Full Report
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States.

The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems. According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.

CI Fortify Initiative Focuses on Isolation and Recovery

Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks. Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios.

“In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”

The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment. The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies. CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.

Recovery Planning Central to Critical Infrastructure Resilience

Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions. The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections. CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways.

The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies. The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.

Security Vendors and Service Providers Asked to Support CI Fortify

The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts. Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues. Managed service providers and integrators are expected to assist organizations with engineering updates, local backup collection, and recovery documentation planning. Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations. CISA also requested that vendors share information on tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.

Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy

The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors. CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts. The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure.

Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments. Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts.

With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.
Analysis Summary
# Best Practices: CI Fortify (Isolation and Recovery for Critical Infrastructure)
## Overview
The CI Fortify initiative addresses the risk of nation-state threat actors (such as Volt Typhoon) pre-positioning themselves within critical infrastructure (CI) to disrupt or destroy systems during geopolitical conflicts. These practices shift focus from pure prevention to **operational resilience**, ensuring essential services continue even when external communications are compromised or IT/OT networks are partially breached.
## Key Recommendations
### Immediate Actions
1. **Assume Compromise:** Operate under the assumption that threat actors already have persistent access to Operational Technology (OT) networks.
2. **Map Dependencies:** Identify critical customers (e.g., military bases, hospitals) and determine the absolute minimum operational level required to sustain them.
3. **Secure Critical Backups:** Create offline or immutable backups of vital configuration files, firmware, and logic for all programmable logic controllers (PLCs) and industrial controllers.
4. **Audit Documentation:** Ensure physical or local digital copies of system architecture and manual overrides are current and accessible without internet access.
### Short-term Improvements (1-3 months)
1. **Isolation Planning:** Develop and test procedures to proactively disconnect OT systems from external business networks and third-party vendor connections.
2. **Third-Party Risk Assessment:** Inventory all dependencies on external services (e.g., licensing servers, cloud-based monitoring, remote vendor access) that could fail during a crisis.
3. **Manual Transition Drills:** Regularly practice transitioning from automated/networked operations to manual or degraded-state operations.
4. **C2 Disruption:** Implement rules to cut off known Command-and-Control (C2) pathways at the perimeter to prevent remote activation of destructive payloads.
### Long-term Strategy (3+ months)
1. **Engineering Process Updates:** Redesign engineering workflows to support safe operations for extended periods while systems remain in an isolated state.
2. **Alternative Recovery Pathways:** Work with system integrators to establish recovery methods that do not rely on standard internet connectivity or upstream vendor infrastructure.
3. **Infrastructure Hardening:** Review any reliance on software-based data diodes, which, unlike hardware-enforced unidirectional gateways, can be undermined by software vulnerabilities, and lock down firmware update paths, since CISA names malicious firmware updates as one of the tactics that could bypass isolation protections.
4. **Integrated Resilience:** Incorporate CI Fortify planning into general business continuity plans to cover weather-related disruptions and equipment failures.
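The backup recommendation above is only useful if the restore media can be trusted at recovery time, and the firmware point hinges on being able to tell a known-good image from a swapped one. The following is an added example for this summary, not CISA material or any vendor's tool: it builds an HMAC-SHA256-signed manifest over a backup set (PLC projects, HMI configurations, known-good firmware images) and verifies it before restore. It assumes the signing key is generated and kept on an offline device, never on the engineering workstation or the backup media itself; all file names and contents are constructed.

```python
"""Offline backup manifest with an HMAC-SHA256 signature and restore-time verification.

Added example for this summary; it is not CISA material or any vendor's tool.
It assumes PLC projects, HMI configurations and known-good firmware images are
collected into one backup directory, and that the signing key is generated and
kept on an offline device, never on the engineering workstation or the backup
media. All file names and contents below are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _listing(backup_dir: Path) -> dict:
    """Relative path -> sha256/size for every file except the manifest itself."""
    return {
        p.relative_to(backup_dir).as_posix(): {"sha256": _sha256_file(p), "size": p.stat().st_size}
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def _sign(files: dict, key: bytes) -> str:
    payload = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: Path, key: bytes) -> dict:
    """Hash the backup set and write a signed MANIFEST.json beside it."""
    files = _listing(backup_dir)
    manifest = {"files": files, "hmac_sha256": _sign(files, key)}
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, key: bytes) -> dict:
    """Check the signature first, then every file against the signed listing."""
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    # compare_digest: constant-time comparison of the stored and recomputed MACs
    signature_ok = hmac.compare_digest(_sign(manifest["files"], key), manifest["hmac_sha256"])
    current = _listing(backup_dir)
    modified = sorted(p for p, m in manifest["files"].items()
                      if p in current and current[p]["sha256"] != m["sha256"])
    missing = sorted(set(manifest["files"]) - set(current))
    unexpected = sorted(set(current) - set(manifest["files"]))
    return {"signature_ok": signature_ok, "modified": modified,
            "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Constructed scenario: clean restore media, a tampered firmware image,
    then an attacker who re-hashes the manifest but does not hold the key."""
    tmp = Path(tempfile.mkdtemp(prefix="ot-backup-"))
    key = os.urandom(32)  # in practice supplied by the offline key holder
    (tmp / "plc").mkdir()
    (tmp / "plc" / "pump_station_1.l5x").write_bytes(b"<RSLogix5000Content/>")
    (tmp / "firmware_v4.2.bin").write_bytes(b"\x7fELF" + b"\x00" * 64)
    build_manifest(tmp, key)
    results = {"clean": verify_backup(tmp, key)}

    # Someone swaps the firmware image on the restore media
    (tmp / "firmware_v4.2.bin").write_bytes(b"\x7fELF" + b"\x01" * 64)
    results["tampered_file"] = verify_backup(tmp, key)

    # The same attacker updates the hash in the manifest, but cannot re-sign it
    m = json.loads((tmp / MANIFEST_NAME).read_text())
    m["files"]["firmware_v4.2.bin"]["sha256"] = _sha256_file(tmp / "firmware_v4.2.bin")
    (tmp / MANIFEST_NAME).write_text(json.dumps(m))
    results["forged_manifest"] = verify_backup(tmp, key)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:16s} signature_ok={r['signature_ok']} modified={r['modified']}")
```

The third scenario is the reason the key must live offline: an attacker with write access to the backup share can replace a file and re-hash the listing, but without the key the recomputed MAC no longer matches and the restore is refused. A signed manifest like this is also what lets a recovery team check a vendor firmware image against a known-good copy before applying it in an isolated environment where the vendor's own servers are unreachable.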
---
## Implementation Guidance
### For Small Organizations
- Focus on manual overrides and "low-tech" resilience. Ensure you can run essential pumps/valves without a network.
- Prioritize local backups of essential controller configurations on encrypted physical drives.
### For Medium Organizations
- Conduct a formal dependency audit of managed service providers (MSPs).
- Establish "Isolation Playbooks" that define exactly who is authorized to pull the plug on the IT/OT bridge and under what conditions.
### For Large Enterprises
- Work with vendors to remove "phone-home" licensing requirements that would stop engineering software or equipment from functioning once internet connectivity is lost.
- Deploy specialized threat monitoring aimed at detecting a shift from espionage (data theft) to destructive positioning (system manipulation).
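One concrete form of the espionage-to-manipulation signal is a host that has only ever read from controllers starting to write to them. The following is an added example for this summary, not a CISA or vendor detection: it runs over constructed Modbus/TCP request logs and flags writes from hosts that are not approved engineering workstations, scoring a write that follows a period of wide read-only access higher than one with no prior reconnaissance. The sensor export format (`timestamp,src_ip,dst_ip,function_code`), the allow-list and the log lines are all assumptions.

```python
"""Detect the read-to-write shift in Modbus/TCP traffic toward controllers.

Added example for this summary, not a CISA or vendor detection. It assumes a
passive OT network sensor that exports one line per Modbus/TCP request as
"timestamp,src_ip,dst_ip,function_code", and that the hosts allowed to change
controller state are known. The allow-list and the log lines are constructed.
"""
from collections import defaultdict

# Function codes that only observe controller state (1-4) or enumerate the
# device (43 = read device identification) versus those that change it.
MODBUS_READ_FUNCS = {1, 2, 3, 4, 43}
MODBUS_WRITE_FUNCS = {
    5: "write single coil", 6: "write single register",
    15: "write multiple coils", 16: "write multiple registers",
    23: "read/write multiple registers",
}

# Hosts permitted to write to controllers (constructed engineering workstation)
ENGINEERING_WORKSTATIONS = {"10.20.0.15"}

# Constructed sensor export: an engineering workstation doing normal work,
# then an unexpected host that reads widely for a week before writing.
SAMPLE_LOG = """\
2025-03-01T02:10:01Z,10.20.0.15,10.30.1.7,3
2025-03-01T02:10:05Z,10.20.0.15,10.30.1.7,16
2025-03-01T03:00:00Z,10.20.0.44,10.30.1.7,3
2025-03-01T03:00:02Z,10.20.0.44,10.30.1.8,3
2025-03-01T03:00:04Z,10.20.0.44,10.30.1.9,4
2025-03-01T03:00:06Z,10.20.0.44,10.30.1.7,43
2025-03-09T01:12:30Z,10.20.0.44,10.30.1.7,5
2025-03-09T01:12:31Z,10.20.0.44,10.30.1.7,16
"""


def parse_line(line: str):
    ts, src, dst, func = line.strip().split(",")
    return ts, src, dst, int(func)


def analyze(log_text: str, allowed=ENGINEERING_WORKSTATIONS) -> list:
    """Return one finding per write from a host that is not allowed to write.

    Each finding records how many distinct controllers that host had already
    read from or enumerated: a read-only phase followed by a first write is
    the espionage-to-manipulation transition the summary refers to.
    """
    read_targets = defaultdict(set)   # src -> controllers it has read/enumerated
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, func = parse_line(line)
        if func in MODBUS_READ_FUNCS:
            read_targets[src].add(dst)
        elif func in MODBUS_WRITE_FUNCS and src not in allowed:
            prior = len(read_targets[src])
            findings.append({
                "ts": ts, "src": src, "dst": dst, "func": func,
                "action": MODBUS_WRITE_FUNCS[func],
                "prior_read_targets": prior,
                # reconnaissance followed by a write is the worst case
                "severity": "critical" if prior else "high",
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['severity'].upper():8s} {f['ts']} {f['src']} -> {f['dst']} "
              f"fc={f['func']} ({f['action']}), read {f['prior_read_targets']} controllers first")
```

On the constructed log the engineering workstation's write on 1 March produces nothing, while the two writes from 10.20.0.44 on 9 March are both reported as critical because that host had already read from three controllers. The same structure applies to other control protocols once the read-only and state-changing operations are separated.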
---
## Configuration Examples
* **OT Perimeter:** Implement hardware-enforced or strictly defined software isolation between the Enterprise Resource Planning (ERP) network and the Industrial Control System (ICS) environment.
* **Dependency Redundancy:** Configure local license servers for OT software instead of relying on vendor-cloud licensing.
* **Identity Management:** Disable all permanent remote access tunnels; move to "on-demand" local authentication for OT maintenance.
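The OT perimeter bullet, the isolation playbook's "pull the plug" step and the C2 disruption recommendation all come together at the IT/OT boundary firewall. The following is an added example for this summary, not CISA's or any vendor's configuration: it renders an nftables ruleset for a Linux boundary host in either normal or isolated mode from an inventoried list of cross-boundary flows, where only flows reviewed as essential to the minimum service level survive isolation. It assumes interfaces `it0` and `ot0`, and the addresses and flows in the inventory are constructed.

```python
"""Render the IT/OT boundary firewall for 'normal' and 'isolated' operation.

Added example for this summary, not CISA's or any vendor's configuration. It
assumes a Linux host running nftables on the IT/OT bridge with interface it0
facing the business network and ot0 facing the control network, and that every
flow crossing the boundary has been inventoried with a flag saying whether it
is essential to delivering the minimum service level. Interfaces, addresses
and flows are constructed.
"""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    name: str
    src: str        # initiating side, CIDR
    dst: str        # receiving side, CIDR
    proto: str      # "tcp" or "udp"
    port: int
    direction: str  # "it_to_ot" or "ot_to_it"
    essential: bool # may survive isolation only if True


# Constructed dependency inventory (output of the third-party risk assessment)
INVENTORY = [
    Flow("erp-production-orders", "10.20.7.30/32", "10.30.5.12/32", "tcp", 443, "it_to_ot", False),
    Flow("vendor-remote-access", "10.20.9.0/24", "10.30.0.0/16", "tcp", 3389, "it_to_ot", False),
    Flow("historian-replication", "10.30.5.10/32", "10.20.7.20/32", "tcp", 5432, "ot_to_it", False),
    Flow("cloud-monitoring-agent", "10.30.0.0/16", "0.0.0.0/0", "tcp", 443, "ot_to_it", False),
    Flow("lifeline-customer-telemetry", "10.30.5.20/32", "192.0.2.10/32", "tcp", 8883, "ot_to_it", True),
]


def permitted(inventory, isolated: bool):
    """In isolated mode only flows reviewed as essential remain."""
    return [f for f in inventory if f.essential or not isolated]


def render(inventory, isolated: bool) -> str:
    """Return an nftables ruleset with a default-drop forward chain."""
    mode = "isolated" if isolated else "normal"
    # Connections admitted under each mode get a distinct conntrack mark, so
    # sessions opened under the normal rules (vendor tunnels, and any C2
    # channel riding on them) stop matching once the isolated ruleset loads.
    mark = "0x2" if isolated else "0x1"
    lines = [f"        ct state established,related ct mark {mark} accept"]
    for f in permitted(inventory, isolated):
        iif, oif = ("it0", "ot0") if f.direction == "it_to_ot" else ("ot0", "it0")
        lines.append(f'        iifname "{iif}" oifname "{oif}" ip saddr {f.src} ip daddr {f.dst} '
                     f'{f.proto} dport {f.port} ct state new ct mark set {mark} accept comment "{f.name}"')
    rules = "\n".join(lines)
    return f"""#!/usr/sbin/nft -f
# IT/OT boundary, mode: {mode}
flush ruleset
table inet ot_boundary {{
    chain forward {{
        type filter hook forward priority 0; policy drop;
        ct state invalid drop
{rules}
        limit rate 10/second log prefix "OT-BOUNDARY-DROP-{mode.upper()} "
    }}
}}
"""


if __name__ == "__main__":
    # Playbook step for the authorised operator:
    #   python3 ot_boundary.py --isolate | nft -f -
    print(render(INVENTORY, isolated="--isolate" in sys.argv), end="")
```

Two details matter in practice. First, the per-mode conntrack mark means switching to the isolated ruleset also kills sessions that were already open, which a plain `ct state established accept` would keep alive; that is the behaviour the C2 disruption recommendation needs. Second, everything the default-drop policy discards is logged with a mode-specific prefix, so attempts to reach the vendor-access range or the cloud monitoring endpoint during isolation show up as a detection signal rather than silently failing.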
## Compliance Alignment
- **NIST CSF 2.0:** Aligns with the *Recover* and *Protect* functions.
- **NIST SP 800-82:** Specific to OT/ICS security and segmentation.
- **ISA/IEC 62443:** International standards for the security of IACS (Industrial Automation and Control Systems).
- **CPG (CISA Cybersecurity Performance Goals):** Directly maps to goals regarding asset inventory and incident response.
## Common Pitfalls to Avoid
- **Over-Reliance on Cloud OT:** Assuming that cloud-managed industrial tools will be available during a regional or global internet disruption.
- **Ignoring Firmware:** Failing to verify the integrity of firmware updates, which could be used as a vector for "bypassing isolation."
- **Lack of Staff Training:** Having a manual override plan but failing to train operators on how to execute it without digital dashboards.
## Resources
- **CISA CI Fortify Portal:** [cisa[.]gov/ci-fortify]
- **Volt Typhoon Advisory:** [cisa[.]gov/news-events/cybersecurity-advisories/aa24-038a]
- **NIST Guide to ICS Security:** [nvlpubs[.]nist[.]gov/nistpubs/SpecialPublications/NIST.SP.800-82r3.pdf]