
CISA Urges Critical Infrastructure to Prepare for Continued Operations During Cyber Attacks


Critical infrastructure (CI) operators have been urged to plan for two things in advance: how to disconnect from third-party networks, and how to recover systems that have already been compromised. The call comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which recently launched CI Fortify, a planning framework aimed at sectors including water, energy, transportation, and communications.

CISA frames CI Fortify around a worst-case scenario: telecommunications carriers, internet providers, and upstream service vendors can no longer be trusted, and threat actors may already be inside the operational technology (OT) network. The framework is meant to ensure that essential services keep running, and can be restored, under those conditions.

### Isolation and Recovery as Emergency Objectives

The framework sets out two objectives, isolation and recovery. Isolation means planning ahead to sever OT systems from third-party and business networks, so that an intrusion elsewhere cannot cascade into operations and essential services keep running even when communications are compromised.

To get there, CISA recommends that operators identify their most critical customers, including military and lifeline services, and set explicit service delivery targets for them. Operators should also update their business continuity plans so that they can operate safely for extended periods, potentially weeks or months, while cut off from external networks.

Recovery, the second objective, calls for thorough documentation of systems, regular backups of critical files, and rehearsals of component replacement and of the switch to manual operations for the case where isolation fails. CISA encourages a comprehensive recovery strategy so that disruption is minimal and service can be restored quickly.

CISA also asks operators to share the guidance with their managed service providers, system integrators, and vendors. Mapping communication dependencies across those parties, and agreeing on workarounds before they are needed, is what makes a coordinated response possible once a breach occurs.
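The dependency mapping CISA asks for is the step most operators find hardest to start, because nobody knows exactly what crosses the OT boundary until it is measured. The script below is an added example, not CISA's own tooling or anything published with CI Fortify: it takes flow records (constructed here, of the kind a firewall or NetFlow collector would export), classifies each endpoint into a hypothetical zone map, and reports every flow that crosses the OT boundary. Outbound flows are the services OT will lose on isolation and therefore need a workaround; inbound flows are access paths into OT that should be closed, and which an intruder may already be sitting on. Zone ranges, addresses and traffic are all assumptions for illustration.

```python
"""Map cross-boundary dependencies from flow records before enacting an OT isolation plan.

Added example for this article, not part of CISA's CI Fortify guidance. Zones,
addresses and flows below are constructed for illustration.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Hypothetical zone definitions; a real plan would load these from the asset inventory.
ZONES = {
    "ot": [ip_network("10.10.0.0/16")],
    "business": [ip_network("10.20.0.0/16")],
    "dmz": [ip_network("192.168.100.0/24")],
}

# Constructed flow records: (src, dst, dst_port, proto, bytes). Not real traffic.
FLOWS = [
    ("10.10.1.15", "10.10.1.20", 502, "tcp", 12000),      # PLC <-> HMI, stays inside OT
    ("10.10.1.20", "10.20.5.40", 1433, "tcp", 540000),    # historian pushing to business SQL
    ("10.10.1.20", "203.0.113.7", 443, "tcp", 88000),     # vendor remote support (third party)
    ("10.20.5.41", "10.10.1.20", 3389, "tcp", 2300000),   # business workstation RDP into OT
    ("10.10.1.30", "198.51.100.9", 123, "udp", 3000),     # NTP from an internet server
    ("10.10.1.30", "192.168.100.5", 514, "udp", 40000),   # syslog to a DMZ collector
]


def zone_of(addr, zones=ZONES):
    """Return the zone name for an address; anything outside the known ranges is
    treated as a third party, which is the conservative default for isolation planning."""
    ip = ip_address(addr)
    for name, nets in zones.items():
        if any(ip in net for net in nets):
            return name
    return "third_party"


def cross_boundary_dependencies(flows, zones=ZONES):
    """Aggregate flows that cross the OT boundary in either direction.

    Returns {(src_zone, dst_zone, dst_port, proto): total_bytes}. Flows entirely
    inside OT, or entirely outside it, are not dependencies of the OT network and
    are dropped.
    """
    deps = defaultdict(int)
    for src, dst, port, proto, nbytes in flows:
        src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
        if src_zone == dst_zone == "ot":
            continue
        if "ot" not in (src_zone, dst_zone):
            continue
        deps[(src_zone, dst_zone, port, proto)] += nbytes
    return dict(deps)


def isolation_impact(flows, zones=ZONES):
    """Split dependencies into what isolation breaks and what it should close.

    outbound: OT initiates the flow; this is a service OT loses when the link is
              cut and must be replaced locally or accepted as a loss.
    inbound:  something outside OT initiates the flow; this is an access path that
              isolation must close, and a candidate pre-positioned foothold.
    Each list is sorted by volume so the largest dependencies are reviewed first.
    """
    outbound, inbound = [], []
    for (src_zone, dst_zone, port, proto), nbytes in cross_boundary_dependencies(flows, zones).items():
        entry = {
            "peer_zone": dst_zone if src_zone == "ot" else src_zone,
            "port": port,
            "proto": proto,
            "bytes": nbytes,
        }
        (outbound if src_zone == "ot" else inbound).append(entry)
    by_volume = lambda e: -e["bytes"]
    return {"outbound": sorted(outbound, key=by_volume), "inbound": sorted(inbound, key=by_volume)}


if __name__ == "__main__":
    impact = isolation_impact(FLOWS)
    print("Services OT loses on isolation (need a workaround):")
    for e in impact["outbound"]:
        print(f"  -> {e['peer_zone']:<12} {e['proto']}/{e['port']:<5} {e['bytes']:>9} bytes")
    print("Access paths into OT (close, and investigate who is using them):")
    for e in impact["inbound"]:
        print(f"  <- {e['peer_zone']:<12} {e['proto']}/{e['port']:<5} {e['bytes']:>9} bytes")
```

On the constructed data the report shows four outbound dependencies (business SQL, vendor HTTPS, DMZ syslog, internet NTP) and one inbound RDP session from the business network. The first list is the workaround list the guidance talks about: local NTP, a local log collector, a buffered historian. The second is where Greatwood's caveat bites, since an existing inbound session is exactly the kind of trusted connection an intruder uses before any crisis response begins.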

### Industry Reaction and the Limits of Isolation

Nick Andersen, the Acting Director of CISA, expressed strong encouragement for operators to act on these recommendations, declaring, “CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure.” He stressed the importance of reviewing this guidance, implementing the prescribed actions, and collaborating with CISA to bolster defenses against opportunistic threat actors.

Industry stakeholders have shown support for the focus on continuity, underscoring its importance in today’s threat landscape. However, some experts caution that mere disconnection from networks does not provide a foolproof solution to counter active intruders. Duncan Greatwood, CEO of Xage Security, noted that attackers often navigate through trusted connections, third-party services, or compromised credentials long before any crisis response measures are initiated. He argues, “If organizations don’t have control within the environment, then isolation on its own is not enough.”

Greatwood further elaborated that the most resilient operators are those who layer control and containment measures within their systems, building upon the guidance provided in CISA’s earlier recommendations pertaining to a zero-trust approach for operational technology.

Moreover, CISA pointed out the added benefit of investing in such capabilities. Operators who proactively enhance their defense infrastructure not only bolster their cybersecurity posture but also establish systems that are easier to defend against a range of disruptions, including cyber-attacks, natural disasters, and routine equipment failures.

Taken together, the guidance asks operators to treat isolation and recovery as rehearsed capabilities rather than emergency improvisation. CI Fortify does not claim to stop intrusions; it aims to keep essential services running, and recoverable, when upstream trust has already failed.
