CISA Says Assume Compromise: What CI Fortify Means for OT Teams

May 21, 2026 | blog

May’s ICS Patch Tuesday activity was lighter than recent months. Siemens carried the most substantial advisory load; Schneider published multiple updates but nothing exceptional. ABB, Rockwell, Mitsubishi, and Phoenix Contact had no new May releases—though that doesn’t mean the broader ecosystem was silent. CISA and other advisory channels still carried relevant ICS updates throughout the month.  

Lighter disclosure cycles do occur, particularly during Q2. Vendor release schedules aren’t synchronized, and many are still working through backlogs from heavier March and April waves. Your team likely has plenty of remediation still in progress from those months anyway. 

Instead of emphasizing a single advisory in a relatively quiet cycle, this moment presents an opportunity to focus on a more pressing issue. The shift is not driven by CVSS scores, but by recent guidance from CISA indicating that, in a conflict scenario, critical infrastructure operators should be prepared for unreliable third-party connectivity and should assume that threat actors may already have some level of access to OT networks.

What CI Fortify Actually Changes 

On May 5, CISA launched CI Fortify. The guidance asks critical infrastructure operators to plan for a scenario where OT networks are actively compromised, connectivity to telecommunications networks, vendors, and external services is unavailable, and they must operate for weeks or months while isolated from third-party dependencies and unreliable external communications. 

The initiative organizes around two capabilities. Isolation means proactively disconnecting OT systems from third-party and business networks while sustaining essential service delivery in a degraded communications environment (not powering down defensively but keeping the lights on while disconnected). CISA wants operators to identify priority customers including military infrastructure and lifeline services, set service delivery targets based on their needs, and update business continuity plans and engineering processes to allow for safe operations for weeks to months while isolated. 

Recovery addresses what happens when isolation fails: documenting systems, backing up critical files, and practicing the replacement of compromised components or transition to manual operations. CISA also flags an underappreciated dependency issue: licensing servers and business network connections may be required to restore systems, and operators need plans for those specifically. 

CISA’s planning assumption is straightforward. In a conflict scenario, third-party connections (telecommunications, internet, vendors, service providers, and upstream dependencies) will be unreliable, and threat actors will already have some access to the OT network. That means cloud-connected SCADA, vendor-managed protection relays, and real-time data feeds to third parties all sit on the wrong side of the isolation boundary CISA is now asking you to plan for. 

CISA is already conducting targeted assessments starting with defense-critical infrastructure: utilities that serve military bases, dams, radar sites, and satellite communications. The agency is also reinstating more than 300 positions, with reported priorities including state cyber security coordinators and regional advisors who will support on-site assessments of critical infrastructure operators. CISA has separately signaled an increasing focus on OT systems within this broader effort.

The Threat Reality Behind CI Fortify 

Three recent developments make this less abstract. Federal agencies warned in April that Iranian-affiliated actors were exploiting internet-exposed Rockwell PLCs, including devices affected by CVE-2021-22681, a CVSS 10.0 vulnerability that requires strict mitigations because it lacks a traditional patch. Adversaries are actively scanning for and finding internet-exposed PLCs, with resulting operational disruptions reported across water and energy organizations. In confirmed incidents, attackers deploy Dropbear SSH (a lightweight SSH server, repurposed here as a backdoor) onto compromised endpoints to establish persistent remote access, ensuring they can return even if the initial vulnerability is later addressed. This campaign succeeded not because of sophisticated zero-day exploits, but because assets that should never have been reachable from the internet were openly exposed.

China’s Volt Typhoon has demonstrated long-term prepositioning activity targeting U.S. critical infrastructure, including utilities. Not launching attacks, not stealing data that anyone has detected—just sitting there, mapping systems, running reconnaissance, and positioning for destructive action during a geopolitical crisis. The assumption that “if nothing bad has happened, nothing is wrong” does not hold when a nation-state adversary is patient enough to wait for the right moment. 

Security researchers have increasingly discussed how AI tools could reduce the time required for reconnaissance and vulnerability analysis. In May 2026, Dragos published research describing a real-world intrusion in which attackers used Anthropic’s Claude and OpenAI’s GPT models during an attack against a Mexican water utility. Although no breach occurred, that outcome should not obscure the fact that a legitimate pathway to one existed.

According to Dragos, the AI-assisted operation accelerated reconnaissance, tooling development, and the identification of OT-adjacent infrastructure after an initial IT compromise. The significance was not novel ICS malware or autonomous attacks, but how quickly commercially available AI tools helped inexperienced attackers identify and prioritize operational environments. The gap between disclosure and exploitation is narrowing, and the old rhythm of “patch within 35 days” assumes a threat environment that no longer exists.  

CISA Acting Director Nick Andersen said: “CI Fortify is timely, actionable guidance that helps organizations protect their networks and critical services from cyber threat actors that aim to degrade or disrupt infrastructure. We strongly encourage organizations to review this guidance, implement the recommended actions, and collaborate with CISA to strengthen CI defenses against opportunistic threat actors.” CI Fortify is the tactical blueprint designed to make that resilience possible. 

Operational Impact for Utilities and OT Teams 

CI Fortify does not create new NERC CIP obligations or penalties. However, federal advisories and CISA assessment findings can shape how regulators, auditors, insurers, and litigants evaluate whether an organization acted reasonably under existing obligations. For NERC-regulated entities, the practical issue is not that CI Fortify creates a new requirement, but that documented evaluation of credible federal cyber guidance may become increasingly important evidence of risk-based decision-making. 

On April 7, 2026, one month before CI Fortify launched, CISA, the FBI, NSA, EPA, DOE, and U.S. Cyber Command’s Cyber National Mission Force issued a joint advisory detailing the severity of these ongoing Rockwell Automation attacks. This warning explicitly directed critical infrastructure operators to review existing NERC CIP-relevant guidance from Rockwell Automation, prompting NERC to issue an all-points bulletin to energy sector members. 

Litigation following cyberattacks is already happening, and legal analysts have noted that documented responses to federal advisories help demonstrate reasonable action. When federal agencies issue urgent warnings of active exploitation and your utility is assessed under CI Fortify, findings don’t disappear. Under existing NERC CIP standards, organizations may increasingly be expected to demonstrate how they evaluated and responded to federal cyber security guidance during audits, investigations, or litigation. 

Ignoring federal warnings costs something. 

The first problem most teams face is simple: they don’t actually know what’s connected to what. A substation that was air-gapped ten years ago may have gained a cellular modem for remote monitoring that no one documented. A vendor laptop that gets plugged in once a quarter for maintenance might have open RDP ports that someone set up for convenience and never closed. CI Fortify assumes those connections will be unreliable or hostile during a conflict, which means every undocumented third-party path into your OT network becomes a liability you cannot afford. 

The second problem is operational. Some assets cannot be patched until a planned outage. Some vulnerabilities aren’t actually exploitable in your specific configuration. And some patches break things, which is why vendor-approved patching exists in the first place. Running critical infrastructure means dealing with those constraints every day. But CI Fortify changes the starting point: instead of assuming your network is clean, CISA wants you to plan for the opposite. Under that assumption, patching externally accessible systems moves to the front of the queue. Where patching is not feasible, compensating controls need to be in place and actually tested, not just written in a policy document somewhere. 

The third problem is that most isolation plans have never been fully operationally validated. A utility might have a document that says a particular substation can disconnect from the main grid and run locally, but when someone actually tries to execute that procedure, they discover that the SCADA link is required to close a breaker or that the manual backup relies on a phone line that was disconnected three years ago. CI Fortify expects tested, working procedures, not paper exercises. That means running drills, documenting failures, and fixing what broke. 
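The three problems above reduce to questions an asset inventory can answer. As an added example that is not Foxguard's or CISA's code, the Python below runs a CI Fortify-style triage over a constructed inventory (the asset fields, path names and ordering rules are assumptions): which assets sit across the isolation boundary, the remediation order under the assume-exposed starting point, and exposed assets with neither a patch applied nor a tested compensating control.

```python
"""CI Fortify-style triage over a constructed OT inventory (added example).
Asset fields, path names and the ordering below are hypothetical."""
from dataclasses import dataclass

# Paths CI Fortify says to treat as unreliable or hostile in a conflict.
EXTERNAL_PATHS = {"internet", "cellular", "vendor_vpn", "cloud", "business_lan"}


@dataclass
class Asset:
    name: str
    paths: set          # network paths that can reach this asset
    depends_on: set     # external services needed to run or restore it
    patch_available: bool
    patch_applied: bool
    needs_outage: bool  # can only be patched during a planned outage
    control_tested: bool  # compensating control exercised in a drill


# Constructed sample inventory, not real assets.
INVENTORY = [
    Asset("plc-water-01", {"internet"}, set(), False, False, True, False),
    Asset("relay-sub-7", {"vendor_vpn"}, {"vendor_portal"}, True, False, True, True),
    Asset("scada-hist", {"cloud", "business_lan"}, {"license_server"}, True, True, False, False),
    Asset("rtu-south", {"ot_lan"}, set(), True, False, False, False),
]


def boundary_crossings(assets):
    """Assets on the wrong side of the isolation boundary: reachable over,
    or dependent on, a third-party path (licensing servers included)."""
    return sorted(a.name for a in assets if (a.paths & EXTERNAL_PATHS) or a.depends_on)


def triage(assets):
    """Remediation order: externally exposed first; within a tier, unpatched
    before patched, no-patch-available before patchable, then outage-free first.
    Returns (queue, gaps); gaps are exposed, unpatched assets with no tested control."""
    def rank(a):
        exposed = bool(a.paths & EXTERNAL_PATHS)
        return (not exposed, a.patch_applied, a.patch_available, a.needs_outage)

    queue = [a.name for a in sorted(assets, key=rank)]
    gaps = [a.name for a in assets
            if (a.paths & EXTERNAL_PATHS) and not a.patch_applied and not a.control_tested]
    return queue, gaps


if __name__ == "__main__":
    print("boundary crossings:", boundary_crossings(INVENTORY))
    print("queue, gaps:", triage(INVENTORY))
```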

How Foxguard Supports CI Fortify Readiness 

Most teams don’t know what they have. That’s not a criticism; it’s just the reality of OT environments where assets get installed, replaced, and connected over decades without anyone keeping a master list. Foxguard Discover solves that with a hybrid approach built for regulated environments. It pulls data from existing systems like CMDB and CMMS via APIs, runs scripts in air-gapped networks and imports the results, uses agents where they make sense and agentless methods where they don’t, queries devices directly over SSH, SNMP, Modbus, and S7, and falls back on manual entry for whatever’s left. Everything is tested in Foxguard’s OT lab to avoid disrupting operations. If a ConneXium switch is on your network or a vendor connection got added five years ago and forgotten, Discover finds it.

Once you know what you have, you need to know what patches exist for it. Foxguard Patchintel removes the manual work of tracking patch availability across Siemens, Schneider, Rockwell, ABB, and the rest of the OT vendor landscape, by pulling release notes and security bulletins into one place instead of forcing your team to check every vendor portal individually. It documents authenticity checks and integrity verification for every patch—which matters for NERC CIP audits—and helps track OT vendor advisories and updates that may not be consistently represented in the NVD, a genuine gap that leaves teams blind. Patchintel was built with funding from the US Department of Energy’s Cybersecurity for Energy Delivery Systems division, so it’s designed around OT constraints and NERC CIP requirements from the ground up. 

If your team doesn’t have the bandwidth to run this themselves, Foxguard’s Patch Management as a Service (PMaaS) and Vulnerability Management as a Service (VMaaS) offerings handle the prioritization and remediation work: same product, same intelligence, just delivered as a service.

The Work Ahead 

CISA just told utilities to plan for weeks or months of isolated operation with adversaries already inside. That changes how you prioritize patching, how you think about vendor access, and what incident response means. A patch that takes thirty-five days to evaluate and deploy might be fine in peacetime, but if CISA’s scenario is correct—that a conflict can degrade telecommunications and third-party connections while adversaries are already inside—then the utilities that fare best will be the ones that already knew their asset inventory, already locked down vendor access, and already tested their isolation procedures before the crisis hit. 

A lighter Patch Tuesday cycle is not a reason to relax. It is an opportunity to address the operational gaps that become much harder to fix during active incidents. March was heavy, and April continued to generate significant attention around issues like BlastRADIUS. June and July will pick back up. Use the breathing room to run an isolation drill, audit your vendor connections, or verify that the patches you deployed last quarter actually took. The work does not go away just because the advisory volume is low. 

If your utility is connected to defense infrastructure, you may already be on the list. For everyone else, it is a matter of time. CI Fortify may be voluntary guidance, but the planning assumptions behind it are increasingly shaping how critical infrastructure resilience is evaluated. 
