CISA Launches CI Fortify to Prepare Critical Infrastructure for Geopolitical Cyber Conflict

What happened

CISA has launched CI Fortify, a new initiative designed to help US critical infrastructure operators maintain essential services during active cyberattacks, operating under the explicit assumption that adversaries have already embedded themselves inside critical systems and telecommunications networks and are positioning to cause physical disruption if geopolitical conflict escalates.

The agency issued accompanying guidance warning that nation-state intrusion ambitions extend well beyond espionage toward the capability to cripple operational technology underpinning public health, national defense, and economic systems. CI Fortify is built on two core capabilities operators are urged to develop immediately.

The first is isolation: the ability to deliberately sever connections to outside networks and business systems to prevent an attack from spreading into OT, while maintaining delivery of essential services for weeks or months in a disconnected state. The second is recovery: thorough system documentation, maintained and tested backups, and regularly rehearsed procedures for restoring compromised components or switching to manual operations when isolation alone is insufficient. The program also accounts for the scenario in which internet access, vendors, and third-party service providers all become unreliable simultaneously during a conflict period.

CISA Acting Director Nick Andersen called on operators to review the guidance, implement its recommendations, and work directly with the agency to harden defenses.

Who is affected

Critical infrastructure operators across sectors including public health, energy, water, transportation, and defense industrial base are the primary audience. The guidance is specifically aimed at organizations running OT environments where a cyberattack could translate into physical service disruption affecting communities and national security.

Why CISOs should care

CI Fortify is a significant shift in how CISA is framing the threat. The agency is no longer discussing potential future risk. It is stating that adversaries are already inside critical systems and that the relevant question is whether those systems can continue operating when those adversaries act. The isolation and recovery framework also challenges a common assumption in continuity planning, that vendors, third parties, and internet connectivity will be available during an incident. CI Fortify explicitly plans for a scenario where none of those resources can be relied upon.

The AI acceleration dimension is also worth noting. CISA’s guidance acknowledges that AI is compressing the time between vulnerability discovery and exploitation, narrowing the window available for defensive response in exactly the environments where manual fallback is hardest to execute.

3 practical actions

  1. Develop and test OT isolation procedures that can sustain essential services without internet, vendor, or third-party access: CI Fortify’s core requirement is the ability to operate in deliberate isolation for extended periods. Map which OT functions are dependent on external connectivity or vendor support, and build manual or locally self-sufficient alternatives for each critical process that cannot be interrupted.
  2. Establish and regularly rehearse OT recovery procedures including manual operations fallback: Documentation and backup maintenance are necessary but not sufficient without regular rehearsal. Schedule tabletop and operational exercises that simulate the need to restore compromised OT components or switch to manual operations under degraded conditions, and identify gaps before a crisis forces them into view.
  3. Engage directly with CISA’s CI Fortify program for sector-specific guidance and threat intelligence: CISA is actively inviting operators to work with the agency through CI Fortify. For security leaders in critical infrastructure sectors, that engagement provides access to threat intelligence about adversary pre-positioning that may not be available through commercial channels, as well as sector-specific implementation guidance tailored to OT environments.