Overview
CISA’s CI Fortify initiative, launched in May 2026, represents a significant shift in how the agency is framing its guidance to critical infrastructure operators. Previous CISA advisories focused heavily on vulnerability patching, secure-by-design principles, and detection of specific threat actor TTPs. CI Fortify addresses a different problem entirely: what happens when a coordinated cyber campaign severs the connectivity that modern OT systems depend on — and your organisation needs to keep operating anyway.
The initiative is a direct operational response to the confirmed presence of Volt Typhoon and similar nation-state actors in US and allied critical infrastructure networks. CISA’s stated assessment is that these actors are not conducting espionage — they are pre-positioning for potential disruptive attacks timed to geopolitical crises, specifically scenarios involving conflict over Taiwan or other flashpoint events. The target isn’t individual OT systems; it’s the connectivity fabric that holds distributed infrastructure together.
The Specific Risk CI Fortify Addresses
Contemporary OT environments are far more connected than the architectures they were designed to protect. SCADA systems that once communicated over dedicated serial lines now traverse corporate IT networks to reach cloud-hosted historian databases, vendor remote maintenance portals, and centralised control systems. The operators who manage these systems rely on internet connectivity for engineering workstation software updates, vendor support, remote diagnostics, and — increasingly — cloud-based monitoring dashboards.
Volt Typhoon’s confirmed infiltration of US water systems, electric cooperatives, and transportation infrastructure has demonstrated that adversaries have identified these connectivity dependencies and are positioning themselves to exploit them. A coordinated attack that severs internet and cloud connectivity to critical infrastructure operators — while simultaneously degrading telecommunications — would force utilities and operators into a degraded operating mode they have not exercised and, in many cases, have not designed for.
CI Fortify asks operators a question they often cannot currently answer: if you lost all external connectivity tomorrow for 72 hours, could your systems continue to operate safely, and does your staff know how?
What CI Fortify Requires
CISA has published CI Fortify guidance as a framework of capabilities rather than a prescriptive checklist. The core areas:
1. Offline Operating Procedures
OT operators should maintain documented, regularly exercised procedures for operating critical systems without reliance on external connectivity, cloud services, or vendor remote access. This means:
- Local engineering workstation capability: Software, configuration backups, and engineering tools that can operate without internet activation or cloud licence validation
- Paper/offline procedures for critical operations: Documented manual operating procedures for the scenarios most likely to be disrupted — pump control, substation switching, traffic signal management — that trained operators can execute without SCADA visibility
- Out-of-band communications: Satellite communications, private radio networks, or pre-established neighbour-to-neighbour coordination channels that don’t depend on commercial telecom infrastructure
2. Dependency Mapping
Many organisations cannot currently enumerate their OT connectivity dependencies accurately. CI Fortify requires that operators map all external connectivity paths including:
- Internet-facing OT historian connections and cloud integrations
- Vendor remote access paths (VPN, Citrix, vendor-specific remote support tools)
- IT/OT convergence points where OT networks traverse corporate IT infrastructure to reach external services
- Third-party monitoring services and managed OT SOC providers
This mapping serves two purposes: it identifies attack surface for hardening, and it defines the scope of the “connectivity loss” scenario that isolation planning must address.
3. Segmentation Validation
Network segmentation in OT environments is frequently documented but less frequently validated. Firewall rules accumulate exceptions over years of operations; vendor access paths are added without removing old ones; IT/OT boundary controls are bypassed for operational convenience.
CI Fortify calls for periodic validation that documented segmentation controls are actually enforced — through penetration testing, firewall rule audits, and network traffic analysis. For environments using the Purdue Model as their segmentation framework, this means verifying that communication paths between levels are controlled as documented and that lateral movement from Level 3 to Level 2 requires the controls that should be in place.
4. Recovery Capability
Isolation planning without recovery capability is incomplete. CI Fortify’s guidance addresses the full scenario:
- Detection: identify that connectivity has been severed and classify it as an attack versus an infrastructure outage
- Isolation activation: trigger planned isolation procedures without relying on the connectivity that has been severed
- Degraded-mode operation: execute pre-planned procedures for operating critical systems with reduced visibility and external support
- Restoration: staged reconnection procedures that verify systems are clean before re-establishing external connectivity — reconnecting a compromised system to the internet restores attacker access
Practical Implementation for OT Operators
Near-term (0-90 days):
Conduct a dependency mapping exercise. Interview operations technology staff, IT staff managing the IT/OT boundary, and vendor relationship managers to enumerate all external connectivity paths. Pay particular attention to:
- Cloud historian connections (OSIsoft PI, AVEVA, Inductive Automation Ignition cloud editions)
- Vendor remote access tools — many are installed during maintenance and never removed
- “Temporary” IT/OT connections established for a specific project that are still active
Medium-term (90-180 days):
Validate segmentation. Commission either an internal OT network assessment or an external ICS/OT penetration test that specifically tests traversal from the IT network to OT Level 1/2 systems. The results frequently reveal connectivity that operators believed was blocked.
Review engineering workstation software licences and update processes. Identify any OT engineering tools that require internet access for licence validation, signature updates, or software activation, and develop a plan for offline operation.
Ongoing:
Tabletop exercises should now explicitly include the “loss of all external connectivity for 72 hours” scenario. Include operations staff, not just IT/security. The question is not just “can our systems survive the disconnection” but “do our people know what to do.”
The Threat Actor Context
CI Fortify is explicitly informed by CISA’s assessment of Volt Typhoon pre-positioning. The agency’s advisory language is direct: adversaries are already inside portions of US critical infrastructure, and their objective is to be able to activate disruptive capabilities at a time of strategic choice. The geopolitical trigger scenarios CISA is planning for include Taiwan military conflict timelines where cyber disruption to US infrastructure could degrade mobilisation capacity or public confidence.
For OT security practitioners: this is not a hypothetical future risk. The intrusions are confirmed. The pre-positioning is documented. CI Fortify is CISA’s guidance for the scenario where those pre-positioned footholds are activated. Whether that activation comes through Volt Typhoon, through a coalition of state actors, or through another avenue entirely, the operational resilience gaps CI Fortify addresses are real vulnerabilities in how critical infrastructure operates today.