CI Fortify: Pioneering State & Local Resilience Strategies

Key Takeaways

  • CISA’s new CI Fortify initiative helps critical‑infrastructure owners prepare for and sustain operations during geopolitical conflicts by assuming third‑party connections will be unreliable and threat actors may infiltrate OT networks.
  • Isolation involves proactively disconnecting from external networks, identifying essential customers, defining vital OT assets, updating continuity plans, and monitoring CISA/SRMA alerts to know when to isolate.
  • Recovery focuses on documenting systems, backing up critical files, practicing manual or replacement operations, and addressing communications dependencies such as licensing servers.
  • Nation‑state actors—particularly Iran‑affiliated groups linked to the Islamic Revolutionary Guard Corps—have already pre‑positioned themselves in critical‑infrastructure OT, exploiting PLC vulnerabilities to cause disruption and financial loss.
  • Artificial intelligence is accelerating the speed and sophistication of cyber intrusions, with recent cases showing AI‑model‑driven attacks on municipal water utilities.
  • Operators should share CI Fortify guidance with vendors, managed service providers, and integrators to understand dependencies and develop workarounds, and state/local governments must aggressively adopt the recommendations to maintain resilience.

CI Fortify: A New CISA Initiative for Conflict‑Resilient Infrastructure
The Cybersecurity and Infrastructure Security Agency (CISA) recently unveiled CI Fortify, an allied program designed to bolster public health and safety, defense critical infrastructure, continuity of the economy, and national security. The initiative’s core premise is that, in a geopolitical conflict, operators must assume that external links—telecommunications, internet services, vendors, and upstream dependencies—will be unreliable and that adversaries will have some foothold within operational‑technology (OT) networks. By focusing on isolation and recovery as emergency‑planning objectives, CI Fortify aims to enable essential services to continue even when networks are degraded or compromised.

Understanding Isolation: Keeping Essential Services Running
Isolation, as defined by CISA, means proactively disconnecting from third‑party and business networks to prevent OT cyber impacts while sustaining essential operations in a degraded communications environment. The goal is not a full shutdown but the continued delivery of crucial services to critical customers such as military infrastructure and lifeline utilities. To achieve isolation, operators must first identify which customers and services are indispensable, then set service‑delivery targets based on those needs. Next, they determine the vital OT and supporting infrastructure required to meet those targets when isolated. Business continuity plans and engineering processes must be updated to allow safe, weeks‑to‑months‑long operation without external reliance. Finally, organizations should track CISA and Sector Risk Management Agency (SRMA) communications to know precisely when to initiate isolation and subscribe to timely updates.

Recovery Planning: Preparing for the Worst‑Case Scenario
Recovery complements isolation by ensuring that, if an adversary successfully compromises isolated systems, the organization can restore functionality quickly. CISA advises operators to document all critical systems, maintain regular backups of essential files, and practice procedures for replacing compromised components or transitioning to manual operations. Recovery also entails addressing communications dependencies—such as licensing servers or business‑network connections—that may be needed to rebuild or reconnect systems after an incident. By sharing this recovery guidance with managed service providers, system integrators, and vendors, operators can map out dependencies, identify potential workarounds, and test restoration scenarios before a real crisis occurs.

The Persistent Cyber Threat Landscape
Even as diplomatic tensions fluctuate, the cyber threat to U.S. critical infrastructure remains severe and evolving. Earlier in March, CISA warned that nation‑state cyber actors have already pre‑positioned themselves within critical‑infrastructure OT networks, poised to strike operational technology and telecommunications during geopolitical conflicts. A recent Center for Strategic and International Studies white paper highlighted the Iranian cyber threat, noting that CISA and other U.S. agencies issued an advisory about Iran‑affiliated actors—many linked to the Islamic Revolutionary Guard Corps—exploiting vulnerabilities in programmable logic controllers (PLCs). These PLC‑focused intrusions have caused operational disruption and financial loss across multiple sectors, including local government, water, and energy, by gaining unauthorized access and manipulating data displayed on monitoring screens.

Artificial Intelligence: Accelerating Attack Speed and Sophistication
Acting CISA Director Nick Anderson emphasized that artificial intelligence (AI) is a primary driver behind the push for CI Fortify. He noted that discussions with the Trump administration have centered on how AI’s increasing speed and velocity will transform the nature of cyber impacts—not only for OT and critical infrastructure but also for traditional information technology. Cybersecurity researchers have already observed hackers employing AI models to automate large portions of intrusion campaigns. For example, incident‑response firm Dragos reported that an AI‑driven compromise affected a municipal water and drainage utility in Monterrey, Mexico, demonstrating how AI can scale attacks, evade detection, and reduce the time adversaries need to achieve their objectives.

Practical Steps for Operators and Government Entities
CI Fortify is not merely a theoretical framework; it calls for concrete action. Operators should review the CI Fortify portal and its isolation and recovery checklists, and integrate them into existing risk‑management and incident‑response plans. Engaging third‑party partners early—managed service providers, vendors, and integrators—helps map communication dependencies and develop alternative pathways should primary links fail. State and local governments, which often oversee water, energy, and transportation systems, must treat CI Fortify guidance as a priority, allocating resources for training, backup infrastructure, and regular drills that simulate isolation and recovery scenarios. Continuous monitoring of CISA and SRMA alerts ensures that organizations know when to activate isolation protocols based on real‑time threat intelligence.

Conclusion: Building Resilience Against Future Conflicts
While the immediate prospect of a large‑scale kinetic war may appear uncertain, the cyber dimension of conflict is already active and likely to intensify. CI Fortify offers a structured, actionable pathway for critical‑infrastructure owners to preserve essential services even when external networks are untrustworthy and adversaries have infiltrated OT environments. By embracing isolation, rigorously practicing recovery, acknowledging the growing role of AI in cyber attacks, and collaborating closely with partners and government agencies, operators can enhance their resilience and help safeguard the nation’s security, economy, and public safety in an increasingly volatile threat landscape.