Ransomware targeting operational technology is no longer hypothetical. We have seen attacks on water utilities that encrypted both the engineering workstations and the backup files the organization was counting on for recovery. When the recovery plan itself is compromised, you are not recovering; you are rebuilding from zero. Industrial organizations need backup strategies that assume the attacker will encrypt everything reachable, will traverse the network to find more, and that account for the specific constraints of OT environments.
Most IT backup strategies do not transfer to OT. A cloud backup service is only as safe as the credentials that administer it: an attacker who obtains them can delete or overwrite the backups before deploying ransomware. A network-attached backup system is reachable from the same network the attacker is already on and gets encrypted along with production. A backup that can only be restored from the engineering workstation is useless when that workstation is the entry point for the attack. For OT, backup resilience means multiple isolated copies, stored where an attacker holding production credentials and production network access cannot reach all of them.
The Three-Copy Rule for OT
We recommend at minimum three independent copies of all critical OT assets: one live copy (your production systems), one cold copy (offline, physically stored), and one warm copy (available for rapid restore but isolated from your production network). The live copy operates normally. The cold copy is updated on a schedule (weekly, for most critical systems) and stored in a locked cabinet or at an external storage facility. The warm copy lives in an isolated network segment with restricted access: it can be brought online quickly but cannot be reached from normal operations or from the internet.
For PLC configurations and firmware, the cold copy should be on external media such as USB drives, external hard drives, or tape, stored in a physical location separate from your data center. For historians and databases, the warm copy can be a replicated instance in a segregated network or a regular backup file written to isolated media, updated daily. One caveat on replication: a replica that mirrors production in real time will mirror the ransomware's encryption and deletions within seconds, so use point-in-time snapshots or a deliberately delayed replica, and keep enough retained versions to reach back before the intrusion began. The key is that an attacker who compromises your main network cannot reach all three copies with the same credentials or over the same network path.
Backup Procedures That Work in OT
- Extract firmware and configs on a schedule and after every change: At minimum every quarter, and after every approved change, extract PLC firmware, control logic, and HMI configurations and store them offline. If you can extract more frequently without disrupting operations, do so. Use manufacturer-approved tools, follow change management procedures, and record the firmware version and a hash of each extract so a restored copy can be checked against what was taken.
- Isolate backup networks physically: Your warm backup copy should live on a network segment with no route back into it from production. Use a physical air gap if possible; at minimum, a managed firewall with unidirectional rules: the backup segment initiates the pull of data from production (or a data diode pushes data outward), and no production host can initiate a connection into the backup segment. Use dedicated credentials for the backup segment that are never cached on production hosts.
- Test restores regularly: Backups that have never been restored are worthless. At least twice a year, pull a backup and restore it to a test system that is isolated from both production and the backup repository. Restore the full dependency chain (firmware, then logic, then HMI configuration), not a single file. Time the restore, compare it to your recovery time objective, and verify that the restored system functions and matches the recorded hashes. Only then can you be confident that the backup will work in an emergency.
- Encrypt backups in transit and at rest: Backups contain sensitive information such as control logic, configuration details, and network diagrams. Encrypt them when they are being written and when they are stored offline, and keep the keys apart from the backups themselves (a sealed copy with the cold media, never on the backup server). Encryption is not integrity: a backup file can be encrypted and still have been overwritten or corrupted, so pair it with a hash manifest or signature that you check before trusting a restore.
Backup Resilience in a Ransomware Response
In a ransomware incident, your backups are your primary recovery path. Your incident response plan should include explicit procedures for backup assessment: which backups are clean, how to verify them, and how to restore from them without re-introducing malware. Clean means two things: the backup predates the earliest evidence of intrusion (attackers often dwell for weeks before encrypting, so the most recent copy is not automatically safe), and its contents match the hashes recorded when it was taken. Verify in an isolated staging environment before anything touches production. If you have maintained true separation between production and backups, and if you have tested restores, you can recover without paying a ransom. That is the goal.
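The verification step above, and the restore test in the procedures list, both come down to the same check: can you prove that what is on the backup media is what you wrote there? The script below is an added illustration for this article, not code from the Cascadia OT Security practice or from any vendor tool. It builds a SHA-256 manifest of a backup tree, seals the manifest with HMAC-SHA256, and at restore time reports missing, modified, and unexpected files, flagging any whose content looks like ciphertext. It assumes the HMAC key is kept with the offline copy (for example on paper in the same cabinet) and never on the backup server or engineering workstation, so an attacker who can rewrite backup files cannot also reseal the manifest. The sample PLC and HMI files and the ransom note are constructed for the demonstration.

```python
"""Sealed backup manifest and restore-time verifier (illustration, not vendor code).

Assumption: the integrity key lives with the cold copy, off-network, so anyone who
can rewrite the backup files cannot also produce a matching seal.
"""
import hashlib
import hmac
import json
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5  # bits per byte; ciphertext and compressed data sit near 8.0


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the content; near 8.0 for encrypted or compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path, key: bytes) -> bytes:
    """Hash every file under root and seal the listing with HMAC-SHA256."""
    files = {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    seal = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"files": files, "hmac": seal}).encode()


def verify_backup(root: Path, manifest: bytes, key: bytes) -> dict:
    """Check the seal first, then every file. 'clean' is the verdict."""
    doc = json.loads(manifest)
    body = json.dumps(doc["files"], sort_keys=True, separators=(",", ":")).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, doc["hmac"]):
        # Forged or tampered manifest: nothing it lists can be trusted.
        return {"clean": False, "manifest_tampered": True, "missing": [],
                "modified": [], "unexpected": [], "encrypted_like": []}
    present = {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    missing = sorted(set(doc["files"]) - set(present))
    unexpected = sorted(set(present) - set(doc["files"]))
    modified = sorted(
        name for name, digest in doc["files"].items()
        if name in present and sha256_file(present[name]) != digest
    )
    # Changed or new files whose bytes look like ciphertext: the ransomware signature.
    encrypted_like = sorted(
        name for name in modified + unexpected
        if shannon_entropy(present[name].read_bytes()) > ENTROPY_THRESHOLD
    )
    return {"clean": not (missing or modified or unexpected), "manifest_tampered": False,
            "missing": missing, "modified": modified,
            "unexpected": unexpected, "encrypted_like": encrypted_like}


def demo() -> tuple:
    """Constructed scenario: a good backup, the same tree after 'ransomware', a wrong key."""
    key = b"offline-cabinet-key-example"  # hypothetical; the real key stays off-network
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample PLC/HMI artifacts, not real vendor files.
        (root / "plc01").mkdir()
        (root / "plc01" / "program.xml").write_text("<program><rung>START</rung></program>\n" * 50)
        (root / "hmi01.cfg").write_text("screen=main\nalarm_limit=85\n" * 20)
        manifest = build_manifest(root, key)
        before = verify_backup(root, manifest, key)
        # Simulate ransomware on the backup share: overwrite a file, drop a note.
        (root / "hmi01.cfg").write_bytes(os.urandom(4096))
        (root / "README_RESTORE.txt").write_text("your files are encrypted\n")
        after = verify_backup(root, manifest, key)
        forged = verify_backup(root, manifest, b"wrong-key")
    return before, after, forged


if __name__ == "__main__":
    before, after, forged = demo()
    print("clean before:", before["clean"])
    print("findings after:", after)
    print("seal rejected with wrong key:", forged["manifest_tampered"])
```

Run the manifest build as the last step of every extraction and store the manifest alongside the media; run the verifier on the staging host before any restore. The entropy check is a heuristic: compressed archives and legitimately encrypted backups also score near 8.0, so treat it as a pointer to files worth inspecting, while the hash mismatch is the authoritative signal.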
Building backup strategies that survive ransomware requires understanding both your OT assets and the threat landscape. We help industrial organizations design redundancy, test recovery procedures, and build confidence in their business continuity plans. Contact us to assess your backup resilience.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.