CISA Launches 'CI Fortify' to Bolster Critical Infrastructure Resilience

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new strategic initiative named 'CI Fortify'. This program provides actionable guidance to help U.S. critical infrastructure (CI) entities across all 16 sectors improve their resilience and ability to maintain essential services during a significant cyberattack or crisis. The core focus of 'CI Fortify' is on proactive preparation, specifically by developing robust capabilities for isolation and recovery. CISA is strongly encouraging all CI owners and operators to review and implement the guidance to fortify their defenses against sophisticated threat actors seeking to degrade or disrupt the nation's most vital services.

Regulatory Details

'CI Fortify' is not a regulation but rather a set of strong recommendations and a guiding framework. It represents CISA's strategic direction for critical infrastructure defense, emphasizing resilience and continuity of operations over prevention alone. The guidance is designed to be applicable across all 16 critical infrastructure sectors.

The two key pillars of the initiative are:

Isolation: This involves having the pre-planned ability to operate key functions without relying on external or untrusted networks. This includes:
- Proactively disconnecting from third-party dependencies.
- Maintaining the ability to function without reliable internet or external telecommunications.
- Ensuring systems can operate in a segmented or air-gapped state if necessary.
Recovery: This focuses on the ability to rapidly and safely restore compromised systems and services, even while in an isolated state. This includes:
- Developing and regularly testing detailed recovery plans.
- Practicing local and manual operational modes for Industrial Control Systems (ICS).
- Ensuring that recovery assets, such as backups and re-imaging servers, are themselves protected and accessible in an isolated environment.

Affected Organizations

The guidance is aimed at all owners and operators of critical infrastructure in the United States, spanning all 16 official sectors, including:

Energy
Financial Services
Healthcare and Public Health
Water and Wastewater Systems
Communications
Defense Industrial Base

Impact Assessment

The 'CI Fortify' initiative signals a shift in national cybersecurity strategy towards assuming that a breach will occur and focusing on operational resilience. For CI entities, implementing this guidance will require significant investment and planning.

Resource Requirements: Organizations will need to allocate resources to develop and test isolation and recovery playbooks. This may involve architectural changes, such as implementing stronger network segmentation, and investments in out-of-band management capabilities.
Operational Changes: Staff will need to be trained on how to perform their duties using manual or local control systems in the event of a cyberattack that forces isolation.
Increased Resilience: While costly, successful implementation will mean that an organization can continue to provide its essential service (e.g., providing power, clean water, or financial transactions) to the public, even in the face of a severe cyberattack from a nation-state adversary.

Compliance Guidance

While 'CI Fortify' is not a mandate, it aligns closely with and reinforces existing regulatory frameworks like NERC CIP for the electricity sector. Organizations that adopt the 'CI Fortify' principles will find themselves in a stronger position to meet their regulatory compliance obligations. The key is to move beyond paper-based compliance and build true, testable operational resilience.

Tactical Implementation Steps:

Identify Core Services: Determine the absolute minimum set of services and functions that must be maintained during a crisis.
Map Dependencies: Map all internal and external dependencies (network, software, personnel) required for those core services.
Develop Isolation Playbooks: Create step-by-step procedures for disconnecting from the internet and third-party networks while keeping core services running.
Test, Test, Test: Regularly conduct tabletop exercises and full-scale operational tests of both isolation and recovery plans. These tests should simulate a worst-case scenario where external connectivity is lost.

The 'Isolation' component of CISA's CI Fortify initiative is a direct call for critical infrastructure operators to develop and practice Network Isolation. This goes beyond standard network segmentation. Organizations must create and test playbooks for physically or logically disconnecting their operational technology (OT) networks from their corporate IT networks and the internet during a crisis. This could involve configuring firewalls to drop all external traffic with a single command, or training operators to physically unplug network connections at demarcation points. The goal is to create a 'digital island' where essential services can continue to operate using local controls, safe from an attacker who has compromised the IT network. This capability must be tested regularly to ensure it works and that staff are prepared to operate in an isolated state.

CISA Unveils 'CI Fortify' Initiative to Bolster Critical Infrastructure Defenses