CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 18, 2026

CISA Urges OT Resilience in Dark Remarks About Cyberattacks

Data Breach Today Archived Jun 18, 2026 ✓ Full text saved

Vital Service Providers Need a Plan to Work Through Internet Outages, CISA Says Critical U.S. infrastructure like water, power and even banking systems will be successfully hacked by enemy cyber warriors in the event of a military confrontation with a peer adversary like Russia or China, officials from the nation's civilian cyber defense agency said.

Full text archived locally
✦ AI Summary · Claude Sonnet


    Critical Infrastructure Security , Governance & Risk Management , Operational Technology (OT) CISA Urges OT Resilience in Dark Remarks About Cyberattacks Vital Service Providers Need a Plan to Work Through Internet Outages, CISA Says Shaun Waterman • June 18, 2026     Credit Eligible Get Permission What happens to critical infrastructure if it all goes down? (Image: Shutterstock) Critical U.S. infrastructure like water, power and even banking systems will be successfully hacked by enemy cyber warriors in the event of a military confrontation with a peer adversary like Russia or China, officials from the nation's civilian cyber defense agency said. See Also: How Cyberattacks Can Turn Battery Farms Into Grid Blackouts That means utilities must learn to operate at some level, for some time without reliable internet connectivity or the technology it enables, they said. "Every one of us is operating right now on the front lines of a war that is never going to be declared," Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, told a security conference in Washington, D.C. Wednesday (see; Cyberspace Locked in a Nation-State Contest, Says NCSC CEO). And, he made clear, it isn't a war America is winning. In the event of a confrontation, "We are going to see severe disruptions to civilian infrastructure," he warned. It's hardly news that America's adversaries are seeking to establish cyber toe-holds in the computer systems of the companies that provide critical services like power and water, but the darker tone of Andersen's comments represents a new focus by his agency: Ensuring those companies, or at least the most important of them, can somehow continue to operate without external connectivity in the event of successful cyberattacks. The online attacks, and their cumulative impact, will shake Americans' faith in their critical services like healthcare, power supplies and law enforcement, Anderson told Critical Effect, an annual gathering of operational technology and industrial control systems security specialists, engineers and advocates. "It's going to have a significant psychological impact on the safety of the American people, and their trust that they [can] count on the lights to come on" whenever they flick a switch, he predicted. Even the U.S. financial system, generally considered the most cyber-secure of all private sectors, may not be entirely reliable in such a crisis, he said. "It might be okay for us to have a local bank branch that's down for a couple of weeks [or] maybe a couple of these ATMs aren't available," he said. The key was to maintain faith in the system overall, he said. "Maybe I can't log on to my bank's website right now, but you know what, the whole payment processing system is going to be secure. The bond auction system is going to continue to operate. The things that are the core and critical underpinnings of our economy," Andersen said. For OT owners and operators, explained the agency's ICS Cybersecurity Lead Matthew Rogers, the working assumption of CISA's new CI Fortify initiative, is "your third-party links that you rely on, your leased fiber lines, your … networks, all these vendor connections that you have to have just to operate a normal business, could potentially be unreliable." The aim was to get way beyond initiatives like Shields Up, Rogers told the conference. "It's not necessarily useful to tell people to do the kind of standard cybersecurity practices that we wish they'd been doing anyway," he said. Instead, he called for "real emergency planning." "I'm not a luddite. I'm not saying go back to manual everything," he told ISMG in a brief interview after his remarks. "It's more: In the event of an emergency, do you have those capabilities on hand?" In an era where increasing automation was the norm and a generational turn over meant the departure of a cohort of engineers with the skills to operate systems manually, "How do we make sure that there's that little pocket of 'We could still operate if we needed to in a degraded state?'" CISA was doubling down on CI Fortify, he added, moving staff who had been working on other OT assessments to the new initiative. "All of our OT resources are going towards … CI Fortify," Rogers said. CISA staff will conduct somewhere between 75 to 100 CI Fortify assessments over the next year, he said, aimed at preparing the assessees for a "functional test" of their ability to operate in isolation, cut off from reliable broadband internet connectivity. The EPA is planning a major national cybersecurity exercise for the water sector next month as part of the initiative, Rogers said, testing how the sector could manage without supervisory control and data acquisition technology. Given the scale of critical infrastructure - 50,000 water utilities serve residential communities in the United States - the number of assessments is a "drop in the bucket," acknowledged Rogers. He said the plan was to "democratize" the assessment process. After "five or ten" assessments, conducted to test out the agency's approach, it would publish the assessment materials. Andersen, Rogers and event organizers repeatedly used the term "ruthless prioritization" to describe the triage process critical service providers needed to think through as part of the planning process: If only a certain amount of water or power is available, who should get it? "We are not necessarily having the difficult conversations of 'is it the trauma center, is it the dialysis center, or is it the military base?'" said Rogers, "The goal and the point of emergency planning is to try and make it so you don't have to make those hard choices." But if those difficult conversations do have to take place, the military bases may win out, said retired Navy Adm. Mark Montgomery. Prioritization decisions in a conventional crisis like a weather disaster are typically driven by a mix of national security, economic and public health and safety factors, he told a panel discussion. Montgomery was executive director of the congressionally chartered Cyberspace Solarium Commission and now leads CSC 2.0, a nonprofit that tracks the implementation of its recommendations. In a military confrontation, where a loss of critical services was part of an attack designed to prevent the U.S. from responding, national security considerations were likely to win out. "If this is done by a nation state as part of a larger crisis that's going on, that's going to win," he said. Andersen argued that public opinion was likely to be less forgiving of the government response to a cyberattack than it was to the handling of a weather disaster. "When it's a natural disaster, like a hurricane that hits us, we naturally become a little bit more lenient," he said. The public understands "It's going to take a little while. We're going to have to send out road crews … We're going to have to send out linemen to do the hard work restoring the lines, we're going to send people out with water bottles in cargo pallets to distribute water in the meantime." He said the government wouldn't enjoy "the same level of kindness and understanding from the public when it comes to a cyber incident. We're going to have a lot of people who are going to look at us and go, 'I don't understand. Can't you just turn it off and turn it on again?'"
    💬 Team Notes
    Article Info
    Source
    Data Breach Today
    Category
    ◇ Industry News & Leadership
    Published
    Jun 18, 2026
    Archived
    Jun 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗