
CI Fortify Defines Isolation as a Core OT Capability. Most Remote Access Architecture Cannot Satisfy It by Design
CISA published the CI Fortify framework last week, and it changes the regulatory expectation for critical infrastructure operators in a way that should reach procurement teams quickly.
The planning assumption is the part worth reading carefully. CISA states that in a conflict scenario, third-party connections (telecommunications, internet, vendors, service providers) will be unreliable, and that nation-state actors will already have access to the OT network. The framing is not "how do we prevent intrusion" anymore. It is "how do we operate after one."
CI Fortify asks operators to demonstrate two capabilities: isolation and recovery. Isolation means deliberately severing third-party connections and operating in an isolated mode for weeks or months. CISA is conducting targeted assessments to evaluate whether operators actually have this capability, not just whether they describe it in policy.
This creates a concrete architectural question for procurement. VPN, ZTNA, and software PAM gateways all satisfy the isolation requirement procedurally. You can disable a tunnel, revoke a policy, shut down a gateway. But the network path between remote users and OT assets exists until someone executes that procedure. If the attack that triggered the need to isolate has disrupted operations or the management plane, the procedure may not run.
Hardware-enforced non-IP remote access works differently. There is no IP path between the remote operator and the OT asset to begin with: only rendered pixels cross outbound, and only keyboard and mouse input crosses inbound. The isolation CI Fortify expects operators to build as a capability is the default operating state.
For energy, water, transport, and defense industrial base operators preparing for CI Fortify assessments, the remote access architecture decision made now is the isolation capability decision. There is no policy layer that converts a connected architecture into a structurally isolated one.
Full breakdown of the structural vs. reactive isolation distinction: https://www.zeroport.com/blog/cisa-ci-fortify-isolation
#OTSecurity #CriticalInfrastructure #CIFortify #ICS #IndustrialCybersecurity