Senior government officials and lawmakers warned Friday that Iran may attempt to carry out cyberattacks against the U.S. in retaliation for the killing of Quds Force commander Qassem Soleimani.

"The Iranians have a deep and complex cyber capability, to be sure. Know that we have certainly considered that risk,” Secretary of State Mike Pompeo said on Fox News.

Iran has launched cyberattacks at the U.S. in the past. Case in point is Iran’s hacking of Bowman Dam in Rye, NY, located in Westchester County. In 2013, hackers infiltrated the dam which sparked concerns which reached the White House according to the Wall Street Journal. It was sheer lucj that this hacking did not take any lives.

At the time, no pun intended, Time Magazine said this was the future of war… And they were right.

In 2016 we reported the Iranian hackers who hacked the dam and financial institutions were indicted but they will likely never see justice as they are still in Iran. The seven accused were believed to have been working on behalf of Iran’s government and the Islamic Revolutionary Guard.

In June we told you the Department of Homeland Security warned businesses of Iranian hackers' favorite techniques: password spraying, credential stuffing, spear-phishing. Shortly thereafter we warned of the Iranian hacking group APT33 aka Elfin hacking Microsoft Outlook and IoT devices.

We give you this history so you realize Iranian hacking has already been a major problem. There is bipartisan concern things will now get worse.

Rep. Elissa Slotkin (D-Mich.), who formerly worked as a CIA analyst and served three tours in Iraq focused on Iran-backed militias, has also strongly warned of the potential for attacks on the U.S.

“The Iranian government has vowed to retaliate and avenge Soleimani’s death, and could do so in any number of ways: against our diplomats and service members or high-ranking military officers, against our allies and partners in the region, or through targeted attacks in the Western world,” Slotkin said in a statement. “It is critical that the Administration has thought out the moves and counter-moves this attack will precipitate.

“We will probably see an uptick in espionage, primarily focused on government systems, as Iranian actors seek to gather intelligence and better understand the dynamic geopolitical environment. We also anticipate disruptive and destructive cyberattacks against the private sphere,” said John Hultquist, director of Intelligence Analysis at FireEye, in a Friday statement.

Iran has not been afraid to go after its critic’s business interests. In the past they have attacked Sands casino in Las Vegas. Owned by Sheldon Adelson, who had argued publicly against the Iran deal. The casino’s networks were wiped clean, doing a reported $40 million in damage.

Iran has attacked many businesses before including industrial control systems and banks via distributed denial of service attacks (DDoS). Wha does that mean? By harnessing numerous internet devices which typically have been hacked and are for sale on the dark web, a hacker can direct thousands of computers to send a blast of traffic to a website - until it is effectively shut down.

Iran also possesses a vast trove of intelligence, thanks to a sustained campaign of intellectual property theft against hundreds of U.S. academic institutions, according to the Department of Justice. It said the targets have included universities that conduct biological, chemical, defense industrial, space and nuclear research for the federal government.

The above is a fairly comprehensive list of Iranian attacks and related information which is publicly available. Attacks from other countries have been fairly similar. There is an exception. NotPetya did well over $10 billion in damage and was said to be a targeted attack by Russia. It used phishing and a website takeover to target Ukrainian and other European companies. It acted like ransomware in terms of how it propogated but did not allow computers to have their files unscrambled. No money was sought.

There is no way to be 100% protected – there are however many precautions all companies and organizations should take immediately. If you are protecting an industrial control system, this article has five steps worth considering.

You should follow these steps:

1) Read cybersecurity essentials – a simple list which will help most organizations become far more secure.

2) Go to a phishing simulation vendor now and sign up for one of their offerings. Phish360 is great and costs nothing to get started. This is needed to train workers by testing them without their knowledge by sending real-looking emails to their inboxes. If they click, they are immediately trained on what not to do.

3) We also recommend you get a free evaluation of your cybersecurity risk from an MSP/MSSP immediately – they can also help you build in the needed compliance to reduce the risk of being fined.