The Difference Between Incident & Catastrophe
CISA says adversaries are pre-positioned in US critical infrastructure. Does anyone care?
A few weeks ago, CISA released CI Fortify: Strengthening Resilience Across Critical Infrastructure.
Its planning assumption is boldly stated, and blunt:
adversaries are already pre-positioned in US critical infrastructure
third-party connections may be unreliable during a conflict
operators need to be ready to sustain essential services while operating in a degraded, disconnected, or partially compromised environment
The same week, a major OT security vendor teased an upcoming product launch.
Within three hours, a single teaser post had more than double the engagement of the top CI Fortify post from the prior three weeks.
Sit with that for a moment, because the contrast says a lot about the direction and attention of the ICS/OT cybersecurity community.
The ICS/OT cybersecurity ecosystem’s markets, conferences, regulation and capital are structurally tilted toward defense: preventing, detecting, and mitigating attacks. Defense matters; it always has. But defense without resilience is a half measure. And resilience without defense is useless.
The gap between a community that can detect a compromise and one that can operate through it is what separates an incident from a catastrophe.
That’s what CI Fortify is about.
What CI Fortify Is Actually Saying
CI Fortify is voluntary guidance, but it sets a baseline that raises expectations for boards, executives, and legal teams in future regulatory examinations, insurance disputes, or litigation.
It organizes around two emergency planning capabilities: isolation and recovery.
Isolation means proactively disconnecting OT systems from third-party and business networks while continuing to deliver essential services.
Operating through compromise:
Identify priority customers (including military installations and lifeline services)
Set minimum service delivery targets the operator can sustain while isolated for weeks to months
Recovery for when isolation isn’t enough:
Document how systems operate
Back up critical files
Practice the replacement of systems or transition to manual operations
CI Fortify is grounded in specific, documented intelligence.
In February 2024, CISA, NSA, and the FBI issued Joint Advisory AA24-038A, assessing with high confidence that Volt Typhoon, a PRC state-sponsored group, had been pre-positioning on IT networks to enable lateral movement to OT assets and disrupt functions across communications, energy, transportation, and water systems.
The advisory confirmed the group had maintained footholds in critical infrastructure environments for at least five years.
FBI Director Christopher Wray, in congressional testimony that January, called it “the defining threat of our generation.” Former CISA Director Jen Easterly said the confirmed compromises were “likely the tip of the iceberg.”
In April 2024, Wray told Vanderbilt University that Volt Typhoon had targeted 23 pipeline operators and was developing the ability to “physically wreak havoc on our critical infrastructure at a time of its choosing.”
In April 2026, six federal agencies confirmed active Iranian-affiliated exploitation of internet-facing OT devices across water, energy, and government services sectors, resulting in operational disruptions and financial losses.
Multiple nation-state actors have access to US critical infrastructure OT environments, and the geopolitical pressure behind that access is increasing.
The PRC strategy, as US officials describe it, is to hold critical infrastructure at risk to deter or delay a US military response in a Taiwan contingency. Russia has continued targeting European energy infrastructure. Iran has moved from espionage to operational disruption, blurring the lines between criminal, hacktivist, and state-directed activity.
CI Fortify is CISA translating that intelligence into operational guidance. Acting Director Nick Andersen framed it as “timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure.” The operative words are “degrade” and “disrupt,” more than “protect.”
The questions that cut to the bone:
Can you still operate?
Can you still protect people?
Can you still deliver essential services?
Hard questions that only the courageous are willing to ask, and answer, while doing so is still voluntary.
Defense and Resilience
Defense, the work of preventing, detecting, and mitigating attacks, is familiar. It’s visible. It fills conference stages, product demos, and LinkedIn feeds. It’s the world of swords and shields, hunting IOCs, following threat intel, and watching dashboards.
I lived it, circa 2017, when I was battling Locky 2.0 as it took down a pharmaceutical manufacturing line. Production and revenue losses matter. The defend-and-prevent work matters; it always has.
But defense without resilience is a half measure. And resilience without defense is useless. You can’t have one without the other.
Defense already has a productizable structure in place. It fits neatly into a product category and an economic model.
Resilience, historically, has been an organizational discipline. It spans IT, OT, engineering, operations, safety, legal, and executive leadership. It does not yet fit neatly into anything: not a product category, not a conference talk, not a procurement cycle.
Market structure.
Huh. That sure does seem like a gap.
The Tilt to Defense
Analyst firms estimate the “OT Security” market to be somewhere north of $20 billion in 2025 and project continued double-digit growth.
The dominant product categories are asset discovery, network monitoring, threat detection, vulnerability management, and secure remote access.
Defense functions.
Unsurprisingly, and understandably, venture and growth capital have followed that proven trajectory. The largest funding rounds in OT security over the past two years have gone to detection and monitoring platforms.
The newest wave of product innovation, the “agentic SOC” concept, is entirely about accelerating detection, triage, and response through AI.
More speed, automation, and pew-pew.
The comparable “Resilience” category has barely formed at all. It is only now starting to work out how it fits into a productizable, scalable solution and a market.
Meanwhile, FERC approved NERC CIP-015-1 in June 2025, mandating internal network security monitoring of east-west traffic inside electronic security perimeters. That is a detection mandate: it closes another “visibility” gap, and it is another defense requirement.
EU NIS2 comes closer to resilience because it explicitly requires business continuity planning, supply chain security, and board accountability. But even NIS2 governs management intent and reporting obligations more than it verifies the continued effectiveness of technical controls under operational stress.
Governance-centric regulation establishes accountability. It doesn’t tell you whether a high-hazard industrial process remains observable, controllable, and operable when things go wrong.
More prescriptive OT frameworks, like Saudi Arabia’s OTCC and Singapore’s CCoP, push further by linking cybersecurity requirements directly to facility criticality and mandating concrete technical capabilities. They close gaps that governance-only models leave open.
But globally, the regulatory center of gravity still favors visibility and reporting over tested operational continuity.
Conference economics reinforce the pattern. Major cybersecurity events reward novelty, named adversaries, and offensive research. Resilience planning is the slow work of testing whether an organization can actually run a process manually, coordinate across functions during a crisis, and recover from a degraded state that nobody has fully defined yet. It makes everyone uncomfortable, and it isn’t spectacle.
Then, the measurement problem compounds everything.
Defense produces dashboards: alerts blocked, vulnerabilities patched, mean time to detect.
Resilience depends on how quickly executives align under pressure, whether operators can run in degraded mode, and how well functions coordinate when the process picture no longer makes sense.
What is not easily measured is easily under-funded.
Missing in the Middle
The real gap sits between cybersecurity and physical consequence.
Most of the industry’s attention concentrates on system protection:
segmentation
access control
authentication
hardening
patching
monitoring
This is where standards like IEC 62443 focus, and, where an actual program exists rather than just a tool running, it is what most OT security programs are built around.
But when system protection degrades or fails, there’s control resilience. It asks what compromised or unreliable automation can still do to the process:
Can it silently become the sole authority over operational decisions?
Can it present a plausible but false picture of the process state?
Can it suppress the signals that would tell an operator something is wrong?
This includes bounded setpoints, rate limiting, permissives, interlocks, staged authority, mode management, anomaly and coherence detection, degraded operating strategies, and operator decision support.
The technology should detect process incoherence, constrain unsafe control authority, and make degraded trust visible.
The people should interpret what that means, decide whether normal operation is still justified, and escalate when the process picture can no longer be trusted.
And then, if automation is degraded, manipulated, or no longer trustworthy, there’s the physical consequence layer: independent protection layers, physical safeguards, inherently safer design, containment, and segregation.
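To make the control resilience layer above concrete, here is an added example, written for this page and not taken from CI Fortify, IEC 62443, or any vendor product. It assumes a hypothetical tank-level loop (level setpoint in percent, one inlet and one outlet valve, two independent level transmitters); those names, the bounds, and the telemetry are all constructed for illustration. A guard sits between the supervisory layer, which may be compromised, and the loop controller: it bounds the setpoint, rate-limits each change, holds the last good value when an interlock permissive is not satisfied, and a separate coherence check flags a process picture that contradicts the commanded valve states or disagrees across the redundant transmitters. Every decision comes back with a trust level and reasons, so degraded trust is visible to the operator rather than silent.

```python
"""Control-resilience guard: bounded setpoints, rate limiting, permissives,
and a process-coherence check that makes degraded trust visible.

Added illustration for a hypothetical tank-level loop; all names, limits
and telemetry here are constructed assumptions, not from any real plant."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class GuardResult:
    applied: float              # setpoint actually handed to the controller
    trust: str                  # "normal" or "degraded"
    reasons: List[str] = field(default_factory=list)


class SetpointGuard:
    """Constrains the authority a supervisory layer has over one control loop.

    Enforces absolute bounds, a maximum step per update, and a permissive
    (interlock): when the permissive is false the last good setpoint is held.
    """

    def __init__(self, lo: float, hi: float, max_step: float, initial: float):
        self.lo, self.hi, self.max_step = lo, hi, max_step
        self.last = initial     # last setpoint the guard let through

    def apply(self, requested: float, permissive_ok: bool) -> GuardResult:
        reasons: List[str] = []
        if not permissive_ok:
            reasons.append("permissive not satisfied; holding last good setpoint")
            return GuardResult(self.last, "degraded", reasons)

        bounded = min(max(requested, self.lo), self.hi)
        if bounded != requested:
            reasons.append(f"setpoint {requested} bounded to {bounded}")

        step = bounded - self.last
        if abs(step) > self.max_step:   # rate limit: never jump more than max_step
            bounded = self.last + (self.max_step if step > 0 else -self.max_step)
            reasons.append(f"step {step:+.1f} rate-limited to {self.max_step}")

        self.last = bounded
        return GuardResult(bounded, "degraded" if reasons else "normal", reasons)


@dataclass
class Sample:
    level_a: float      # primary level transmitter, percent
    level_b: float      # independent redundant transmitter, percent
    inlet_open: bool    # commanded state of the inlet valve
    outlet_open: bool   # commanded state of the outlet valve


def check_coherence(window: List[Sample], tol: float = 3.0) -> List[str]:
    """Returns reasons the process picture cannot be trusted (empty = coherent).

    Check 1: the redundant transmitters must agree within `tol`.
    Check 2: the level trend across the window must match the commanded valve
    states, e.g. inlet open and outlet closed means the level must not fall.
    """
    reasons: List[str] = []
    latest = window[-1]
    if abs(latest.level_a - latest.level_b) > tol:
        reasons.append(f"transmitters disagree: A={latest.level_a} B={latest.level_b}")
    if len(window) >= 3:
        trend = window[-1].level_a - window[0].level_a
        filling = all(s.inlet_open and not s.outlet_open for s in window)
        draining = all(s.outlet_open and not s.inlet_open for s in window)
        if filling and trend < 0:
            reasons.append("inlet open, outlet closed, but level falling")
        if draining and trend > 0:
            reasons.append("outlet open, inlet closed, but level rising")
    return reasons


def run_demo():
    """Constructed scenario: a supervisory layer pushes an out-of-range setpoint,
    then an interlock trips, then the reported level contradicts valve commands."""
    guard = SetpointGuard(lo=20.0, hi=80.0, max_step=5.0, initial=50.0)
    results = [
        guard.apply(53.0, permissive_ok=True),    # normal, applied 53.0
        guard.apply(95.0, permissive_ok=True),    # bounded to 80, rate-limited to 58
        guard.apply(40.0, permissive_ok=False),   # interlock holds 58
    ]
    window = [                                    # constructed telemetry
        Sample(58.0, 58.5, True, False),
        Sample(57.0, 57.6, True, False),
        Sample(56.0, 49.0, True, False),          # falling while filling, and B diverges
    ]
    return results, check_coherence(window)


if __name__ == "__main__":
    for r in run_demo()[0]:
        print(r)
    print(run_demo()[1])
```

The point of the design is that the guard never needs to know whether the supervisory layer is compromised; it only limits what any requester can do to the process, and the coherence check turns a plausible-but-false picture into an explicit reason an operator can act on. In a real deployment the bounds and the valve-to-trend rules would come from the process engineer, not from the same layer the guard is protecting against.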
Defense lives in system protection. Resilience lives in control and physical consequence. They’re complementary. And right now, only one side of that equation has a market.
What Resilience Actually Demands
Resilience work means collaborating, communicating, deciding, and planning what to do before, and once, operations are compromised.
It requires acuity, maturity, experience, and patience. Have you ever read a state-mandated emergency plan? Now try putting that into an actual plan you can use during an emergency. Then try executing it.
This is what the safety, emergency, crisis, and continuity professionals who keep the water running and the lights on during and after a compromise, cyber-caused or not, do every day.
The question CI Fortify forces is “can critical infrastructure organizations function when the automation picture is wrong, the network is gone, and the vendor can’t help?”
Defense says test your IR plan.
Resilience says test whether you can still run the process.
Defense work is swords and shields, threat hunting, and the tools that give operators visibility into what is happening on their networks. It’s the SOC analysts, incident responders, and engineers who harden and segment and monitor.
Resilience work is the organizational discipline that spans IT, OT, engineering, operations, safety, legal, and executive leadership. It barely fits neatly into a product category, a conference talk, or a procurement cycle.
Both are necessary and neither is sufficient alone.
What’s it Going to Take?
The challenge is that one has a market, a conference circuit, a venture ecosystem, and a regulatory apparatus that recognizes it. The other does not, yet.
CI Fortify is a signal.
When the nation’s cyber defense agency tells critical infrastructure operators to assume compromise and plan for sustained degraded operations, it is time to pay attention to the other half of the solution.
The professionals who do resilience work, the ones who plan for what happens when the defenses fail, who test recovery, who build the organizational muscle to coordinate under stress, deserve the same attention, tooling, and investment.
The work is harder to see and harder to measure. But when it matters, it’ll be the difference between an incident and a catastrophe.