Security

What CISA’s CI Fortify Initiative Means for State and Local Governments

The Department of Homeland Security program helps agencies prepare critical infrastructure for disruptive cyberattacks and emergencies.

Matt Harper

Matt Harper is Field CIO and Executive Technology Strategist at CDW.

For years, critical infrastructure cybersecurity conversations have focused on familiar threats: ransomware, phishing attacks and account compromises. Those risks remain very real, but the Cybersecurity and Infrastructure Security Agency’s CI Fortify initiative is a reminder that state and local government leaders also need to prepare for something larger.

CI Fortify encourages critical infrastructure operators and public sector organizations to think beyond routine cyber incidents and consider the possibility of attacks designed to disrupt essential services at scale. That shift in thinking is important because today’s cyberthreat environment increasingly includes nation-state actors whose goals may not be financial gain, but disruption itself.

For state and local governments, the stakes are high. Public utilities, water systems, transportation networks and emergency services all rely on interconnected operational technology (OT) and digital infrastructure. If those systems are interrupted, the consequences extend far beyond IT.

The challenge is that many organizations still separate cybersecurity planning from emergency management planning. Traditionally, emergency response exercises focused on physical or kinetic events, while IT teams handled digital incidents separately. CI Fortify creates an opportunity to bridge those conversations.

A cyberattack against operational technology is not just a technology problem. It is also a public safety problem, a communications problem and potentially a logistics problem. Governments need to think through some difficult questions: What happens if a utility cannot remotely operate equipment? What if citizens lose confidence in the safety of drinking water? How will agencies communicate if networks are overloaded or unavailable? Is there a plan for offline access to critical documentation during an event?

These are the kinds of scenarios tabletop exercises are designed to explore, and they become even more important as IT and OT environments continue to converge.

Click the banner below to consider elements of a successful cybersecurity strategy.

Infrastructure Protection Requires Integrated IT and OT Security

For years, many organizations attempted to air gap critical systems by keeping them disconnected from broader networks. In practice, however, most operational environments eventually became connected because organizations wanted access to data for operational efficiency, analytics and business decision-making. That connectivity created new opportunities, but it also introduced new attack surfaces.

CI Fortify is a useful reminder for agencies to revisit the technology decisions they have made around critical infrastructure. That does not necessarily mean disconnecting systems entirely. It means taking a thoughtful approach to segmentation, resilience and operational continuity. Agencies should evaluate which functions are truly mission-critical, what can operate manually during an outage and how systems can be isolated if necessary.

Preparedness also requires agencies to think differently about risk.

In cybersecurity, organizations often focus heavily on prevention, but critical infrastructure resilience also depends on understanding impact and velocity. If a disruption occurs, how severe would the consequences be? How quickly could the situation escalate? Would agencies have minutes to respond, or weeks?

Those questions matter because attacks against critical infrastructure are fundamentally different from traditional cybercrime. In some cases, the objective may not be to steal information or collect ransom payments. The objective may be to create confusion, panic or operational disruption.

We have already seen examples globally of cyberattacks targeting infrastructure systems in ways that caused lasting operational damage. In some incidents, attackers did not simply disable systems temporarily. They rendered devices unusable, forcing organizations to replace physical equipment and navigate difficult supply chain challenges.

That kind of disruption changes the entire response model.

Infrastructure Resilience Depends on Planning Beyond Technology

State and local governments are not just responsible for restoring technology services. They also have to manage the public response. During any major disruption, citizen behavior can complicate recovery efforts. Communications networks may become overwhelmed. Transportation systems may experience congestion. Fuel, utility and emergency response operations can all be affected simultaneously.

No agency can plan for every possible scenario, but agencies can prepare the fundamentals. That includes establishing clear incident command structures, improving communication plans, identifying trusted partners, and conducting regular cross-functional exercises that include both technology and emergency management stakeholders.

The CI Fortify initiative is valuable because it encourages organizations to think about resilience at a broader level. It pushes agencies to consider not only how they will defend systems, but also how they will continue operating during periods of uncertainty or disruption.

For state and local governments, that mindset is becoming increasingly important. Cybersecurity is no longer only about protecting data. It is about resilience of the essential services citizens rely on every day.

This article is part of StateTech’s CITizen blog series.