CISA plans CI Fortify guidance for degraded operations
The shift is from keeping attackers out to keeping water, power and pipelines running after they are already inside.
TL;DR
CISA plans to release isolation and recovery guidance in the next couple of months under CI Fortify, Inside Cybersecurity reports, citing industrial control systems lead Matt Rogers. Critical infrastructure operators, contractors and state CISOs should expect the guidance to focus on sustaining essential services in degraded conditions, including when third-party connections and operational technology networks cannot be trusted. The uncomfortable assumption is now explicit: prevention failed, or at least was not enough.
CI Fortify is CISA’s survivability program. Inside Cybersecurity reports that industrial control systems lead Matt Rogers said CISA plans to release more isolation and recovery guidance, along with lessons learned from CI Fortify assessments, in the next couple of months. The point is not another reminder to patch, segment and monitor. It is planning for the day a Colonial Pipeline-type operator has to keep running while disconnected from vendors, telecommunications, internet services and other dependencies.
That framing is materially different from the old Shields Up mode. Rogers said those short-time-frame campaigns often told operators to perform standard cybersecurity practices they already knew they should be doing, while operators needed time to support the work. CI Fortify starts from a harsher engineering premise: a critical infrastructure entity may need to operate a pipeline, substation, energy grid or water system in a degraded condition because racing back to normal is not the first available option.
CISA’s own CI Fortify page says operators should assume, for planning purposes, that third-party connections will be unreliable and that threat actors will have some access to the operational technology network (https://www.cisa.gov/topics/industrial-control-systems/ci-fortify). That is the part practitioners should notice. The program is not only about incident response paperwork. It asks whether the organization can isolate vital systems, operate locally or manually, and recover compromised systems while still cut off.
The open question is how concrete the next guidance gets. If CISA publishes sector-neutral resilience principles, compliance teams will file them next to the other admirable nouns. If it publishes usable isolation patterns, recovery exercise expectations and lessons from real assessments, engineers and state CISOs get something closer to a Monday problem: prove which essential functions can survive when the network architecture stops being friendly.
Published · Deep Fathom