The Difference Between Incident and Catastrophe

Cabreza Blog

CISA says adversaries are pre-positioned in US critical infrastructure. Does anyone care?

Jason Rivera
May 30, 2026

A few weeks ago, CISA released CI Fortify: Strengthening Resilience Across Critical Infrastructure. Its planning assumptions are boldly stated, and blunt:

- adversaries are already pre-positioned in US critical infrastructure
- third-party connections may be unreliable during a conflict
- operators need to be ready to sustain essential services while operating in a degraded, disconnected, or partially compromised environment

The same week, a major OT security vendor teased an upcoming product launch. Within three hours, a single teaser post had more than double the engagement of the top CI Fortify post from the prior three weeks.

Sit with that for a moment, because the contrast says a lot about the direction and attention of the ICS/OT cybersecurity community.

Underneath CI Fortify

CI Fortify organizes around two emergency planning capabilities: isolation and recovery.

Isolation includes proactively disconnecting OT systems from third-party and business networks while continuing to deliver essential services. Operating through compromise means:

- Identify priority customers (including military installations and lifeline services)
- Set minimum service delivery targets they can sustain while isolated for weeks to months

Recovery is for when isolation isn’t enough:

- Document how systems operate
- Back up critical files
- Practice the replacement of systems or transition to manual operations

Paving the Fortify Way

CI Fortify isn’t binding regulation; it just establishes a baseline. But it is a baseline that also raises expectations for boards, executives, and legal teams in future regulatory examinations, insurance disputes, or litigation.

CI Fortify is grounded in specific, documented intelligence.

In February 2024, CISA, NSA, and the FBI issued Joint Advisory AA24-038A, assessing with high confidence that Volt Typhoon, a PRC state-sponsored group, had been pre-positioning on IT networks to enable lateral movement to OT assets and disrupt functions across communications, energy, transportation, and water systems. The advisory confirmed the group had maintained footholds in critical infrastructure environments for at least five years.

FBI Director Christopher Wray, in congressional testimony that January, called it “the defining threat of our generation.” Former CISA Director Jen Easterly said the confirmed compromises were “likely the tip of the iceberg.”

In April 2024, Wray told Vanderbilt University that Volt Typhoon had targeted 23 pipeline operators and was developing the ability to “physically wreak havoc on our critical infrastructure at a time of its choosing.”

In April 2026, six federal agencies confirmed active Iranian-affiliated exploitation of internet-facing OT devices across water, energy, and government services sectors, resulting in operational disruptions and financial losses.

It’s not an ambiguous pattern. The intelligence has already determined that multiple nation-state actors have access to US critical infrastructure OT environments. So, CI Fortify is CISA translating that intelligence into operational guidance.

Defense and Resilience

Defense work, the work of preventing, detecting, and mitigating attacks, is familiar. It’s visible: it fills conference stages, product demos, and LinkedIn feeds. It’s the world of swords and shields, hunting IOCs, following threat intel, and watching dashboards.

I lived it, circa 2017, when I was battling Locky 2.0 taking down a pharmaceutical manufacturing line.

Production and revenue losses matter. The defend and prevent work matters; it always has. But defense without resilience is a half measure. And resilience without defense is useless. You can’t have one without the other.

The problem is structural: defense already has a productizable system and structure in place. It fits neatly into a product and economic structure.

Resilience, however, has historically been an organizational discipline. It spans IT, OT, engineering, operations, safety, legal, and executive leadership. It barely fits neatly into anything yet, let alone conference talks or procurement cycles.

Market structure.

Huh. That sure does seem like a gap.

The Tilt to Defense

Analyst firms estimate the “OT Security” market to be somewhere north of $20 billion in 2025 and project continued double-digit growth. The dominant product categories are asset discovery, network monitoring, threat detection, vulnerability management, and secure remote access. Defense functions.

Unsurprisingly, and understandably, venture and growth capital has followed its proven trajectory. The largest funding rounds in OT security over the past two years have gone to detection and monitoring platforms. The newest wave of product innovation, the “agentic SOC” concept, is...