May 6, 2026

CISA's CI Fortify Means Running Offline for Months

CISA's new CI Fortify initiative tells water, energy, and transport operators to plan for weeks to months of isolated operations. Here's what it requires.

Weeks to Months. No Internet. Keep Running.

CISA launched CI Fortify this week -- a new initiative telling critical infrastructure operators to prepare for operating without internet, telecommunications, or third-party services for "weeks to months" during a geopolitical conflict (CISA). The guidance targets water utilities, energy operators, transportation systems, and any organization supporting national security or economic continuity.

This isn't a tabletop exercise. CISA plans to conduct targeted assessments of how ready specific organizations are to meet these objectives (CyberScoop).

What CI Fortify Requires

The initiative has two planning tracks (Federal News Network):

  • Isolation: Proactively disconnecting operational technology from third-party and business networks. Operators should assume that telecommunications, internet, vendors, service providers, and upstream dependencies will be unreliable -- and that threat actors already have some access to the OT network.
  • Recovery: Documenting systems, backing up critical files, and practicing the replacement of components or a transition to manual operations if isolation fails and systems are destroyed.

The planning assumption is blunt: during a conflict, your internet goes down, your telecom fails, your vendors disappear, and you still need to deliver water, power, or transit service.

Why Now

The backdrop is not hypothetical. For years, U.S. officials have assessed that China-linked groups -- including the Volt Typhoon campaign -- are pre-positioning inside American critical infrastructure to enable sabotage during a conflict over Taiwan. The ongoing U.S.-Iran military confrontation has added a second active cyber threat vector, with Iranian-affiliated hackers already disrupting PLCs at U.S. water and energy facilities (CISA Advisory AA26-097A).

CI Fortify is CISA calling time on the assumption that connectivity will always be available. Initial assessments will prioritize defense-critical infrastructure -- dams, radar systems, weapons platforms, satellite communications -- before expanding to civilian water and energy operators (Nextgov).

What Operations Teams Should Do

Inventory your cloud dependencies. List every system that stops working if your internet connection dies. SCADA dashboards hosted off-site, cloud-based access control, remote monitoring tools, third-party analytics -- all become unavailable in an isolation scenario. Know your exposure before CISA assesses it.
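One way to start that inventory from data most sites already have, shown as an added example that is not from the article or from CISA: group firewall flow records by OT asset and list every destination outside the on-site range. The column names, host names, addresses, and the 10.20.0.0/16 on-site range are constructed assumptions.

```python
import csv, io, ipaddress
from collections import defaultdict

# Constructed sample of flow records exported from an OT-segment firewall.
# Column names, hosts, and addresses are assumptions for illustration.
SAMPLE_FLOWS = """src_host,dst_ip,dst_port,dst_name
hmi-01,10.20.1.5,502,plc-dosing
hmi-01,203.0.113.40,443,scada-dash.example.com
historian,198.51.100.7,443,analytics.example.net
historian,10.50.0.3,445,corp-fileshare
historian,10.20.1.9,1433,local-sql
badge-ctl,203.0.113.88,8883,access.example.org
eng-ws,10.20.3.2,102,plc-intake
eng-ws,192.0.2.15,443,license.example.com
"""

# Assumption: only this range is on-site OT. Business networks count as
# off-site even when they use private addressing.
ON_SITE = ["10.20.0.0/16"]


def external_dependencies(flow_csv, on_site):
    """Return {asset: [off-site endpoints]} for every asset that has any."""
    nets = [ipaddress.ip_network(n) for n in on_site]
    deps = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        raw = (row.get("dst_ip") or "").strip()
        try:
            dst = ipaddress.ip_address(raw)
        except ValueError:
            # Keep unparseable rows visible so they get reviewed by hand.
            deps[row["src_host"]].add(f"UNPARSED:{raw}")
            continue
        if not any(dst in net for net in nets):
            name = row.get("dst_name") or str(dst)
            deps[row["src_host"]].add(f"{name}:{row['dst_port']}")
    return {host: sorted(eps) for host, eps in deps.items()}


if __name__ == "__main__":
    for host, eps in sorted(external_dependencies(SAMPLE_FLOWS, ON_SITE).items()):
        print(f"{host}: loses {', '.join(eps)} when isolated")
```

The on-site list is deliberately explicit rather than "any private address", because a link to the business network is one of the connections the isolation track expects to be cut.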

Build manual fallback procedures. If your water treatment plant's dosing controls are automated via a cloud platform, do your operators know how to run them manually? CI Fortify expects you to answer yes. Recovery planning means documenting how to keep essential functions running on local controls alone.

Coordinate isolation decisions with physical risk context. Knowing when to isolate is as important as knowing how. Disconnecting OT during a false alarm is expensive. Failing to disconnect during a real campaign is catastrophic. Orion monitors the geopolitical and physical risk conditions that precede these scenarios -- giving infrastructure operators context on when threat conditions are escalating before isolation becomes necessary.

Engage your vendors now. CISA is calling on ICS vendors, managed service providers, and security integrators to identify blockers to isolation -- including contractual and licensing issues. If your OT vendor's software requires a constant server connection to function, that's a CI Fortify gap. Start that conversation before an assessment finds it.

Wrapping Up

CI Fortify is the clearest signal yet that the U.S. government expects critical infrastructure to face sustained cyber operations during a geopolitical conflict. The question for operators isn't whether it will happen, but whether they can keep running when it does. Request a demo to see how Orion tracks the conditions that drive these scenarios.
