CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

CISA Urges OT Operators to Plan for Worst Case Scenarios

Data Breach Today Archived Jun 04, 2026 ✓ Full text saved

Does No Internet Also Mean No Water or Lights? The latest initiative from the U.S. cyber defense agency aimed at operational technology operators is a little bit different. It's not advice about how to keep hackers out. It's not really about cybersecurity at all. CI Fortify is about what to do when cybersecurity fails.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Business Continuity Management / Disaster Recovery , Critical Infrastructure Security , Governance & Risk Management CISA Urges OT Operators to Plan for Worst Case Scenarios Does No Internet Also Mean No Water or Lights? Shaun Waterman • June 4, 2026     Credit Eligible Get Permission Image: Vectorfusionart/Shutterstock The latest initiative from the U.S. cyber defense agency aimed at operational technology operators is a little bit different. It's not advice about how to keep hackers out. It's not really about cybersecurity at all. See Also: How Cyberattacks Can Turn Battery Farms Into Grid Blackouts Instead, explained Cybersecurity and Infrastructure Security Agency ICS Cybersecurity Lead Matthew Rogers, CI Fortify is about what to do when cybersecurity fails. "There's just a minimum of things that we can't really afford to have fail, at least for any sustained period of time," Rogers said, referring to the most vital sectors of critical infrastructure such as water and power. CI Fortify provides guidance for industrial control system operators so they can prepare for, and rehearse, operating through a cataclysmic, successful cyberattack that cuts them off from the internet or bricks their control systems - either way destroying the ability to remotely monitor and control equipment. "We're operating on an assumed breach model here," Rogers told ISMG in an interview. CI Fortify is meant to have operators figure out how to restore systems or keep them running without relying on external connectivity or third-party providers. The agency faces challenges in rolling out CI Fortify, not least because it lacks regulatory authority and has to rely on partnerships with sector risk management agencies like the Federal Communications Commission for telecommunications and the Environmental Protection Agency for water. CISA's need to work with and through other agencies is a big challenge, said Josh Corman, executive in residence for public safety and resilience at the Institute for Security and Technology and the co-founder of the non-profit UnDisruptable27. In principle, sector agencies should only add sector specific flair to CISA guidance, Corman said. In practice, he said, some of the advice from agencies had been "at variance" with core CISA guidance. The EPA is planning a major national cybersecurity exercise for the water sector next month as part of the initiative, Rogers said, testing how the sector could manage without supervisory control and data acquisition technology. "They were calling it 'A Day Without SCADA,'" Rogers explained, "but then someone had copyrighted that," so the event will be called the EPA 2026 National Cyber Drill. The exercise will have real world and virtual tabletop elements and will be a "no phones, no internet" scenario, Rogers said. U.S. agencies have warned that the Chinese threat actor dubbed Volt Typhoon has been caught prepositioning in the networks of U.S. water and power utilities, for example in the U.S. Pacific Territory of Guam, a staging post for American forces. Separately, agencies have reported that a different threat actor, also linked to Beijing and known as Salt Typhoon, has successfully compromised the operational systems of U.S. telecommunications providers. CI Fortify means "taking a step back," said Patrick Gillespie, practice director for OT security at GuidePoint. In some cases, it might showcase the utility of systems deployed before networking became ubiquitous even in OT equipment. "OT systems have been around a lot longer than the internet," Gillepsie said. CI Fortify was aimed first at owners and operators, explained CISA's Rogers, but there was much work to be done with both equipment manufacturers as well as systems integrators, resellers and third-party providers. "The whole ecosystem needs to be on board." "We have laid out a path for what we want operators to do," Rogers said, but it would be hard for them. "It's uphill both ways in the snow. We're working with the rest of the ecosystem to try and pave the way and make it a little bit of a gentler slope for everybody." There are operational, technical and business issues to be addressed, Rogers said. In a crisis when every customer can point to a service level agreement guaranteeing a mean time to restore or recovery time objective, service providers should still prioritize, Rogers said. "The kind of crass way of saying it from the CISA perspective is, we'd really like you to prioritize the water entity or the electric utility that's supporting these other critical economic needs or critical health needs before the casino or these larger companies that are probably paying you a lot more money." From the technical point of view, newer equipment often comes with built-in cellular connectivity that is difficult to isolate from the internet. "These are the sorts of fun, technical, nitty-gritty conversations that we need workarounds for," Rogers said. "We're establishing a working group with a bunch of the OEMs to work through these problems."
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗