# CISA Launches 'CI Fortify' Initiative to Harden Critical Infrastructure Against Geopolitical Cyber Threats


The Cybersecurity and Infrastructure Security Agency (CISA) has unveiled CI Fortify, a comprehensive guidance framework designed to strengthen the resilience of critical infrastructure operators against sustained cyber attacks and geopolitical conflict scenarios. The initiative calls for organizations to fundamentally rethink their operational technology (OT) environments, emphasizing the ability to survive extended isolation, maintain operations during compromise, and recover rapidly from coordinated attacks.


This strategic shift reflects growing concerns within the U.S. government about the vulnerability of essential services—from power grids and water systems to transportation networks and communications infrastructure—to increasingly sophisticated nation-state actors. As geopolitical tensions escalate and advanced persistent threat (APT) groups linked to hostile foreign governments grow more active, CISA is urging operators to move beyond traditional cybersecurity postures toward true operational resilience.


## The Initiative: Building Cyber-Survivable Infrastructure


CI Fortify represents a departure from conventional cybersecurity frameworks that focus primarily on prevention and detection. Instead, CISA's guidance acknowledges a harsh reality: prevention alone is insufficient. Even well-defended networks may eventually be compromised by determined, well-resourced adversaries. The initiative therefore prioritizes what CISA calls "survivability"—the ability of critical infrastructure to continue functioning even when under active cyber attack or following a successful breach.


The core tenets of CI Fortify include:


  • Operational continuity during compromise: Systems should remain functional even if attackers have established footholds within the network
  • Extended isolation capability: Infrastructure must be designed to operate independently if disconnected from external networks, cloud services, or centralized control systems
  • Rapid recovery mechanisms: Organizations should be able to quickly identify and eject attackers while restoring systems to known-good states
  • Distributed decision-making: Reducing dependency on centralized control to prevent single points of failure

CISA emphasizes that these capabilities are not luxuries but necessities for sectors where disruption could endanger public safety or national security.


## Background and Context: The Evolving Threat Landscape


The timing of CI Fortify reflects mounting evidence that the cyber threat environment has fundamentally changed. Recent years have seen closer coordination between nation-state actors and criminal ransomware groups, increasingly destructive attacks on critical infrastructure, and campaigns that target several sectors at once.


Several high-profile incidents have underscored the vulnerability of operational technology systems:


| Incident | Impact | Lesson |
|----------|--------|--------|
| Ukraine power grid attacks (2015, 2016) | Outages affecting hundreds of thousands of customers, with operators restoring service by hand after the attackers locked them out of their own control systems | OT networks are active targets in geopolitical conflict, and manual fallback is what restores service |
| Colonial Pipeline ransomware (2021) | Pipeline operations shut down as a precaution after the corporate IT network was hit, causing fuel shortages across the Eastern U.S. | An IT compromise can halt operations even when OT is untouched, and the disruption cascades across the economy |
| Iranian activity in response to sanctions | Persistent reconnaissance of U.S. infrastructure | Advanced actors conduct sustained campaigns |
| Recent APT activity | Targeting ICS/SCADA systems directly | OT is no longer air-gapped or "too difficult" |


Geopolitical developments—including great power competition with China and Russia, regional conflicts, and international sanctions—have created an environment where attacks on critical infrastructure are now considered viable tactical and strategic options for hostile nations.


CISA's CI Fortify guidance is therefore positioned as a proactive response, helping operators anticipate and prepare for worst-case scenarios rather than reacting after attacks succeed.


## Technical Resilience Requirements: What Organizations Must Address


CI Fortify guidance focuses on several critical technical domains:


### Operational Technology Hardening


OT systems—including industrial control systems (ICS), supervisory control and data acquisition (SCADA) systems, and programmable logic controllers (PLCs)—were designed for availability and reliability, not cybersecurity. Many legacy systems lack encryption, authentication, or even basic network segmentation. CI Fortify calls for:


  • Air-gapping critical systems where possible, reducing dependency on networked connections; any link that remains, including vendor remote access and engineering laptops, has to be treated as a controlled conduit rather than assumed to be a gap
  • Implementing manual override capability for all automated processes
  • Establishing backup manual operation procedures that require no digital systems
  • Applying security patches to OT environments on aggressive timelines, despite operational disruption concerns; in practice that means testing each patch against a representative system, scheduling it into a maintenance window, and relying on compensating controls such as segmentation and protocol allow-listing where a controller cannot be patched at all

### Network Architecture and Resilience


Organizations are urged to redesign networks around resilience principles:


  • Defense in depth with multiple isolated security zones rather than a single perimeter, with traffic between zones limited to explicitly defined conduits
  • Redundant communication paths so that loss of any single connection doesn't compromise operations
  • Local processing and decision-making to reduce dependency on centralized cloud infrastructure or corporate networks
  • End-to-end encryption for critical control communications, keeping in mind that common ICS protocols such as Modbus/TCP and plain DNP3 carry no cryptography of their own, so the protection has to be added at the transport layer without introducing latency the control loop cannot tolerate
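The zone-and-conduit idea in the list above is easiest to understand as a policy that can be checked mechanically. The following is an added example, not code from CISA or the CI Fortify guidance: it models Purdue-style zones (enterprise, DMZ, supervisory, control, safety) as address ranges, allows connections only between adjacent zones and only over explicitly listed conduits, and audits a connection log against that policy. The zone ranges, conduit list and log lines are all constructed for illustration.

```python
"""Zone and conduit policy check for an OT network.

Hypothetical example: the zones, address ranges, conduits and flow records
below are constructed for illustration and are not from any real network.

Model: Purdue-style zones ordered enterprise -> dmz -> supervisory -> control
-> safety. A connection may only cross between *adjacent* zones, and only
over a conduit (protocol/port) that is explicitly allowed for that direction.
Everything else is reported as a violation.
"""
import ipaddress
from dataclasses import dataclass

# Zone address ranges (constructed).
ZONES = {
    "enterprise":  [ipaddress.ip_network("10.1.0.0/16")],
    "dmz":         [ipaddress.ip_network("10.2.0.0/24")],
    "supervisory": [ipaddress.ip_network("10.10.0.0/24")],
    "control":     [ipaddress.ip_network("10.20.0.0/24")],
    "safety":      [ipaddress.ip_network("10.30.0.0/24")],
}
ORDER = ["enterprise", "dmz", "supervisory", "control", "safety"]

# Allowed conduits as (initiating zone, destination zone, proto, dst port).
# Conduits are directional: nothing initiates into a more trusted zone
# unless it is listed here. (constructed)
CONDUITS = {
    ("enterprise", "dmz", "tcp", 443),         # users read historian replica in DMZ
    ("supervisory", "dmz", "tcp", 443),        # SCADA pushes data to DMZ historian
    ("supervisory", "control", "tcp", 502),    # Modbus/TCP polling of PLCs
    ("supervisory", "control", "tcp", 20000),  # DNP3
    ("control", "safety", "tcp", 502),         # PLC reads safety-system status
}


@dataclass(frozen=True)
class Flow:
    """One connection-initiation record (who opened the connection to whom)."""
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(ip: str):
    """Name of the zone containing ip, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return None


def check_flow(flow: Flow):
    """Return None if the flow is permitted, otherwise a short reason."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None:
        return f"unknown zone for {flow.src}"
    if dst_zone is None:
        return f"unknown zone for {flow.dst}"
    if src_zone == dst_zone:
        return None  # intra-zone traffic is governed by host-level controls
    if abs(ORDER.index(src_zone) - ORDER.index(dst_zone)) != 1:
        return f"zone skip {src_zone}->{dst_zone}"
    if (src_zone, dst_zone, flow.proto, flow.dport) not in CONDUITS:
        return f"no conduit {src_zone}->{dst_zone} {flow.proto}/{flow.dport}"
    return None


def parse_flows(text: str):
    """Parse 'src,dst,proto,dport' lines (the shape of a trimmed NetFlow or
    firewall connection log); blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, dport = (p.strip() for p in line.split(","))
        flows.append(Flow(src, dst, proto.lower(), int(dport)))
    return flows


def audit(flows):
    """Return [(flow, reason)] for every flow the policy rejects."""
    return [(f, r) for f in flows if (r := check_flow(f)) is not None]


# Constructed sample connection log: two expected flows, then an enterprise
# host reaching a PLC directly, RDP from SCADA to a PLC, a legitimate
# control->safety read, and a host from a subnet that belongs to no zone.
SAMPLE_LOG = """\
# src,dst,proto,dport
10.1.5.20,10.2.0.10,tcp,443
10.10.0.5,10.20.0.12,tcp,502
10.1.5.20,10.20.0.12,tcp,502
10.10.0.5,10.20.0.12,tcp,3389
10.20.0.12,10.30.0.3,tcp,502
192.168.77.9,10.20.0.12,tcp,502
"""

if __name__ == "__main__":
    for flow, reason in audit(parse_flows(SAMPLE_LOG)):
        print(f"VIOLATION {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Two design points matter in practice. The records must be connection initiations, not individual packets, otherwise the PLC's replies to a legitimate poll look like the controller initiating into the supervisory zone. And an address that maps to no zone is reported rather than silently allowed: a device the zone map does not know about is exactly the kind of engineering laptop or forgotten modem that turns a supposed air gap into a path.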

### Supply Chain and Third-Party Risk


The guidance emphasizes that vulnerabilities in third-party software and hardware pose existential risks. Organizations must:


  • Validate vendor security controls before integrating systems
  • Establish contractual language requiring rapid notification and patching of vulnerabilities
  • Maintain an inventory of all hardware, firmware, and software in OT environments, including versions, so that a vulnerability advisory can be matched to the affected assets quickly
  • Reduce dependency on foreign-sourced components in critical systems, where national security implications exist
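The inventory bullet above and the earlier tenet of restoring systems to known-good states rest on the same artifact: a baseline that records, per asset, what hardware and firmware it should be running and a hash of its known-good configuration. The following is an added example and not code from the CI Fortify guidance or any vendor tool. It builds such a baseline, compares a later scan against it, and reports firmware drift, altered controller logic, devices that have gone missing and devices nobody recorded. The asset names, vendors, firmware versions and controller programs are constructed for illustration.

```python
"""Known-good baseline and inventory drift check for OT assets.

Hypothetical example: asset names, vendors, firmware versions and controller
programs below are constructed for illustration. A baseline records, per
asset, the expected vendor/model, firmware version and SHA-256 of the
exported controller configuration. A later scan is compared against it so
that drift, unknown devices and missing devices are surfaced, and the
known-good hash identifies which stored image is the right one to restore.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(assets):
    """assets: iterable of dicts with name, vendor, model, firmware and the
    exported config as bytes. The baseline stores only the config's hash;
    the config itself belongs in the offline known-good store."""
    baseline = {}
    for a in assets:
        baseline[a["name"]] = {
            "vendor": a["vendor"],
            "model": a["model"],
            "firmware": a["firmware"],
            "config_sha256": sha256_hex(a["config"]),
        }
    return baseline


def compare(baseline, scan):
    """Return sorted (asset, finding, detail) tuples describing every way the
    scan departs from the baseline."""
    findings = []
    seen = set()
    for a in scan:
        name = a["name"]
        seen.add(name)
        rec = baseline.get(name)
        if rec is None:
            findings.append((name, "unknown", f"{a['vendor']} {a['model']} not in baseline"))
            continue
        if (a["vendor"], a["model"]) != (rec["vendor"], rec["model"]):
            findings.append((name, "hardware-mismatch",
                             f"expected {rec['vendor']} {rec['model']}, saw {a['vendor']} {a['model']}"))
        if a["firmware"] != rec["firmware"]:
            findings.append((name, "firmware-drift", f"{rec['firmware']} -> {a['firmware']}"))
        if sha256_hex(a["config"]) != rec["config_sha256"]:
            findings.append((name, "config-drift", "config hash differs from known-good; restore candidate"))
    for name in baseline:
        if name not in seen:
            findings.append((name, "missing", "in baseline but not seen in scan"))
    return sorted(findings)


# Constructed baseline capture, taken while the plant was in a verified-good state.
KNOWN_GOOD = [
    {"name": "plc-01", "vendor": "ACME", "model": "X100", "firmware": "4.2.1",
     "config": b"PROGRAM main\n  pump_on := level < 40;\nEND_PROGRAM\n"},
    {"name": "plc-02", "vendor": "ACME", "model": "X100", "firmware": "4.2.1",
     "config": b"PROGRAM main\n  valve := pressure > 80;\nEND_PROGRAM\n"},
    {"name": "hmi-01", "vendor": "ACME", "model": "HMI-7", "firmware": "2.0.0",
     "config": b"screens=main,alarms\n"},
]
BASELINE = build_baseline(KNOWN_GOOD)

# Constructed later scan: plc-01's setpoint was changed, hmi-01 was
# downgraded, plc-02 did not answer, and an unlisted device appeared.
SCAN = [
    {"name": "plc-01", "vendor": "ACME", "model": "X100", "firmware": "4.2.1",
     "config": b"PROGRAM main\n  pump_on := level < 90;\nEND_PROGRAM\n"},
    {"name": "hmi-01", "vendor": "ACME", "model": "HMI-7", "firmware": "1.9.0",
     "config": b"screens=main,alarms\n"},
    {"name": "plc-09", "vendor": "Other", "model": "Z5", "firmware": "1.0",
     "config": b""},
]

if __name__ == "__main__":
    for asset, finding, detail in compare(BASELINE, SCAN):
        print(f"{asset}: {finding}: {detail}")
```

Pulling the running program off a live controller requires the vendor's engineering tooling, so this assumes the configs have already been exported; the comparison logic is the same either way. The baseline must be kept where an attacker with write access to the controllers cannot reach it (offline, or signed), because anyone who can rewrite the PLC logic and also rewrite the stored hash leaves nothing to compare against.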

## Implications for Critical Infrastructure Operators


CI Fortify's guidance will have significant implications across multiple sectors:


Energy Sector: Utilities must invest heavily in system hardening and manual operational capability. Many operators are already behind, with aging infrastructure and limited budgets for cybersecurity investment.


Water and Wastewater: These systems are vulnerable to both disruption and physical damage through cyber-attacks. The guidance will require substantial infrastructure improvements.


Transportation: Airports, rail, and port operators must design systems that can function during loss of centralized control, presenting significant operational and safety challenges.


Communications: Service providers must ensure networks can route around damage and maintain service during attack or compromise.


Healthcare: While not primarily addressed in the industrial-focused CI Fortify guidance, hospitals and health systems relying on OT-adjacent infrastructure should align their security posture.


The initiative implicitly acknowledges that implementing these recommendations will be expensive and disruptive. However, CISA frames this as the cost of strategic resilience in an era of acute geopolitical tension.


## Implementation Recommendations: How Operators Should Respond


Organizations should begin by:


1. Conducting resilience assessments to identify which systems must survive extended isolation and which can tolerate brief downtime


2. Prioritizing OT network segmentation and implementing air-gaps for the most critical processes


3. Developing and testing manual operation procedures now, before they're needed under crisis conditions


4. Engaging supply chain partners on security timelines and vulnerability management


5. Investing in redundancy for systems that cannot tolerate single points of failure


6. Training staff on both cyber-security practices and manual operations when digital systems are unavailable


7. Participating in CISA's sectoral working groups to share lessons learned and coordinate defenses


## The Road Ahead: A Strategic Shift


CI Fortify represents a strategic acknowledgment from U.S. government cybersecurity leadership that the threat environment has fundamentally shifted. The initiative signals that prevention is no longer sufficient—organizations must now design for a world in which compromise is possible and even likely.


This philosophy marks a significant departure from traditional "prevent all breaches" messaging and reflects hard lessons learned from decades of cyber conflict between nation-states.


For critical infrastructure operators, the implications are clear: the era of bolted-on cybersecurity is ending. Resilience must now be architected into operational systems from the ground up. The cost is substantial, but so is the cost of allowing essential services to fail during the next geopolitical crisis.