Blog

Your weekly dose of tech insight for Arizona's builders

What Iran's Drone Strikes on AWS Mean for Your Business Continuity Plan

Your disaster recovery plan probably accounts for ransomware. Maybe a monsoon flooding your server room. Perhaps even a backhoe taking out the fiber line to your office, again.

But does it account for Iranian drones?

On February 28th, the United States and Israel launched coordinated strikes on Iran's nuclear facilities. Most people know that part. What most people don't know is what happened next: Iran responded by sending drones directly into Amazon Web Services data centers in the UAE. Two facilities struck. A third in Bahrain damaged. Fire suppression systems activated. Water damage on top of structural damage. Services across the region: banking, payments, delivery apps, enterprise software, went dark.

For the first time in history, commercial cloud infrastructure became a direct military target.

And somewhere in the back of my mind, I thought: I wonder how many construction companies in the Middle East just lost access to their project management software, their accounting systems, their submittals. I wonder how many of them had a plan for this.

The answer, almost certainly, is none.

The Cloud Isn't Magic. It's Real Estate.

Here's the thing about "the cloud" that we all kind of know but conveniently forget, it's not actually a cloud. It's buildings. Physical buildings with addresses. Buildings full of servers that need power and cooling and fiber connections. Buildings that can catch fire, flood, lose power or get hit by a $20,000 styrofoam drone launched from 800 miles away.

As one IT professor put it after the strikes, "Cloud computing isn't magical. It still requires physical facilities on the ground, which are vulnerable to all sorts of disaster scenarios."

Now, before you panic and start shopping for an on-premises server to stick in your job trailer, let's be clear: this doesn't mean the cloud is bad. AWS handled this about as well as you could hope, they immediately told customers to migrate workloads to other regions, activate disaster recovery plans, and redirect traffic away from the affected areas. The global AWS infrastructure is designed so that losing one region shouldn't take down everything.

But here's the question that should keep you up at night: Did those affected companies actually have disaster recovery plans? Did they know how to migrate workloads? Did they have their data backed up somewhere outside that region?

Most didn't.

"Never Waste a Good Crisis"

I was listening to a panel discussion with some serious cybersecurity heavyweights, including a guy who spent twelve years at the NSA tracking Iran's nuclear program. When asked whether American businesses should be worried, his advice was surprisingly practical:

"Never waste a good crisis. Use this one as an opportunity to actually think through your business continuity. What do I absolutely need to keep my business running? My accounting system. My ability to communicate with my team and customers. Command and control of the systems I manage. Reporting and other stuff can probably survive without for a while. Just use this as an opportunity to think through it a little more."

That's good advice whether you're worried about Iranian drones or the more likely scenario of some knucklehead clicking a phishing link at 4:47 PM on a Friday.

Here's what he said most businesses get wrong: "We all say the really easy things: practice continuity of operations, practice disaster recovery, but no one ever actually practices. They'll do a tabletop exercise and it's all blue-sky BS. But it's probably not bad to actually run through a scenario and really try to think about: okay, how do I keep my business running?"

What This Actually Means for Arizona Builders

Let me be direct: Iranian drones are not going to hit a data center in Phoenix or Ashburn, Virginia tomorrow. The risk to U.S based cloud infrastructure from kinetic military strikes is low. Our air defense systems are a bit more robust than the UAE's, and we're not sitting 800 miles from Tehran.

But here's what is relevant to you:

• Iran's conventional military just got hammered. Which means cyber is now their primary weapon. According to intelligence sources on that panel, Iranian operators had already pre-positioned backdoors inside American banks and airports before the first bomb dropped. When your tanks and missiles get destroyed, you don't surrender, you shift to asymmetric warfare. And in 2026, that means cyber-attacks.

• Soft targets are attractive targets. Iran isn't going to take down the Pentagon's classified networks. But airports? Hospitals? Municipal water systems? The physical security cameras at your local transit hub? Those are all fair game and according to multiple reports, they're already being probed. One panelist noted that Iranian operators have been specifically targeting security cameras and physical access control systems. Why? Because in most organizations, those systems sit on the same network segment as other operational technology and they're often connected to Active Directory for convenience. Pop one, and you've got a pathway to everything.

• Supply chain attacks are the smart play. If you want to hit a hard target, you don't go through the front door. You find the soft link in the supply chain. The panelists described stopping an attack where Chinese operators (not Iranian, but same playbook) exploited a firewall at a small manufacturer, enumerated the domain, found a PC named "Waterjet", which is a CNC machine, and were attempting to steal AutoCAD files for a part that goes into something much more sensitive. The lesson: if you're a contractor working on critical infrastructure, you're a target whether you realize it or not.

The Real Questions to Ask Yourself

Forget the drones for a minute. Here's what you should actually be thinking about:

1. If your main cloud provider went down tomorrow, not for an hour, but for a week, what would you do? Do you know how to access your critical systems? Do you have local backups? Could you spin up a VM on-premises if you had to?

2. What happens if single sign-on goes down? Remember that Okta outage last year where a whole West Coast data center went offline and suddenly nobody could log into anything? Everyone forgets about this one. If your SSO provider dies, do you have a way to access your critical applications? Do you even remember what those passwords are?

3. Is your physical security tied to your IT network? Badge swipes, cameras, access control, in most organizations, this stuff lives on the same network as everything else and authenticates against Active Directory. Which means when you get hit with ransomware, your physical security goes down too. That's not theoretical, it's happened to Sony, it's happened to ports, it happens all the time. Separate those systems.

4. Are you still running traditional VPN for remote access? The days of having services listening on the boundary of your network need to end. Every firewall VPN appliance; Fortinet, SonicWall, you name it, has had critical vulnerabilities exploited in the wild. The new model is zero trust network access, where nothing is listening on the edge, and you're only going to be scanning to see if someone messed with your stuff, not trying to keep them out of an open door.

5. Who in your organization knows so much that they're irreplaceable? This isn't about drones, it's about buses. If your one IT person gets hit by a bus (or takes a job somewhere else, or wins the lottery), can your business function? One panelist's advice: "If you see that, give them a high five and pay them more money, then figure out how to add a few more people or something to offload that knowledge."

The Uncomfortable Truth About AI Security

One more thing that came up in this discussion, and it's worth mentioning because it ties into everything else: when asked about AI security specifically, how do you make sure your data isn't leaking out into these AI systems. The expert who spent eight years as a Chief Information Security Officer before founding a major cybersecurity company gave the most honest answer I've heard:

"I don't think there is a good answer for that yet. And that's a very scary position to be in. There's such a gap in the transparency and observability as to what is happening behind the scenes that is frightening to me. It definitely keeps me awake at night."

That's not a scare tactic. That's a senior security professional being honest. The AI providers: OpenAI, Anthropic, the rest, are getting better. But the technology is moving faster than the security controls. So be thoughtful about what you're feeding into these systems.

I'm not trying to scare you into thinking Iranian drones are going to hit the Phoenix data center where your Procore instance lives. That's not the point. The point is this: we just watched the world change. Commercial cloud infrastructure is now a legitimate military target. The line between "civilian" and "military" technology infrastructure has officially blurred. And the bad guys, whether they're nation-states or ransomware crews (and sometimes they're both) are paying attention.

So maybe this is the week you actually dust off that business continuity plan (or for many create one). Actually run through what you'd do if Microsoft 365 went dark for a week. Actually think about whether your backups are in a different geographic region than your primary systems. Actually segment your physical security from your IT network.

Never waste a good crisis.

This one's a wake-up call. Whether you hit snooze is up to you.

Want to talk through your business continuity plan? Schedule a free assessment with our team.
Book a Free Consultation Review with Computer Dimensions.

For over 20 years, Computer Dimensions has been the trusted IT partner for Arizona's architecture, engineering, and construction industry. We help AEC firms communicate better, collaborate smarter, and actually use the technology they've invested in. Because in construction, the tools only work if your team does.

IT Built For Builders.

P.S. One of the panelists mentioned that our military just fired more Patriot missiles in the first week of operations against Iran than Ukraine received in their entire four-year war with Russia. Patriots cost about $3-5 million per interceptor. Those Iranian Shahid drones? About $20,000 each, made mostly of styrofoam. That's the math of asymmetric warfare and it's the same math in cybersecurity. The attacker only has to find one weakness. You have to defend everything. That's why we focus on detection and response, not just prevention. Because eventually, something's going to get through.