The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has launched a new initiative called “CI Fortify” aimed at helping critical infrastructure operators prepare for disruptive cyberattacks linked to geopolitical conflicts. The initiative comes amid growing concerns over nation-state cyber threats targeting operational technology (OT) systems that support essential services across the United States.
The CI Fortify initiative focuses on improving critical infrastructure resilience through two key objectives: isolation and recovery. CISA said the effort is designed to help operators maintain essential operations even if adversaries compromise telecommunications networks, internet services, or industrial control systems.
According to the agency, nation-state actors are no longer limiting their activities to espionage. Instead, threat groups have increasingly been pre-positioning themselves inside critical infrastructure environments to potentially disrupt or destroy systems during future geopolitical conflicts.
CI Fortify Initiative Focuses on Isolation and Recovery
Under the CI Fortify initiative, CISA is urging critical infrastructure organizations to assume that third-party communications and service providers may become unreliable during a crisis. Operators are also being asked to plan under the assumption that threat actors may already have some level of access to OT networks.
Nick Andersen, Acting Director at CISA, emphasized the need for organizations to prepare for worst-case operational scenarios.
“In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering, at a minimum, crucial services,” Andersen said. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”
The isolation strategy outlined under CI Fortify involves proactively disconnecting operational technology systems from external business networks and third-party connections. CISA said this approach is intended to prevent cyber impacts from spreading into OT environments while allowing organizations to continue delivering essential services in a degraded communications environment.
The agency advised operators to identify critical customers, including military infrastructure and other lifeline services, and determine the minimum operational capabilities needed to support them during emergencies.
CISA also recommended updating engineering processes and business continuity plans to support safe operations for extended periods while systems remain isolated.
Recovery Planning Central to Critical Infrastructure Resilience
Alongside isolation, the CI Fortify initiative places strong emphasis on recovery planning. CISA urged operators to maintain updated system documentation, create secure backups of critical files, and regularly practice system replacement or manual operational transitions.
The agency noted that organizations should also identify communications dependencies that could complicate recovery efforts, such as licensing servers, remote vendor access, or upstream network connections.
CISA encouraged operators to work closely with managed service providers, system integrators, and vendors to understand potential failure points and establish alternative recovery pathways.
The initiative also highlights broader benefits of emergency planning beyond cybersecurity incidents. According to CISA, the same planning processes can help organizations maintain operations during weather-related disruptions, equipment failures, and safety emergencies.
The agency said isolation planning can help cut off command-and-control access to compromised systems, while strong recovery preparation can reduce incident response costs and shorten recovery timelines.
Security Vendors and Service Providers Asked to Support CI Fortify
The CI Fortify initiative extends beyond infrastructure operators and calls on cybersecurity vendors, industrial automation suppliers, and managed service providers to support resilience planning efforts.
Industrial control system vendors are being encouraged to identify barriers that could interfere with isolation and recovery procedures, including licensing restrictions and server dependency issues.
Managed service providers and integrators are expected to assist organizations in engineering updates, local backup collection, and recovery documentation planning.
Meanwhile, security vendors are being asked to support threat monitoring and provide intelligence if nation-state actors shift from espionage-focused activity to destructive cyber operations.
CISA also requested vendors share information related to tactics that could undermine recovery or bypass isolation protections, including malicious firmware updates and vulnerabilities affecting software-based data diodes.
Volt Typhoon Cyberattacks Continue to Shape U.S. Cybersecurity Strategy
The launch of CI Fortify is closely tied to ongoing concerns surrounding the Volt Typhoon cyberattacks, which U.S. officials have linked to Chinese state-sponsored threat actors.
CISA’s initiative specifically references the Volt Typhoon campaign as an example of how adversaries have attempted to establish long-term access inside U.S. critical infrastructure systems to potentially support disruptive actions during military conflicts.
The Volt Typhoon operation first became public in 2023, when U.S. authorities revealed that Chinese hackers had infiltrated multiple sectors of American critical infrastructure.
Former CISA Director Jen Easterly stated in 2024 that the agency had identified and removed Volt Typhoon intrusions across several sectors. She later reiterated in 2025 that efforts continued to focus on identifying and evicting Chinese cyber actors from critical infrastructure environments.
Despite these operations, cybersecurity researchers and some government officials have warned that Chinese threat actors may still retain access to portions of critical infrastructure networks. Several experts have argued that nation-state groups remain deeply embedded in certain environments despite years of remediation efforts.
With the CI Fortify initiative, CISA appears to be shifting focus toward operational resilience, recognizing that prevention alone may not be sufficient against sophisticated nation-state cyber threats targeting U.S. critical infrastructure.
