How these adversaries move through a critical infrastructure environment is not what most people picture. Here is what the progression actually looks like, and why most organizations cannot see it happening.
Part 1 of this series established that Iranian-affiliated cyber adversaries are not preparing to enter U.S. water systems, energy infrastructure, and municipal facilities. They are already operating inside them. Part 2 goes deeper. Once access exists, what happens next?
The answer follows a deliberate pattern. Reconnaissance conducted before the first intrusion attempt. Entry through valid credentials that trigger no alerts. Internal mapping of the environment before any disruptive action is taken. Lateral movement from IT systems into operational technology. Persistence built to survive detection. And then patience, waiting for the right moment to act.
This piece walks through each phase of that progression, explains why zero trust has become the standard framework for addressing this class of threat, and addresses why most critical infrastructure environments cannot see any of it happening until it is too late.