The OT/ICS Security Vault for
Air-Gapped Recovery
Firevault is a Layer 1 air-gapped, immutable vault for the gold copy of your OT and ICS data. It sits at Purdue Level 3.5, isolated from the corporate identity domain ransomware targets first, with the signed evidence IEC 62443, NIS2 and NCSC reviewers expect.
Mapped to IEC 62443 · NIS2 · NERC CIP · NCSC ransomware-resistant backups
Six Capabilities That Define An OT/ICS Security Vault
Air gap, immutability, Purdue Level 3.5 placement, ransomware recovery, segmentation-friendly deployment and audit-ready evidence, in one appliance line.
Air-gapped OT backup
Firevault holds the gold copy of your OT and ICS data on media with no live network interface. Connection windows are switched out of band, logged on a separate management plane, and closed the moment the sync ends. Ransomware cannot reach what is not on the wire.
Immutable WORM storage
Every copy is written under WORM controls with hardware-enforced retention. Neither an operator nor an attacker with stolen credentials can rewrite, expire or delete a copy inside the retention window. Immutability rides on top of the physical air gap, not in place of it.
Purdue Level 3 and 3.5 deployment
Firevault deploys at Purdue Level 3.5, the industrial DMZ, or in a dedicated bunker adjacent to the OT estate. That placement keeps the copy out of the Level 4 and Level 5 identity domain that ransomware targets first, without adding another VLAN rule to an already busy firewall.
ICS ransomware recovery
Every published post-incident report on a large OT ransomware event follows the same pattern: entry at Level 5, lateral to Level 4, pivot through Level 3.5, then plant shutdown. Firevault gives you the one recovery copy that pattern cannot touch, and the audit trail your insurer requires.
Segmentation-friendly deployment
Firevault does not replace Veeam, Rubrik, Commvault or native ICS backup platforms. Those handle fast operational recovery. Firevault sits alongside them as the one offline copy the 3-2-1-1-0 rule requires, honouring your existing zone and conduit design.
Audit-ready evidence
Every connection window, every write, every restore rehearsal produces a signed record. That evidence pack answers the questions IEC 62443 assessors, NIS2 reporters, NERC CIP auditors and NCSC-aligned reviewers actually ask, without a scramble the week before the audit.
The Three Failure Modes Firevault Is Built Against
A backup on the corporate domain, an immutable appliance mislabelled as an air gap, and a restore that has never been rehearsed across Level 3.5. Firevault removes all three.
Backup on the corporate domain
When the OT backup platform runs on a VM in the corporate hypervisor, joined to the corporate identity domain, a single compromised admin account destroys production data and every recovery copy in the same afternoon. Firevault sits outside that domain by design.
Immutable appliance called an air gap
An immutable appliance still lives on the network, still exposes a management interface, and still trusts an identity plane an attacker can compromise. It is a valuable layer, but describing it as an air gap in insurer paperwork is how claims get disputed. Firevault provides both.
No tested restore across L3.5
The failure mode auditors flag most often is a backup platform that has never been rehearsed across the Level 3.5 boundary. Firevault schedules and logs those rehearsals, so the evidence is already on file when the assessor arrives.
Firevault vs. the alternatives
How the Vault Compares to Cloud Immutable and Tape
Cloud immutable storage and tape both belong in a well-designed OT recovery plan. Neither alone provides the physical isolation, the Purdue Level 3.5 placement and the signed evidence pack a vault does.
| Capability | Firevault OT/ICS Vault | Cloud immutable | Tape |
|---|---|---|---|
| Physical air gap between copies | Yes, Layer 1, no live interface | No, always network reachable | Partial, only when ejected and stored offsite |
| Immutable WORM storage | Yes, hardware enforced | Yes, policy enforced | Yes, by media type |
| Sits at Purdue Level 3.5 by design | Yes | No, lives beyond Level 5 | Depends on library placement |
| Isolated from corporate identity | Yes, separate management plane | No, cloud IAM in scope | Partial, depends on library operator |
| Restore rehearsal evidence pack | Yes, signed per run | Manual, tenant responsibility | Manual, operator responsibility |
| Recovery when corporate domain is destroyed | Yes, unaffected | Blocked, IAM often affected | Yes, if media is offsite |
Outcomes
What Operators Get from a Firevault Deployment
Plant restart from a clean copy
A recovery source that is unaffected when the corporate identity domain and the primary backup platform are both destroyed.
Evidence pack the insurer accepts
Signed connection windows, WORM writes and restore rehearsals mapped to IEC 62443 and NIS2 obligations.
One offline copy, done properly
The 3-2-1-1-0 rule satisfied by a physical air gap, not a marketing claim on an immutable appliance.
Continue with the reference architecture, the segmentation guide and the air gap comparison.
OT/ICS Security Vault, Common Questions



Put the OT gold copy in a vault the corporate domain cannot reach
Talk to the Firevault team about a Layer 1 air-gapped, immutable vault at Purdue Level 3.5, with the signed evidence pack IEC 62443, NIS2 and NCSC reviewers expect.
Takes about 2 minutes. No account needed.