Why A Global Crisis Is A Wake-Up Call For Your Resilience Strategy

Most organizations operate under the assumption that systems are adequately protected because they haven’t been targeted yet.

John Bruggeman, CISSP, consulting CISO for CBTS and OnX, both of which are MSPs and MSSPs. Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

In April 2026, the FBI, CISA, NSA, EPA, Department of Energy and U.S. Cyber Command issued a joint advisory warning that Iranian-affiliated APT actors had been actively exploiting internet-facing programmable logic controllers (PLCs) across U.S. critical infrastructure since at least March 2026.

PLCs control physical processes in water systems, energy facilities, manufacturing and government systems. CISA’s identification of Iranian-affiliated actors targeting these devices, rather than broadly deployed IT assets, suggests an interest in gaining access that could enable operational disruption of critical infrastructure. Organizations across multiple sectors experienced operational disruption and financial losses from November 2023 to March 2026. I don’t believe that six federal agencies would issue a joint advisory like that unless they see the same pattern across multiple environments and know that the threat is active. They also know how targeted organizations can find indicators of compromise to determine whether Iranian actors are in their environment.

Most organizations don’t operate water treatment facilities or energy grids, but the advisory exposes a broader issue: the assumption that systems are adequately protected because they haven’t been targeted yet. The threat actors weren’t exploiting exotic zero-days. They were getting in through internet-facing devices with weak authentication controls, systems that organizations deploy and then largely stop thinking about. This isn’t just on-prem gear; the same pattern turns up in cloud environments as often as it does in operational technology.

Often, organizations I work with have critical workloads running in a single region or a single availability zone. When I ask why, the answer is usually some version of “the cloud is resilient” or “that is all we have budget for.” In many environments, that assumption holds right up until disruption occurs. Cloud providers design their regions with multiple availability zones that are physically separated to survive localized failures like power outages or equipment malfunctions. But resilience by design isn’t the same as resilience in practice. A workload deployed into a single zone gets none of that separation, configurations drift over time, and operational assumptions often go untested. Organizations that can’t answer “What would an outage actually cost us?” are usually the least prepared when something goes wrong.

The risks aren’t limited to physical infrastructure. The month before the joint advisory was distributed, Stryker, one of the world’s largest medical device companies, was the victim of a cyberattack. Handala, the Iran-linked group that claimed responsibility for the massive disruption, didn’t use malware. Instead, they used management tools to cripple systems. Handala claimed to have accessed Stryker’s Microsoft Intune environment and remotely wiped 200,000 devices, a figure that hasn’t been verified. Public reporting has cited different figures, and we may never know the real number.

Incidents like these illustrate that resilience gaps can hide in configurations and systems that feel safe because they are run with trusted tools, and those gaps can create bigger problems than ever before. You don’t need a war to create a problem that demands resilience. Floods, earthquakes, fires or DNS configuration issues can cause large-scale infrastructure failures that take out multiple facilities in the same region. The specific cause matters less than the outcome: if your critical systems are concentrated in one place, you have a single point of failure.

To be prepared, you want to build true resiliency into your infrastructure, both on premises and in your cloud environments. But where do you start?

You start with a business impact assessment (BIA). A BIA answers two questions that drive every decision that follows:

1. Which of your systems are actually critical to the business? Contrary to popular belief, not everything is.

2. What does it cost when those systems go down? You need a real number that accounts for lost revenue, lost productivity, recovery costs and reputational damage.

Once you know what it costs to be down for a minute, an hour or a day, you know how much to invest to protect those systems.

When leaders understand what a regional outage would actually cost them, it changes the conversation. A 2025 report on the state of resilience found that per-outage losses can range from at least $10,000 to more than $1 million. With that number in hand, the cost of adding a second region or distributing workloads across multiple availability zones goes from an “additional expense” to insurance, or an “obvious investment.”

The BIA feeds directly into your business continuity plan (BCP). The BIA tells you what’s critical and what it costs to lose it. The BCP tells you how to protect it and how to recover when something goes wrong. Without the BIA, your continuity plan is built on assumptions. With it, you’re designing your cloud architecture, whether that is a multi-region configuration, a multi-zone configuration or something else, based on real numbers and real business priorities.

The threat environment is active and constantly changing, but the lesson here extends well beyond this specific threat and the current conflict. Whether the disruption comes from a state-sponsored APT, a hurricane, a ransomware attack or a misconfigured admin account, the question is the same: Do you know which of your assets are critical, and have you built your infrastructure to survive losing a region? Build that resilience now, before you need it.
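The BIA-to-BCP step described above can be turned into a check you run against your own inventory. The following is an added example, not code from the article or from the author: a small Python audit that takes BIA figures and replica placements for a few hypothetical workloads (every workload name, zone identifier and dollar figure is a constructed assumption), computes the hourly cost of downtime per system, flags critical systems whose replicas all sit in one availability zone or one region, prices a regional outage of a given length, and compares the yearly cost of a second zone or region against the expected yearly loss so the "insurance" decision rests on a number.

```python
"""Added example (not from the article): a BIA-driven single-point-of-failure audit.

Every workload name, zone identifier and dollar figure below is a constructed
assumption used to make the example run offline.
"""
from dataclasses import dataclass, field


@dataclass
class Workload:
    name: str
    critical: bool                       # BIA question 1: is it critical?
    lost_revenue_per_hour: float         # BIA question 2: per-hour losses
    lost_productivity_per_hour: float
    recovery_cost: float                 # one-off costs per outage event
    reputational_cost: float
    # Where replicas run, as (region, availability zone) pairs
    placements: list = field(default_factory=list)

    def hourly_cost(self) -> float:
        return self.lost_revenue_per_hour + self.lost_productivity_per_hour

    def outage_cost(self, hours: float) -> float:
        """Cost of one outage of the given length: per-hour losses plus event costs."""
        return self.hourly_cost() * hours + self.recovery_cost + self.reputational_cost

    def regions(self) -> set:
        return {region for region, _zone in self.placements}

    def zones(self) -> set:
        return set(self.placements)


def single_points_of_failure(workloads):
    """Critical workloads that are lost in full when one zone or one region fails.

    Returns (name, reason) pairs in inventory order; non-critical workloads
    are skipped because the BIA says they do not drive the decision.
    """
    findings = []
    for w in workloads:
        if not w.critical:
            continue
        if len(w.zones()) <= 1:
            findings.append((w.name, "single availability zone"))
        elif len(w.regions()) <= 1:
            findings.append((w.name, "single region"))
    return findings


def regional_outage_cost(workloads, region: str, hours: float) -> float:
    """Cost of `region` being unavailable for `hours`.

    Only workloads with no replica outside the failed region contribute; a
    workload with a replica elsewhere is assumed to keep running.
    """
    total = 0.0
    for w in workloads:
        if not {r for r, _zone in w.placements if r != region}:
            total += w.outage_cost(hours)
    return total


def investment_priority(workloads):
    """Critical workloads ordered by hourly downtime cost, highest first."""
    critical = [w for w in workloads if w.critical]
    return [w.name for w in sorted(critical, key=lambda w: w.hourly_cost(), reverse=True)]


def redundancy_pays_off(workload, annual_redundancy_cost: float,
                        outages_per_year: float, hours_per_outage: float) -> bool:
    """Compare the yearly cost of a second zone/region with the expected yearly loss."""
    expected_loss = outages_per_year * workload.outage_cost(hours_per_outage)
    return expected_loss > annual_redundancy_cost


# Constructed inventory: hypothetical systems, zones and BIA figures.
INVENTORY = [
    Workload("order-api", True, 25_000, 5_000, 40_000, 100_000,
             [("us-east-1", "us-east-1a"), ("us-east-1", "us-east-1b")]),
    Workload("payments-db", True, 40_000, 2_000, 80_000, 250_000,
             [("us-east-1", "us-east-1a")]),
    Workload("identity-idp", True, 15_000, 20_000, 30_000, 150_000,
             [("us-east-1", "us-east-1a"), ("us-west-2", "us-west-2b")]),
    Workload("internal-wiki", False, 0, 1_000, 2_000, 0,
             [("us-east-1", "us-east-1c")]),
]

if __name__ == "__main__":
    for name, reason in single_points_of_failure(INVENTORY):
        print(f"SPOF: {name} ({reason})")
    print("Invest first in:", investment_priority(INVENTORY))
    print(f"8-hour loss of us-east-1: ${regional_outage_cost(INVENTORY, 'us-east-1', 8):,.0f}")
    db = INVENTORY[1]
    print("Second zone for payments-db worth $150k/yr?", redundancy_pays_off(db, 150_000, 1, 8))
```

In the constructed inventory, payments-db is flagged for running in one zone and order-api for running in one region, while identity-idp survives a loss of us-east-1 because it has a replica in us-west-2. The placement list is the part to feed from a real source (a cloud inventory export, a CMDB, a Terraform state file); the cost model stays the same.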







