On May 6, 2026, CISA unveiled CI Fortify — a new initiative designed to prepare critical infrastructure operators for the specific threat scenario the agency is now treating as a planning baseline: a geopolitical conflict involving coordinated cyberattacks that sever connections to cloud services, telecommunications networks, and third-party service providers.

This is a meaningful shift from how CISA has historically framed its guidance. Previous frameworks focused primarily on hardening systems against intrusion. CI Fortify starts from the assumption that intrusion will occur — or that the threat environment will force disconnection from normal operating dependencies — and asks operators to demonstrate that they can sustain essential functions anyway.

The practical implications for critical infrastructure security programs are significant. So are the career implications for the professionals who work in this space.

What CI Fortify Actually Requires

The initiative is organized around two planning objectives that CISA is calling Isolation and Recovery.

Isolation covers the capability to proactively disconnect critical operational technology from third-party networks, cloud services, business IT systems, and internet connectivity — and continue operating in that disconnected state. The scenario CISA is planning for is one where maintaining connectivity creates more risk than losing it: a situation where connected systems are actively being attacked through third-party vectors, or where a geopolitical escalation makes maintaining external connections untenable.

For most critical infrastructure operators, this is an uncomfortable capability gap. Modern water treatment facilities, transportation management systems, power distribution networks, and similar infrastructure have become increasingly dependent on cloud-based monitoring, vendor remote access, centralized data systems, and internet-connected industrial control systems. The benefits of connectivity — remote monitoring, predictive maintenance, vendor support, operational efficiency — are real. The assumption that connectivity is continuous and safe is the problem.

Isolation planning requires operators to document exactly which functions depend on which external connections, identify what breaks when those connections are lost, and build operational procedures for maintaining essential functions in a degraded or fully disconnected state.
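The dependency mapping described above can be kept as data and queried, as in this added example (not CISA's or any operator's code). The site, component names and dependency structure are all constructed assumptions; the script reports which essential functions stay up, run on a fallback, or break when a set of external links is cut.

```python
# Added example: constructed inventory for a hypothetical water-treatment site.
# Every component name below is illustrative, not taken from CISA guidance.
EXTERNAL = {"internet", "cloud_monitoring", "vendor_vpn", "business_it"}

# component -> requirement groups. Every group must be met; a group is met
# when ANY member is available (extra members model a local fallback).
DEPENDS = {
    "cloud_monitoring": [["internet"]],
    "vendor_vpn": [["internet"]],
    "alarm_paging": [["cloud_monitoring"]],
    "chlorine_dosing": [["plc_chlorine"], ["local_hmi", "manual_dosing_sop"]],
    "operator_alarms": [["alarm_paging", "local_hmi"]],
    "setpoint_updates": [["vendor_vpn"]],
}
ESSENTIAL = ["chlorine_dosing", "operator_alarms", "setpoint_updates"]


def available(component, severed, _seen=frozenset()):
    """True if the component still works once `severed` links are cut."""
    if component in severed or component in _seen:  # cut, or a dependency loop
        return False
    seen = _seen | {component}
    return all(any(available(alt, severed, seen) for alt in group)
               for group in DEPENDS.get(component, []))  # unlisted = on-site leaf


def isolation_report(severed):
    """Classify each essential function as ok, degraded (on fallback) or broken."""
    report = {}
    for fn in ESSENTIAL:
        unmet, fallback = [], []
        for group in DEPENDS[fn]:
            up = [alt for alt in group if available(alt, severed)]
            if not up:
                unmet.append(group)
            elif len(up) < len(group):
                fallback.append(up)
        status = "broken" if unmet else "degraded" if fallback else "ok"
        report[fn] = {"status": status, "unmet": unmet, "fallback": fallback}
    return report


if __name__ == "__main__":
    for fn, result in isolation_report(EXTERNAL).items():
        print(fn, result)
```

Cutting only `internet` still breaks `setpoint_updates` in this sample, because the vendor VPN depends on it transitively; each `broken` entry marks a function that needs a documented offline procedure.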

Recovery covers the capability to restore systems to normal operation following a cyber event that has corrupted, disabled, or destroyed operational technology systems. This requires current documentation of all systems and configurations, tested backup and restore procedures, inventory of backup parts and components for critical equipment, and — critically — procedures for transitioning from automated to manual operations when digital systems are unavailable.

The manual operations piece is particularly significant. Many infrastructure systems have lost their manual operating procedures over decades of automation. Operators who have only ever worked with computerized systems may not know how to operate the underlying physical processes without digital control. CI Fortify is asking operators to document and practice those procedures before they need them in a crisis.

The Assessment Component

CISA has announced that it will conduct targeted assessments of how prepared specific critical infrastructure organizations are to meet CI Fortify’s objectives. The priority population for these assessments is “defense critical infrastructure” — systems that are crucial to military forces and operations, including dams, radars, weapon systems, satellite communications, and other facilities.

This assessment process creates a compliance dynamic that will drive hiring. Organizations that receive a CISA assessment and score poorly will need to build programs to close the gaps. Organizations that anticipate assessments will want to build those programs before the assessment arrives. Either way, the practical outcome is demand for professionals who understand how to build, test, and document resilient operational technology environments.

The guidance also calls on industrial automation control system vendors, managed service providers, and security vendors to support critical infrastructure in planning for emergency scenarios. This extends the hiring effect upstream to the vendor ecosystem, not just the operators themselves.

The OT/ICS Security Opportunity

The career lane this creates is specific: operational technology security specialists who understand both the cybersecurity dimensions of industrial control systems and the operational realities of the physical infrastructure those systems control.

This is a role that requires bridging two worlds that have historically operated separately. IT security professionals understand network architecture, threat modeling, incident response, and vulnerability management. OT engineers understand PLCs, SCADA systems, HMIs, industrial protocols, and the physical consequences of disrupting process control. The professionals who have genuine fluency in both are rare, in demand, and becoming more so.

CI Fortify specifically creates demand for the following specializations:

OT incident response — Responding to cyberattacks in industrial environments is fundamentally different from IT incident response. Containment decisions in an OT environment must account for physical safety, process continuity, regulatory requirements, and the difficulty of taking industrial systems offline. CISA’s emphasis on Recovery planning means organizations need people who know how to execute a controlled restoration of operational technology following a cyber event.

Resilience engineering for ICS — Designing OT environments to maintain essential functions during disruption requires understanding of network segmentation, data diode implementations, unidirectional security gateways, historian architectures, and the specific redundancy patterns used in industrial environments. This is a specialized design competency that is distinct from general security architecture.

ICS/SCADA vulnerability assessment — Evaluating the attack surface of industrial control systems, identifying paths that could allow an attacker to reach operational technology from business networks, and quantifying the risk of specific vulnerabilities in an OT context. Most security assessment firms do not have staff who can do this credibly.

Backup and manual operations documentation — Less glamorous but directly relevant: the work of documenting manual operating procedures, validating backup configurations, testing restore processes, and building the technical runbooks that operators need to function in a degraded state. This work is labor-intensive, requires deep system knowledge, and will be in demand across every operator that takes CI Fortify seriously.

Vendor risk management for OT — CI Fortify’s guidance covers the vendor ecosystem. Organizations running third-party remote access connections into OT environments, using cloud-based monitoring, or depending on vendor support for critical systems will need to evaluate those relationships and build plans for operating without them. Vendor risk management with OT-specific expertise is a niche within a niche.

Why This Lane Has Structural Protection

The CI Fortify-driven opportunity in critical infrastructure security has characteristics that make it structurally more stable than other security hiring markets.

Regulatory anchor. CI Fortify is a CISA initiative backed by federal mandate authority. Critical infrastructure operators in the priority sectors face real assessment pressure. This is not market-driven demand that can disappear when a CFO decides to cut security budgets — it is compliance-driven demand tied to federal oversight programs.

Geographic presence requirement. Critical infrastructure security work for water utilities, power facilities, transportation systems, and defense-supporting operations requires on-site presence. This work cannot be offshored and cannot be done remotely in any meaningful way. In an environment where geographic portability is a layoff risk factor, physically rooted work has a structural advantage.

Clearance pathway. Defense critical infrastructure work frequently requires or benefits from security clearances. The CI Fortify priority population includes facilities directly supporting military operations. Professionals who hold or can obtain security clearances have access to a hiring market with demand that substantially exceeds supply.

Long replacement cycles. Industrial control systems in critical infrastructure have operational lifespans measured in decades. The expertise required to work with them — understanding legacy protocols, equipment that predates cybersecurity awareness, physical process interdependencies — accumulates slowly and is difficult to acquire outside of hands-on experience. This creates durable value for practitioners who invest in the specialization.

Getting Into the Field

For security professionals considering the critical infrastructure lane, the entry points are specific.

The ICS/SCADA security certifications with the most signal value in this market are GICSP (Global Industrial Cyber Security Professional) from GIAC, the ISA/IEC 62443 Cybersecurity Certificate Program from the International Society of Automation, and CISA’s own free ICS training through the Idaho National Laboratory curriculum. The INL courses in particular cover the technical specifics that CI Fortify is concerned with — detection, response, and resilience for operational technology environments.

Hands-on lab experience matters enormously in this space. Employers in critical infrastructure security are skeptical of credentials without demonstrated practical experience. If you are transitioning from IT security, find ways to work with actual OT hardware — many community colleges with industrial automation programs will allow access to PLCs and SCADA simulators, and purpose-built ICS cyber training ranges exist at several universities and government training facilities.

The CI Fortify initiative is explicitly a warning about what CISA believes is coming. Taking it seriously as a career signal means positioning in a space where the threat is real, the regulatory pressure is real, the demand for qualified practitioners exceeds supply, and the work has structural characteristics that make it resistant to the forces compressing other parts of the security market.

That combination is not common. It is worth paying attention to.