Critical infrastructure (CI) operators have been urged to plan, sooner rather than later, for the ability to disconnect from third-party networks and recover compromised systems in the event of a cyber-attack.
The call came from the US Cybersecurity and Infrastructure Security Agency (CISA), which launched the initiative, named CI Fortify, on Tuesday as a planning framework for sectors including water, energy, transportation and communications.
CISA framed the program around a worst-case scenario in which telecommunications, internet, vendors and upstream service providers cannot be trusted, and threat actors already have a foothold in the OT network.
Isolation and Recovery as Emergency Objectives
The guidance set two core planning goals. Isolation involved proactively cutting OT systems off from third-party and business networks to prevent cyber impacts from spreading and to keep essential services running in a degraded communications environment.
CISA recommended that operators identify their critical customers, including military and lifeline services, set service delivery targets and update business continuity plans to enable safe operations in isolation for weeks or months at a time.
Recovery focused on documenting systems, backing up critical files and rehearsing the replacement of components or a transition to manual operations if isolation failed.
The agency also asked operators to share the guidance with managed service providers, system integrators and vendors to map out communications dependencies and workarounds.
Industry Reaction and the Limits of Isolation
CISA Acting Director Nick Andersen said the agency strongly encouraged operators to act on the recommendations.
"CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure," he said.
"We strongly encourage organizations to review this guidance, implement the recommended actions and collaborate with CISA to strengthen CI defenses against opportunistic threat actors."
Industry voices welcomed the focus on continuity but cautioned that disconnection alone would not stop an active intruder.
Duncan Greatwood, CEO of Xage Security, said attackers frequently moved through trusted connections, third parties or compromised credentials well before any crisis response began. "If organizations don't have control within the environment, then isolation on its own is not enough," he said.
Greatwood added that the most prepared operators would be those that layered control and containment into their environments, building on the direction set out in CISA's earlier zero-trust guidance for OT.
The parallel benefit, CISA noted, is that operators who invest in these capabilities end up with infrastructure that is easier to defend across all disruptions, from cyber-attacks to weather events and routine component failures.
