Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Why OSS

The OT/ICS Security Vault for
Air-Gapped Recovery

Firevault is a Layer 1 air-gapped, immutable vault for the gold copy of your OT and ICS data. It sits at Purdue Level 3.5, isolated from the corporate identity domain ransomware targets first, with the signed evidence IEC 62443, NIS2 and NCSC reviewers expect.

S1

Mapped to IEC 62443 · NIS2 · NERC CIP · NCSC ransomware-resistant backups

What the vault does

Six Capabilities That Define An OT/ICS Security Vault

Air gap, immutability, Purdue Level 3.5 placement, ransomware recovery, segmentation-friendly deployment and audit-ready evidence, in one appliance line.

01
Layer 1 physical isolation

Air-gapped OT backup

Firevault holds the gold copy of your OT and ICS data on media with no live network interface. Connection windows are switched out of band, logged on a separate management plane, and closed the moment the sync ends. Ransomware cannot reach what is not on the wire.

No live network interface offlineOut-of-band switchingTamper evident connection log
02
Write once, retain for the policy window

Immutable WORM storage

Every copy is written under WORM controls with hardware-enforced retention. Neither an operator nor an attacker with stolen credentials can rewrite, expire or delete a copy inside the retention window. Immutability rides on top of the physical air gap, not in place of it.

Hardware-enforced retentionNo admin overrideVerified restore evidence
03
Where the gold copy belongs

Purdue Level 3 and 3.5 deployment

Firevault deploys at Purdue Level 3.5, the industrial DMZ, or in a dedicated bunker adjacent to the OT estate. That placement keeps the copy out of the Level 4 and Level 5 identity domain that ransomware targets first, without adding another VLAN rule to an already busy firewall.

Sits at the industrial DMZIsolated from corporate identityFirebreak hardware option
04
A copy the attacker cannot reach

ICS ransomware recovery

Every published post-incident report on a large OT ransomware event follows the same pattern: entry at Level 5, lateral to Level 4, pivot through Level 3.5, then plant shutdown. Firevault gives you the one recovery copy that pattern cannot touch, and the audit trail your insurer requires.

Breaks the L5 to plant chainRestore rehearsals on scheduleInsurer-ready evidence pack
05
Layers over existing OT security

Segmentation-friendly deployment

Firevault does not replace Veeam, Rubrik, Commvault or native ICS backup platforms. Those handle fast operational recovery. Firevault sits alongside them as the one offline copy the 3-2-1-1-0 rule requires, honouring your existing zone and conduit design.

Works with existing backup toolsRespects IEC 62443 zonesOne offline copy done properly
06
IEC 62443, NIS2, NERC CIP, NCSC

Audit-ready evidence

Every connection window, every write, every restore rehearsal produces a signed record. That evidence pack answers the questions IEC 62443 assessors, NIS2 reporters, NERC CIP auditors and NCSC-aligned reviewers actually ask, without a scramble the week before the audit.

IEC 62443 mappedNIS2 and NCSC alignedNERC CIP evidence trail
Why most OT backups still fail

The Three Failure Modes Firevault Is Built Against

A backup on the corporate domain, an immutable appliance mislabelled as an air gap, and a restore that has never been rehearsed across Level 3.5. Firevault removes all three.

01
The single most common failure

Backup on the corporate domain

When the OT backup platform runs on a VM in the corporate hypervisor, joined to the corporate identity domain, a single compromised admin account destroys production data and every recovery copy in the same afternoon. Firevault sits outside that domain by design.

No corporate domain trustNo shared admin planePhysical, not logical, boundary
02
Immutability is not isolation

Immutable appliance called an air gap

An immutable appliance still lives on the network, still exposes a management interface, and still trusts an identity plane an attacker can compromise. It is a valuable layer, but describing it as an air gap in insurer paperwork is how claims get disputed. Firevault provides both.

Immutability plus air gapNo management plane exposureTruthful insurer paperwork
03
A copy you have not restored is a hope

No tested restore across L3.5

The failure mode auditors flag most often is a backup platform that has never been rehearsed across the Level 3.5 boundary. Firevault schedules and logs those rehearsals, so the evidence is already on file when the assessor arrives.

Scheduled restore rehearsalsSigned evidence per runReady before the audit

Firevault vs. the alternatives

How the Vault Compares to Cloud Immutable and Tape

Cloud immutable storage and tape both belong in a well-designed OT recovery plan. Neither alone provides the physical isolation, the Purdue Level 3.5 placement and the signed evidence pack a vault does.

Capability Firevault OT/ICS Vault Cloud immutable Tape
Physical air gap between copies Yes, Layer 1, no live interface No, always network reachable Partial, only when ejected and stored offsite
Immutable WORM storage Yes, hardware enforced Yes, policy enforced Yes, by media type
Sits at Purdue Level 3.5 by design Yes No, lives beyond Level 5 Depends on library placement
Isolated from corporate identity Yes, separate management plane No, cloud IAM in scope Partial, depends on library operator
Restore rehearsal evidence pack Yes, signed per run Manual, tenant responsibility Manual, operator responsibility
Recovery when corporate domain is destroyed Yes, unaffected Blocked, IAM often affected Yes, if media is offsite

Outcomes

What Operators Get from a Firevault Deployment

Plant restart from a clean copy

A recovery source that is unaffected when the corporate identity domain and the primary backup platform are both destroyed.

Evidence pack the insurer accepts

Signed connection windows, WORM writes and restore rehearsals mapped to IEC 62443 and NIS2 obligations.

One offline copy, done properly

The 3-2-1-1-0 rule satisfied by a physical air gap, not a marketing claim on an immutable appliance.

Continue with the reference architecture, the segmentation guide and the air gap comparison.

OT/ICS Security Vault, Common Questions

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Put the OT gold copy in a vault the corporate domain cannot reach

Talk to the Firevault team about a Layer 1 air-gapped, immutable vault at Purdue Level 3.5, with the signed evidence pack IEC 62443, NIS2 and NCSC reviewers expect.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up
    Get started

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy