Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Why OSS

OT and ICS Security,
Air Gap Storage for the Purdue Model

An OT estate cannot restore from a cloud copy it cannot reach and cannot afford to egress. Firevault is the physical air gap that sits at Purdue Level 3.5, isolated from the domain that ransomware compromises first.

R5
What OT and ICS security means

OT, ICS and the Priority Inversion

Clean definitions for OT, ICS and the security priority ranking that separates industrial estates from IT.

01
The kit that runs the physical world

Operational technology (OT)

Operational technology is the hardware and software that monitors and controls physical processes: valves, motors, robots, breakers, conveyors and the sensors that report on them. It is the plant floor, the substation, the pipeline and the water works, not the office LAN.

Plant floor, not officePhysical outcomes, not ticketsUptime measured in years
02
The category name for OT control kit

Industrial control systems (ICS)

Industrial control systems is the umbrella term for the software and hardware that make OT run: PLCs, RTUs, DCS, SCADA and their engineering workstations. When practitioners say OT/ICS, they mean the whole stack from field devices up to the supervisory layer.

PLC, RTU, DCS, SCADAEngineering workstationsSupervisory HMI and historians
03
Availability first, then integrity, then confidentiality

OT/ICS security, defined

OT/ICS security protects the availability and integrity of industrial control systems from failure and attack. The priority ranking is inverted from IT: an unavailable plant is a safety event, so recovery from a destructive incident is the top design goal.

Availability is the prioritySafety cases drive designRecovery is not optional
Where a physical air gap belongs

Mapping Firevault to the Purdue Model

The Purdue Model splits an industrial estate into levels. The Firevault gold copy sits at Level 3.5 or in a dedicated bunker, isolated from the enterprise domain.

01
Field devices, controllers and HMI

Levels 0 to 2, the plant

The lower Purdue levels are sensors, actuators, PLCs, RTUs and the HMI that supervises them. These systems are engineered for uptime and predictable behaviour, not for defence in depth. Ransomware that reaches this layer stops production and can trigger safety events.

Level 0 field devicesLevel 1 PLCs and RTUsLevel 2 HMI and historians
02
Where OT meets IT

Level 3 and 3.5, operations and DMZ

Level 3 hosts the site operations systems and Level 3.5 is the industrial DMZ. This is where OT talks to IT for reporting, dispatch and remote support, and where most OT ransomware incidents enter. The Firevault gold copy for an OT estate sits at 3.5, isolated from both sides.

Site historians and MESIndustrial DMZ boundaryHighest attacker footfall
03
Corporate estate, cloud, SaaS

Level 4 and 5, IT and enterprise

The upper Purdue levels are the enterprise IT and cloud. These systems have far more attack surface than the plant, and they are the origin of most OT ransomware. A physical air gap between the enterprise estate and the OT gold copy is the boundary of last resort.

Enterprise IT and cloudSaaS and remote accessOrigin of most OT incidents
Why immutable cloud alone is not enough

What Breaks Immutable Backup Inside an OT Estate

The failure modes cloud immutability hits when it meets a real OT site, a real cyber underwriter and a real ransomware operator with domain admin.

01
Cloud restores do not scale to OT sites

Bandwidth ceilings on the plant

OT sites are often on constrained links: microwave, cellular or single fibre. A cloud restore of a compromised historian can take days over that pipe, at a cost per GB that finance did not budget for. A physically local air-gapped copy restores at disk speed instead.

Constrained site linksEgress cost per GBRTO measured in days not hours
02
Object Lock does not survive a domain compromise

Immutable is still on the network

Cloud Object Lock and hardened repositories are logical controls on a network that remains reachable. In an OT estate the attacker often already has domain admin on the IT side. The same credentials weaken the retention policy before the plant is hit.

Reachable from IT planeRetention weakened by adminSame identity system as target
03
Offline, isolated, provable

Insurers now specifically ask

Cyber underwriters have tightened OT wording. Renewals now ask whether an offline copy exists, whether it is isolated from production identity and whether the isolation is provable. A physical air gap with a tamper evident connection log answers all three in one line.

Offline copy requiredIsolated from identityEvidence, not assertion

Buyer checklist

Ten Questions for Any OT/ICS Backup Vendor

Use this list to separate a genuine physical air gap from a hardened appliance sold as one.

  • The gold copy has no network interface enabled while offline (Layer 1, not VLAN)
  • Connection windows are switched out of band, not from the OT or IT domain
  • Every connect and disconnect event is logged on a separate management plane
  • The copy sits at Purdue Level 3.5 or a dedicated bunker, isolated from Levels 4 and 5
  • Restore path does not depend on cloud egress or a rebuild of the domain
  • Encryption keys are held separately from the storage hardware
  • Chain of custody is provable to IEC 62443, NIS2 and NCSC CAF assessors
  • The vendor will attend an incident on site and provide the clean copy in person
  • Pricing is fixed monthly, VAT inclusive, with no egress or restore fees
  • The pattern layers over existing Veeam, Rubrik, Commvault or native ICS backups

OT and ICS Security, Common Questions

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Add a physical air gap to your OT recovery plan

Talk to the Firevault team about a Layer 1 offline gold copy for your industrial estate, isolated from the enterprise domain that ransomware compromises first.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up
    Get started

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy