Tags: OT ransomware, Industrial cybersecurity, Critical infrastructure

Ransomware in OT Environments


Ransomware is malware that encrypts a victim's data and demands payment for the decryption key. The relevant question for OT operators is not how ransomware works — it is how IT ransomware causes OT to stop even when the control systems themselves were never touched.

The pattern across documented OT impact

Five incidents define what ransomware looks like from an OT operator's perspective:

Norsk Hydro (LockerGoga, 2019). Ransomware encrypted roughly 22,000 IT endpoints across 170 sites globally. The smelters and rolling mills kept running — operators fell back to manual processes using paper and legacy systems. Damage was estimated at $70M+. No control-system malware was deployed.

Colonial Pipeline (DarkSide, 2021). Ransomware hit the billing systems. The pipeline itself was not compromised. The operator shut down 8,850 km of pipeline for five days as a precaution because the absence of billing data meant they could not bill downstream shippers. Fuel shortages across the US East Coast followed.

JBS Foods (REvil, 2021). Ransomware against IT systems forced a temporary halt at meat-processing plants in the US, Canada, and Australia. The company paid $11M. Control systems on the plant floor were not encrypted.

Clorox (2023). An unspecified cyber event — attributed to Scattered Spider — disrupted IT systems enough to halt production at multiple facilities for weeks. Annual revenue impact was $356M.

MKS Instruments (2023). Ransomware hit corporate IT during a semiconductor industry slowdown. Fab production at customer sites that depended on MKS for equipment-control software was disrupted.

The common structural cause

IT ransomware produces OT impact through shared dependencies, not direct compromise of controllers:

  1. Shared authentication. OT operators log into engineering workstations using the same Active Directory that is now locked or deleted.
  2. Shared file services. Production orders, recipes, and G-code sit on IT file servers that are now encrypted.
  3. Shared historians and MES. Batch records, quality data, and shift reports cannot be written, so production cannot be released.
  4. Precautionary shutdown. Even if no OT system is technically impaired, operators cannot verify system integrity and shut down deliberately.

What reduces OT ransomware impact

Three patterns consistently show up in post-incident reviews as factors that limited impact:

  • Network-layer isolation between IT and OT. Not just a firewall rule — an identity-enforced boundary where IT malware cannot traverse to OT assets even if an engineer's credentials are stolen.
  • Independent authentication for OT. A separate identity system for OT access so that IT AD compromise does not lock OT operators out of their own systems.
  • Production-independence runbooks. Pre-planned manual procedures for running production without IT dependencies — the Norsk Hydro pattern.
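As an added illustration of both the shared-dependency mechanism above and the decoupling controls (example code, not Trout's or the page's own), the constructed Python model below propagates an IT ransomware outage through a hypothetical plant's dependency map and compares the OT blast radius before and after OT authentication and file services are separated from IT. The plant inventory, node names and services are assumptions.

```python
# Constructed inventory for a hypothetical plant: each node maps to the
# services it cannot operate without. Nothing here models an OT compromise;
# impairment propagates purely through shared dependencies on IT services.
IT_COUPLED = {
    "it-ad": set(),
    "it-fileserver": {"it-ad"},
    "it-mes": {"it-ad"},
    "ot-ad": set(),
    "plc-line1": set(),
    "historian": {"ot-ad"},
    "eng-workstation": {"it-ad"},                          # shared authentication
    "recipe-load-line1": {"it-fileserver", "plc-line1"},   # shared file services
    "batch-release": {"it-mes", "historian"},              # shared MES
}

def propagate(deps, initially_down):
    """Transitive closure: a node is down if any of its dependencies is down."""
    down = set(initially_down)
    changed = True
    while changed:
        changed = False
        for node, needs in deps.items():
            if node not in down and needs & down:
                down.add(node)
                changed = True
    return down

def ot_impact(deps, it_services_down):
    """Sorted OT-side nodes (anything not prefixed 'it-') that stop when the
    given IT services are encrypted."""
    return sorted(n for n in propagate(deps, it_services_down)
                  if not n.startswith("it-"))

def decoupled(deps):
    """Apply the structural controls: OT logins against ot-ad and recipes on
    an OT-side file share (hypothetical 'ot-fileshare' node)."""
    fixed = {k: set(v) for k, v in deps.items()}
    fixed["ot-fileshare"] = {"ot-ad"}
    fixed["eng-workstation"] = {"ot-ad"}
    fixed["recipe-load-line1"] = {"ot-fileshare", "plc-line1"}
    return fixed

if __name__ == "__main__":
    it_down = {"it-ad", "it-fileserver", "it-mes"}
    print("coupled:  ", ot_impact(IT_COUPLED, it_down))
    print("decoupled:", ot_impact(decoupled(IT_COUPLED), it_down))
```

In the decoupled run only batch release still stops, because it depends on the IT-hosted MES; that residual dependency is exactly the one a production-independence runbook has to cover.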

Regular backups, endpoint protection, and employee training remain table stakes for the IT side. The OT-specific controls are structural.


Access Gate connection

Access Gate provides identity-enforced isolation between IT and OT with independent authentication — limiting ransomware blast radius by preventing traversal and keeping OT login paths intact when IT AD is compromised. See DoD Zero Trust OT Alignment.