Cyber agency staff furloughs could challenge energy sector as threats grow

The US Department of Homeland Security's decision to furlough two-thirds of its cybersecurity staff could increase risks to US energy infrastructure, as defense analysts track a rise in cyberattacks targeting the operational systems of the nation's critical assets in the wake of the Iran war.

The US Cybersecurity and Infrastructure Security Agency (CISA) furloughs were discussed on Capitol Hill March 3 at a Senate Judiciary Committee hearing, when then-DHS Secretary Kristi Noem said that the cyber agency had been significantly degraded.

The CISA furloughs followed a partial government shutdown that began in February, after Democrats refused to fund the DHS unless Republicans agreed to changes to immigration enforcement as part of a budget deal.

In a March 10 email, a CISA spokesperson reiterated the impact of the furloughs on the agency, referring to Noem's written testimony that said while the agency can continue to respond to imminent threats and maintain its 24-hour operations center, "proactive work that keeps our adversaries at bay ... is delayed or halted."

Actions suspended due to the shutdown include cyber defense development, issuing timely directives to federal agencies, implementing critical incident reporting requirements, and delivering assessments, training, and exercises to state, local, tribal, territorial, and private organizations, CISA said.

Some utility groups said they were optimistic that CISA can continue monitoring for threats, but defense experts noted that Iran, its affiliates and its allies are gaining strength in probing the US energy system for weaknesses.

"Iran has gotten better" at cyber warfare over the last decade, said Ben Jensen, senior defense fellow at the nonpartisan Center for Strategic and International Studies, who heads the think tank's Futures Lab project that uses AI to help identify security risks.

As Iran's cyber capabilities have risen, US cyber defenses have become "potentially weaker due to both ongoing [staff] changes at CISA and the fact that the ongoing operation [of the agency] was likely highly compartmentalized," Jensen told Platts, a part of S&P Global Energy.

This may have kept certain information siloed, especially in the wake of the furloughs, meaning that regular information sharing with the industry may be stifled or no longer occurring regularly, Jensen said.

Cyberattack activity increases

Meanwhile, cybersecurity threat analysts have been tracking a rise in cyberattack activity by Iran and its ally Russia since the opening wave of US-Israeli airstrikes on Feb. 28.

Adam Meyers, head of counter-adversary operations at the cybersecurity firm CrowdStrike, said cyberattacks by Iran's Islamic Revolutionary Guard Corps have been limited, as the regime has primarily focused on its drone and rocket response.

However, CrowdStrike saw a surge in activity by pro-Iranian Russian hacktivists that began Feb. 28 and continued through March 2, Meyers said. What makes that concerning is that some of the Russian hackers have a proven track record of successfully disabling power grids.

Meyers said one of the Russian affiliates has claimed it has successfully hacked into US industrial control networks and supervisory control and data acquisition, or SCADA, systems.

The Russia-linked hacker group Z-Pentest recently claimed responsibility for compromising several US-based entities' industrial control and electro-mechanical SCADA systems. These systems are commonly used by utilities, railroads, and other heavy industries.

The group also claimed to have hacked multiple closed-circuit video monitoring networks, Meyers told Platts. These video monitoring networks can be used to secure power plants and other critical energy infrastructure such as oil refineries. Crowdstrike is still trying to verify the group's claims.

"The timing of these unverified claims, coinciding with [the US-Israeli] Operation Epic Fury, suggests Z-Pentest likely began prioritizing US entities as targets," Meyers said. "Western organizations should continue to remain on high alert for potential cyber response as the conflict continues and activity may move beyond hacktivism and into destructive operations."

In a Feb. 26 brief ahead of the war, Jensen said that cyberattacks by Iran and its proxies could range from hacking into systems to spreading propaganda to targeting critical infrastructure.

"The regime has a documented history of substituting cyber operations for its traditional approach to proxy warfare in terrorism," Jensen wrote. Between 2012 and 2014, Iran targeted US financial institutions, oil giant Saudi Aramco, and the Las Vegas Sands Corp., he said. "More recently, there was a 700 percent increase in cyberattacks targeting Israel in the two days following Israel's military strikes in Iran in 2025," Jensen added.

A decade ago in the US, Iran successfully hacked into a small dam system just outside of New York City. Although no harm was caused, the FBI said the incident demonstrated Iran's growing ability to hack into critical control systems.

In 2024 and 2025, CISA warned about the potential for Iran to initiate cyberattacks against US critical infrastructure, including all sectors of the US energy industry.

Utilities on high alert

Utility industry trade group the American Public Power Association (APPA) told Platts its members have been on high alert since the bombings began.

APPA spokesperson Tobias Selier said in an email that APPA's operations team is in touch with the DHS, and "despite the lapse in federal funding, many DHS officials continue on the job, and we have close working relationships with them."

Kimberly Denbow, vice president for security and operations at the gas-utility trade group the American Gas Association (AGA), said they and other trade groups have received calls from the DHS advising them to stay vigilant, but that the conflict in the Middle East has made it "challenging" to work with CISA.

Nevertheless, the trade group has been preparing for this situation since 2025, when the Department of Government Efficiency (DOGE), led by then-presidential adviser Elon Musk, began its program of broad staff cuts.

"We rely on the government, but we have learned not to rely solely on the government, especially when what happened last year with DOGE," Denbow said in a March 5 interview with Platts. AGA decided back then that it needed a better mechanism to address cybersecurity threats, "because we can't count on this to be there for us."

"We did a deep dive into what programs ... we rely on from the government and where we can backfill that so that we're not having all of our eggs in one basket," she said.

"It is challenging at CISA when it's hard for us to know how this administration feels about the role for CISA," Denbow said. "We're going to keep on doing what we do, and with respect to where CISA fits in with us, we are in a wait-and-see."