It’s 2 AM on a Saturday. Your security operations centre receives an alert: lateral movement detected across your SCADA network. Anomalous PowerShell activity on an unmanaged jump server. Credentials being harvested from a system that sits outside your EDR coverage.
Your detection tools have done their job. The question is: what happens next?
According to ThreatDown’s 2026 State of Malware report (ThreatDown, 2026), 86% of ransomware attacks are now executed remotely from blind spots in the network, with attackers deliberately timing operations for periods of reduced visibility and response capability. Dwell times have compressed from days to hours. And critically, threat actors now routinely target not just production systems, but the security controls and backup infrastructure that organisations depend on for recovery.
Detection without recovery readiness isn’t resilience—it’s expensive surveillance of your own failure.
Key Takeaways
- The recovery gap is widening: 86% of ransomware attacks now deployed remotely with compressed dwell times, but most organisations remain detection-rich and recovery-poor.
- OT recovery is fundamentally different from IT: Process interdependencies, safety system validation, and minute-scale recovery time objectives make standard IT disaster recovery playbooks inadequate for operational technology environments.
- Australian regulations demand proof of resilience: SOCI Act obligations require demonstrated recovery capabilities, not just threat detection. Risk Management Programs must show you can maintain essential services during and after cyber incidents.
- Supply chain shifts are creating new recovery risks: With 67% of organisations reconsidering supply chains due to economic uncertainty, recovery dependencies are changing and vendor response capabilities must be re-validated.
- Recovery readiness requires five capabilities: Asset inventory with recovery context, tested backup validation, segmented recovery capabilities, third-party coordination, and regulatory evidence trails.
The Recovery Blindspot in OT Environments
Most organisations have invested heavily in threat detection and monitoring. OT networks that were once isolated and invisible now feature comprehensive asset discovery, network traffic analysis, anomaly detection, and integration with security operations centres. This visibility is essential—but it’s table stakes, not sufficient.
The gap between “knowing you’re under attack” and “maintaining operations despite the attack” has become the critical vulnerability in OT cyber resilience strategies.
Claroty’s Global State of CPS Security 2025 (Claroty, 2025) survey of 1,100 cybersecurity professionals found that 45% are concerned about their inability to reduce cyber risk to key assets and processes, while 44% lack confidence in their overall understanding of risk exposure. These concerns are intensifying as 67% of organisations reconsider supply chain geography to mitigate economic and geopolitical uncertainty—a shift that introduces new recovery dependencies and complicates existing business continuity plans.
The attack patterns that are dominating 2025 and 2026 are specifically designed to exploit this recovery blindspot. ThreatDown’s research (ThreatDown, 2026) identifies five key operating patterns that have become standard across ransomware operations:
- Faster attacks: Compressed dwell times leave minimal windows for detection and response
- Working at night: Deliberate timing for periods of low visibility and reduced staffing
- Living off the land: Use of legitimate tools and credentials to blend with normal administrative activity
- Staging from blind spots: Unmanaged and unmonitored systems exploited to stage remote attacks
- Attacking security and backup software: Deliberate targeting of recovery mechanisms to eliminate alternatives to paying ransoms
This final pattern is particularly consequential. Attackers using MITRE ATT&CK technique T1490 routinely delete Windows Volume Shadow Copies, corrupt backup repositories, and disable cloud snapshots before deploying encryption. The message is clear: your recovery capabilities are not just important—they’re primary targets.
For Australian organisations with critical infrastructure assets, this threat landscape intersects with an increasingly demanding regulatory environment. The Security of Critical Infrastructure Act 2018 (SOCI Act) amendments have moved beyond baseline security controls. Entities subject to enhanced cyber security obligations under Part 3A must now demonstrate risk management programs that account for operational resilience. Detection capabilities satisfy the “awareness” requirement, but recovery readiness determines whether you can demonstrate the “management” component that regulators and boards increasingly demand evidence of.
Evidence Snapshot: The Recovery Challenge by Numbers
- 86% of ransomware attacks now executed remotely from unmanaged systems (ThreatDown, 2026)
- USD $4.4 million average total cost of a data breach—6x higher than the average ransom payment (IBM, 2025)
- 5 weeks offline for Jaguar Land Rover following August 2025 cyberattack, with estimated $2.5 billion economic impact (BBC, 2025)
- 2 weeks without medical records for 14 hospitals in Kettering Health system following May 2025 ransomware attack (HIPAA Journal, 2025)
- 80% of SMEs hit by ransomware paid the ransom, but only 60% recovered their data (Hiscox, 2025)
- 73% of organisations re-evaluating third-party remote access to OT operations (Claroty, 2025)
Why OT Recovery Is Different from IT Recovery
The default assumption in many organisations is that operational technology can be recovered using the same playbooks developed for IT systems. This assumption is dangerous and, in practice, demonstrably false.
System Fragility and Process Interdependencies
IT endpoints can typically be reimaged and restored from known-good configurations. A compromised laptop or server can be wiped, rebuilt, and returned to service with relatively low risk once malware is removed and credentials are rotated.
OT systems don’t work this way. Programmable logic controllers (PLCs), human-machine interfaces (HMIs), and SCADA systems often cannot simply be “reimaged.” They require specific firmware versions, vendor-validated configurations, and—critically—process engineering knowledge to ensure that restoration doesn’t introduce safety hazards or operational failures.
Process interdependencies compound this complexity. Restoring one system without understanding its upstream and downstream dependencies can create cascading failures or safety incidents. A water treatment facility, for example, cannot restore chemical dosing controls without first validating that flow sensors and pressure systems are operating correctly. The sequence matters. The timing matters. And the expertise required spans both IT security and process engineering domains—a combination that remains scarce in many organisations.
Time Sensitivity Mismatch
IT disaster recovery planning typically measures recovery time objectives (RTOs) in hours or days. Business systems can operate in degraded mode. Email can queue. Transactions can be deferred.
OT environments measure RTOs in minutes. Every minute of downtime in a manufacturing production line represents lost output that cannot be recovered. Extended outages in power generation or water treatment create public safety concerns and trigger regulatory reporting obligations. The Kettering Health example is instructive: 14 hospitals operating without access to medical records, lab results, or medication histories for nearly two weeks (HIPAA Journal, 2025). This wasn’t just inconvenient—it was a patient safety crisis.
The economic impacts scale rapidly. Jaguar Land Rover’s five-week recovery from a cyberattack in August 2025 cost the company an estimated $50 million per week in lost production, created a $2.5 billion impact on the UK economy, and affected 5,000 organisations across a complex automotive supply chain (BBC, 2025). When Nucor—North America’s largest steel manufacturer—detected unauthorised access in May 2025, the company made the decision to shut down 20 steel mills, recycling centres, and fabrication plants preventatively. The business impact of that decision was significant, but it reflected a calculated judgment that uncontrolled recovery would be worse.
Expertise Gaps and Third-Party Dependencies
IT teams understand servers, endpoints, network infrastructure, and enterprise applications. OT recovery requires process engineering knowledge that IT security professionals typically don’t have, and operational experience that cybersecurity teams haven’t acquired.
This expertise gap is compounded by reliance on third-party vendors for OT systems. According to Claroty’s research (Claroty, 2025), 46% of organisations experienced cybersecurity breaches in the past 12 months caused by third-party vendor access, and 54% discovered security gaps or weaknesses in vendor contracts post-incident. When recovery depends on vendors who may be supporting hundreds of customers simultaneously during a widespread attack campaign, response times extend and recovery windows widen.
For Australian organisations, geographic distribution can further complicate vendor response. While NBN connectivity enables remote support, network architecture designed for resilience becomes critical when recovery depends on reliable, secure remote access under crisis conditions.
The Recovery Readiness Framework
Recovery readiness in OT environments isn’t achieved through a single tool or vendor solution. It requires capabilities across five foundational areas—each of which demands cross-functional coordination between IT, OT, security, and business leadership.
1. Asset Inventory with Recovery Context
Traditional asset inventories answer the question “what do we have?” Recovery-focused inventories must answer “in what order must things be restored?”
This requires process-aware asset taxonomy that maps devices to business functions and understands interdependencies. Which systems are recovery dependencies for others? What can be brought online in isolation, and what requires coordinated restoration sequences? Where are the single points of failure that will block entire recovery paths if not addressed first?
This is where connectivity infrastructure and security become strategic recovery enablers, not just security tools. You need to understand not just what’s connected, but what depends on what—and in what sequence restoration must occur to avoid creating new failures or safety hazards.
2. Tested Backup Validation
The existence of backups does not equal the existence of recovery capability. OT backup strategies must account for:
- Configuration files for PLCs, HMIs, and SCADA systems (not just data)
- Safety system logic and validated sequences
- Network configurations that may be topology-dependent
- Firmware versions and vendor-specific restoration procedures
Regular restore testing in isolated environments is essential—not just to validate that backups are complete and recoverable, but to train the teams who will execute recovery under crisis conditions. This testing must account for the reality that attackers now routinely target backup systems (ThreatDown, 2026). Your backup validation process should assume that primary backup repositories may be compromised and test alternative recovery paths.
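As an added example (not tooling from the article or any vendor it cites), the following Python planner works over a constructed, hypothetical water-treatment inventory: it derives the restoration sequence from declared process dependencies (the "in what order must things be restored?" question of section 1), flags the single points of failure that stall the most downstream restorations, and reports which assets would be left without a tested backup if the primary repository were destroyed before encryption (the assumption section 2 says backup validation must make). All asset names, repositories and dependency edges are constructed.

```python
from collections import defaultdict

# Constructed sample inventory for a hypothetical water-treatment site.
# "needs": systems that must be validated before this asset is restored.
# "backups": repositories holding a restore-tested configuration backup.
ASSETS = {
    "flow-sensors": {"needs": [], "backups": ["primary-nas", "offline-vault"]},
    "pressure-sys": {"needs": [], "backups": ["primary-nas"]},
    "historian": {"needs": [], "backups": ["primary-nas", "cloud-snapshot"]},
    "chem-dosing-plc": {"needs": ["flow-sensors", "pressure-sys"],
                        "backups": ["primary-nas", "offline-vault"]},
    "scada-server": {"needs": ["historian"], "backups": ["primary-nas"]},
    "dosing-hmi": {"needs": ["chem-dosing-plc", "scada-server"],
                   "backups": ["offline-vault"]},
}

def restoration_waves(assets):
    """Kahn's topological sort: groups of assets that can be restored in
    parallel, earliest wave first. Leftover assets mean a cycle or bad edge."""
    indegree = {name: len(spec["needs"]) for name, spec in assets.items()}
    dependents = defaultdict(list)
    for name, spec in assets.items():
        for upstream in spec["needs"]:
            dependents[upstream].append(name)
    wave, waves = sorted(n for n, k in indegree.items() if k == 0), []
    while wave:
        waves.append(wave)
        ready = []
        for name in wave:
            for downstream in dependents[name]:
                indegree[downstream] -= 1
                if indegree[downstream] == 0:
                    ready.append(downstream)
        wave = sorted(ready)
    if sum(len(w) for w in waves) != len(assets):
        raise ValueError("cycle or unknown dependency: restoration order undefined")
    return waves

def blocked_by(assets, asset):
    """Every asset that cannot be restored until `asset` is (transitive)."""
    blocked, frontier = set(), [asset]
    while frontier:
        current = frontier.pop()
        for name, spec in assets.items():
            if current in spec["needs"] and name not in blocked:
                blocked.add(name)
                frontier.append(name)
    return blocked

def single_points_of_failure(assets, threshold=2):
    """Assets whose loss stalls at least `threshold` other restorations."""
    return sorted(a for a in assets if len(blocked_by(assets, a)) >= threshold)

def unrecoverable_if_lost(assets, compromised_repo):
    """Assets whose only tested backups sit in the repository assumed compromised
    (the T1490 case: the primary backup store is destroyed before encryption)."""
    return sorted(name for name, spec in assets.items()
                  if all(repo == compromised_repo for repo in spec["backups"]))
```

Running `unrecoverable_if_lost(ASSETS, "primary-nas")` on the sample inventory shows that the pressure system and SCADA server would have no alternative recovery path, which is exactly the finding a restore test should surface before an incident rather than during one.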
3. Segmented Recovery Capabilities
The ability to isolate and restore critical zones independently is fundamental to OT recovery resilience. Network segmentation in OT environments is often discussed as a security control to limit lateral movement during attacks, but it’s equally critical as a recovery enabler that allows partial operations to continue while other areas are being restored.
This requires network architecture that enables:
- Isolation of compromised segments without taking down entire operations
- Restoration of critical functions first, with less critical systems following in priority order
- Visibility into recovery progress across segmented environments
- Testing of restored segments before reconnection to production
For organisations with distributed operations—common in utilities, water treatment, and resources sectors—this segmentation must work at scale across multiple sites, often with varying levels of local expertise and infrastructure capability.
4. Third-Party Recovery Coordination
Given the vendor dependencies inherent in OT environments and the high likelihood of compromise via third-party access (46% breach rate according to Claroty, 2025), recovery planning must explicitly address vendor coordination.
This goes beyond standard service level agreements. Recovery-focused vendor management requires:
- Vendor response SLAs that account for OT recovery urgency and business impact
- Pre-established emergency access protocols that can be activated without going through standard approval workflows
- Clear escalation paths for OT vendor support during multi-customer incident scenarios
- Visibility into vendor security posture and their own business continuity capabilities
With 73% of organisations now re-evaluating third-party remote access to OT operations (Claroty, 2025), this is an opportune moment to pressure-test not just access controls, but recovery dependencies. As supply chains shift due to economic and geopolitical factors, new vendors mean new recovery procedures that must be validated before they’re needed in crisis.
5. Regulatory Evidence Trail
For Australian critical infrastructure entities, recovery readiness isn’t optional—it’s a regulatory requirement. The SOCI Act’s enhanced cyber security obligations under Part 3A require not just incident response plans, but evidence of resilience capabilities that maintain essential services during and after incidents.
The Critical Infrastructure Risk Management Program (RMP) rules require entities to adopt an “all hazards” approach that explicitly includes cyber incidents. This means:
- Documented recovery procedures that demonstrate capability, not just intent
- Testing evidence that shows procedures work in practice
- Regular reviews that account for changes in threat landscape, infrastructure, and dependencies
- Incident response plans that account for regulatory reporting timelines (which create additional pressure on recovery windows)
Combined with ACSC Essential Eight baseline controls and sector-specific requirements (APRA CPS 234 for financial services with OT components, energy sector resilience obligations), Australian organisations face a regulatory environment that increasingly demands proof of resilience, not just detection capability.
For organisations navigating these obligations, we’ve developed SOCI at a Glance: A Practical Guide for OT Leaders—a resource that translates regulatory requirements into actionable recovery readiness steps.
From Theory to Practice: Testing Recovery Readiness
Most organisations have incident response plans. Fewer have tested those plans against OT-specific scenarios that reflect current attack patterns. Even fewer have validated recovery procedures under the time pressure and coordination challenges that characterise real incidents.
The testing gap manifests in several ways:
Tabletop exercises without OT representation: IR planning that doesn’t include process engineers, plant managers, and OT vendors will fail to surface the operational realities that determine whether recovery plans actually work.
Recovery time assumptions that don’t account for vendor dependencies: Plans that assume vendors will be immediately available during widespread attack campaigns affecting multiple customers simultaneously are likely to encounter reality gaps.
Backup restoration testing that validates data recovery but not operational readiness: Successfully restoring a PLC configuration file doesn’t mean the process it controls will operate safely or correctly once restored.
The current moment of supply chain re-evaluation presents an opportunity. With 67% of organisations reconsidering supply chains due to economic uncertainty (Claroty, 2025), recovery dependencies are already under review. This is the time to pressure-test assumptions about vendor response capabilities, geographic distribution impacts on recovery timelines, and the introduction of new technologies that may not integrate cleanly with existing recovery procedures.
The business case for this investment is increasingly clear. With average breach costs at USD $4.4 million—six times the average ransom payment (IBM, 2025)—and recovery timelines measured in weeks rather than days, the cost of recovery unreadiness far exceeds the cost of building recovery capabilities proactively.
Conclusion
Detection tells you the bad news. Recovery determines whether that news becomes a catastrophic operational failure or a contained incident that maintains business continuity and public safety.
As threat actors compress attack timelines, deliberately target backup infrastructure, and exploit the remote access required for distributed OT operations, organisations need to move beyond “we’ll detect and respond” to “we can maintain operations under fire.”
This isn’t just operational best practice—for Australian critical infrastructure entities, it’s a regulatory requirement under the SOCI Act. Risk Management Programs must demonstrate resilience, not just awareness. And with supply chains shifting due to economic and geopolitical pressures, recovery dependencies that were stable are now in flux.
The conversation about threat landscape evolution and recovery readiness continues at the OT Cyber Resilience Summit in Melbourne this March, where we’ll be hosting a roundtable discussion to further explore these challenges. The session will examine current threat intelligence and how organisations can build recovery capabilities that match the speed and sophistication of adversaries operating at machine scale.
Because in 2026, resilience isn’t measured by what you can detect—it’s measured by what you can recover.
Sources and Further Reading
- ThreatDown (2026). State of Malware 2026: The Dawn of Machine-Scale Cybercrime.
- Claroty (2025). The Global State of CPS Security 2025: Navigating Risk in an Uncertain Economic Landscape. https://claroty.com/resources/reports/the-global-state-of-cps-security-2025-navigating-risk-in-an-uncertain-economic-landscape
- IBM (2025). Cost of a Data Breach Report 2025. https://www.ibm.com/reports/data-breach
- Hiscox (2025). Hiscox Cyber Readiness Report 2025. https://www.hiscoxgroup.com/hiscox-cyber-readiness-report-2025
- BBC (2025). JLR cyberattack caused UK car production to hit 70-year low for September. https://www.bbc.com/news/articles/cvgmp1prnv0o
- HIPAA Journal (2025). Kettering Health Confirmed Patient Data Compromised in May 2025 Ransomware Attack. https://www.hipaajournal.com/kettering-health-ransomware-attack/
- Australian Cyber Security Centre. Essential Eight Maturity Model. https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight
- Australian Government. Security of Critical Infrastructure Act 2018. https://www.legislation.gov.au/C2018A00029/latest/text
- MITRE ATT&CK. T1490: Inhibit System Recovery. https://attack.mitre.org/techniques/T1490/