Read the post-incident reports from the famous industrial ransomware cases and a pattern emerges that the headlines miss: the control systems usually kept working. What stopped them was a decision. The corporate network was encrypted, visibility was gone, the shared services were suspect, and someone chose, reasonably, to halt operations rather than run blind. The malware never crossed into OT. The fear did.
Most OT downtime in an IT ransomware event is a precaution, not an infection. Precaution is a design choice you can engineer.
The dependencies that convert IT incidents into OT outages
The bridge is rarely exotic. It is the historian the plant cannot bill without, the Active Directory that the HMIs authenticate against, the jump server that maintenance uses, the licensing service nobody remembered. When those live on the corporate domain, encrypting the office encrypts the plant’s nervous system, whatever the firewall diagram claims. An assessment that maps these dependencies honestly is worth more than another endpoint agent.
Engineering the ability to keep running
- Segment for the bad day, not the audit: OT must be operable, observable and safe with the corporate network amputated.
- Keep an offline island: recovery media, golden images, configuration exports and the passwords to use them, reachable when everything with a keyboard is suspect.
- Drill degraded operations: run the floor for a shift, on paper and local control, on a schedule. The first time cannot be during the event.
- Pre-decide authority: who may keep operating, who may stop, and on what evidence. Courage at 03:00 is a document written at 15:00.
Insurers have caught on: questionnaires increasingly ask about segmentation evidence and recovery drills rather than antivirus brands. The market is pricing exactly the gap this file describes.
We map the dependencies ransomware counts on, before it does. It is quieter work than recovery, and far cheaper.