CISA Urges Infrastructure Operators to Plan for Extended Isolation

"Service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment." — Nick Andersen, acting director of CISA.

CISA's CI Fortify initiative: targeted assessments and operational planning

The Cybersecurity and Infrastructure Security Agency (CISA) has launched an effort called CI Fortify intended to help critical infrastructure owners and operators prepare to run essential services for "weeks to months" in isolation. According to the agency’s website and public comments from CISA’s acting director, Nick Andersen, CI Fortify will include targeted technical assessments of critical infrastructure entities and the creation of plans that allow safe operations while disconnected from IT networks and third-party tools.

CISA has already begun engaging with a limited set of companies to pilot those assessments. Andersen declined to name the pilot participants, but said the agency will focus on organizations that support national security, defense, public health and safety, and economic continuity. CISA expects the work to scale up as it hires additional staff in the coming months.

Isolation as an operational posture: turning off third‑party connections

One pillar of the strategy is deliberate isolation: turning off third‑party and business network connections to operational technology (OT) when facing an emergency or an unknown vulnerability. CI Fortify’s goal is not merely to detect intrusions but to enable safe service delivery once an asset owner has intentionally disconnected OT from IT, vendors and telecommunications equipment.

The approach recognizes that many cyber incidents and supply‑chain compromises begin in business IT systems or vendor products and then cross over into OT — the specialized systems that control heavy machinery, water treatment, power substations, data centers and other physical infrastructure. By planning for an operational disconnect, organizations can reduce the attack surface presented by external remote access and third‑party entanglements during a crisis.

Recovery practices: backups, documentation and manual operations

The second pillar CISA highlights is recovery. Best practices cited by the agency include backing up files, thoroughly documenting systems and planning for manual backups for operations when normal computer systems are down. Those measures are intended to let operators maintain acceptable service levels during prolonged isolation and to speed restoration when connections are deemed safe.

Andersen noted assessments will vary across sectors depending on their specific operational tradeoffs. He gave a concrete example: “Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another.” That variability shapes which manual workarounds, backup configurations and customer agreements are practicable for each sector.

The threat picture: Salt Typhoon, Volt Typhoon and attacks seen in conflicts

CISA is driving CI Fortify against a threat environment it characterizes as persistent and state‑sponsored. The agency warned that state‑sponsored hackers — particularly two Chinese groups known as Salt Typhoon and Volt Typhoon — continue to threaten critical sectors including electricity, water and internet. U.S. national security officials and cybersecurity defenders, the agency said, have consistently identified those groups as active threats to U.S. critical infrastructure.

The agency pointed to recent real‑world precedents: over the past two years, conflicts in Ukraine, Gaza, Iran and elsewhere have seen water plants, power substations, data centers and other infrastructure targeted by kinetic or cyberattacks. CISA also noted that cybersecurity specialists assume hackers tied to other nations have likely exploited the same basic vulnerabilities and hygiene issues that the Typhoons have used. Agencies such as the FBI and the Federal Communications Commission have touted efforts to purge Chinese hackers and to work voluntarily with telecoms to harden their network security.

What this means for water utilities, energy operators, and telecommunications

  • Water utilities: Must plan for operations that prioritize recovery‑period continuity rather than fine‑grained customer selection, and prepare documented manual procedures and backups that work without normal IT support.
  • Energy and transportation operators: Face more immediate tradeoffs about which loads or cargo to prioritize during isolated operations; their assessments will need operational playbooks for load shedding, cargo routing and manual control of systems.
  • Telecommunications providers and third‑party vendors: Will be central to isolation decisions — CI Fortify emphasizes disconnecting third‑party telecom equipment and service provider connections, and CISA has signaled continued voluntary engagement with telecoms to harden network security.

CISA’s CI Fortify initiative reframes resilience planning for a set of systems traditionally designed to rely on continual connectivity and vendor support. The agency is moving from advisories about threats to hands‑on technical assessments and operational playbooks intended to let essential services continue for weeks or months while isolated. The effort’s immediate next steps are explicit: pilots with undisclosed entities supporting national security, public health and economic continuity, and a planned expansion as CISA adds staff. Whether those pilots translate into repeatable, sector‑specific blueprints will determine how effectively utilities, operators and providers can harden themselves against the persistent threats named by the agency.
