{"id":16175,"date":"2026-05-05T17:21:50","date_gmt":"2026-05-05T17:21:50","guid":{"rendered":"https:\/\/newestek.com\/?p=16175"},"modified":"2026-05-05T17:21:50","modified_gmt":"2026-05-05T17:21:50","slug":"cisa-pushes-critical-infrastructure-operators-to-prepare-to-work-in-isolation","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=16175","title":{"rendered":"CISA pushes critical infrastructure operators to prepare to work in isolation"},"content":{"rendered":"
\n
\n
\n
\n
\n
\n
<\/div>\n<\/section>\n

The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new national initiative aimed at helping critical infrastructure operators withstand and recover from major cyberattacks by preparing to operate in isolation from the internet and third-party dependencies.<\/p>\n

The program, CI Fortify<\/a>, is designed to ensure that organizations can continue delivering essential services even when their networks are degraded, disconnected, or under active cyberattack. \u201cResilience and reliability begin with planning and investing,\u201d said acting CISA director Nick Andersen during a media briefing, emphasizing that operators must be ready to function even when cut off from external connectivity.<\/p>\n

\u201cCI Fortify gets the doctrine right,\u201d said James Winebrenner<\/a>, CEO of network security vendor Elisity. \u201cWhat\u2019s missing is the operator-side investment that would make this guidance executable.\u201d<\/p>\n

The initiative arrives as US officials warn that adversaries are already pre-positioned inside critical infrastructure networks, with the potential to disrupt electricity, water, and communications during geopolitical conflict.<\/p>\n

What CISA is trying to solve<\/h2>\n

At its core, CI Fortify is about operational resilience under worst-case conditions. CISA is urging organizations to assume that connectivity, particularly to external providers, may not be available during a major incident and to plan accordingly.<\/p>\n

That resilience means developing the ability to intentionally disconnect from third-party services, telecommunications, and even portions of their own IT environments, while continuing to operate critical systems. It also means being able to restore compromised systems rapidly while in that isolated state.<\/p>\n

CISA officials stress that this is not about traditional air-gapping, but about controlled isolation combined with the ability to operate locally and manually when needed. The goal is to sever adversaries\u2019 access while maintaining essential service delivery.<\/p>\n

\u201cWhen a cyberattack occurs, well-planned emergency capabilities help ensure the affected organization can still deliver critical services,\u201d CISA\u2019s Andersen said.<\/p>\n

The agency said it will support the effort through targeted assessments, guidance, and exercises, with a pilot phase already underway and additional much-needed staffing planned to scale the program across sectors.<\/p>\n

In practical terms, the initiative pushes organizations to answer difficult questions: How long can they operate without external connectivity? Which dependencies are critical? And what is the minimum viable level of service they must maintain during disruption?<\/p>\n

A familiar playbook under a new name<\/h2>\n

While the framing of CI Fortify is new, the underlying concepts are not. Several experts say the initiative largely repackages long-standing practices around disaster recovery, business continuity, and incident response \u2014 areas where many organizations have historically underinvested.<\/p>\n

\u201cIt looks to me like traditional business continuity planning, disaster recovery, and incident response,\u201d said Richard Forno<\/a>, associate director of the UMBC Cybersecurity Institute. \u201cThese are things organizations should have long since incorporated into their cybersecurity planning.\u201d<\/p>\n

That gap between theory and practice is precisely what CISA is trying to close. The agency\u2019s message is that planning alone is insufficient: Operators must build and test capabilities that work under real-world stress.<\/p>\n

Bill Moore<\/a>, CEO of Xona Systems, a secure remote access vendor, framed the issue in architectural terms, arguing that resilience depends on how systems are designed to function during disruption.<\/p>\n

\u201cResilience is not achieved by policy, visibility, or incident response plans alone,\u201d Moore said. \u201cCritical infrastructure operators need architectures that keep essential work moving when networks are segmented, degraded, isolated, or under active cyber stress.\u201d<\/p>\n

The visibility problem<\/h2>\n

One of the biggest challenges facing CI Fortify is that many organizations lack a clear understanding of their own dependencies, particularly in operational technology environments.<\/p>\n

Modern critical infrastructure is deeply interconnected, relying on layers of vendors, managed service providers, integrators, and licensing systems. That complexity makes it difficult to map out what needs to be disconnected and what must remain operational during a crisis.<\/p>\n

\u201cYou can\u2019t plan to operate disconnected from third parties for weeks to months until you can actually list who those third parties are,\u201d Elisity\u2019s Winebrenner said. \u201cMost operators can\u2019t.\u201d<\/p>\n

This visibility gap has been highlighted in recent incidents, including one involving utility technology provider Itron<\/a> and another involving Iranian threat actors compromising programmable logic controllers<\/a> at critical infrastructure facilities, where attackers exploited poorly understood connections into OT environments. Without a comprehensive inventory of dependencies, isolation planning may become largely theoretical.<\/p>\n

CISA\u2019s emphasis on assessments and dependency mapping acknowledges this challenge, but closing the gap will require sustained effort\u2014and likely new tooling\u2014on the part of asset owners.<\/p>\n

Cost, incentives, and reality<\/h2>\n

Even when organizations understand what needs to be done, the economics of resilience remain a major barrier.<\/p>\n

Building systems that can operate without external dependencies often requires redundant infrastructure, backup systems, and alternative communication channels, all of which come at a cost.<\/p>\n

\u201cTo do what they are proposing requires having a ton of resources on hot standby, which costs money,\u201d UMBC\u2019s Forno said. \u201cCompanies are, in many cases, not going to spend the money to ensure that they can unplug and seamlessly transition.\u201d<\/p>\n

That tension between security and cost is likely to shape how CI Fortify is adopted. Industry resistance to past regulatory efforts suggests that voluntary guidance alone may not drive widespread change.<\/p>\n

Remote access as a control point<\/h2>\n

Another key theme is the role of remote access as both a necessity and a risk.<\/p>\n

During a disruption, operators, engineers, and vendors still need to access critical systems. But traditional approaches \u2014 such as VPNs and broad network-level access \u2014 can undermine isolation efforts by expanding the attack surface.<\/p>\n

Xona Systems\u2019 Moore argues that remote access must be rethought as a tightly controlled, auditable function designed for crisis conditions.<\/p>\n

\u201cCritical infrastructure resilience requires remote access built for crisis conditions: no broad network exposure, no endpoint-to-OT trust assumption, precise session control, and clear evidence of who accessed what, when, and why,\u201d he said.<\/p>\n

What CISA is effectively asking operators to do now is confront these critical questions of resilience before a crisis forces the issue. Whether the initiative gains traction will depend less on the clarity of the guidance coming from the government than on whether operators can map their dependencies, justify the cost of resilience, and re-architect access without disrupting the systems they are trying to protect.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

The US Cybersecurity and Infrastructure Security Agency (CISA) has unveiled a new national initiative aimed at helping critical infrastructure operators withstand and recover from major cyberattacks by preparing to operate in isolation from the internet and third-party dependencies. The program, CI Fortify, is designed to ensure that organizations can continue delivering essential services even when their networks are degraded, disconnected, or under active cyberattack. \u201cResilience… <\/p>\n

Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-16175","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16175","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=16175"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/16175\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=16175"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=16175"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=16175"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}