The federal government has a new message for the people who keep America’s water flowing and its lights on: assume hostile hackers are already inside your networks, and start planning for the day they act on it.
In May 2026, the Cybersecurity and Infrastructure Security Agency formally launched CI Fortify, a program that directs operators of critical infrastructure to prepare for cyber-induced outages tied to nation-state campaigns. The initiative is built around industrial control systems, the digital hardware and software that regulate physical processes at water treatment plants, power substations, pipelines, and factories. CISA’s decision to anchor the program in operational technology, rather than conventional IT security, reflects a hard-won lesson from the past two years: the adversaries Washington is most worried about are not stealing data. They are positioning themselves to disrupt services.
A threat picture built on named adversaries
CI Fortify did not emerge in a vacuum. It follows a string of public disclosures, beginning in late 2023, that revealed Chinese-linked hacking groups had burrowed into American infrastructure networks and stayed there for months or years without being detected.
The group known as Volt Typhoon drew the most attention after U.S. and Five Eyes intelligence agencies confirmed it had compromised communications, energy, water, and transportation systems across the country, not to steal secrets, but to maintain access that could be weaponized during a future conflict over Taiwan or another flashpoint. A second Chinese-linked group, Salt Typhoon, was later found inside major U.S. telecommunications providers, raising alarms about the security of the networks Americans rely on for 911 calls and emergency coordination.
In May 2026, the NSA and its Five Eyes partners reinforced that picture with joint guidance naming multiple China-linked threat groups that build and maintain covert infrastructure to sustain large-scale cyber operations. The advisory, backed by signals intelligence agencies from the United States, United Kingdom, Canada, Australia, and New Zealand, details how these actors exploit edge devices, compromised routers, and virtual private servers to mask their presence inside target networks. The tradecraft is designed for persistence: quiet, patient access that can be activated on command.
On a parallel track, the EPA, FBI, CISA, and NSA jointly warned water utilities about Iranian-affiliated hackers targeting their systems. That advisory, which included on-the-record statements from FBI Cyber Division leadership, highlighted the specific vulnerabilities of the water sector: aging programmable logic controllers, limited cybersecurity staffing, and remote access configurations that were never designed to withstand a determined state-backed attacker. The Iranian group CyberAv3ngers had already demonstrated its willingness to hit U.S. water systems in late 2023, when it compromised equipment at a municipal water authority in Aliquippa, Pennsylvania.
What CI Fortify actually provides
At its core, CI Fortify is a framework for thinking about a scenario most utility operators have never had to confront: what happens when a cyberattack knocks out the digital controls that run physical infrastructure, and the attack is timed to coincide with a geopolitical crisis that stretches federal response resources thin?
CISA’s published guidance asks operators to map their dependencies on industrial control systems, identify single points of failure, and develop procedures for operating critical processes manually or through backup systems if digital controls are compromised. The program sits within CISA’s industrial control systems portfolio, which gives it access to the agency’s existing relationships with sector-specific coordinating councils and information sharing organizations.
The three federal actions, CI Fortify, the NSA Five Eyes advisory, and the EPA-led water sector alert, are designed to work as interlocking pieces. CI Fortify provides the operational framework. The NSA advisory maps the adversary infrastructure that defenders need to hunt for. The water sector alert translates that intelligence into guidance tailored to a specific industry’s technology stack and staffing realities.
Significant gaps remain
For all its ambition, CI Fortify arrives with important questions unanswered.
CISA has not published a detailed implementation timeline, budget figures, or measurable performance targets. That makes it difficult to judge whether CI Fortify will function as an enforceable standard or remain voluntary guidance that individual operators can adopt or ignore. The distinction matters. When the EPA attempted in 2023 to require cybersecurity audits for public water systems through existing Safe Drinking Water Act authority, a federal court blocked the effort after legal challenges from Republican state attorneys general and water industry groups. The rule was withdrawn, leaving the water sector without a federal cybersecurity mandate.
That legal and political history hangs over CI Fortify. If the program relies entirely on voluntary participation, its reach will depend on whether operators see enough value to invest time and money in compliance. Federal cybersecurity programs aimed at the private sector have a mixed record on that front. The Transportation Security Administration’s pipeline cybersecurity directives, issued after the 2021 Colonial Pipeline ransomware attack, showed that mandates can drive rapid change, but they also drew complaints from operators about prescriptive requirements that did not fit their systems.
The scope of sector coverage is also unclear. The published CI Fortify page focuses on industrial control systems, which span energy, water, manufacturing, and transportation. But no official statement has confirmed how many sectors CISA intends to bring under the program or whether sector-specific supplements beyond the water advisory are in development.
Perhaps the most consequential gap is the bridge between classified intelligence and the operators who need to act on it. The NSA advisory describes adversary tradecraft in technical detail, but translating that information into actionable defensive steps at a rural water district or a regional electric cooperative is a different challenge. Intelligence sharing between federal agencies and private operators has improved over the past decade through programs like CISA’s Joint Cyber Defense Collaborative, yet friction persists when the most specific threat data is classified and the operators who need it most lack the clearances to receive it.
What operators should do now
Operators who want to act on CI Fortify without waiting for the program to mature have a clear starting point: review the published guidance and the associated threat advisories, then compare those recommendations against existing incident response plans. That comparison should surface specific gaps, whether that means missing backup communication channels, unclear decision-making authority during an outage, or insufficient logging on control system networks.
Water utilities should focus on the EPA-FBI-CISA-NSA advisory, which targets their specific control system weaknesses. Practical steps include segmenting industrial control devices from business networks, enforcing multifactor authentication on all remote access, and maintaining offline backups of controller configurations so that compromised devices can be restored without relying on internet-connected systems.
Energy, transportation, and manufacturing operators can apply the same logic even without a sector-specific CI Fortify supplement. The NSA’s description of covert adversary infrastructure suggests defenders should plan for slow, stealthy intrusions rather than loud, fast attacks. That assumption favors investments in anomaly detection on industrial networks, rigorous account management, and rehearsed procedures for running critical processes in a degraded state.
Smaller utilities with limited budgets face the hardest tradeoffs. For those organizations, a handful of high-impact steps can still make a meaningful difference: establishing a direct incident response contact with CISA’s regional office, running a basic tabletop exercise focused on losing remote access to key sites, and confirming that at least one manual or backup control method exists for every critical process. Over time, CI Fortify could provide a structure for building on those basics, but only if CISA delivers the practical tools, such as pre-built exercise templates, automated threat feeds, and on-site technical assistance, that resource-constrained operators need.
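The dependency-mapping exercise described above (map control system dependencies, find single points of failure, confirm a manual or backup method for every critical process) can be started on paper or in a short script. The sketch below is an added example, not part of CISA's guidance or the original article; the inventory, component names, and the rule that a process needs both a controller and an operator view are constructed assumptions.

```python
# Constructed sample inventory for a small water utility (illustrative only).
# Each component maps to the components it needs in order to run.
DEPENDS_ON = {
    "plc-chlorine": ["switch-ot"],
    "plc-pump-a": ["switch-ot"],
    "plc-pump-b": ["switch-ot"],
    "hmi-main": ["switch-ot", "historian"],
    "historian": ["switch-ot"],
    "switch-ot": [],
    "vpn-gateway": [],
}
# A process needs every listed function; a function works if ANY provider is up.
# Treating the operator view (HMI) as required is an assumption of this sketch.
PROCESSES = {
    "chlorine-dosing": {
        "needs": {"control": ["plc-chlorine"], "view": ["hmi-main"]},
        "manual_fallback": True},
    "distribution-pumping": {
        "needs": {"control": ["plc-pump-a", "plc-pump-b"], "view": ["hmi-main"]},
        "manual_fallback": False},
}

def failed_set(component):
    """Return the component plus everything that transitively depends on it."""
    down = {component}
    changed = True
    while changed:
        changed = False
        for name, deps in DEPENDS_ON.items():
            if name not in down and any(d in down for d in deps):
                down.add(name)
                changed = True
    return down

def process_survives(proc, down):
    """True if every required function still has at least one working provider."""
    needs = PROCESSES[proc]["needs"].values()
    return all(any(p not in down for p in providers) for providers in needs)

def single_points_of_failure():
    """Map each component to the processes that stop if it alone is lost."""
    hits = {c: [p for p in sorted(PROCESSES) if not process_survives(p, failed_set(c))]
            for c in DEPENDS_ON}
    return {c: procs for c, procs in hits.items() if procs}

def unprotected_outages():
    """(component, process) pairs with a single point of failure and no manual fallback."""
    return sorted((c, p) for c, procs in single_points_of_failure().items()
                  for p in procs if not PROCESSES[p]["manual_fallback"])
```

In this constructed inventory the redundant pump controllers are not single points of failure, but the shared OT switch, historian, and HMI are, and distribution pumping has no manual fallback for any of them.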
A framework still waiting for proof
The federal government is now speaking with unusual clarity about a specific scenario: hostile states leveraging pre-positioned access to American infrastructure during a geopolitical crisis. CI Fortify gives that warning a name and a structure. The Five Eyes advisory and the water sector alert give it specificity.
What none of these documents can provide yet is evidence that the framework works. No independent assessment of CI Fortify’s effectiveness has been published. No data on operator enrollment or adoption rates is available. The program’s real test will come not from the quality of its guidance but from whether utilities across the country actually change how they build, monitor, and defend the systems that millions of people depend on every day. Until that evidence emerges, CI Fortify represents a serious and overdue federal commitment, but one whose impact remains to be measured.
*This article was researched with the help of AI, with human editors creating the final content.