Does No Internet Also Mean No Water or Lights?

Recently, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) launched a new initiative aimed specifically at operators of operational technology (OT). This endeavor reflects a shift from traditional cybersecurity measures, as it focuses not on preventing intrusions by hackers, but on preparing for situations where cybersecurity fails entirely. According to Matthew Rogers, the ICS Cybersecurity Lead at CISA, this initiative, named CI Fortify, provides operators with essential guidelines on mitigating the impacts of a successful cyberattack. The ultimate goal is to ensure that vital services such as water and electricity continue to function, even when connectivity is compromised.
Rogers articulated the urgency of this initiative by stating, “There are just a minimum of things that we can’t really afford to have fail, especially for any length of time.” This straightforward acknowledgment sets the stage for a comprehensive approach to maintaining essential services during adverse situations, including catastrophic cyber events. CI Fortify equips industrial control system operators with tactics to not only prepare for but also practice operating under conditions where the internet is cut off, or control systems are rendered inoperative, thus preventing any possibility of remote monitoring and control.
Operating under the assumption that breaches are inevitable, CI Fortify encourages operators to devise strategies to maintain system functionality and restore operations independently, without defaulting to external connectivity or relying on third-party service providers. However, this undertaking is not without hurdles. According to CISA, collaboration with other agencies, including sector risk management entities like the Environmental Protection Agency (EPA) and the Federal Communications Commission (FCC), is essential. Rogers acknowledges the obstacles in coordinating these partnerships, particularly as CISA lacks regulatory authority, thus complicating the advisory process.
Josh Corman, an executive in residence for public safety and resilience at the Institute for Security and Technology, noted that while the principle behind sector partnerships is to enhance CISA guidance by adding relevant sector-specific insights, there can be inconsistencies in the advice offered by these agencies. He pointed out that this divergence can add to the complexity of applying guidance effectively across different sectors.
As an integral part of this initiative, the EPA is preparing a significant national cybersecurity exercise tailored for the water sector. This drill, set to take place next month, aims to evaluate how the sector can effectively manage operations in the absence of supervisory control and data acquisition (SCADA) technology. Initially dubbed “A Day Without SCADA,” the exercise will now be referred to as the EPA 2026 National Cyber Drill due to copyright issues. The drill will incorporate both real-world scenarios and virtual tabletop components, simulating an environment without phones or internet access.
The pressing need for such preparations has been underscored by intelligence reports indicating that Chinese state-sponsored threat actors, identified as Volt Typhoon, have been infiltrating U.S. water and power utilities, particularly in strategic locations like Guam. Moreover, another group linked to the same geopolitical context, known as Salt Typhoon, has successfully compromised operational systems within U.S. telecommunications companies. These developments underline the potential risks that could disrupt critical infrastructure and the necessity for immediate action.
Patrick Gillespie, practice director for OT security at GuidePoint, emphasized the significance of CI Fortify as a foundational step back to the traditional operational measures that preceded the internet’s pervasiveness in OT frameworks. He observed that operational technology systems were in place long before modern networking capabilities became standard, suggesting a need for a dual approach that leverages both contemporary and historical techniques to safeguard critical systems.
At first glance, CI Fortify appears to be directed at owners and operators within the critical infrastructure domains. However, it is clear that collaboration with equipment manufacturers, systems integrators, resellers, and third-party providers is crucial. Rogers elaborated on this point by acknowledging that the entire ecosystem surrounding operational technology must be involved for the initiative to be effective.
Rogers stated, “We have laid out a path for what we want operators to do,” while recognizing the challenge involved. He characterized the process as “uphill both ways in the snow,” indicating the substantial work ahead to make compliance feasible for all stakeholders. From operational and technical perspectives, various issues must be resolved to create a smooth implementation process.
In a crisis situation, the need for prioritization becomes especially critical. Rogers highlighted that service providers should focus on the essential services that support public health and economic stability before less critical clients, regardless of the contractual obligations that favor bigger clients. This emphasis is part of a broader call to enhance resilience in essential services.
On the technical side, the adoption of advanced equipment, including equipment with cellular connectivity, presents unique challenges. Rogers cited the need for continued dialogue aimed at finding practical solutions to these integration complications. To address these technical hurdles, CISA is establishing a working group consisting of various original equipment manufacturers (OEMs) to facilitate problem-solving and knowledge sharing.

