OT and ICS Security,
Air Gap Storage for the Purdue Model
An OT estate cannot restore from a cloud copy it cannot reach and cannot afford to egress. Firevault is the physical air gap that sits at Purdue Level 3.5, isolated from the domain that ransomware compromises first.
OT, ICS and the Priority Inversion
Clean definitions for OT, ICS and the security priority ranking that separates industrial estates from IT.
Operational technology (OT)
Operational technology is the hardware and software that monitors and controls physical processes: valves, motors, robots, breakers, conveyors and the sensors that report on them. It is the plant floor, the substation, the pipeline and the water works, not the office LAN.
Industrial control systems (ICS)
Industrial control systems is the umbrella term for the software and hardware that make OT run: PLCs, RTUs, DCS, SCADA and their engineering workstations. When practitioners say OT/ICS, they mean the whole stack from field devices up to the supervisory layer.
OT/ICS security, defined
OT/ICS security protects the availability and integrity of industrial control systems from failure and attack. The priority ranking is inverted from IT: an unavailable plant is a safety event, so recovery from a destructive incident is the top design goal.
Mapping Firevault to the Purdue Model
The Purdue Model splits an industrial estate into levels. The Firevault gold copy sits at Level 3.5 or in a dedicated bunker, isolated from the enterprise domain.
Levels 0 to 2, the plant
The lower Purdue levels are sensors, actuators, PLCs, RTUs and the HMI that supervises them. These systems are engineered for uptime and predictable behaviour, not for defence in depth. Ransomware that reaches this layer stops production and can trigger safety events.
Level 3 and 3.5, operations and DMZ
Level 3 hosts the site operations systems and Level 3.5 is the industrial DMZ. This is where OT talks to IT for reporting, dispatch and remote support, and where most OT ransomware incidents enter. The Firevault gold copy for an OT estate sits at 3.5, isolated from both sides.
Level 4 and 5, IT and enterprise
The upper Purdue levels are the enterprise IT and cloud. These systems have far more attack surface than the plant, and they are the origin of most OT ransomware. A physical air gap between the enterprise estate and the OT gold copy is the boundary of last resort.
What Breaks Immutable Backup Inside an OT Estate
The failure modes cloud immutability hits when it meets a real OT site, a real cyber underwriter and a real ransomware operator with domain admin.
Bandwidth ceilings on the plant
OT sites are often on constrained links: microwave, cellular or single fibre. A cloud restore of a compromised historian can take days over that pipe, at a cost per GB that finance did not budget for. A physically local air-gapped copy restores at disk speed instead.
Immutable is still on the network
Cloud Object Lock and hardened repositories are logical controls on a network that remains reachable. In an OT estate the attacker often already has domain admin on the IT side. The same credentials weaken the retention policy before the plant is hit.
Insurers now specifically ask
Cyber underwriters have tightened OT wording. Renewals now ask whether an offline copy exists, whether it is isolated from production identity and whether the isolation is provable. A physical air gap with a tamper evident connection log answers all three in one line.
Buyer checklist
Ten Questions for Any OT/ICS Backup Vendor
Use this list to separate a genuine physical air gap from a hardened appliance sold as one.
- The gold copy has no network interface enabled while offline (Layer 1, not VLAN)
- Connection windows are switched out of band, not from the OT or IT domain
- Every connect and disconnect event is logged on a separate management plane
- The copy sits at Purdue Level 3.5 or a dedicated bunker, isolated from Levels 4 and 5
- Restore path does not depend on cloud egress or a rebuild of the domain
- Encryption keys are held separately from the storage hardware
- Chain of custody is provable to IEC 62443, NIS2 and NCSC CAF assessors
- The vendor will attend an incident on site and provide the clean copy in person
- Pricing is fixed monthly, VAT inclusive, with no egress or restore fees
- The pattern layers over existing Veeam, Rubrik, Commvault or native ICS backups
Continue reading on the deployment maps, the standards and the compare set.
OT and ICS Security, Common Questions



Add a physical air gap to your OT recovery plan
Talk to the Firevault team about a Layer 1 offline gold copy for your industrial estate, isolated from the enterprise domain that ransomware compromises first.
Takes about 2 minutes. No account needed.