CISA CI Fortify: Critical Infrastructure Must Survive Weeks of Isolation

CISA (the Cybersecurity and Infrastructure Security Agency — the U.S. federal agency responsible for protecting civilian infrastructure from cyber threats) has launched a new initiative called CI Fortify, requiring critical infrastructure operators across energy, water, transportation, and healthcare sectors to develop plans for sustaining operations in complete isolation from external networks and third-party vendors for periods ranging from weeks to months. The guidance responds directly to the confirmed pre-positioning of Chinese state-sponsored hackers inside U.S. infrastructure — and sets up targeted resilience assessments that will begin rolling out through regional CISA offices.

CI Fortify: Technical Details and Scope

CI Fortify represents a fundamental shift in how CISA approaches critical infrastructure protection. Rather than focusing solely on preventing intrusions, the program acknowledges that sophisticated attackers — including those operating under Volt Typhoon (a Chinese state-sponsored hacking group confirmed by the FBI and CISA to have pre-positioned capabilities inside U.S. critical infrastructure) — may already have persistent access to OT (Operational Technology — the industrial control systems that physically operate power grids, water treatment plants, pipelines, and transportation networks) environments.

The program's central planning requirement, as reported by Cybersecurity Dive, is that operators must be able to "continue operating in that isolated state for weeks to months" under the assumption that during a geopolitical conflict:

  • Telecommunications and internet connectivity will be unreliable or severed
  • Third-party vendors and managed service providers will be inaccessible
  • Upstream dependencies (fuel suppliers, cloud services, payment processors) will be unavailable
  • Threat actors will have some degree of access to the OT network

In other words: prepare to run your power plant, water treatment facility, or transportation system as if it were 1995 — disconnected from everything, relying only on local systems and local staff.

What Operators Must Demonstrate

CI Fortify's targeted assessments, conducted by regional CISA offices, will examine each operator's ability to:

  • Identify critical customers (such as nearby military installations, hospitals, or emergency services) and establish service delivery expectations for those customers during degraded operations
  • Maintain the OT assets (PLCs, RTUs, SCADA systems, HMIs — the control system hardware and software that directly operates physical equipment) needed to serve those critical customers during isolation
  • Update business continuity plans and engineering processes to enable safe isolated operation
  • Conduct manual transitions — practicing taking automated, network-connected systems offline and operating them manually or semi-manually

The Dependency Visibility Problem

CSO Online reports that one of CI Fortify's biggest practical challenges is that many critical infrastructure operators do not have a clear, current map of their own third-party dependencies. Before operators can plan to operate without those dependencies, they must first understand what they are — which vendors access their OT networks, what cloud services are embedded in control systems, and which upstream data feeds their SCADA (Supervisory Control and Data Acquisition — the software layer that monitors and controls industrial processes) systems depend on.

Volt Typhoon's documented tradecraft exploits exactly this gap. The joint advisory describes initial access through internet-facing network edge devices and valid accounts, followed by slow, living-off-the-land lateral movement toward OT, over connections that operators frequently did not know were exposed until incident responders mapped them.

Exploitation Status and Threat Landscape

CI Fortify is a direct response to Volt Typhoon, which the FBI and CISA have confirmed pre-positioned offensive cyber capabilities inside U.S. critical infrastructure networks — not for immediate disruption, but to be ready to cause chaos in the event of a military conflict over Taiwan or another flashpoint. The threat model is not ransomware or financial theft: it is strategic sabotage timed to coincide with geopolitical escalation.

Cybersecurity Dive notes that CI Fortify complements the broader concern about Salt Typhoon (a separate Chinese state-sponsored group responsible for the 2024–2025 compromise of major U.S. telecommunications providers, giving China persistent access to call records and network infrastructure for senior government and military officials).

The two campaigns together represent China's strategy of pre-positioning access across both the communications infrastructure (Salt Typhoon) and the physical operational infrastructure (Volt Typhoon) that a modern society depends on — creating leverage for coercive diplomacy or, in a worst case, coordinated attacks that could disrupt power, water, transportation, and communications simultaneously.

Who Is Affected

CI Fortify applies to operators across the 16 U.S. critical infrastructure sectors originally designated under Presidential Policy Directive 21 (a sector framework carried forward by National Security Memorandum 22 in 2024), with particular focus on:

  • Energy sector: Electric utilities, natural gas pipeline operators, and petroleum refiners — which have some flexibility in prioritizing which customers to serve during degraded capacity
  • Water and wastewater sector: Water treatment and distribution utilities — which face unique challenges because they lack the operational flexibility to prioritize service and must maintain treatment continuously
  • Transportation: Aviation, rail, highway, maritime operators
  • Healthcare and public health: Hospitals and emergency medical services

International operators in allied nations should treat CI Fortify guidance as applicable to their own planning: the threat actors driving this initiative operate globally, not only against U.S. targets.

What You Should Do Right Now

  • Commission a third-party dependency audit of your OT environment. Map every vendor, MSP, cloud service, and data feed that connects to or influences your control systems. This is the prerequisite step that all other CI Fortify requirements depend on.
  • Update business continuity plans to include explicit scenarios for operating without internet, without vendor support, and without upstream data feeds for 30, 60, and 90 days.
  • Practice manual transitions for your most critical control loops. Document the procedure for taking automated processes offline and operating them manually. Schedule tabletop exercises and live drills.
  • Segment OT from IT networks using unidirectional gateways or air gaps where operationally feasible. OT systems that do not need to communicate with corporate IT or the internet should not be able to do so.
  • Review remote access to OT systems. Every VPN, RDP, or vendor remote-access tool that reaches OT is an entry point of exactly the kind Volt Typhoon's tradecraft targets. Remove access that is not actively needed; for what remains, require phishing-resistant multi-factor authentication and time-bounded, logged sessions.
  • Contact your regional CISA office to understand CI Fortify assessment timelines and begin the self-assessment process before assessors arrive.
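The dependency audit in the first item above is largely a network-mapping exercise: every permitted session that crosses the OT boundary is something the plant will have to do without during isolation. The script below is an added example, not part of CISA's guidance or the original article. It assumes a CSV export of permitted firewall or NetFlow sessions with the columns src_ip, dst_ip, dst_port and proto; its address plan, zone names, and sample records are constructed for the example.

```python
"""
Map a control network's external and third-party dependencies from firewall or
NetFlow session records, so each connection can be classified before planning
to operate without it.

Added, illustrative script, not CISA or CI Fortify material. It assumes a CSV
export of *permitted* sessions with columns src_ip, dst_ip, dst_port, proto;
the address plan, zone names and sample records are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed internal address plan (constructed for this example).
OT_ZONES = {
    "ot-control": ipaddress.ip_network("10.20.0.0/16"),  # PLCs, HMIs, SCADA servers
    "ot-dmz": ipaddress.ip_network("10.21.0.0/24"),      # jump hosts, historians
}
IT_ZONES = {
    "corp-it": ipaddress.ip_network("10.10.0.0/16"),
}

# Destination ports that indicate interactive remote access rather than data flow.
REMOTE_ACCESS_PORTS = {22: "SSH", 3389: "RDP", 5900: "VNC", 1194: "OpenVPN"}


def zone_of(ip_str: str) -> str:
    """Return the zone name for an address, or 'external' if it is outside the plan."""
    ip = ipaddress.ip_address(ip_str)
    for zones in (OT_ZONES, IT_ZONES):
        for name, net in zones.items():
            if ip in net:
                return name
    return "external"


def map_dependencies(flow_csv: str) -> dict:
    """Classify each session by the dependency it represents for isolated operation.

    inbound_remote_access: external source reaching an OT asset (vendor/MSP access)
    outbound_external:     OT asset reaching an external address (cloud, DNS, telemetry)
    it_to_ot / ot_to_it:   cross-boundary flows that fail if IT is cut off or compromised
    OT-to-OT sessions stay local during isolation and are not reported.
    """
    inbound, outbound, it_to_ot, ot_to_it = [], defaultdict(set), [], []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src_zone, dst_zone = zone_of(row["src_ip"]), zone_of(row["dst_ip"])
        port = int(row["dst_port"])
        flow = {"src_ip": row["src_ip"], "dst_ip": row["dst_ip"],
                "service": REMOTE_ACCESS_PORTS.get(port, f"{row['proto']}/{port}")}
        if src_zone == "external" and dst_zone in OT_ZONES:
            inbound.append(flow)  # highest priority: an outside party into control systems
        elif src_zone in OT_ZONES and dst_zone == "external":
            outbound[row["dst_ip"]].add(row["src_ip"])
        elif src_zone in IT_ZONES and dst_zone in OT_ZONES:
            it_to_ot.append(flow)
        elif src_zone in OT_ZONES and dst_zone in IT_ZONES:
            ot_to_it.append(flow)
    return {
        "inbound_remote_access": inbound,
        "outbound_external": {dst: sorted(srcs) for dst, srcs in sorted(outbound.items())},
        "it_to_ot": it_to_ot,
        "ot_to_it": ot_to_it,
    }


# Constructed sample sessions (not from any real network).
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port,proto
203.0.113.45,10.21.0.5,3389,tcp
203.0.113.45,10.20.4.12,502,tcp
10.20.4.12,198.51.100.20,443,tcp
10.20.1.7,10.20.1.8,502,tcp
10.10.5.3,10.21.0.5,443,tcp
10.20.9.2,8.8.8.8,53,udp
10.20.1.7,10.10.0.25,1433,tcp
"""

if __name__ == "__main__":
    report = map_dependencies(SAMPLE_FLOWS)
    for category, items in report.items():
        print(f"{category}:")
        if isinstance(items, dict):
            for dst, srcs in items.items():
                print(f"  {dst} <- {', '.join(srcs)}")
        else:
            for f in items:
                print(f"  {f['src_ip']} -> {f['dst_ip']} ({f['service']})")
```

Run it against a real export by replacing SAMPLE_FLOWS with the firewall or flow data and adjusting the zone prefixes to your address plan. The inbound_remote_access bucket is the review list for the remote-access item above (note that the sample includes Modbus on tcp/502 arriving directly from an external address, which should never appear); the outbound_external map is the list of cloud and DNS dependencies whose loss an isolation drill has to rehearse.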

Background: Understanding the Risk

Volt Typhoon's strategy is not opportunistic hacking: it is deliberate, patient pre-positioning with a specific geopolitical objective. In February 2024, CISA, the NSA, and the FBI published a joint advisory (AA24-038A) describing how Volt Typhoon had maintained access in some victim networks for at least five years, using legitimate system tools (living off the land) and slow, careful lateral movement to avoid detection.

The problem CI Fortify addresses is not novel. Industrial control system security experts have long argued that critical infrastructure operators design for efficiency and uptime, not for adversarial conditions. SCADA systems that once operated in isolation were gradually connected to corporate IT networks for remote monitoring, then to the internet for vendor support, then to cloud services for data analytics — each step making operations more efficient and more exposed.

CI Fortify is, in part, an acknowledgment that the IT/OT convergence of the past 20 years has created vulnerabilities that cannot be fully remediated — and that resilience planning for worst-case scenarios is now essential infrastructure security practice, not a contingency option.

The water sector's particular challenge is instructive: unlike electricity, which can be load-shed by geography, water treatment cannot be easily prioritized or rationed. A water treatment plant that loses its SCADA connectivity must maintain chemical dosing and pressure manually — a process that many modern water utilities have never practiced, having operated continuously on automated systems for a decade or more.

Conclusion

CISA's CI Fortify initiative signals a maturation in U.S. critical infrastructure security posture: from "prevent intrusions" to "assume intrusion, survive anyway." For operators in energy, water, transportation, and healthcare, the immediate priority is mapping third-party OT dependencies — you cannot plan to operate without something you haven't yet identified. CISA regional office assessments are coming; operators who begin the self-assessment now will be in a stronger position than those waiting for the knock on the door.
