The following bulletin is a from the Water Information  Sharing and Analysis Center:

Yesterday, the U.S Department of Homeland Security (DHS) issued a new National Terrorism Advisory System (NTAS) Bulletin pertaining to the changing threat landscape following the U.S. strike that killed Iranian Major General Qassem Soleimani. Noting that Iran and several of its affiliates have threatened retaliation against the U.S., the Bulletin addresses the possibility of both cyber and physical attacks. In releasing the Bulletin, DHS Acting Secretary Chad Wolf emphasized that currently “there is no specific, credible threat against the homeland” and that the information was being provided to “inform, share protective measures, and reassure” partners.

In terms of cyber attacks, the Bulletin states “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Additionally, during a conference call hosted by the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) late Friday, CISA Director Chris Krebs advised critical infrastructure stakeholders to be on the lookout for destructive attacks. He advised that any activities observed now were less likely to be preparatory activities and more likely to take advantage of footholds Iranian threat actors had already gained in systems. These activities could entail destructive “wiper” attacks (for example, the Shamoon attack against the Saudi Arabian oil company Saudi Aramco). To help prepare themselves for any of the types of cyber attacks Iranian threat actors might employ, Krebs encouraged partners to review the CISA Insights: Ransomware Outbreak document that was released in late August, backup data (and store that data offline), patch systems, and have an incident response plan.

Both the Bulletin and Krebs also warned of the possibility of physical attacks, with the former noting that “Homegrown Violent Extremists could capitalize on the heightened tensions to launch individual attacks” and adding that “an attack in the homeland could come with little or no warning.” To help prevent, mitigate, and respond to any physical attacks, Krebs recommended partners keep in mind four key tenets: Connect, Plan, Train, and Report, noting the following about each:

  • Connect: Actions include engaging with your Protective Security Advisor (PSA) to ensure you have access to security resources.
  • Plan: Now is the time to ensure you have a plan. If you don’t have a plan, now is the time to start building one.
  • Train: Refresh your training, especially as people are coming back from the holidays. PSAs can assist with training.
  • Report: If you see something, say something. Bake indicators of suspicious behavior into your plans (see Homegrown Violent Extremist Mobilization Indicators on the WaterISAC portal).

Please report any malicious or suspicious activities to WaterISAC at or 866-H2O-ISAC as well as to the appropriate authorities, including the FBI (via a local field office or and DHS CISA (via its online reporting form, email at, or phone at 888-282-0870).

WaterISAC will continue to monitor for additional information and share as appropriate.