerabilities that were not anticipated in the original hardware design.
Another factor is that updating these systems is inherently difficult. In consumer computing environments like phones or laptops, the ecosystem expects rapid security patching and frequent software updates. In industrial environments, however, updates must be carefully tested because even a small change could interrupt a physical process such as water treatment or grid balancing.
As a result, patch cycles are often much slower, and some systems may operate for long periods on legacy software or firmware. That combination of long equipment lifetimes, increasing connectivity and slower update cycles makes industrial infrastructure significantly more challenging to secure than typical IT systems.
Iran relies heavily on a network of hacktivist proxies to carry out attacks. How does that complicate attribution, and does it matter who’s technically “behind” an attack when the damage is already done?
From a technical perspective, we think of this question in terms of cyberforensics, which is difficult. Attackers can hide behind multiple layers of infrastructure. Traffic may pass through compromised machines in several countries before reaching the target, so the source of the connection you see in the logs is rarely the actual attacker.
Investigators usually rely on a combination of signals. One is infrastructure analysis, looking at things like command-and-control servers, domain registrations and network routing patterns. Another is toolchain analysis, where analysts examine malware or scripts used in an attack and look for similarities to tools used in previous operations.
When governments rely on hacktivist proxies, that signal becomes noisier. Different groups may share tools, copy techniques from each other or intentionally mimic other actors. That makes it harder to determine whether an attack was directly coordinated by a state or carried out by loosely affiliated actors.
Quantum computing is advancing rapidly. How close are we to a moment where adversaries could use quantum capabilities to break the encryption protecting our most sensitive infrastructure?
Many encryption algorithms rely on mathematical problems that are easy to perform in one direction but extremely difficult to reverse without special information. A classic example is large integer factorization. If you know a small piece of trusted information such as a key, encrypting and decrypting data is straightforward, but recovering that key without it becomes computationally very difficult. Quantum computers are theoretically well suited to solving certain problems like large integer factorization.
However, production quantum computers are still relatively early in their development. Even the most advanced machines today remain quite noisy and operate with relatively modest numbers of usable qubits. Because of these limitations, the most practical applications of current quantum systems tend to be in areas like materials science, chemistry simulation, and certain optimization problems.
We are likely still a decade or more away from quantum machines capable of large-scale codebreaking. That said, there is significant effort underway in what is called post-quantum cryptography—newer cryptographic approaches based on mathematical problems believed to remain difficult even for quantum computers.
The important step now is investing in the development and deployment of these post-quantum cryptographic systems, so that critical infrastructure can migrate to quantum-resistant encryption well before large-scale quantum computers become capable of breaking current methods.
What’s the single most important thing that organizations—hospitals, local governments, etc.—should be doing right now to harden their defenses?
Most successful cyberattacks actually begin by exploiting people rather than technology, often through methods like phishing emails or credential theft. It is conceptually very difficult for an attacker to penetrate many systems directly without first gaining access through some form of human compromise.
Because of that, one of the most effective things organizations can do right now is increase awareness and training around phishing and social engineering attacks. During periods of geopolitical tension, attackers often increase these kinds of campaigns because they are inexpensive and highly effective. Training employees to recognize suspicious messages and to report them quickly can prevent many attacks before they ever reach critical systems.
Beyond that, organizations should focus on reducing easy entry points—inventorying and updating older hardware and software systems, ensuring security patches are applied where possible, and removing outdated or unsupported equipment that may contain known vulnerabilities.
Many organizations also benefit from working with external cybersecurity firms that can conduct red-team exercises or penetration testing. These tests help identify weak points in institutional infrastructure so they can be addressed before attackers exploit them.
In practice, attackers almost always start by looking for the lowest-hanging fruit. The goal for organizations should be to systematically eliminate those easy opportunities by strengthening both human awareness and technical defenses.
Alex K. Jones is a professor of electrical engineering in the College of Engineering and Computer Science at Syracuse University. His research focuses on computer architecture, hardware security and embedded systems. He is available for interviews on cybersecurity, critical infrastructure protection and related topics.
