CISA Urges Critical Infrastructure Sectors to Plan for Months-Long Isolation During Cyber Threats

The Cybersecurity and Infrastructure Security Agency (CISA) is urging owners and operators of critical infrastructure to prepare for delivering essential services under emergency conditions—potentially for weeks to months—while isolated from IT networks and third-party tools.

The federal government’s top cybersecurity agency has warned that state-sponsored hackers, particularly two Chinese groups known as Salt Typhoon and Volt Typhoon, continue to pose significant threats to critical sectors, including electricity, water, and internet services.

CISA is now collaborating with the private sector to protect operational technology (OT)—the systems controlling heavy machinery and equipment that power most critical infrastructure—from attacks that may originate through business IT systems or third-party vendor products.

CISA’s CI Fortify Initiative: Strengthening Operational Technology Resilience

The initiative, known as CI Fortify, will involve CISA conducting targeted technical assessments of critical infrastructure entities. The goal is to create plans that allow for safe operations while disconnected from IT networks, third-party tools, and telecommunications equipment, according to the agency’s website.

Nick Andersen, CISA’s acting director, emphasized the importance of service continuity, stating:

“Service delivery [that] can still reach critical infrastructure after the asset owner has disconnected with IT and OT, disconnected from third party vendors and service provider connections and disconnected from third party telecommunications equipment.”

Over the past two years, conflicts in Ukraine, Gaza, Iran, and other regions have seen critical infrastructure—including water plants, power substations, and data centers—targeted by both kinetic and cyberattacks.

Andersen noted that CISA has already begun engaging with some companies to pilot the assessments and expects this work to expand significantly as the agency hires additional staff in the coming months. While he declined to name the entities involved in the pilot program, he confirmed that they will focus on organizations supporting national security, defense, public health and safety, and economic continuity.

Andersen also highlighted that CISA’s assessments will be tailored to each sector’s unique needs. He explained:

“Water isn’t necessarily designed to prioritize specific customer needs outside of recovery periods, while energy and transportation have more immediate tradeoffs for selecting one load or one set of cargo over another.”

Two Pillars of CISA’s Strategy: Isolation and Recovery

CISA’s strategy rests on two key pillars:

• Isolation: Disconnecting all third-party and business network connections to an OT network during emergencies or when vulnerabilities are detected. Organizations must also develop internal plans for acceptable service levels under these conditions and coordinate with critical customers, such as U.S. military installations and lifeline services.
• Recovery: Implementing best practices, including backing up files, documenting systems, and establishing manual backups for operations when normal computer systems are unavailable.

Cybersecurity specialists focused on critical infrastructure and OT widely assume that China is not the only nation to have broadly compromised American critical infrastructure. Hacking groups tied to other nations have likely exploited the same vulnerabilities and hygiene issues identified by the Typhoon groups.

Agencies such as the FBI and Federal Communications Commission (FCC) have promoted efforts to remove Chinese hackers and collaborate with telecoms to enhance network security.