Field notes · Case F-19 · Cyber

Ransomware never touches the chiller. It does not have to.

In most industrial ransomware events, the OT systems were never encrypted. Operations stopped anyway. The malware attacks machines; the downtime attacks confidence.

Read the post-incident reports from the famous industrial ransomware cases and a pattern emerges that the headlines miss: the control systems usually kept working. What stopped them was a decision. The corporate network was encrypted, visibility was gone, the shared services were suspect, and someone chose, reasonably, to halt operations rather than run blind. The malware never crossed into OT. The fear did.

Most OT downtime in an IT ransomware event is a precaution, not an infection. Precaution is a design choice you can engineer.

The dependencies that convert IT incidents into OT outages

The bridge is rarely exotic. It is the historian the plant cannot bill without, the Active Directory that the HMIs authenticate against, the jump server that maintenance uses, the licensing service nobody remembered. When those live on the corporate domain, encrypting the office encrypts the plant’s nervous system, whatever the firewall diagram claims. An assessment that maps these dependencies honestly is worth more than another endpoint agent.

Engineering the ability to keep running

Insurers have caught on: questionnaires increasingly ask about segmentation evidence and recovery drills rather than antivirus brands. The market is pricing exactly the gap this file describes.

We map the dependencies ransomware counts on, before it does. It is quieter work than recovery, and far cheaper.