The U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched a new initiative to strengthen the resilience of America’s critical infrastructure against disruptive cyber threats. Called ‘CI Fortify,’ the program provides strategic guidance to help organizations across sectors prepare for crises or conflicts, ensuring they can sustain essential operations even while under attack. It prioritizes baseline service continuity and operational resilience during cyber incidents designed to disrupt critical services.
CISA urges critical infrastructure owners and operators to harden systems so essential services can continue through geopolitical conflict. Investing now in isolation and recovery capabilities is key to sustaining operations when adversaries target communications and attempt to manipulate control systems.
CI Fortify is an allied initiative bolstering public health and safety, defense critical infrastructure, continuity of the economy, and national security by ensuring operators are prepared to sustain essential operations during a geopolitical conflict. For planning purposes, operators should assume that in a conflict scenario, third-party connections, such as telecommunications, internet, vendors, service providers, and upstream dependencies, will be unreliable and that threat actors will have some access to the OT (operational technology) network.
“CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure,” Nick Andersen, CISA acting director, said in a Tuesday media statement. “We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors.”
Andersen added that “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering—at a minimum—crucial services. They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”
The CISA initiative recognizes isolation and recovery as emergency planning objectives that can mitigate this threat over the next few years. Isolation involves proactively disconnecting from third-party and business networks to limit the impact of cyber incidents on OT and sustain essential functions in a degraded communications environment. The objective is to maintain critical service delivery during an emergency rather than resorting to a full shutdown.
Organizations should identify priority customers, including military infrastructure and other lifeline services, and define service delivery targets based on their needs. They must determine the essential OT and supporting infrastructure required to meet those targets while operating in isolation.
Business continuity plans and engineering processes should be updated to support safe, sustained operations for weeks or even months in a disconnected state. At the same time, operators should monitor communications from the Cybersecurity and Infrastructure Security Agency and relevant SRMAs (Sector Risk Management Agencies) to understand when isolation measures may be necessary.
Recovery focuses on ensuring that organizations can restore operations if isolation fails or systems become inoperable. This includes documenting systems, maintaining secure backups of critical data, and regularly testing the replacement of systems or the transition to manual operations.
Recovery planning must also address dependencies on communications infrastructure, such as licensing servers and business network connections, which may be required to bring systems back online. Operators are encouraged to work closely with managed service providers, system integrators, and vendors to map these dependencies and identify practical workarounds to support recovery under constrained conditions.
Regardless of the source of disruption, these emergency planning efforts leave operators with more resilient infrastructure that is easier to defend and keep running. Planning for communication outages helps sustain essential operations across a wide range of scenarios, including cyber incidents, extreme weather, and safety-related events. It also limits further access by adversaries and cuts off command-and-control channels to compromised systems.
In addition, maintaining clear system documentation reduces recovery time and lowers incident response costs across disruptions, from natural disasters and routine component failures to staff turnover, by removing the need to rebuild networks from scratch.
Commenting on the CISA initiative, Duncan Greatwood, CEO at Xage Security, wrote in an emailed statement that CISA’s CI Fortify initiative reflects the need for resilience in critical infrastructure. “The emphasis on isolation and recovery is important for maintaining continuity during disruption, particularly as critical infrastructure is increasingly in the crosshairs of geopolitical tension and AI accelerates how quickly vulnerabilities can be exploited.”
However, he added that if organizations don’t have control within the environment, then isolation on its own is not enough. “Threats will often move through trusted connections, third parties, or compromised credentials long before a crisis response begins. The focus on segmentation and maintaining operations even in a degraded state is a meaningful step forward and more aligned with how these environments actually function.”
Greatwood highlighted that resilience comes from continuously enforcing who and what can access critical systems, containing nefarious actors and preventing threats from spreading so operations can continue safely. “The organizations that will be most successful are those that layer control and containment into their environment, allowing them to limit the impact of an attack and keep services running, rather than relying on patching and human-driven recovery after disruption has already occurred.”
“CISA’s new initiative to fortify America’s critical infrastructure reinforces a hard operational truth: resilience is not achieved by policy, visibility, or incident response plans alone. Critical infrastructure operators need architectures that keep essential work moving when networks are segmented, degraded, isolated, or under active cyber stress,” Bill Moore, CEO of Xona Systems, wrote in an emailed statement. “That is where remote access becomes a strategic control point. During a disruption, operators, engineers, and vendors still need to reach critical systems, but broad VPN access, jump boxes, and network-level trust can undermine the very isolation and containment measures resilience depends on.”
Moore added that critical infrastructure resilience requires remote access built for crisis conditions: no broad network exposure, no endpoint-to-OT trust assumption, precise session control, and clear evidence of who accessed what, when, and why. “The access layer can either preserve operational control during disruption or quietly become the pathway that makes disruption worse.”
CISA has called on industrial automation and control system vendors and suppliers to take a more proactive role in resilience planning. This includes identifying potential barriers to isolation and recovery, such as contractual or licensing dependencies tied to server connections that could prevent operators from executing emergency measures.
Vendors are also expected to clearly understand and communicate how their systems behave during telecommunications outages, particularly for highly connected OT components. In addition, they should be prepared for increased coordination and engagement from critical infrastructure entities as organizations strengthen their contingency planning.
The agency urged managed service providers and integrators to assist with the engineering updates and planning work required to allow isolation, and to support local collection of backups and documentation necessary for recovery, as well as communication dependencies.
CISA recommends that security vendors strengthen both pre-crisis and in-crisis support. Before a crisis, vendors should maintain a watch-and-warning capability that communicates early signs of threat actors shifting from espionage to disruptive or destructive activity. During a crisis, they are expected to share timely intelligence on tactics, techniques, and procedures that could hinder recovery, such as malicious firmware updates, or undermine isolation measures, including vulnerabilities in software-based data diodes.


