Intro
The modern landscape of critical infrastructure is no longer just under threat; it is effectively occupied territory. For decades, the standard defensive playbook centered on hardening the perimeter — building higher digital walls to keep adversaries out. However, we have reached a watershed moment in federal cyber policy. As nation-state actors move from simple espionage to prepositioning for disruptive strikes, the Cybersecurity and Infrastructure Security Agency (CISA) is signaling a fundamental, if sobering, shift in its strategy.
The unveiling of "CI Fortify" represents a pragmatic evolution in national security. It is an admission that in a world of constant connectivity, our greatest vulnerability is the digital lifeline itself. CI Fortify isn't just another compliance framework; it is a survival doctrine designed to ensure that when — not if — the network fails, the mission continues.
Disconnecting to Stay Online
The core objective of CI Fortify is a pivot toward radical isolation. The directive is clear: critical infrastructure organizations must proactively prepare to operate "offline." This means developing the capability to deliver essential services even when telecommunications are severed and the internet is dark.
In a technical sense, this requires organizations to identify and sever "third-party dependencies." In our hyper-connected ecosystem, these dependencies often include cloud-based management tools, remote maintenance access for vendors, and shared services that bridge the gap between corporate IT and operational technology (OT). While these connections provide efficiency, they also serve as conduits for infection.
By operating in an isolated state, organizations can ensure that a breach in a non-essential system does not lead to a total collapse of physical operations. While the initiative was born out of the shadows of major campaigns, Acting Director Nick Andersen is quick to frame this as a universal shield. According to Andersen, the goal is to "prevent the potential destructive impact to OT by any nation-state actor," referencing not just Chinese activity, but also recent Russian cyberattacks on OT networks in Poland.
"CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure," Andersen noted.
The Hard Truth: We Can't Just "Kick Them Out" Anymore
The most striking element of this shift is the admission that "eviction" — the complete removal of an adversary from a network — is no longer a guaranteed near-term outcome. The poster child for this frustration is the Volt Typhoon campaign. Chinese threat actors have been deeply embedded within U.S. critical infrastructure, in some cases since 2019, specifically to enable destructive action in the event of a kinetic military conflict.
Despite a multi-year effort by federal agencies to "identify and evict," these actors remain. The technical reality is that they don't just "hack" a system; they "reside" in it. By stealing domain credentials, they maintain a persistent presence that allows them to reconstitute and re-target victims even after a supposed cleanup. This makes traditional incident response feel like a game of digital whack-a-mole.
CI Fortify represents a strategic pivot: if you cannot reliably evict the intruder, you must limit their "blast radius." Matthew Hartman, a leading cybersecurity expert, describes this as a necessary evolution. "Eviction remains the objective, but it cannot be the lone strategy," Hartman explained. "Prioritizing segmentation and resilience is a pragmatic shift, assuming compromise and limiting blast radius rather than chasing a constantly reconstituting threat."
The AI Catalyst: Speed as a Weapon
The urgency behind CI Fortify has been significantly accelerated by the rise of artificial intelligence. CISA leadership and the Trump administration have engaged in deep discussions regarding the "speed and velocity" at which AI-driven attacks can now manifest.
When attackers leverage AI models, they move at "machine speed," conducting large-scale intrusions with an efficiency that makes traditional, human-speed Security Operations Center (SOC) responses obsolete. We are already seeing the first tremors of this shift; recently, hackers utilized an AI model to compromise a municipal water and drainage utility in Monterrey, Mexico.
When the adversary can automate the discovery of vulnerabilities and the execution of exploits, the only viable defense for a water plant or a power grid is to remove the path of attack entirely. If the OT system is isolated, the AI's velocity is irrelevant — it simply has nowhere to go.
Segmenting the Future: Isolation as the New Standard
To achieve this vision, CI Fortify focuses on the strict segmentation of Operational Technology (OT) from traditional Information Technology (IT) networks. This is designed to halt lateral movement — the process by which an attacker enters through a low-security office workstation and migrates to the high-stakes controllers of a physical power grid.
Rather than a one-size-fits-all mandate, CISA is rolling out industry-specific, targeted assessments. These evaluations are designed to ensure that emergency plans are not just theoretical, but actionable. The technical goal is two-fold:
- Isolation Capability: The ability to instantly sever third-party and IT-to-OT links during a crisis.
- Isolated Restoration: The capacity to restore and verify compromised systems while remaining completely disconnected from the broader internet.
The focus is no longer on the "digital lifeline," but on the "analog anchor" — the ability to keep the lights on when the world goes dark.
Resilience
The introduction of CI Fortify marks the end of the era of naive connectivity. By acknowledging that total integration creates unacceptable national security risks, the federal government is effectively telling critical sectors that the safest way to operate in the 21st century is to return, in part, to the 20th.
As we move toward this "unplugged" model of defense, we must confront a difficult question: Has the price of total connectivity finally become too high? If our most essential services — our water, our power, our transport — are only truly safe when they are isolated, then we must wonder if our "connected" society has built its foundation on digital sand. Resilience through isolation may be the only viable path to true digital sovereignty, but it is a path that requires us to choose security over the very convenience we once thought was progress.