The CISA portal describes the program this way: “‘CI Fortify’ is an allied initiative bolstering public health and safety, defense critical infrastructure, continuity of the economy, and national security by ensuring operators are prepared to sustain essential operations during a geopolitical conflict. For planning purposes, operators should assume that in a conflict scenario third-party connections — such as telecommunications, internet, vendors, service providers, and upstream dependencies — will be unreliable and that threat actors will have some access to the OT network. Isolation and Recovery are emergency planning objectives that can mitigate this threat within the next few years.”
Here’s a related quote from Acting CISA Director Nick Andersen: “In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering — at a minimum — crucial services. They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”
DIGGING DEEPER
Going a bit further, you are probably wondering what is meant by “Isolation” and “Recovery.” Here are those details from CISA: “Isolation includes proactively disconnecting from third-party and business networks to prevent OT cyber impacts and sustain essential operations in a degraded communications environment. The goal is to ensure essential service delivery occurs during an emergency rather than completely shutting down. This involves:
- Identifying critical customers, such as military infrastructure and lifeline services, and setting a service delivery target based on their needs.
- Determining vital OT and supporting infrastructure to meet that target in isolation.
- Updating business continuity plans and engineering processes to allow for safe operations for weeks to months while isolated.
- Tracking CISA and Sector Risk Management Agency (SRMA) communications to know when to isolate. Subscribe to updates from CISA.
“Operators should share and discuss this page with their managed service providers, system integrators, and vendors to help understand their communications dependencies and potential workarounds.”
THE ONGOING CYBER THREAT
Back at the beginning of March, I covered the challenges of protecting critical infrastructure in a time of war in this blog. More than two months later, the problems have only grown more severe.
Several months back, CISA warned that nation-state cyber actors have already prepositioned themselves within critical infrastructure systems and could target operational technology and telecommunications networks during geopolitical conflicts. The Center for Strategic and International Studies described the situation in more detail in this white paper last week: The Iranian Cyber Threat to U.S. Critical Infrastructure.
Here’s a brief excerpt: “Recently, CISA and other U.S. agencies published an advisory notice warning of the threat posed to U.S. critical infrastructure by Iran-affiliated actors — many of which are thought to be associated with the Islamic Revolutionary Guard Corps. CISA warned that cyber incidents exploiting vulnerabilities in programmable logic controllers (PLCs) — types of computers that control and monitor industrial equipment or machinery — had caused disruption to an unspecified number of U.S. organizations across multiple critical infrastructure sectors (including local government, water, and energy), gaining unauthorized access to systems and manipulating data displayed on monitors. Though the number of victims was not confirmed, the advisory stated that the incidents had resulted in operational disruption and financial loss.”
The Record from Recorded Future News elaborates here: “In comments to Recorded Future News, [CISA Acting Director Nick] Andersen argued that the CI Fortify effort was ‘not in response to any particular nation-state actor’ and denied that it was aimed specifically at Volt Typhoon. The initiative was designed to ‘prevent the potential destructive impact to OT by any nation-state actor,’ he said. ...
“Andersen added that artificial intelligence is also a primary concern prompting the pivot to CI Fortify. He told reporters on Tuesday that CISA and the Trump administration have had deep discussions about ‘the increasing speed and velocity at which … artificial intelligence is going to sort of change and morph the types of impacts we would see for cyber defenders across the board, both for critical infrastructure and operational technology as well as traditional information technology.’”
Cybersecurity researchers have reported multiple recent cases of hackers using AI models to conduct large portions of cyber intrusions. Incident response firm Dragos said on Wednesday that a hacker used an AI model to compromise a municipal water and drainage utility in Monterrey, Mexico.
FINAL THOUGHTS
While it appears that the war with Iran could be winding down, with a ceasefire still in place and strong hopes for an agreement at the time I am writing this piece, the cyber attacks will not stop and may just be getting started at a new level.
State and local governments must take aggressive steps to follow the CI Fortify guidance that CISA released in the past week.