How to properly back up industrial systems?

16 Oct, 2025

Can the backup strategy for Industrial Information Systems (OT) be reduced to simply applying the ANSSI recommendations outlined in its guide “Information System Backup”? Doing so would overlook the very specific constraints of these environments.
This is an increasingly critical challenge for many sectors with the arrival of NIS2, which explicitly emphasizes the need for business continuity.

The 3-2-1 Rule: The Baseline for Backup Strategies

In the field of data backup, the so-called “3-2-1 rule” is often referenced. This simple principle states that any data should exist in three copies, stored on two different media, with one copy kept off-site.
This ensures that a recovery option remains available in the event of data loss, corruption, system failure, or destruction of one of the copies—provided that backups have been properly tested for effective restoration.
At an organizational level, IT backup strategies rely on two key notions: Maximum Tolerable Data Loss (MTDL) and Maximum Tolerable Downtime (MTD).

These criteria help determine which data is essential to system availability, how frequently it must be updated, and how restoration processes should be designed.

The concept of Maximum Tolerable Data Loss (MTDL) encourages a shift away from an absolute, “all-or-nothing” view of backup. Accepting that not all data has the same value enables more pragmatic backup and recovery strategies, aligned with actual operational needs.

Are IT Backup Best Practices Applicable to OT?

It must be acknowledged that the 3-2-1 rule is rarely the standard in industrial information systems.
Furthermore, several OT-specific constraints must be taken into account to design an effective backup strategy. Five key points require particular attention:

  1. Incomplete Mapping of Industrial Systems: In OT environments, certain hidden or undocumented components (shadow OT) may escape backup processes. Network device configurations (switches, routers, etc.) are also frequently overlooked and must be included.
  2. Undefined Maximum Tolerable Downtime (MTD): MTD must be clearly defined for all industrial applications and business data. This evaluation must be realistic, as it directly drives backup frequency and restoration design.
  3. Backup and Recovery in Degraded Mode : During cyberattacks, production sites are often isolated to maintain operations in degraded mode. As a result, the industrial information system is disconnected from the Enterprise Information System (EIS)—and sometimes from backup and restoration procedures themselves.
  4. Lack of Administration Networks or VLANs: Except in rare cases, industrial environments lack dedicated administration networks or VLANs, even though ANSSI recommends routing backup traffic through them.
    Given that deploying a full industrial cybersecurity roadmap often takes 3 to 7 years, organizations should not wait for ideal conditions before implementing an operational backup and recovery system. Such a system is critical to restarting OT systems quickly and limiting the impact of a cyberattack during this vulnerable phase.
  5. Reluctance to Test Restorations: When OT backups exist, restoration testing is often avoided due to production impact and the absence of pre-production environments. Moreover, in facilities relying on centralized backup solutions, industrial networks may not be able to handle the volume of data required for restoration. The process may take several days—frequently incompatible with industrial constraints.

From Failure Risk to Cyber Risk: Using FMEA to Protect What Matters Most

Adding a cybersecurity dimension to FMEA (Failure Modes, Effects and Criticality Analysis)—explicitly referenced in ANSSI guidance—makes it possible to prioritize backups by identifying and ranking risks according to their cyber criticality. This enables organizations to focus resources on protecting the most vital assets.

Integrating cyber risk into FMEA significantly strengthens industrial backup strategies. By identifying and ranking risks based on cyber criticality, this approach prioritizes protection of systems and data that are essential to operational continuity. Resources are allocated more efficiently, ensuring that critical information and equipment are protected first against failures or malicious attacks.
This proactive approach reduces the risk of irreversible loss and enables faster recovery, strengthening the resilience and security of industrial infrastructures.

How Should Industrial Information Systems Be Backed Up?

It is essential to ensure that backup and recovery infrastructures are compatible with defined MTD requirements. This often involves hybrid solutions, combining local storage for critical data and regular restoration tests on dedicated environments.
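The compatibility check described above, together with the MTDL and 3-2-1 criteria discussed elsewhere in this article, can be sketched as follows. This is an added example, not part of the original article: the asset names, sizes, throughput figures and fixed restore overhead are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    mtdl_h: float             # Maximum Tolerable Data Loss, in hours
    mtd_h: float              # Maximum Tolerable Downtime, in hours
    backup_interval_h: float  # time between two backups
    backup_size_gb: float     # volume to transfer on restore
    restore_mbps: float       # usable throughput, backup store -> asset
    fixed_restore_h: float    # reinstall, checks, restart (assumed value)
    copies: int
    media_types: int
    offsite_copies: int

def restore_hours(a: Asset) -> float:
    """Estimated restore time: fixed overhead plus transfer time."""
    transfer_s = a.backup_size_gb * 8000 / a.restore_mbps  # 1 GB = 8000 Mbit
    return a.fixed_restore_h + transfer_s / 3600

def findings(a: Asset) -> list[str]:
    """Return the gaps between the backup design and the stated targets."""
    gaps = []
    if a.backup_interval_h > a.mtdl_h:
        gaps.append("interval>MTDL")
    if restore_hours(a) > a.mtd_h:
        gaps.append("restore>MTD")
    if a.copies < 3 or a.media_types < 2 or a.offsite_copies < 1:
        gaps.append("3-2-1")
    return gaps

# Constructed sample inventory (not real data).
INVENTORY = [
    Asset("historian-db via central backup", 1, 8, 24, 2000, 100, 2, 3, 2, 1),
    Asset("historian-db via local NAS", 1, 8, 1, 2000, 1000, 2, 3, 2, 1),
    Asset("line-3 PLC configuration", 168, 4, 24, 0.05, 10, 1, 1, 1, 0),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        print(f"{asset.name}: restore ~{restore_hours(asset):.1f} h, "
              f"gaps={findings(asset) or 'none'}")
```

In the constructed first entry, the same database that restores within its MTD from a local NAS misses it by a wide margin when pulled from a central store over a slow plant link.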

Ultimately, the fundamental question of any backup strategy remains the same:
Can industrial information systems be restored within acceptable conditions?

This is particularly challenging for highly critical systems that cannot be networked—and therefore cannot rely on centralized backups. However, it is not impossible: solutions such as local servers or NAS devices can be deployed. That said, removable media (USB drives, external hard disks) must be handled with caution, as they can also become vectors for malware intrusion.

To go further, several essential principles should be considered when designing a backup strategy adapted to industrial environments:

  1. Define MTDL and MTD precisely: Identify which industrial processes require historical data restoration and which do not.
    For example, in a logistics company, losing a few minutes of data may require a full inventory rebuild, whereas a continuous production line PLC may only need its configuration to resume operations.
    Backup frequency must therefore align with both process type and MTD constraints.
  2. Design a Backup Architecture Aligned with the Purdue Model: Backup servers must be positioned to avoid incoming traffic from office IT networks.
    For enhanced cybersecurity, the architecture should integrate an industrial DMZ.
  3. Back Up Databases: Database backups must be recent and consistent to enable operational restoration.
  4. Back up program changes: Backup mechanisms for industrial assets must include version management, and any modification to PLC programs must be automatically integrated into the backup server. Dedicated backup solutions make it possible to roll back to a previous version while ensuring that all changes are directly captured and stored on the backup server.
  5. Implement backup encryption: Sometimes mandated by regulations, encryption protects backups from data compromise and industrial espionage.
  6. Do not forget secrets: Particular attention must be paid to backing up secrets (such as encryption keys used by industrial protocols, which may be stored in TPM chips on certain controllers). Backup procedures must also include key reallocation processes.
  7. Anticipate the organizational impact of virtualization: While industrial automation still largely relies on physical controllers, virtual PLCs are becoming increasingly widespread. Virtualization simplifies backups, but raises questions around 24/7 restoration procedures and their organizational impact (e.g. VM restoration handled by IT support teams).
  8. Secure funding for the backup strategy: Funding for implementing industrial backup best practices must be included in executive roadmaps. While waiting to unlock the necessary budgets, some organizations rely on improvised backup solutions. Care must be taken to ensure these “home-grown” approaches remain secure and do not increase the attack surface (e.g. backups stored on removable media).

Ultimately, OT still has years of catching up to do compared to IT, particularly when it comes to immutable backups. Fortunately, despite its specific constraints, the discipline can rely on proven and mature backup technologies.

At a time when securing a factory can take several years and the likelihood of cyberattacks continues to increase, investing in reliable backups that can be restored quickly is a pragmatic approach that delivers greater peace of mind.