CISA’s “CI Fortify” Initiative Signals New Expectations for Critical Infrastructure Resilience: What Operators and Vendors Need to Know
What You Need to Know
Key takeaway #1
CISA is telling critical infrastructure operators to plan for cyber conflict, not just cyber incidents.
Key takeaway #2
CISA guidance highlights the need to plan for a “communications-degraded” crisis, assuming that telecommunications, internet, vendors, and other upstream dependencies may be unreliable and that threat actors may already have a foothold in operational technology (OT) networks.
Key takeaway #3
CI Fortify is not binding regulation today, but it establishes a federal baseline that will be difficult to ignore post-incident, and it raises expectations for boards, executives, and legal teams in future regulatory examinations, insurance disputes, or litigation.
Client Alert | 3 min read | 05.14.26
Background
On May 5, 2026, CISA announced CI Fortify — an initiative directing critical infrastructure owners and operators to prepare for geopolitical conflict in which OT networks are actively targeted while communications infrastructure is simultaneously degraded.
Based on the growing evidence that adversaries have already established persistent footholds within critical infrastructure networks, CISA is focused on helping organizations sustain essential operations during a geopolitical cyber crisis. CI Fortify signals an emerging expectation that critical infrastructure operators be capable of maintaining essential services while operating in a degraded, disconnected, or partially compromised environment.
This threat picture is consistent with publicly reported pre-positioning campaigns attributed to China state-sponsored actors and Iranian-affiliated groups across energy, water, transportation, and communications sectors. On April 7, 2026, six federal agencies confirmed active Iranian exploitation of internet-facing OT devices used in the water and waste, energy, and government services and facilities sectors, resulting in instances of operational disruptions and financial losses. More recently, Itron — one of the largest utility technology providers serving water, gas, and electric operators across more than 100 countries — disclosed a cybersecurity incident where threat actors obtained access to internal systems.
What Operators Need to Know
CISA’s baseline planning assumption is explicit: Operators should assume that third-party connections will be unreliable and that threat actors will have some degree of access to the OT network. Against that backdrop, CISA identifies two emergency planning objectives for operators:
Isolation: Isolation is the ability of the critical infrastructure operator to proactively disconnect from third-party and business networks to prevent OT cyber impacts while sustaining essential operations. Operators are expected to have built and tested isolation capabilities in advance, following four steps:
- Identify critical customers and set a service delivery target. Operators should identify whose services cannot be interrupted (such as military infrastructure and lifeline services) and define a minimum acceptable level of service delivery during an emergency.
- Determine which OT assets are vital to meet that target in isolation. Operators should maintain a comprehensive, current OT asset inventory that classifies each asset by criticality and function, mapping each asset's physical and network dependencies so that isolation can be achieved without disrupting service delivery.
- Update business continuity plans and engineering processes. The goal is to allow safe operations for weeks to months while isolated, when vendor support, remote monitoring, cloud-hosted tools, and business network services may all be unavailable.
- Track CISA and Sector Risk Management Agency (SRMA) communications. Operators should identify their sector's designated SRMA — the primary federal coordination point during a crisis (e.g., the Department of Energy for energy and the EPA for water and wastewater) — and establish backup communication channels.
Recovery: Recovery addresses the scenario where an adversary successfully compromises OT components. CISA’s recovery framework includes three elements:
- Document systems and back up critical files. Operators should maintain thorough, current documentation of OT systems and keep backups of critical configurations to avoid recreating networks from scratch after a disruption.
- Practice replacement and manual transition procedures. CISA recommends that operators practice replacing compromised systems and transitioning to manual operations — through tabletop exercises and drills, not merely written plans.
- Address communications dependencies that affect recovery itself. Operators should identify recovery procedures that depend on licensing servers or business network connections. They should also address dependencies that may be unavailable during a crisis that triggers the need for recovery.
How Crowell Can Help
CI Fortify is a reminder for critical infrastructure organizations that operators and vendors who invest in credible isolation and recovery capabilities now, including reviewing the technical and commercial arrangements that could block those capabilities, will be best positioned for the next phase of OT risk. To do so, operators can consider the following:
- Stress test third-party and cloud dependencies to determine whether critical operations can continue when outside providers fail or become unavailable.
- Work with experienced cybersecurity counsel — preferably with significant relevant government experience — to run realistic tabletop exercises that incorporate operational, business, IT, and security functions to test whether your organization can actually operate during a cyber crisis.
- Update incident response and continuity plans to account for OT compromise, vendor outages, and disconnected telecommunications.
- Integrate technical, regulatory, and enforcement preparedness through counsel with deep contacts at the Federal Bureau of Investigation, Department of Justice, and other agencies who can lead incident response, coordinate with law enforcement, navigate regulatory exposure, and help protect your organization before and after a major cyber incident.
Please contact any of the authors of this alert if you are interested in understanding the risks facing industry, potential assessments of exposure, or assistance on tabletops or incident response.