10 Critical Steps to Fortify Infrastructure: CISA's New CI Fortify Initiative Explained

In an era of escalating geopolitical tensions, the cyber battleground has expanded to include critical infrastructure. On [date], the Cybersecurity and Infrastructure Security Agency (CISA) launched CI Fortify, a bold initiative aimed at hardening operational technology (OT) environments against state-sponsored cyber attacks. With a focus on surviving extended isolation and compromise, this program provides actionable guidance for operators of power grids, water systems, transportation networks, and other vital assets. Below are 10 key things you need to know about CI Fortify, how it prepares your organization for geopolitical cyber conflict, and steps you can take today.

1. What Is CI Fortify?

CI Fortify is CISA's strategic initiative to bolster the resilience of critical infrastructure against sophisticated, long-duration cyber attacks originating from nation-state actors. Unlike traditional cybersecurity programs that prioritize prevention, CI Fortify emphasizes survivability—the ability to operate securely even when systems are compromised or cut off from external networks. The program includes detailed guidance, best practices, and a framework for building OT environments that can withstand extended periods of isolation. This shift acknowledges that in a geopolitical conflict, adversaries may target infrastructure not just for espionage but for disruption, demanding a fundamental change in how we design and defend industrial control systems.

10 Critical Steps to Fortify Infrastructure: CISA's New CI Fortify Initiative Explained — Source: www.securityweek.com

2. Why Now? The Geopolitical Threat Landscape

Recent cyber incidents targeting Ukraine's power grid, Colonial Pipeline, and water facilities have demonstrated that critical infrastructure is a prime target in modern warfare. CISA's warning is clear: as geopolitical tensions rise, the likelihood of coordinated, persistent attacks on U.S. infrastructure increases. CI Fortify responds to the reality that OT systems, often running on legacy technology, are poorly equipped for extended conflicts. The initiative aims to close the gap between traditional IT security and the unique needs of OT environments, where downtime can have catastrophic physical consequences. By preparing now, operators can mitigate the risk of cascading failures during a crisis.

3. Core Principle: Surviving Extended Isolation

A cornerstone of CI Fortify is the concept of extended isolation—the ability to maintain critical operations when network connectivity to the outside world is severed or compromised. In a major cyber conflict, attackers may target communication links, cloud services, or authentication servers to cripple central management. CISA's guidance advises operators to design systems that can run autonomously for days or weeks without external updates or remote commands. This involves local backups, offline authentication mechanisms, and redundant control loops. The goal is to prevent a single point of failure from halting essential services like power generation or water treatment.

4. Surviving Cyber Compromise: Assume Breach Mindset

Another key tenet is the 'assume breach' mindset, which CI Fortify applies specifically to OT. Instead of only focusing on keeping attackers out, operators must plan for inevitable intrusions. The initiative provides guidance on containment and recovery—how to segment networks so that a compromise in one zone doesn't cascade to others, how to detect malicious activity quickly even on isolated systems, and how to restore clean states without relying on intact external backups. This includes air-gapped recovery plans, manual override procedures, and hardware-based trust anchors that cannot be altered remotely.

5. The Role of Hardened OT Architectures

CI Fortify strongly advocates for hardened OT architectures that minimize attack surfaces. This means replacing insecure protocols with authenticated and encrypted alternatives, using unidirectional gateways (data diodes) to prevent outbound command injection, and implementing micro-segmentation at the control level. CISA's guidance includes specific recommendations for industrial Ethernet, serial communications, and field device security. Operators are urged to move away from flat networks where a single vulnerable PLC can expose the entire plant. Instead, they should adopt defense-in-depth designs that isolate critical functions even within the same facility.

6. Practical Guidance for Immediate Implementation

To help operators act quickly, CISA has released a set of practical guidance documents within the CI Fortify framework. These include checklists for inventorying OT assets, identifying gaps in network segmentation, and testing isolation capabilities. The guidance also covers third-party risk management for vendors and integrators who have remote access to OT systems. Operators are advised to conduct tabletop exercises simulating extended isolation scenarios to identify weaknesses. Additionally, CISA encourages sharing of anonymized incident data to improve collective defense, while respecting proprietary or security-sensitive information.

7. Collaboration Between Government and Industry

CI Fortify is not a unilateral government mandate; it is built on public-private collaboration. CISA is working closely with sector-specific agencies (like DOE for energy, EPA for water) and industry associations (such as ISA, ICS-CERT). The initiative includes a voluntary adoption process, with incentives such as expedited threat intelligence sharing and priority access to cybersecurity exercises. CISA also plans to offer technical assistance to small and mid-sized operators who may lack in-house OT security expertise. This partnership approach acknowledges that government cannot secure critical infrastructure alone—every asset owner has a role.

8. Key Differences from Previous Programs

Unlike earlier CISA efforts like the 'Shields Up' campaign or voluntary NIST-based assessments, CI Fortify is specifically tailored for geopolitical conflict. Where previous guidance focused on best practices for daily hygiene, CI Fortify addresses wartime scenarios. For instance, it recommends designing for indefinite offline operation, whereas typical guidance assumes eventual reconnection. It also emphasizes physical security integration—because in a conflict, sabotage may complement cyber attacks. This shift represents a maturation of U.S. cybersecurity policy, acknowledging that critical infrastructure must be a defensive stronghold, not just a resilient business.

9. Resource Requirements and Challenges

Implementing CI Fortify will require significant investment. Operators may need to upgrade legacy equipment, deploy new network monitoring tools, and hire specialized personnel. CISA acknowledges these challenges and recommends a phased approach: start with high-impact assets (e.g., power transformer controls) before tackling lower priority systems. The agency also points to existing grant programs, like the State and Local Cybersecurity Grant Program, as funding sources. However, critics note that many utilities operate on thin margins, and full compliance may take years. CISA urges organizations to begin now, even with small steps, rather than waiting for perfect security.

10. The Urgency of Action: A Call to Operators

CISA's message is urgent: the time to fortify is now, before a crisis strikes. The agency warns that geopolitical adversaries are actively probing OT networks, and the next major conflict could trigger simultaneous attacks across multiple sectors. CI Fortify provides a roadmap, but it requires buy-in from boards, executives, and engineers. Operators are encouraged to conduct a baseline gap analysis using the newly released tools, prioritize critical functions, and begin hardening their OT environments. Even if full isolation is impractical, incremental improvements—like enabling network segmentation or improving backup authentication—can drastically reduce risk. The goal is to ensure that when the moment comes, your systems keep running.

In conclusion, CI Fortify marks a paradigm shift in how we protect the backbone of our society. It moves beyond compliance and prevention to true resilience in the face of state-sponsored attacks. By embracing the principles of extended isolation, assume breach, and hardened architectures, critical infrastructure operators can not only survive a cyber conflict but continue to serve the public. Visit Item 1 for a refresher on the initiative's core, then explore each item to build your action plan.

Tags: