On May 5, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) released its CI Fortify initiative, new guidance instructing electric utilities and other critical infrastructure (CI) operators to plan for a geopolitical crisis in which their operational technology (OT) networks are actively compromised and/or their connectivity to telecommunications, internet, vendors, and service providers is gone.
The program’s core planning assumption is blunt: in a conflict scenario, threat actors will already have some level of access to your utility’s OT network, and you cannot count on outside help to restore it.
CI Fortify is not routine agency guidance. It is the federal government’s formal acknowledgment that a destructive, nation-state cyberattack against U.S. utilities and other critical infrastructure is a realistic near-term contingency that operators must begin planning for today. This is a significant escalation in official posture, and the power industry should take note.
What the Guidance Requires
CI Fortify organizes around two emergency planning objectives: isolation and recovery.
Isolation means proactively disconnecting OT systems from third-party and business networks to limit the impact of a cyber incident while sustaining essential service delivery in a degraded communications environment. The objective is to keep delivering essential services while disconnected from external networks, not to power down defensively. Operators are directed to identify priority customers, including military infrastructure and lifeline services, set service delivery targets based on their needs, and update business continuity plans and engineering processes to allow for “safe operations for weeks to months while isolated.”
Recovery addresses what happens if isolation fails: documenting systems, backing up critical files, and practicing the replacement of systems or transition to manual operations. CISA also flags an underappreciated dependency issue, noting that licensing servers and business network connections may be required to restore systems, and operators need plans for those specifically.
CISA is already conducting targeted assessments, prioritizing defense-critical infrastructure, with a pilot phase underway. For utilities running cloud-connected supervisory control and data acquisition (SCADA) systems, vendor-managed protection relays, or historian platforms with real-time feeds to third parties, the gap between current architecture and CI Fortify’s objectives is likely significant.
The Threat Context Behind the Guidance
Iran represents the most immediate concern. Islamic Revolutionary Guard Corps (IRGC)-linked cyber units have demonstrated willingness to deploy data-wiping malware against multiple organizations simultaneously, show sustained interest in OT environments, and have largely abandoned the restraints that once characterized nation-state cyber operations.
China and Russia are more sophisticated: both have invested in long-term pre-positioning inside Western grid infrastructure. Beyond nation-states, criminal extortion groups and politically aligned hacktivists are acquiring tools capable of operational disruption, from weaponized ransomware to wiper malware. The line between criminal, hacktivist, and state-directed activity is increasingly difficult to draw.
Artificial intelligence (AI) is accelerating all of it, enabling more systematic scanning for exposed OT interfaces and faster operationalization of newly disclosed vulnerabilities across environments that were historically difficult to attack at scale.
Operational Priorities for Power Operators
CI Fortify’s framework translates into several concrete actions for utilities and independent power producers.
Map OT Connectivity and Dependencies. Start with CISA’s core question: how long can you operate without external connectivity? Answering it requires an accurate picture of every third-party connection to your OT environment. Most utilities assume more isolation than they actually have, and the audit frequently surfaces undisclosed connections that represent immediate exposure.
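One way to run the connectivity audit described above, written here as an added example rather than code from CISA or the article: observed boundary flows are reconciled against the utility's own register of declared third-party connections, surfacing undisclosed links, dependencies such as licensing servers that would break under isolation, and stale register entries. All addresses, service names, and register entries are constructed for illustration.

```python
"""Reconcile observed OT-boundary flows against the declared connection register.

Added example (not from CISA or the article). All addresses, services and register
entries below are constructed for illustration.
"""

# Constructed sample of flows seen crossing the OT boundary (e.g. exported from a
# boundary firewall). 10.20.0.0/16 is assumed to be the OT network.
OBSERVED_FLOWS = [
    {"src": "10.20.1.15", "dst": "203.0.113.40", "port": 443, "svc": "historian-cloud-feed"},
    {"src": "198.51.100.7", "dst": "10.20.5.2", "port": 3389, "svc": "relay-vendor-rdp"},
    {"src": "10.20.2.9", "dst": "10.50.0.12", "port": 27000, "svc": "ems-license-server"},
    {"src": "10.20.3.3", "dst": "192.0.2.88", "port": 502, "svc": "modbus-to-partner"},
    {"src": "10.20.1.15", "dst": "10.50.0.30", "port": 514, "svc": "syslog-to-siem"},
]

# Constructed register: what the utility believes is connected, whether the link is
# needed to keep operating while isolated, and the documented fallback if it is.
REGISTER = {
    ("10.20.1.15", "203.0.113.40", 443): {
        "owner": "historian vendor", "required_isolated": False, "fallback": None},
    ("198.51.100.7", "10.20.5.2", 3389): {
        "owner": "relay vendor", "required_isolated": False, "fallback": None},
    ("10.20.2.9", "10.50.0.12", 27000): {
        "owner": "EMS licensing", "required_isolated": True, "fallback": None},
    ("10.20.1.15", "10.50.0.30", 514): {
        "owner": "corporate SOC", "required_isolated": True, "fallback": "local log retention"},
    ("10.20.4.4", "10.50.0.99", 22): {
        "owner": "retired jump host", "required_isolated": False, "fallback": None},
}


def audit(flows, register):
    """Sort boundary connections into the buckets isolation planning needs."""
    result = {"undisclosed": [], "isolation_blockers": [], "planned": [], "stale": []}
    seen = set()
    for f in flows:
        key = (f["src"], f["dst"], f["port"])
        seen.add(key)
        entry = register.get(key)
        if entry is None:
            # Traffic nobody declared: immediate exposure to investigate or cut.
            result["undisclosed"].append(f["svc"])
        elif entry["required_isolated"] and entry["fallback"] is None:
            # Needed to operate but no plan for losing it (e.g. licensing servers).
            result["isolation_blockers"].append((f["svc"], entry["owner"]))
        else:
            result["planned"].append(f["svc"])
    # Register entries with no matching traffic: documentation drift to clean up.
    result["stale"] = [k for k in register if k not in seen]
    return result


if __name__ == "__main__":
    for bucket, items in audit(OBSERVED_FLOWS, REGISTER).items():
        print(f"{bucket}: {items}")
```

Each item in isolation_blockers is a connection that needs a recovery plan before the isolation procedure can be exercised; each undisclosed item is a connection that was never in the picture at all.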
Build and Exercise Isolation Procedures. Document and practice disconnecting from external networks while maintaining generation dispatch, load management, and protection coordination. Which substations can island? What are the manual fallbacks for SCADA-dependent functions? These questions require engineering analysis and operator training, not just a plan on paper.
Prioritize “N-Day” Patching on Externally Accessible Systems. Identify unpatched vulnerabilities on systems with vendor remote access or internet adjacency. Where patching is not operationally feasible, implement compensating controls: network segmentation, strict allowlisting of remote access sessions, and enhanced logging on OT-adjacent systems.
Enforce Least-Privilege on All Vendor Access and Harden Against Spearphishing. Third-party vendor connections and targeted phishing of engineers and OT administrators are among the most reliable initial access vectors. Implement just-in-time vendor access with defined time windows, require multi-factor authentication (MFA) on all remote sessions, and ensure security awareness training reflects OT-specific threats.
Develop Out-of-Band Communications Capability. CI Fortify anticipates telecommunications disruption as a deliberate tactic, not just collateral damage. Establish redundant communications paths with neighboring utilities, balancing authorities, independent system operators (ISOs), and priority customers that function independently of commercial telecommunications.
Pursue CISA’s Assessment Program. CISA is conducting targeted resilience assessments, prioritizing defense-critical infrastructure. Organizations serving military installations or other national security-relevant loads should proactively engage at cisa.jcdc@cisa.dhs.gov.
What CI Fortify Represents
CI Fortify is the federal government’s formal acknowledgment that destructive attacks on critical infrastructure are no longer a tail risk to be modeled; they are now an operational planning assumption.
The adversaries driving that conclusion have demonstrated both intent and capability: Iran’s IRGC units deploying wipers with little warning, China’s Volt Typhoon embedded inside U.S. utility networks for months, Russia’s Sandworm hitting European grid infrastructure as recently as December 2025. What CI Fortify adds is a concrete operational framework that translates that intelligence picture into specific requirements. Power operators should treat it as such.
—JP Castellanos is the director of Threat Intelligence at Binary Defense, a former member of U.S. Central Command’s Active Cyber Defense Team, and a volunteer member of the U.S. Marine Corps Cyber Auxiliary (MCCA). Castellanos previously worked in the U.S. energy sector supporting security operations center threat intelligence. He is an expert in cyber threats targeting information technology and operations technology systems.