Gabriel Marcus, a well-known cyber architect and Google's cyber champion for 2022, discusses industrial cybersecurity, the core challenges facing ICS and OT organizations, and why the future of defense is not only prevention but also containment, recovery, and operational continuity.
According to Marcus, ICS integrates hardware, software, and network connectivity for running and supporting critical infrastructure. That creates a dual challenge for industrial cybersecurity: on the one hand, identifying and defeating malicious activity, and on the other hand, ensuring a swift recovery from any successful attack before it causes widespread damage, production delays, and major cost issues.
In industrial environments, the real challenge is not only stopping an attack, but recovering fast enough that downtime does not become the most damaging part of the incident.
Marcus explains that in the world of critical infrastructure, the challenge is not merely preventing intrusion. It is managing the full cycle of risk, from the possibility of a threat to the point of returning to normal operations after an attack. With the increasing rate of attacks on critical infrastructure, every organization must be prepared with a recovery plan. It is no longer a question of "if" but of "when".
He agrees that it should. Business continuity is often described only in terms of firewalls, detection, and threat elimination, but in reality it must also address attack scenarios, incident response, containment, and the return to normal operations. In the current threat environment, preparation for the aftermath of an attack is just as important as prevention.
Marcus points to downtime as the major weakness. In his view, organizations today do not simply "defend"; they contain and recover. When production lines stop or operational systems are disrupted, the damage is measured not only in lost data but also in halted production, delayed delivery, and significant business cost.
Until a few years ago, many OT companies used, and some still use, manual or semi-automatic backup solutions such as Ghost, Acronis, and NetApp. Marcus notes that while these may be good backup solutions, they leave organizations with two main problems: first, attackers are aware of them and may target them directly, including through ransomware that reaches backup protocols over the network; and second, full recovery after a ransomware attack may take days, depending on the size and scope of the affected data.
That is why, in his view, the real modern solution must include a fast offline recovery device that cannot easily be attacked and that also provides very rapid recovery capability.
In OT, the primary goal is not necessarily restoring the latest version of a file, but reducing downtime and returning the operation to production as quickly as possible.
Marcus explains that in the IT world, where data is the main concern, efforts revolve around protecting information and sometimes restoring files to a specific prior minute. In OT, however, the dominant concern is operational continuity. As a result, the answer depends on the organization, its tolerance for downtime, and its willingness to accept ransomware-related risk. He also emphasizes that organizations cannot be everywhere all the time, so automatic solutions are essential.
Marcus jokes that, for starters, he was not able to hack it. He explains that the solution consists of a cyber recovery unit, agent software, and a monitoring system. The recovery unit is based on patented air-gapped technology and is designed to resist both infrastructure-level and application-level attacks. One of its major advantages, according to Marcus, is the ability to recover systems in record time and dramatically reduce the cost impact of a ransomware attack.
He adds that the combination of unique hardware and software, developed in a dedicated lab environment, makes it extremely difficult to reverse-engineer the product, find vulnerabilities in it, or develop zero-day attacks against it.
Marcus believes the field will continue to evolve at an even faster pace. The world is moving into a period in which OT becomes a key element of infrastructure development and production. Computers will be faster, capabilities will improve, and understanding of cyber warfare will become far more advanced.
He also points to Ransomware as a Service as an already large and still-growing industry that will continue to become more impactful and dangerous. Organizations, therefore, will need to move faster, adapt more aggressively, and remain agile in an environment where the threat landscape never stops changing.