The 2026 U.S.-Iran War and the Global Energy Crisis
Chapter 29: The Power Grid Is the New Battlefield
Kim Kyung-jin
29.1 Targeting Power Plants and Substations
On March 1, 2026, at 2:47 AM Tehran time, a squadron of Israeli Air Force F-35I Adir fighters appeared above Tehran. The target was a military zone in western Tehran where the Islamic Revolutionary Guard Corps (IRGC) headquarters was concentrated. At the moment precision-guided bombs penetrated the building and detonated, three nearby high-voltage transmission towers were struck by fragments and collapsed. A 230-kilovolt transmission line carrying power toward Karaj was severed. Protective relays in substations across eastern and western Tehran triggered cascading shutdown signals. Four minutes later, approximately four million of the twelve million people in the Tehran metropolitan area were plunged into darkness.
Two days later, Iran's Ministry of Energy issued an official statement. Its explanation was that "fragments struck high-voltage transmission towers and substations." This meant the bombs had not directly targeted power facilities but caused collateral damage. Yet the result was the same. Tehran's night went dark, hospital backup generators began running, and the subway stopped.
The power grid is a vast flow composed of three stages: generation, transmission, and distribution. Electricity produced at power plants travels hundreds of kilometers before voltage is stepped down at substations and delivered to homes and factories. One fatal physical constraint applies to this flow: electricity cannot be stored. Production and consumption must balance by the second. When this balance breaks, frequency wavers, and protective devices activate, cutting circuits. When one substation fails, its load surges to neighboring substations, which then shut down from overload. This is cascading failure. This is exactly what happened when the three transmission towers in western Tehran collapsed.
The idea of targeting the power grid in warfare is not new. In 1943, the Royal Air Force bombed the Möhne and Eder dams in Germany's Ruhr industrial region. When the dams collapsed, hydroelectric generation ceased and munitions factories in the Ruhr suffered power shortages. In the 1991 Gulf War, this idea matured into systematic doctrine. Colonel John Warden of the U.S. Air Force viewed an adversary nation as an organism made up of five concentric rings. The innermost ring was leadership, the second was key production facilities, and the third was infrastructure. Warden argued that cutting power first among infrastructure would simultaneously paralyze the remaining four rings. The U.S. military implemented this theory. In the first week of the war, it concentrated precision-guided strikes on Iraqi power plants and substations, and Iraqi air defense radars, communications networks, and command systems collapsed all at once.
The 2022 Russia-Ukraine War proved this doctrine remained valid 35 years later. Beginning in October 2022, Russia persistently struck Ukrainian thermal power plants, hydroelectric power plants, and substations with cruise missiles and Shahed loitering munitions. Heating was cut off in winter temperatures below minus ten degrees Celsius. Water pumps stopped, leaving no tap water. Communications towers were powered down, rendering cell phones useless. In hospitals, electricity failed during surgery, forcing doctors to maintain patients' breathing with manual ventilators.
The destructiveness of power grid strikes stems from the physical characteristics of one of its components: the large power transformer (LPT). A transformer steps down ultra-high-voltage electricity of 345 kilovolts or above produced at power plants to voltages usable in homes, or steps it up for transmission. These units weigh hundreds of tons. Inside is a precise structure of copper coils filled with insulating oil. Only a handful of companies worldwide can manufacture them. According to the International Energy Agency's 2026 report, transformer prices have risen 75 percent since 2018, and lead time from order to delivery now stretches four years. When a single missile destroys a transformer, the area served by that substation may lack normal power supply for four years.
In the 2026 Iran War, the significance of power grid strikes differed from the Gulf War or the Ukraine conflict. This was not solely Iran's problem.
President Trump posted on Truth Social on March 21. He said that if Iran did not open the Strait of Hormuz within 48 hours, he would "obliterate" Iran's power plants, starting with the largest. That same day, Iranian Parliament Speaker Mohammad Baqer Qalibaf responded on X. He warned that if Iran's power plants and infrastructure were struck, he would carry out unlimited retaliatory strikes on Saudi Arabia's, the UAE's, and Kuwait's power plants and desalination plants.
To understand why this threat threw the entire Gulf region into panic, we must know the water situation in Gulf countries. The Arabian Peninsula receives less than 100 millimeters of annual rainfall, making it an extreme desert. Natural freshwater resources are nearly nonexistent. Kuwait obtains 90 percent of its drinking water from desalination facilities, Bahrain 95 percent, and the UAE 42 percent. Saudi Arabia is the world's largest desalination producer. The six GCC countries account for 60 percent of global desalination capacity. These facilities produce freshwater by boiling seawater or filtering it through reverse osmosis membranes, both of which consume enormous amounts of electricity. If power is cut, freshwater production stops. Electricity is water, and water is survival.
Damage actually occurred. On March 7, Iranian Foreign Minister Abbas Araghchi claimed the United States had struck a desalination facility on Qeshm Island in southern Iran, disrupting drinking water supply to 30 villages. The U.S. denied this. Shortly after, Bahraini authorities announced that Iranian drones had caused physical damage to Bahrain's desalination facilities. In Kuwait, an auxiliary building of a combined desalination and power plant was damaged by Iranian attacks, killing an Indian worker. Iranian missiles also fell near the Fujairah combined power-desalination complex in the UAE. Iran's March 2 attack on Dubai's Jebel Ali port struck just 20 kilometers from a major desalination complex producing 160 billion gallons of water annually.
Michael Christopher Low, a history professor at the University of Utah, summarized this situation with the phrase "Saltwater Kingdoms." Gulf countries earn money from oil, but survive by using electricity made from that oil to turn seawater into drinking water. The miracle of the oil age has become the fatal vulnerability of the oil age.
David Michel of the Center for Strategic and International Studies (CSIS) made this point: 40 years ago, the CIA had already warned in classified reports of the security vulnerabilities created by the Gulf countries' desalination dependence. The 2026 war revealed that this vulnerability had not only gone unresolved for 40 years but had deepened.
Power grid strikes operate on two levels. At the direct military level, when power fails, air defense radars, communications networks, and command systems become useless. Modern military operations are highly networked; without reliable power, a single missile cannot be fired. At the indirect socioeconomic level, when power fails, water fails, and when water fails, survival is threatened. In regions like the Gulf where summer temperatures approach 50 degrees Celsius, if air conditioning and drinking water vanish simultaneously, a humanitarian catastrophe begins within days.
When Tehran fell into darkness, citizens came into the streets, switched on their phone flashlights, and cried for help. Israel and the United States intended to destroy the IRGC headquarters, but they imposed on the Iranian government the political burden of explaining "why millions of citizens are left in pitch darkness." Cutting power is a double blow: it paralyzes the enemy's military while imposing a governance crisis on the enemy's government.
At the end of March 2026, Trump announced he would accept Iran's request and extend the grace period on power grid attacks by ten days until April 6. This decision itself demonstrated the strategic importance of the power grid. It was not nuclear facilities or missile bases but power plants that became the lever in negotiations. The cooling towers and steel structures of power plants and substations now stood on a front line as fiercely contested as any trench.
29.2 A Single Line of Code Stops the Grid
On February 28, 2026, at 9:45 AM Tehran time, before the first Tomahawk cruise missile entered Iranian airspace, the battlefield was already open. At a March 2 press briefing, Chairman of the Joint Chiefs of Staff General Dan Caine said this: the U.S. Cyber Command (USCYBERCOM) and Space Command had been "first movers." They had "layered non-kinetic effects" to "disrupt, weaken, and blind Iran's ability to see, communicate, and respond."
General Caine did not disclose specifics. But the results showed in numbers. According to the Unit 42 analysis team at Palo Alto Networks, Iran's internet connectivity plummeted to 1-4 percent starting the morning of February 28. As of March 25, Iran had been in a state of effective internet blackout for 27 consecutive days. Even before physical bombing began, Iran's integrated air defense system (IADS) was already blind.
The fact that cyber attacks can physically destroy energy infrastructure was first proven in 2010. That summer, a Belarusian security firm discovered strange malicious code on computers at Iran's Natanz uranium enrichment facility. The code, named Stuxnet, was a 500-kilobyte computer worm. It operated in three stages. First, it infiltrated Windows systems. Next, it sought out and infected Siemens Step7 software, which was used to operate industrial control devices. Finally, it seized programmable logic controllers (PLCs) and manipulated the rotation speed of centrifuges that separated uranium gas.
The Natanz facility existed in a so-called air-gap environment, completely isolated from the internet. Stuxnet crossed this barrier via USB memory. It is believed an engineer inside the facility carried an infected USB in from outside. The code entered and then waited patiently. It did nothing until it detected the exact hardware configuration to which a Siemens Step7 controller was connected. Once it found its target, it raised the centrifuge rotation speed beyond safe limits. Simultaneously, it manipulated the control room monitors to display all readings as normal. Iranian technicians watched centrifuges fail one by one without knowing why. When IAEA inspectors began noticing an unusually high centrifuge replacement rate, approximately 1,000 had already been destroyed. That was one-fifth of the 5,000 operating at the time.
Stuxnet is believed to be a joint U.S.-Israeli operation. Edward Snowden confirmed this in 2013. It carried the operational name "Olympic Games" and began under the Bush administration, accelerating under the Obama administration. It is assessed to have delayed Iran's nuclear program by at least two years.
Stuxnet set a precedent: code could destroy physical equipment. Subsequent attacks were built on this precedent.
On December 23, 2015, a Russian hacker group (believed to be Sandworm) infiltrated a power distribution company in the Ivano-Frankivsk region of Ukraine. It began with a phishing email. One employee opened an attachment, and the hackers gained a foothold in the internal network. Over several months, they stole system credentials. On the day of the attack, power plant operators watched their mouse cursor move on its own across their screens. The cursor clicked grid circuit breakers one by one to the "off" position. The hackers created a blackout and then blocked recovery. They remotely shut down uninterruptible power supplies (UPS), bombarded the call center with calls to block citizen reports, and executed wiper malware to delete server data and cripple the control system itself. It was the first confirmed case of a large-scale blackout caused by cyber attack.
In May 2021, Colonial Pipeline, which handled 45 percent of oil supply to the U.S. East Coast, was infected with ransomware. When the DarkSide hacker group encrypted the IT system, the company, concerned for safety, physically shut pipeline valves. Within days, thousands of gas stations ran dry, flights were canceled, and citizens resorted to panic buying, filling plastic bags with gasoline. The malware never directly touched the valves. Only the IT system was infected, yet the operators themselves locked the valves. The real destructive power of cyber attacks lies not just in technical penetration capability but in the cascading reactions that operators' anxiety and system interdependence amplify.
The 2026 war brought all these precedents to a single stage. Physical and cyber attacks occurred simultaneously. U.S. Cyber Command disabled Iran's communications networks and air defense sensors at the moment hostilities began. On the Iranian side, more than 60 hacker groups began operations within hours of the start of war. Organized under the name "Cyber Islamic Resistance" across more than 100 Telegram channels, they claimed more than 600 attacks within two weeks of the war's start.
On March 11, the Iran-linked hacker group Handala attacked U.S. medical device company Stryker. The Handala logo appeared on login screens of employees across 79 countries. The group claimed to have remotely wiped more than 200,000 devices by exploiting Microsoft's Intune cloud management platform. As of March 27, the 17th day after the attack, Stryker was still recovering its systems, and current and former employees had filed four class-action lawsuits over personal data theft.
The CyberAv3ngers group, under the Islamic Revolutionary Guard Corps, targeted U.S. water treatment facilities and industrial control systems. They used default passwords to log into programmable logic controllers (PLCs) and install malware. APT33 gained access by entering commonly used passwords on U.S. energy company accounts. APT55 conducted cyber espionage against U.S. energy and defense officials.
On March 23, Handala publicly posted nine schematics of Israel's power grid and power plants on its own website. Iran's semi-official Tasnim News posted on Telegram a list designating dozens of datacenters owned by U.S. tech giants like Microsoft, Google, Amazon, and Oracle in the Middle East as "Enemy Technology Infrastructure."
According to Breaking Defense, a former cyber operations officer explained it this way: there is a critical difference between cyber attacks and physical strikes. Destroying a power plant with a missile takes months to years to repair, but cyber attacks can be turned on and off. Crippling communications networks by cyber means affects emergency services, but when the attack stops, systems are soon restored. This difference gives cyber weapons unique strategic flexibility. The grammar of hybrid warfare, in which enemy air defense radars are temporarily blinded by cyber attack rather than physically destroyed and stealth fighters then enter through the gap, was proven in real combat during the 2026 Iran War.
However, there was another lesson at the same time. The same former officer added this: Russia's cyber attack on U.S. satellite communications company Viasat in the early stages of the Ukraine invasion created short-term chaos, but in exchange burned away a valuable intelligence-gathering asset. Once a cyber access point is revealed, the enemy blocks it, so the moment you use it, it vanishes. Decisions about when to use it and what to use it for can be harder than firing a missile.
The battlefield is not only where bullets fly. The control room of a power company, an engineer's keyboard, each router in an invisible network became the new battlefields of 2026. Iran's internet connectivity plummeting to 1 percent was the result not of missiles but of code.
29.3 Cyber War Vulnerabilities in Energy Facilities
In November 2023, an unusual screen appeared in the water authority office in Aliquippa, Pennsylvania. On the screen of an Israeli-made Unitronics PLC controlling the booster pump of a water treatment facility, a message read: "All Israeli-manufactured equipment is a legitimate target of CyberAv3ngers." An IRGC-affiliated hacker group had logged into an internet-exposed industrial control device using the default password. The default password. The original factory setting that had never been changed.
This incident vividly illustrates why energy facilities and infrastructure are vulnerable to cyber attack. The vulnerability has three roots.
The first is the inherent limitation of industrial control systems (ICS) and SCADA (Supervisory Control and Data Acquisition). The design philosophy of equipment that turns turbines in power plants, opens and closes circuit breakers in substations, and regulates valves in pipelines was created in the 1970s and 1980s. Engineers' sole objective then was uptime: never stopping, 24 hours, 365 days. In an era before the concept of external internet existed, security concepts like data encryption or multi-factor authentication did not appear in blueprints. Anyone accessing the internal network was considered a trusted user. Control commands passed in plaintext without passwords. The fact that the Aliquippa water authority's Unitronics PLC still carried its default password was evidence that this era's legacy remained unchanged 30 years later.
You cannot replace decades-old, expensive industrial equipment overnight simply because security is weak. For a power company, replacing a PLC in a substation requires temporarily interrupting power to that zone. This affects tens of thousands of homes and factories. Replacement costs are enormous. As a result, power companies had no choice but to patch and splice these old systems. Professor Alex K. Jones of Syracuse University's electrical engineering department explains it precisely: water treatment, power grids, and industrial control systems were designed for safety and real-time operation, not for frequent software updates or fast security patching. Consumer laptops and smartphones receive security updates weekly, but in industrial environments, a small change can halt physical processes, so patch cycles are much slower. Equipment with long lifespans, increasing connectivity, and slow update cycles makes industrial infrastructure far harder to defend than general IT systems.
The second source of vulnerability is the collapse of the air gap. In the past, energy companies believed that operational technology (OT) networks controlling physical equipment were safe because they were physically separated from information technology (IT) networks used for email and web browsing. Stuxnet cracked this myth, but because it was a state-level precision operation, it was not accepted as a general threat. The real collapse came in the name of efficiency.
The spread of renewable energy was critical. Wind and solar generate electricity only when the wind blows and the sun shines. To link this irregular generation in real time to the grid, field substation equipment must continuously exchange data with the central control center's IT systems. According to the IEA's 2026 report, globally 1,650 gigawatts of solar and wind capacity cannot operate due to insufficient grid capacity to connect them. Pressure to expand and make the grid smarter is immense.
To cut maintenance costs, access portals (such as VPNs) allowing contractors' staff to reach site equipment remotely were also breached. The air gap between IT and OT networks was punctured by the logic of efficiency and economy. Hackers target these holes with precision. They don't attack the heavily secured OT network directly. Instead, they first hack the contractor's email or an employee's personal laptop, where security is comparatively weak. Then, traveling through a legitimate remote access channel across the IT network, they walk into the heart of the OT network. This is called a 'lateral movement' strategy. Connecting systems brings convenience, but the moment the weakest link breaks, a vast attack surface collapses entirely. This is the paradox of connectivity.
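The contractor-to-IT-to-OT path described above is something a defender can look for in ordinary flow logs. The following is an added example, not part of the book: it audits a constructed flow log for sessions that reach the OT zone without passing through an approved jump host, and marks the ones that follow a recent VPN contact. The address ranges, jump host, 30-minute window and log format are all assumptions made for illustration.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumed zone layout (hypothetical addressing, not from the book).
ZONES = {
    "vpn": ipaddress.ip_network("10.50.0.0/16"),   # contractor remote access
    "it":  ipaddress.ip_network("10.10.0.0/16"),   # office network
    "dmz": ipaddress.ip_network("10.20.0.0/24"),   # IT/OT boundary
    "ot":  ipaddress.ip_network("10.100.0.0/16"),  # control network
}
JUMP_HOSTS = {ipaddress.ip_address("10.20.0.5")}   # only approved path into OT
PIVOT_WINDOW = timedelta(minutes=30)               # assumed correlation window

# Constructed sample: "timestamp src dst dst_port", one flow per line.
SAMPLE_LOG = """\
2025-01-15T08:00:11Z 10.50.3.7 10.20.0.5 3389
2025-01-15T08:01:40Z 10.20.0.5 10.100.4.12 502
2025-01-15T09:15:02Z 10.50.9.21 10.10.8.44 445
2025-01-15T09:27:30Z 10.10.8.44 10.100.4.12 502
2025-01-15T11:00:00Z 10.10.2.2 10.10.2.9 443
2025-01-15T14:00:00Z 10.10.6.6 10.100.7.1 44818
"""


def zone_of(ip):
    """Map an address to its zone name, or 'external' if unknown."""
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse(log):
    """Yield (time, src, dst, dport) tuples from the flow log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        yield (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
               ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport))


def audit(log):
    """Flag every flow into OT that does not originate from a jump host.

    If the source host was itself contacted from the VPN zone within
    PIVOT_WINDOW, the finding is upgraded to a pivot chain and records
    the VPN address that touched it.
    """
    findings = []
    last_vpn_contact = {}  # IT host -> (time, vpn source)
    for ts, src, dst, dport in parse(log):
        if zone_of(src) == "vpn" and zone_of(dst) == "it":
            last_vpn_contact[dst] = (ts, src)
        if zone_of(dst) == "ot" and src not in JUMP_HOSTS:
            finding = {"time": ts.isoformat(), "src": str(src), "dst": str(dst),
                       "dport": dport, "rule": "ot-access-bypasses-jump-host",
                       "via_vpn": None}
            seen = last_vpn_contact.get(src)
            if seen and ts - seen[0] <= PIVOT_WINDOW:
                finding["rule"] = "vpn-to-it-to-ot-pivot"
                finding["via_vpn"] = str(seen[1])
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

The session that goes VPN to jump host to OT passes; the two flagged flows are the office hosts that talk to controllers directly.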
The third vulnerability stems from supply chain structure. Energy infrastructure is built from hardware and software components supplied by hundreds of companies worldwide. Instead of attacking a heavily secured power company directly, hackers compromise the update server of a small vendor that supplies control software to that power company. The moment the power company downloads what it believes to be a legitimate security patch, malware enters the system. In a global supply chain, it is nearly impossible to fully verify whether a specific component or firmware contains a backdoor.
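A checksum published next to the download does not help in the scenario above, because whoever controls the update server controls both files. The following added example, which is not from the book, compares an update against a digest record obtained through a separate channel and also refuses rollbacks. The manifest layout, version scheme and sample bytes are assumptions constructed for illustration, and the check does not cover a vendor whose build system is compromised before the out-of-band record is published.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_version(text: str) -> tuple:
    """'2.4.1' -> (2, 4, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def verify_update(blob, served_manifest, pinned, installed_version):
    """Return (accepted, reason) for a downloaded update.

    served_manifest: dict from the same server as the blob (untrusted).
    pinned: {version: sha256} obtained out of band (assumed trusted).
    """
    version = served_manifest["version"]
    actual = sha256_hex(blob)

    # Check 1: catches transfer corruption only. An attacker on the
    # update server rewrites this manifest along with the binary.
    if not hmac.compare_digest(actual, served_manifest["sha256"]):
        return False, "corrupt-download"

    # Check 2: the digest must match the record from the second channel.
    expected = pinned.get(version)
    if expected is None:
        return False, "version-not-published-out-of-band"
    if not hmac.compare_digest(actual, expected):
        return False, "digest-differs-from-out-of-band-record"

    # Check 3: refuse replays of an older, possibly vulnerable release.
    if parse_version(version) <= parse_version(installed_version):
        return False, "rollback-or-replay"
    return True, "ok"


# Constructed sample data (not real firmware).
OLD = b"controller-software 2.4.0 (constructed sample bytes)"
GOOD = b"controller-software 2.4.1 (constructed sample bytes)"
MODIFIED = GOOD + b" [altered on the update server]"
PINNED = {"2.4.0": sha256_hex(OLD), "2.4.1": sha256_hex(GOOD)}


def manifest_for(version, blob):
    """What the update server would serve alongside the given blob."""
    return {"version": version, "sha256": sha256_hex(blob)}


if __name__ == "__main__":
    print(verify_update(GOOD, manifest_for("2.4.1", GOOD), PINNED, "2.4.0"))
    print(verify_update(MODIFIED, manifest_for("2.4.1", MODIFIED), PINNED, "2.4.0"))
    print(verify_update(OLD, manifest_for("2.4.0", OLD), PINNED, "2.4.1"))
```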
And above these three vulnerabilities sits a fourth layer newly exposed by war in 2026. Data centers.
On the night of March 1, Shahed drones from Iran's Revolutionary Guard attacked two Amazon Web Services data centers in the UAE and one AWS facility in Bahrain. It was the first time in military history that a major hyperscaler's data center had been deliberately targeted. Amazon confirmed structural damage, loss of power, fires, and water damage from firefighting efforts. Two of three availability zones in the UAE region (ME-CENTRAL-1) were damaged, and services in the Bahrain region (ME-SOUTH-1) also went down.
Through Telegram, Iran's state-owned Pars News disclosed why it deliberately struck the Bahrain facility: to confirm that these centers were supporting enemy military and intelligence operations. The U.S. military was operating certain operational workloads through AWS, and according to media reports, it was using Anthropic's AI model Claude for intelligence analysis and combat simulation. The boundary between commercial cloud infrastructure and military operations had vanished. The Pentagon's Joint Warfighting Cloud Capability (JWCC) and Joint All-Domain Command and Control (JADC2) networks run on the same commercial infrastructure used by banks and delivery apps.
The results were immediate. Online services at major banks including Abu Dhabi Commercial Bank, Emirates NBD, and First Abu Dhabi Bank went down. Payment platforms Alaan and Hubpay, cloud data company Snowflake, and major ride-hailing platform Careem were affected. AWS marked its UAE services as "Disrupted" for several days and advised Bahrain region customers to replicate critical data to other AWS regions.
Researcher Sam Winter-Levy of the Carnegie International Peace Foundation issued this warning: As AI grows increasingly critical, physical attacks "will inevitably become more frequent." And: "Protecting data centers is now the equivalent of protecting the most heavily secured government buildings."
Zachary Kallenborn, a researcher at King's College London, told Fortune that in an era when war is waged through drones and robotic systems, regional conflicts can spread far wider in scope. This is because adversaries will seek to strike the remote command centers controlling unmanned systems and the data center infrastructure supporting them.
The events of March 2026, when the closure of the Strait of Hormuz and data center attacks occurred simultaneously, revealed that the chokepoints for oil and the chokepoints for data occupy the same geographic space. Seventeen submarine cables pass through the Red Sea, and data centers in the Middle East serve as relay points for digital traffic between Europe and Asia. Doug Madory of network analysis firm Kentik put it this way: simultaneous closure of the Strait of Hormuz and the Red Sea would be "a globally destructive event," and "this has never happened before."
The Gulf states' AI data center investment strategy, involving trillions of dollars, rested on a single assumption: that the region was safe. The March 1 drone attack demolished that assumption. According to Euronews, the UAE data center market was projected to grow from 3.29 billion dollars in 2026 to 7.7 billion dollars in 2031. After the attack, those projections came under review.
Energy facilities are not vulnerable to cyberattacks because there is no antivirus. The vulnerability comes from structural contradictions: equipment designed in the 1980s connected to the internet; supply chain bottlenecks in transformer replacement, where a destroyed unit takes four years to replace; demand for electricity surging from the AI revolution that has completely exhausted the grid's physical reserves; and the reality that commercial cloud infrastructure and military operations share the same servers. These overlap to simultaneously expose both the power grid and digital infrastructure.
Extreme asymmetry exists between defenders and attackers. Energy companies must defend tens of thousands of transmission towers, thousands of substations, and millions of lines of code with limited budgets and staff, 365 days a year. Attackers need to succeed only once. State-backed hacking groups have no fear of failure and possess the time and capital to attempt indefinitely until they find a zero-day vulnerability.
In March 2026, darkened Tehran and Dubai's banking apps that went silent pose the same question: In an age of electrification, what can a nation protect if it cannot defend its power grid? In a time when a single line of code can stop a turbine and bring down a server, a firewall has become a defense asset as critical as a missile defense system.
AI Expert Kim Gyeong-jin, Lawyer
Specialist in AI legal policy. Former member of the National Assembly. Author of numerous books.
© 2026 Kim Kyung-jin. All rights reserved.


