CISA’s CI Fortify: How Critical Infrastructure Can Withstand Disrupted Communications and OT Compromise
What would you do if your control room went quiet, your screens froze, and your teams couldn’t reach each other—just as critical equipment demanded attention? That’s the nightmare scenario many operators quietly fear. On May 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) answered that fear with CI Fortify: a resilience-first playbook designed to keep critical services running when cyberattacks sever communications and compromise operational technology (OT).
This isn’t another “patch faster” memo. CI Fortify is about staying online when attackers try to take you offline—especially during hybrid crises that blend cyber operations with physical or geopolitical turbulence. In this guide, we’ll break down what CI Fortify means for operators across energy, water, transportation, and manufacturing; what to prioritize in the next 30–90 days; and how to turn resilience into a measurable, repeatable business capability.
If you run systems that communities and economies depend on, this is your moment to pressure-test continuity—before attackers do it for you.
- Read Industrial Cyber’s coverage of the launch: CISA’s CI Fortify prepares operators for cyber scenarios involving disrupted communications and OT compromise
- Explore CISA resources: CISA.gov | JCDC | Shields Up | ICS/OT Security
What Is CI Fortify—and Why It Matters Now
CISA’s CI Fortify is a new initiative to help critical infrastructure operators maintain baseline service continuity during cyber incidents engineered to cause disruption. Rather than chasing perfect prevention, the program prioritizes:
- Playbooks for communications blackouts, OT ransomware, and advanced APT intrusions targeting ICS.
- Strategic guidance for segmenting IT/OT, deploying redundant communications, and conducting realistic exercises.
- Integrating threat intelligence into SOC workflows to get ahead of emerging techniques.
- Proactive collaboration with CISA for assessments and coordinated responses.
Why this, and why now? Because the threat landscape keeps shifting toward sustained disruption. Nation-state-linked groups have targeted infrastructure during conflicts, and operators have seen renewed attempts at attacks reminiscent of Colonial Pipeline—only now with AI-enhanced reconnaissance, weaponized deepfakes for social engineering, and faster exploitation cycles. CI Fortify builds on lessons learned from CISA’s collaborative frameworks like the Joint Cyber Defense Collaborative (JCDC), putting resilience front and center.
In short: CI Fortify helps you plan for the day you hope never comes—with the clarity and muscle memory to keep critical services available when it does.
The Scenarios CI Fortify Prepares You For
CI Fortify is anchored in three realistic, high-impact scenarios that can upend continuity in minutes.
1) Disrupted Communications at Scale
- What happens: DDoS floods, routing manipulation, or upstream outages sever your external connectivity. Dispatch centers can’t reach field crews, remote sites lose telemetry, and vendor access is blocked mid-maintenance.
- Risks: Loss of visibility into remote operations, delayed response to alarms, increased safety hazards, and inability to coordinate with partners or regulators.
- What resilience looks like: Pre-established out-of-band channels (radio, satellite, multi-carrier LTE/5G), agreed fallback protocols, cached procedures and schematics locally, and a clearly defined communications ladder that works even if email, VoIP, and VPNs are down.
2) Ransomware Locking Up OT Systems
- What happens: OT HMIs, engineering workstations, or data historians are encrypted or otherwise unavailable. Operators experience loss of view, potential loss of control, or both.
- Risks: Unsafe operations if control is attempted blindly, prolonged shutdowns, and delayed return to steady state.
- What resilience looks like: Gold-image recovery playbooks, offline and immutable backups, manual operation procedures validated in drills, and a decision tree that prioritizes safety and service continuity over hasty restoration.
3) APT Intrusions Targeting ICS
- What happens: Sophisticated actors move laterally from IT into OT, live off the land, and pre-position themselves to degrade operations or corrupt safety functions.
- Risks: Stealthy manipulation of set points, data tampering, silent exfiltration of sensitive configurations, and strategic disruption under cover of other crises.
- What resilience looks like: Hardened network boundaries, allowlist-only communications, secure remote access, continuous monitoring with OT-aware detections, and rehearsed containment that doesn’t jeopardize operations.
Core CI Fortify Recommendations (and Why They Work)
CISA’s guidance echoes what high-reliability operators already know: resilience is a system property—technical, procedural, and human. Key recommendations include:
- Segment IT and OT networks with rigor, using DMZs, firewalls, and one-way data flows where feasible.
- Deploy redundant communication paths and out-of-band options for command, control, and coordination.
- Conduct regular, realistic tabletop and technical exercises—including comms-blackout drills.
- Integrate timely threat intelligence into SOC operations and OT monitoring.
- Collaborate early with CISA for vulnerability assessments and coordinated response planning.
- Prioritize metrics that matter to operations—like Recovery Time Objectives (RTOs) tied to critical services—over generic “patch counts.”
These steps convert theoretical security into practical continuity when the network is loud, late, or lying.
Turn Guidance Into Action: Your 30–60–90 Day Plan
You don’t have to do everything at once. Here’s a pragmatic ramp to reduce risk quickly while building durable muscle.
Days 0–30: Stabilize and See
- Define critical services and set RTOs and MBCOs (Minimum Business Continuity Objectives) for each.
- Inventory assets in both IT and OT. Prioritize “crown jewels”: control servers, HMIs, safety systems, and communications gateways.
- Validate offline, immutable backups of configurations, recipes, and set points. Test one controlled restore.
- Establish at least one out-of-band comms channel (e.g., radio, satellite, or multi-carrier mobile). Distribute contact trees on paper and devices.
- Subscribe to CISA alerts and ICS advisories: CISA ICS and Shields Up.
- Run a one-hour “comms blackout” tabletop: simulate loss of email/VPN/phones. Identify choke points and update call-down lists.
- Register engagement pathways with CISA and sector partners (e.g., JCDC) for faster coordination: CISA JCDC.
Days 31–60: Contain and Control
- Implement or tighten IT/OT segmentation. Enforce allowlisted communications between zones; deploy a DMZ for data sharing.
- Introduce secure remote access with MFA and jump hosts. Remove direct vendor access to OT segments.
- Expand logging and central visibility for OT gateways, historians, and engineering workstations. Baseline normal traffic.
- Harden backups: offline copies, restore tests in a sandboxed OT lab, and gold-image procedures for HMIs/engineering stations.
- Draft manual operations guides and cross-train operators and maintenance staff. Validate safety interlocks under manual modes.
- Map top OT assets and chokepoints to MITRE ATT&CK for ICS. Add detections for high-risk techniques.
Days 61–90: Redundancy and Rehearsal
- Add redundant comms paths for critical sites (e.g., secondary fiber, microwave, satellite, multi-carrier LTE/5G bonding).
- Pilot data diodes or unidirectional gateways where one-way telemetry suffices.
- Finalize runbooks for three scenarios: comms outage, OT ransomware, and suspected APT lateral movement.
- Conduct a cross-functional exercise with external partners (vendors, regional utilities, emergency management).
- Stand up a resilience dashboard: RTOs, detection-to-containment times, comms uptime by path, backup restore times, and manual-ops readiness.
- Align budget and leadership support using impact scenarios tied to RTOs and regulatory obligations.
Building Communications Resilience When the Network Goes Dark
Communications failures magnify every other problem. Design for graceful degradation:
- Multiple paths, different dependencies: Combine wired, microwave, and satellite for true diversity. Use multi-carrier LTE/5G with automatic failover at remote sites.
- Out-of-band by design: Equip leaders and field teams with radio, satellite messengers, or push-to-talk devices. Pre-stage frequencies, talkgroups, and protocols.
- Local survivability: Cache procedures, P&IDs, emergency contacts, and maintenance histories on-site and offline. Maintain local historian buffers where feasible.
- Names and numbers that still work: Host critical DNS locally with fallback records. Maintain printed directories and laminated quick-cards.
- Clear comms ladders: Who declares a comms outage? Who coordinates with regulators? Who switches to alternate channels? Write it down, rehearse it, and keep it simple.
Pro tip: During exercises, actually turn off a primary path. Nothing exposes single points of failure faster than a real disconnection.
Protecting OT/ICS: From Perimeter to Procedure
Defending OT is about enabling safe control under duress—not just blocking packets.
- Segmentation that holds: Apply the Purdue model with strict ACLs. Use industrial firewalls with protocol-aware filtering. Consider unidirectional gateways for critical telemetry.
- Allowlist everywhere feasible: Only approved hosts, services, and ports. Block all else by default, including lateral IT-to-OT protocols.
- Secure remote access: MFA, dedicated jump hosts, time-bound approvals, and session recording. No dual-homed laptops bridging zones.
- Golden baselines and backups: Immutable images for HMIs and engineering workstations (EWS). Store vendor firmware, configurations, and logic offline. Test restores regularly.
- OT-aware detection: Monitor for unusual commands, changes to logic, or anomalous traffic patterns. Baseline normal cyclic behavior and alert on deviations.
- Maintenance windows with guardrails: Apply patches methodically, with rollback plans and pre/post-change validation.
- Vendor governance: Contractually require secure update channels, vulnerability notifications, and rapid on-call support during incidents.
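To make the segmentation and allowlist points concrete, here is an added example (not CISA's or CI Fortify's code) that evaluates observed cross-zone flows against a default-deny zone allowlist. The zone ranges, the allowlist entries, and the sample flows are all constructed for illustration.

```python
"""Check observed boundary flows against a Purdue-style zone allowlist.

Added example: zones, allowlist entries and sample flows are constructed;
the policy is allowlist-only with default deny between zones.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical zone map (constructed sample address ranges).
ZONES = {
    "it_enterprise": ip_network("10.10.0.0/16"),
    "ot_dmz": ip_network("10.20.0.0/24"),
    "ot_control": ip_network("192.168.50.0/24"),
}

# Allowlist entries: (src_zone, dst_zone, proto, dst_port). Everything else is denied.
ALLOW = {
    ("ot_control", "ot_dmz", "tcp", 502),     # PLC data replicated to the DMZ historian
    ("it_enterprise", "ot_dmz", "tcp", 443),  # enterprise users read the DMZ historian
    ("ot_dmz", "ot_control", "tcp", 3389),    # jump host to engineering workstation
}

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is unmapped."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(flow: Flow) -> tuple[str, str]:
    """Return (verdict, reason). Cross-zone traffic must match an allowlist entry."""
    s, d = zone_of(flow.src), zone_of(flow.dst)
    if "unknown" in (s, d):
        return "deny", f"unmapped address in {flow.src}->{flow.dst}"
    if s == d:
        return "allow", f"intra-zone {s}"
    if (s, d, flow.proto, flow.dport) in ALLOW:
        return "allow", f"allowlisted {s}->{d} {flow.proto}/{flow.dport}"
    if s == "it_enterprise" and d == "ot_control":
        return "deny", "direct IT-to-OT lateral traffic (must traverse DMZ)"
    return "deny", f"no allowlist entry for {s}->{d} {flow.proto}/{flow.dport}"

def violations(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Flows that the policy denies, each with the reason, for review or alerting."""
    return [(f, reason) for f in flows for verdict, reason in [evaluate(f)] if verdict == "deny"]

# Constructed sample flows, as if parsed from boundary firewall logs.
SAMPLE_FLOWS = [
    Flow("192.168.50.10", "10.20.0.5", "tcp", 502),
    Flow("10.10.4.7", "10.20.0.5", "tcp", 443),
    Flow("10.10.4.7", "192.168.50.10", "tcp", 502),  # IT host talking Modbus straight to a PLC
    Flow("10.10.4.7", "192.168.50.20", "tcp", 445),  # SMB from IT into the control zone
]

if __name__ == "__main__":
    for flow, reason in violations(SAMPLE_FLOWS):
        print(f"DENY {flow.src}->{flow.dst} {flow.proto}/{flow.dport}: {reason}")
```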
Map controls and practices to recognized frameworks to stay aligned and audit-ready:
- NIST SP 800-82 (Guide to Industrial Control Systems Security): NIST 800-82 Rev. 2
- MITRE ATT&CK for ICS techniques and mitigations: ATT&CK ICS
Exercises That Actually Move the Needle
Drills should test decisions, not just documents.
- Tabletop, then technical: Start at the conference table to validate roles and choices. Graduate to live-fire drills in a lab or test environment.
- Measure what matters: Time to detect loss of view, time to reach alternate comms, time to manual mode, and time to safe state.
- Practice the hard calls: When do you isolate a plant? Who authorizes a controlled shutdown? What triggers notification to regulators and CISA?
- Include third parties: Vendors, mutual-aid partners, and carriers must be part of the simulation—attacks don’t respect organizational charts.
- Document, fix, repeat: Capture gaps, assign owners, and re-test within 60 days.
If you’ve never tried to run operations while your SIEM, email, and VPN are unavailable, you’ve never truly tested resilience.
Bringing Threat Intelligence Into Your SOC and OT
Threat intel is only useful if it drives faster, better decisions.
- Ingest and normalize: Subscribe to CISA alerts and ICS advisories; use STIX/TAXII where available. Prioritize items that map to your deployed tech.
- Tag by impact: Link indicators and TTPs to specific ICS equipment, firmware, and critical services. Don’t treat all alerts equally.
- Operationalize detections: Convert high-fidelity TTPs into use cases in your SOC and OT monitoring stack. Tune to reduce noise.
- Hunt with purpose: Run periodic hunts for known ICS intrusion patterns—credential reuse, rogue remote access, unexpected engineering changes.
- Close the loop: Feed incident learnings back into playbooks, blocklists, and training.
Start here for authoritative guidance and alerts:
- CISA ICS/OT Security: cisa.gov/ics
- Shields Up advisories: cisa.gov/shields-up
Working With CISA: Faster Assessments, Better Coordination
You don’t have to go it alone. CISA offers collaboration channels that shorten response times and raise your resilience baseline:
- Voluntary assessments and hygiene services
- ICS advisories, alerts, and joint advisories via JCDC
- Coordinated incident response and information sharing
Establish contact pathways now so you’re not trading business cards in the middle of a crisis:
- CISA homepage: cisa.gov
- Report an incident: cisa.gov/report
- JCDC collaboration: cisa.gov/jcdc
Metrics That Prove You’re Resilient
Shift from vanity metrics to continuity metrics:
- Service-level RTOs and actual recovery times during drills
- Mean time to alternate communications (primary to OOB)
- Time to safe state (loss of view/control to stable operations)
- Backup integrity and restore success rates
- Detection-to-containment interval for OT-relevant events
- Manual operation readiness (qualified personnel per shift/site)
When leadership can watch these numbers improve quarter over quarter, funding follows.
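The continuity metrics above, and the drill timings from the exercises section, can be derived from a milestone log kept during each drill. The following is an added example (not a CISA or CI Fortify artifact): the event names, the drill timeline, and the per-site targets are all constructed.

```python
"""Derive continuity metrics from a drill milestone log and score them.

Added example: the log, event names and targets are constructed; each
metric is the minutes between two milestones, matching the list above.
"""
from __future__ import annotations
from datetime import datetime

# Constructed drill log, one milestone per line: timestamp,site,event
DRILL_LOG = """\
2026-05-06T02:07:00,plantB,primary_comms_lost
2026-05-06T02:09:30,plantB,loss_of_view
2026-05-06T02:12:00,plantB,alt_comms_established
2026-05-06T02:14:00,plantB,ransomware_detected
2026-05-06T02:21:00,plantB,manual_mode_entered
2026-05-06T02:30:00,plantB,ot_boundary_contained
2026-05-06T02:41:00,plantB,safe_state_reached
2026-05-06T05:50:00,plantB,hmi_restored
"""

# Metric -> (start milestone, end milestone); hypothetical event names.
METRICS = {
    "time_to_alt_comms_min": ("primary_comms_lost", "alt_comms_established"),
    "time_to_manual_min": ("loss_of_view", "manual_mode_entered"),
    "time_to_safe_state_min": ("loss_of_view", "safe_state_reached"),
    "detection_to_containment_min": ("ransomware_detected", "ot_boundary_contained"),
    "recovery_time_min": ("loss_of_view", "hmi_restored"),
}

# Hypothetical per-site targets: the HMI RTO plus caps on safe-state and alt-comms times.
TARGETS = {
    "plantB": {"recovery_time_min": 240, "time_to_safe_state_min": 30, "time_to_alt_comms_min": 10},
}

def parse_log(text: str) -> dict[str, dict[str, datetime]]:
    """Return {site: {event: timestamp}} from the CSV-style milestone log."""
    events: dict[str, dict[str, datetime]] = {}
    for line in text.strip().splitlines():
        ts, site, name = line.split(",")
        events.setdefault(site, {})[name] = datetime.fromisoformat(ts)
    return events

def compute_metrics(events_by_site: dict[str, dict[str, datetime]]) -> dict[str, dict[str, float | None]]:
    """Return {site: {metric: minutes}}; a missing milestone yields None (a logging gap to fix)."""
    result = {}
    for site, ev in events_by_site.items():
        result[site] = {
            name: (ev[end] - ev[start]).total_seconds() / 60 if start in ev and end in ev else None
            for name, (start, end) in METRICS.items()
        }
    return result

def scorecard(metrics_by_site, targets=TARGETS) -> list[tuple[str, str, float | None, float, str]]:
    """Rows of (site, metric, value, target, status) where status is met, missed or no data."""
    rows = []
    for site, m in metrics_by_site.items():
        for metric, target in targets.get(site, {}).items():
            value = m.get(metric)
            status = "no data" if value is None else ("met" if value <= target else "missed")
            rows.append((site, metric, value, target, status))
    return rows

if __name__ == "__main__":
    for row in scorecard(compute_metrics(parse_log(DRILL_LOG))):
        print(*row)
```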
Sector Notes: Practical Nuances by Vertical
- Energy: Validate blackstart and manual generation procedures; coordinate with transmission operators on fallback comms; ensure substation access plans if digital locks fail.
- Water/Wastewater: Pre-plan manual valve and chemical feed adjustments; stock spare parts for remote sites; test telemetry loss scenarios during peak demand.
- Transportation: Simulate comms loss for rail signaling or port crane operations; define safe halts and staged restarts; prioritize radio discipline under stress.
- Manufacturing: Create production-specific restoration sequences; rehearse manual quality checks; manage interdependencies with suppliers and logistics.
A Walkthrough: Comms Blackout Meets OT Ransomware
It’s 2:07 AM. Your NOC flags elevated packet loss across multiple links. Minutes later, primary internet circuits for three plants drop. Your SOC sees inbound DDoS traffic. Simultaneously, operators at Plant B report frozen HMIs—error messages suggest ransomware.
What CI Fortify-ready looks like:
- The incident commander declares a comms outage. Teams shift to radio and satellite per the playbook; call-down lists execute without delay.
- Plant B moves to manual operations using validated procedures. Gold images are pre-staged for recovery once containment is confirmed.
- The OT boundary is locked down. Vendor access is suspended; jump hosts and MFA remain enforced. OT logs are captured locally for later analysis.
- The SOC prioritizes detection around ICS-specific TTPs and hunts for lateral movement. They consult ATT&CK for ICS and CISA advisories to refine queries.
- Leadership is briefed with RTOs: Services remain above MBCO thresholds; regulatory notifications are issued; CISA is engaged via known channels.
- Within hours, DDoS scrubbing activates on upstream paths; alternate links carry critical traffic. Plant B restores HMIs from gold images after thorough checks.
- Post-incident, teams log time-to-alt-comms, time-to-manual, and recovery times, updating runbooks and requesting budget for another redundant link at Plant C.
No heroics. Just rehearsed, documented resilience.
Getting Started Today
- Read the announcement and context: Industrial Cyber coverage
- Bookmark CISA resources: CISA.gov | JCDC | Shields Up | ICS
- Kick off a 30–90 day plan focused on comms resilience, OT segmentation, and realistic exercises.
- Define service-level RTOs and test them through drills.
- Establish contact and reporting pathways with CISA now: cisa.gov/report
Resilience isn’t a product you buy; it’s a capability you build—one realistic scenario, one clean runbook, and one well-rehearsed team at a time.
FAQs
Q: What is CISA’s CI Fortify in simple terms?
A: It’s a resilience-focused initiative that gives critical infrastructure operators practical playbooks and priorities to keep essential services running during cyber incidents—especially when communications are disrupted or OT/ICS systems are targeted.
Q: How is CI Fortify different from JCDC?
A: JCDC is a collaboration framework for joint cyber defense across government and industry. CI Fortify builds on that ecosystem with targeted guidance and scenarios specifically aimed at maintaining operational continuity under stress.
Q: Who should implement CI Fortify guidance?
A: Operators in energy, water/wastewater, transportation, manufacturing, and other critical infrastructure sectors. It’s especially relevant for organizations with OT/ICS environments and distributed field operations.
Q: What are the top three actions to start this week?
A: 1) Stand up an out-of-band communications path and paper-based contact trees. 2) Inventory OT crown jewels and validate offline, immutable backups. 3) Run a one-hour tabletop simulating a comms blackout and update your playbook accordingly.
Q: Does CI Fortify require major new tools?
A: Not necessarily. It emphasizes architecture (segmentation, allowlists), procedures (manual ops, runbooks), and rehearsals. Where tools help—like protocol-aware firewalls, data diodes, or multi-path connectivity—they should support clear resilience outcomes.
Q: How do we integrate threat intelligence effectively?
A: Subscribe to CISA alerts, map relevant TTPs to your assets using MITRE ATT&CK for ICS, and convert them into tuned detections. Run periodic hunts for OT-relevant anomalies and close the loop by updating playbooks.
Q: How should we handle third-party vendor access?
A: Require MFA, jump hosts, time-bound approvals, and session recording. Remove direct access to OT segments, and ensure vendors participate in your exercises and incident escalation plans.
Q: Where can we report an incident or request help?
A: Use CISA’s reporting portal: cisa.gov/report. Establish these channels and POCs now so engagement is fast and coordinated during an event.
Q: What metrics should leadership watch?
A: RTOs per critical service, time to alternate communications, time to safe state, backup restore success rates, detection-to-containment times, and manual-ops readiness.
The Takeaway
CI Fortify is a timely shift from “keep attackers out” to “keep services up.” In an era of hybrid threats and AI-accelerated intrusions, continuity depends on realistic scenarios, redundant communications, hardened OT boundaries, and teams that know exactly what to do when the lights flicker. Start with your 30–90 day plan, practice the hard days before they arrive, and measure resilience by the services you sustain—no matter what hits the network.
Discover more at InnoVirtuoso.com