May 17, 2026

CISA to Infrastructure: Plan for Going Offline

CISA's CI Fortify initiative tells critical infrastructure operators to prepare for weeks of isolated operations during cyber conflict. Here's what it means.

"Assume Your OT Network Is Compromised"

On May 5, 2026, CISA released CI Fortify -- a new initiative telling critical infrastructure operators to prepare for a scenario most have never tested: running essential services for weeks to months with no internet, no third-party connections, and adversaries already inside their OT networks (CISA).

That's not a tabletop exercise premise. It's now the government's baseline planning assumption.

What CI Fortify Actually Says

The initiative has two objectives: isolation and recovery.

  • Isolation means proactively disconnecting OT systems from business networks, vendors, and the internet -- before an attack forces it. Operators should be able to sustain essential service delivery in a "degraded communications environment" where telecom and internet are unreliable (CyberScoop).
  • Recovery means having documented OT systems, backed-up configurations, and the ability to rebuild or switch to manual operations if adversaries destroy compromised components (Cybersecurity Dive).

CISA is prioritizing defense critical infrastructure -- systems that support military operations, including dams, satellite communications, power grids, and water treatment. But the guidance applies to all 16 critical infrastructure sectors.

Why Now

Two factors drove this.

First, the Iran conflict. Since March 2026, Iranian-affiliated hackers have exploited Rockwell Automation PLCs across water, energy, and government facilities. CISA issued a joint advisory with the FBI, NSA, and Cyber Command in April after attacks caused real operational disruption (CISA Advisory AA26-097A). CI Fortify is the next step: stop assuming you can defend the perimeter. Start planning for when it fails.

Second, the broader pattern. Cyber attacks on operational technology create physical consequences. A compromised PLC at a water plant doesn't crash a server -- it changes water chemistry. A manipulated SCADA display at an energy facility hides the problem from operators. The boundary between "cyber event" and "operational outage" is gone.

What Operations Teams Should Do

Identify your minimum viable service. Which customers and functions must keep running if you disconnect from everything external? CISA recommends starting with military infrastructure and lifeline services, then working outward.

Map your third-party dependencies. Most OT environments depend on vendor connections for monitoring, patching, and remote support. If those connections go dark, can your team operate the systems manually? If the answer is no, that's your first gap.

Update your continuity plans for isolation, not just outage. Standard business continuity plans assume a temporary disruption. CI Fortify asks you to plan for sustained operations without external connectivity. That's a different problem. Orion monitors the geopolitical and physical risk conditions that precede these scenarios -- giving infrastructure teams advance warning to begin isolation procedures before the situation forces it.

Talk to your vendors. CISA explicitly called on equipment manufacturers to "remove barriers to isolation and recovery." Ask your OT vendors what their products need to function without a network connection and how quickly you could switch to that mode.

Wrapping Up

CI Fortify signals a shift. The government is no longer just telling operators to patch and defend. It's telling them to plan for failure -- and keep running anyway. If you operate critical infrastructure, this guidance is worth reading in full.
