Full Report
The Cybersecurity and Infrastructure Security Agency – fresh out of the longest shutdown in government history and ready to begin hiring again after shedding staff for the past year – is out with new cybersecurity crisis planning guidance for critical infrastructure organizations. CISA’s new “CI Fortify” initiative notably pushes water utilities, the transportation sector and other critical…
Analysis Summary
# Best Practices: CI Fortify (Cybersecurity Crisis Planning)
## Overview
These practices address the operational risks posed by "geopolitical crises" that may result in targeted cyberattacks or the loss of connectivity to the internet, telecommunications, and third-party technology services. The primary goal is to ensure critical infrastructure (CI) can maintain "essential operations" through proactive isolation and rapid recovery.
## Key Recommendations
### Immediate Actions
1. **Identify Essential Operations:** Define which core functions must continue during a total loss of internet or third-party connectivity.
2. **Inventory Network Dependencies:** Map all connections between Operational Technology (OT), Industrial Control Systems (ICS), and business/external networks.
3. **Establish Out-of-Band Communication:** Ensure backup communication channels (e.g., satellite, radio, or offline protocols) are ready for use if telecommunications fail.
### Short-term Improvements (1-3 months)
1. **Develop Isolation Protocols:** Create step-by-step procedures to "proactively disconnect" OT/ICS environments from the Corporate/IT network and the open internet without shutting down physical operations.
2. **Tabletop Exercises:** Conduct drills specifically modeling a "geopolitical crisis" scenario where third-party services (SaaS, cloud, remote monitoring) are unavailable.
3. **Access Control Review:** Implement or harden multi-factor authentication (MFA) and tighten firewall rules between IT and OT segments.
### Long-term Strategy (3+ months)
1. **Resilience Infrastructure:** Invest in hardware and software that support "manual" or "analog" overrides for critical machinery to bypass digital failures.
2. **Geopolitical Risk Integration:** Incorporate national security threat intelligence into the organization’s high-level risk management framework.
3. **Redundant Supply Chain:** Localize or diversify critical technology dependencies to avoid single points of failure during international conflicts.
## Implementation Guidance
### For Small Organizations (e.g., local water utilities)
- Focus on manual operational capability; ensure personnel are trained to operate valves or switches without digital interfaces.
- Maintain physical "run books" (paper-based instructions) for emergency operations.
### For Medium Organizations (e.g., regional transportation)
- Implement robust network segmentation to allow for the immediate severance of the IT/OT bridge.
- Conduct quarterly audits of vendor remote access permissions.
### For Large Enterprises (e.g., national energy/telecom)
- Build out fully redundant, "clean-room" recovery environments.
- Establish an internal "Sustained Operations" team dedicated to maintaining CI functions during long-term network outages.
## Configuration Examples
While specific code is not provided in the guidance, the initiative emphasizes **Network Segmentation Configuration**:
- **Standard State:** IT and OT networks connected via a managed jump box or firewall with deep packet inspection.
- **Crisis State (Isolation):** "Kill-switch" configuration: immediately drop all packets at the IT/OT boundary firewall, including established sessions, so that existing inbound VPN/Remote Desktop Protocol (RDP) connections from third-party vendors are terminated rather than merely blocked for new logins.
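The two segmentation states above, together with the "Inventory Network Dependencies" and "Develop Isolation Protocols" steps in the Key Recommendations, as an added example that is not code from CISA, the CI Fortify guidance or the article. It models a small utility's IT/OT dependency inventory, derives the flows an isolation must cut, flags essential operations that would lose a dependency when the boundary is cut (the "dependency miscalculation" pitfall), renders the boundary firewall for both states in nftables syntax, and reports flows seen on the wire that the documented inventory lacks (the "stale documentation" pitfall). All zones, addresses, ports, services and the `ot_boundary` table name are constructed assumptions.

```python
"""Added example (not code from CISA, the CI Fortify guidance or the article):
a minimal IT/OT dependency inventory that derives what an isolation has to cut,
which essential operations then lose a dependency, the boundary firewall rules
for the standard and crisis states, and flows on the wire the inventory lacks.
All zones, addresses, ports and services are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str          # "OT", "IT", "VENDOR" or "CLOUD"
    dst_zone: str
    src: str               # source address or prefix (constructed)
    dst: str               # destination address (constructed)
    port: int              # TCP destination port
    purpose: str
    supports: tuple = ()   # essential operations that depend on this flow


# Essential operations a small water utility must keep running (constructed).
ESSENTIAL = {"pump_control", "chlorine_dosing", "tank_level_alarms"}

# Constructed inventory: every connection touching OT plus one pure-IT flow.
INVENTORY = [
    Flow("OT", "OT", "10.10.0.11", "10.10.0.50", 44818, "PLC to HMI", ("pump_control",)),
    Flow("OT", "OT", "10.10.0.12", "10.10.0.50", 502, "dosing PLC to HMI", ("chlorine_dosing",)),
    Flow("IT", "OT", "10.20.0.5", "10.10.0.11", 502, "historian polling PLC", ()),
    Flow("VENDOR", "OT", "198.51.100.0/24", "10.10.0.12", 3389, "vendor RDP support", ()),
    Flow("OT", "CLOUD", "10.10.0.60", "203.0.113.10", 443, "cloud alarm SaaS", ("tank_level_alarms",)),
    Flow("IT", "IT", "10.20.0.7", "10.20.0.8", 25, "business email", ()),
]


def boundary_flows(inventory):
    """Flows with exactly one end inside OT: the set an isolation cuts."""
    return [f for f in inventory if (f.src_zone == "OT") != (f.dst_zone == "OT")]


def operations_at_risk(inventory, essential=ESSENTIAL):
    """Essential operations that depend on a boundary flow. Each needs a manual
    or analog fallback before the kill switch is thrown, or the isolation
    breaks the very operation it is meant to protect."""
    at_risk = {}
    for f in boundary_flows(inventory):
        for op in f.supports:
            if op in essential:
                at_risk.setdefault(op, []).append(f.purpose)
    return at_risk


def ruleset(inventory, crisis):
    """Forward-chain rules for the IT/OT boundary firewall (nftables syntax).

    Standard state: default drop plus an allow-list of the inventoried boundary
    flows. Crisis state: the same default drop with no accept rules at all, so
    established vendor VPN/RDP sessions are cut as well as new ones. Intra-OT
    traffic never traverses this chain, so the plant keeps running."""
    rules = [
        "table inet ot_boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
    ]
    if not crisis:
        # Return traffic for an allowed flow rides on conntrack; in crisis this
        # line is omitted deliberately so existing sessions die with the rest.
        rules.append("    ct state established,related accept")
        for f in boundary_flows(inventory):
            rules.append(
                f"    ip saddr {f.src} ip daddr {f.dst} tcp dport {f.port} "
                f'accept comment "{f.purpose}"'
            )
    rules += ["  }", "}"]
    return rules


def undocumented(inventory, observed):
    """Flows seen on the wire (for example from boundary firewall logs) that the
    documented inventory lacks. Non-empty means the isolation procedure is stale."""
    known = {(f.src, f.dst, f.port) for f in inventory}
    return [o for o in observed if o not in known]


if __name__ == "__main__":
    # Constructed observations from the boundary firewall, as (src, dst, port).
    observed = [("10.20.0.5", "10.10.0.11", 502), ("10.30.0.9", "10.10.0.11", 22)]
    print("boundary flows to cut:", [f.purpose for f in boundary_flows(INVENTORY)])
    print("essential operations needing a fallback:", operations_at_risk(INVENTORY))
    print("undocumented flows:", undocumented(INVENTORY, observed))
    print("\n".join(ruleset(INVENTORY, crisis=True)))
```

The crisis ruleset deliberately carries no `ct state established,related accept` line: with a default-drop policy and no accept rules, nftables drops packets of already-established vendor sessions too, which is the behaviour a kill switch needs. `operations_at_risk` is the check to run before throwing that switch; in the constructed data it shows that tank-level alarms ride on a cloud service and need a local or manual fallback during isolation.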
## Compliance Alignment
- **CISA Performance Goals (CPGs):** Directly aligned with the cross-sector cybersecurity performance goals.
- **NIST CSF 2.0:** Aligns with the *Protect* function (network segmentation and access control) and the *Recover* function.
- **IEC 62443:** Corresponds to the zones-and-conduits segmentation model for industrial automation and control system security.
## Common Pitfalls to Avoid
- **"All or Nothing" Thinking:** Shutting down the entire plant when only the business network is compromised.
- **Dependency Miscalculation:** Assuming cloud-based security tools (e.g., a cloud-hosted identity provider backing MFA, or a hosted EDR/SIEM console) will work during a connectivity crisis.
- **Stale Documentation:** Having isolation procedures that haven't been updated to account for new vendor connections or software updates.
## Resources
- **CISA CI Fortify Initiative:** hxxps[://]www[.]cisa[.]gov/topics/industrial-control-systems/ci-fortify
- **CISA ICS/OT Best Practices:** hxxps[://]www[.]cisa[.]gov/ics
- **Federal News Network Report:** Reference for emergency planning objectives.