CISA Tells Utilities and Water Systems to Plan for Operating Alone
The agency's new 'CI Fortify' initiative tells critical infrastructure operators to assume adversaries are already inside their OT networks and that outside help may not come during a geopolitical conflict.
CISA released guidance on May 5 that does something previous federal cyber advisories have mostly avoided: it tells operators of water utilities, energy systems, transportation networks, and defense-connected facilities to plan not for preventing a successful attack, but for surviving one while cut off from the internet, their vendors, and potentially federal responders.
The initiative, called CI Fortify, frames its core planning assumption in direct terms. According to the CISA website reviewed for this piece, operators should assume that in a conflict scenario, third-party connections including telecommunications, vendors, service providers, and upstream dependencies will be unreliable, and that threat actors will already have some access to the operational technology network.
That language is worth sitting with. It's not a warning that a breach might happen. It's an instruction to build continuity plans that treat adversary pre-positioning as a given. The confidence level implied here, based on what CISA has said publicly, is at least moderate: the agency has told reporters it has observed this pre-positioning activity across multiple sectors.
The guidance organizes around two objectives CISA calls isolation and recovery. Isolation, as described in a Federal News Network report on the initiative, means proactively disconnecting from third-party and business networks to protect operational technology from a cyber attack during a crisis. Recovery, per the same report, involves documenting systems, backing up critical files, and practicing the replacement of systems or the transition to manual operations.
CISA Acting Director Nick Andersen said the agency has already begun pilot assessments. According to Federal News Network, Andersen told reporters the agency has already started to kick off the first couple of assessments under a pilot phase of this initiative. He declined to identify which organizations are being evaluated.
The initiative names a priority tier: defense critical infrastructure, which CISA defines as systems crucial to military forces and operations, including dams, radars, weapon systems, and satellite communications. Water utilities and transportation appear in the next tier. Healthcare is implicated throughout, though an analysis published by the law firm Crowell and Moring noted that CI Fortify is not binding regulation today, while observing that it establishes a federal baseline that will be difficult to ignore post-incident.
The operational context for this guidance isn't abstract. In April, several agencies including CISA revealed that an Iranian-affiliated APT group has been exploiting programmable logic controllers deployed across U.S. critical infrastructure sectors including government services, water and wastewater systems, and energy facilities, as reported by Executive Gov and corroborated by the Industrial Cyber trade publication. According to a joint advisory cited by Industrial Cyber, the FBI assessed that Iranian-affiliated actors are targeting internet-exposed PLCs with intent to cause disruptions, likely in response to hostilities between Iran and the United States and Israel. That activity has been ongoing since at least March 2026.
Separately, a CSIS tracker updated this week lists a June 2026 incident in which Russia's FSB claimed to have found malware on the smartphones of senior government officials, though the FSB offered no technical evidence and attributed the operation to unnamed foreign intelligence services. That claim should be treated as a Russian government statement, not a confirmed finding.
The staffing picture at CISA complicates the ambition of CI Fortify. Federal News Network reported that even before a 75-day Department of Homeland Security shutdown ended recently, CISA had already lost roughly 1,000 employees, about one-third of its staff, amid budget cuts under the Trump administration. Most remaining staff were furloughed during the shutdown. The agency is now asking critical infrastructure operators across 16 sectors to open their facilities for pilot assessments while running on reduced capacity.
Andersen has framed the CI Fortify assessments as relationship-building as much as technical auditing. According to Federal News Network, the acting director wants his regional staff to work with local emergency planners and military facilities to understand how long operators can sustain functions without services from critical dependencies. That's a reasonable objective. Whether a depleted agency can execute it at scale, across sectors that range from rural water districts to defense contractors, is a different question. CISA hasn't answered it yet.
Sources cited:
- CISA CI Fortify initiative page (https://www.cisa.gov/topics/industrial-control-systems/ci-fortify)
- CISA press release on CI Fortify (https://www.cisa.gov/news-events/news/cisa-unveils-new-initiative-fortify-americas-critical-infrastructure)
- Federal News Network, CISA CI Fortify coverage (https://federalnewsnetwork.com/cybersecurity/2026/05/cisa-tells-critical-organizations-to-prepare-for-cyber-outages/)
- Crowell & Moring, CI Fortify legal analysis (https://www.crowell.com/en/insights/client-alerts/cisas-ci-fortify-initiative-signals-new-expectations-for-critical-infrastructure-resilience-what-operators-and-vendors-need-to-know)
- Industrial Cyber, Iranian APT PLC advisory (https://industrialcyber.co/cisa/ongoing-cyberattacks-targeting-internet-connected-plcs-disrupt-us-critical-infrastructure-agencies-warn/)
- Executive Gov, CI Fortify and Iranian PLC context (https://www.executivegov.com/articles/cisa-ci-fortify-critical-infrastructure-cyber)
- CSIS Significant Cyber Incidents tracker (https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents)
This release was originally distributed via ETL Newswire. Visit CISA CI Fortify initiative page for the full story, related releases, and contact information.
Visit CISA CI Fortify initiative page →