CISA’s ‘CI Fortify’ Aims to Secure Critical Infrastructure During Conflicts
The federal government’s top cybersecurity agency is calling on critical infrastructure (CI) organizations to strengthen their environments now to protect against intrusions by nation-state agents in the event of a future “wider geopolitical conflict.”
CISA officials are urging such organizations – including those in such sectors as transportation, water, telecommunications, and energy – to start investing in technology focused on isolation and recovery capabilities to guard against the possibility of foreign adversaries interrupting communications and interfering with control systems.
“In a geopolitical crisis, the critical infrastructure organizations Americans rely on must be able to continue delivering – at a minimum – crucial services,” CISA Acting Director Nick Andersen said in a statement introducing the agency’s CI Fortify effort. “They must be able to isolate vital systems from harm, continue operating in that isolated state, and quickly recover any systems that an adversary may successfully compromise.”
Iran War Brings Cyber Threats
Such threats have been detected in the wake of the U.S. and Israel attacks on Iran that began on February 28. CISA, the FBI, and other agencies warned last month that Iranian-backed threat groups like CyberAv3ngers are targeting U.S. critical infrastructure. Future conflicts likely would lead to similar efforts by adversaries.
In such an event, operators of critical infrastructure – the government lists 16 sectors deemed critical infrastructure, including healthcare, nuclear facilities, and food and agriculture – need to assume that third-party connections like telecommunications, the internet, and service providers will be unreliable and that bad actors will have access to operational technology (OT) networks.
Efforts now to strengthen isolation and recovery capabilities will help mitigate the threat later, according to CISA.
Hard Lessons Learned
The federal government and critical infrastructure operators over the past several years have gotten an education in what adversaries like China and Iran can do. China in particular has become a concern, with state-sponsored groups like Volt Typhoon, Salt Typhoon, and Flax Typhoon running espionage campaigns aimed at establishing persistence in the networks of critical infrastructure organizations and government agencies.
In the case of Volt Typhoon, the hackers in 2024 were detected hiding in the networks of critical infrastructure companies, essentially lying in wait to disrupt operations should a conflict between the United States and China break out. Meanwhile, Salt Typhoon was found to have infiltrated the networks of major telecommunications companies in the United States and other countries as part of a sprawling cyber espionage campaign.
More recently, such groups were found using the Brickstorm backdoor to quietly access networks and systems of U.S. companies in areas such as technology, software-as-a-service (SaaS), and legal services, as well as using massive botnets for their cyber espionage campaigns.
CyberAv3ngers and other Iran-backed groups were targeting critical infrastructure, particularly water systems, even before the war.
Isolation and Recovery
On isolation, CISA is urging operators to identify their “critical customers,” such as the military and lifeline services, to identify the OT and other infrastructure those customers depend on so it can be isolated, and to update continuity plans and engineering processes so that systems can operate safely for weeks or months while cut off from outside connections.
On recovery, CISA wants operators to document their systems, back up critical files, and practice both replacing compromised systems and shifting to manual operation in case isolation fails.
Zero Trust, Segmentation Also Needed
Xage Security CEO Duncan Greatwood applauded the focus on isolation and recovery, “particularly as critical infrastructure is increasingly in the crosshairs of geopolitical tension and AI accelerates how quickly vulnerabilities can be exploited.”
Greatwood noted CISA’s call last month for OT organizations to adopt zero-trust technologies as a key step for resiliency, but also stressed the need for network segmentation as well, saying that if organizations lose control within their environment, isolation won’t be enough.
“The organizations that will be most successful are those that layer control and containment into their environment, allowing them to limit the impact of an attack and keep services running, rather than relying on patching and human-driven recovery after disruption has already occurred,” he said.