The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) is launching new cybersecurity crisis planning guidance for critical infrastructure organizations. CISA’s new “CI Fortify” initiative notably pushes water utilities, the transportation sector and other critical infrastructure organizations to plan for a “geopolitical crisis” involving cyber-attacks that could sever their connections to the internet, telecommunications and other technology services.
CISA’s guidance features two primary emergency planning objectives: “isolation” and “recovery” to mitigate threats. The former involves “proactively disconnecting from third-party and business networks” to safeguard operational technology, such as industrial control systems, from cyber-attack during a crisis. CISA says organizations should be prepared to sustain “essential operations” rather than completely shutting down.[1]
“Recovery” involves documenting systems, backing up critical files, and practicing “the replacement of systems or the transition to manual” in case a cyber-attack shuts down critical systems, according to CISA. CISA says it plans to perform “targeted assessments” of how prepared certain critical infrastructure organizations are to meet CI Fortify’s objectives. CISA is prioritizing “defense critical infrastructure,” meaning systems that are crucial to military forces and operations, including dams, radars, weapon systems, satellite communications and other facilities.
Acting CISA Director Nick Andersen said the cyber agency has already started evaluating some organizations, which he declined to identify. “We’ve already started to kick off the first couple of assessments under a pilot phase of this initiative that is already up and moving,” Andersen said during a call with reporters today.
The CI Fortify guidance also calls on industrial automation control system vendors, managed service providers, and security vendors to support critical infrastructure in planning for emergency scenarios. “Success for us in the near term is going to come from those targeted assessments we’re doing with critical infrastructure to help them be able to operate within isolation,” Andersen said. “Then the long-term side is making this sort of emergency planning easier to do. Be that OT equipment manufacturers making isolation information available in a factory acceptance test, or system integrators designing safer connectivity patterns for remote management.”
The guidance comes after CISA was prevented from doing many planning and engagement activities during the 75-day Department of Homeland Security shutdown. Most CISA staff were furloughed during the lapse in funding, which ended after Congress passed fiscal 2027 appropriations for most of DHS last week. But even prior to the shutdown, CISA was weathering the departure of roughly 1,000 employees (one-third of its staff) amid recent budget cuts. Those cuts and the elimination of certain authorities have left the agency’s cyber partnerships at a “standstill.” But Andersen pointed to recently approved plans for CISA to make 329 “mission-critical” hires as evidence of new Homeland Security Secretary Markwayne Mullin’s support for CISA. Andersen said that represented “an initial tranche of additional hiring.”
Andersen also said CISA’s 10 regional offices, which will have a key role in overseeing the CI Fortify guidance, are “high on that priority list” for the agency’s current hiring plan. “All of our regional operators, from the [protective security advisors] that are focused more on physical and traditional security, and our [cybersecurity advisors] focused more on cybersecurity, each one of them will have a role to play here in helping to assess the potential impact in assessing the security of these critical infrastructure owner operators as part of CI Fortify, as well as our Washington, DC metro area based staff,” Andersen said. He said CISA is also encouraging critical infrastructure owners and operators to work with local, community-based emergency planners and military facilities, along with “lifeline sectors and those dependencies they have, such as the chemical or fuel sector.”
The goal is to “understand how long they can operate without services from those that represent critical dependencies,” Andersen said. “From those conversations, we’re hoping are going to get to a better understanding of acceptable downtime and the minimum needs of those most important customers within those service delivery areas.”
The focus on defense-connected critical infrastructure comes as military planners and intelligence analysts expect any modern geopolitical crisis to feature cyber-attacks targeting systems critical to the economy and national security.
In a heavily redacted January 2025 audit of “cyber vulnerabilities impacting defense critical infrastructure,” the Defense Department inspector general found the Navy had made “minimal process” in mitigating cybersecurity vulnerabilities in some critical infrastructure systems. “These vulnerabilities, if left unmitigated, provide adversaries or malicious actors with opportunities to adversely affect critical missions or functions and the DON’s ability to deploy, support, and sustain military forces worldwide,” the IG report states. Meanwhile, CISA has also increasingly focused on OT systems relied upon by critical infrastructure. In April, CISA released guidance on “accelerating zero trust adoption” in OT systems.
Duncan Greatwood, chief executive of Xage Security, said CISA has placed an increasing emphasis on “resilience” in recent cybersecurity guidelines, rather than a narrow focus on just preventing cyber-attacks. “Resilience comes from continuously enforcing who and what can access critical systems, containing nefarious actors and preventing threats from spreading so operations can continue safely,” Greatwood said. “The organizations that will be most successful are those that layer control and containment into their environment, allowing them to limit the impact of an attack and keep services running, rather than relying on patching and human-driven recovery after disruption has already occurred.”
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/