Knowledge base Updated: February 5, 2026

Business Continuity Plan (BCP) for OT: What if the main control system is unavailable for 24 hours?

Imagine that a cyberattack has completely crippled your central production control system. The incident response team is fighting the threat, but it will take at least 24 hours to restore your systems. What happens to your company during that time? Does production come to a complete standstill, gene

There’s a brutal truth in crisis management that managers often discover too late: the real cost of a cyberattack is rarely the ransom or the data theft itself. The biggest losses are generated by what comes afterwards - crippling downtime. Stopped production lines, unfulfilled orders, contractual penalties and loss of customer confidence are a financial tsunami that can sink even the strongest companies. Fighting the attack itself is only half the battle. The other, and far more important, half is the battle for business survival during and after the crisis.

Many companies have an incident response plan (IRP) that sets out what to do during an attack. Far fewer have a Disaster Recovery Plan (DRP), which describes how to technically restore systems from backups. But only an absolute minority have a true Business Continuity Plan (BCP), which answers the all-important question: “How is our company supposed to make money and meet its obligations when our critical technology systems are unavailable?”

In an operational technology (OT) environment, where technology is inextricably intertwined with the physical process of generating value, this question takes on dramatic importance. Having a Business Continuity Plan for OT is no longer a matter of “good practice” - it is a fundamental element of strategic risk management and a prerequisite for survival in an increasingly uncertain digital world.


What’s more expensive than the cyberattack itself? The downtime that follows it.

When the media reports on ransomware attacks, the main topic is usually the amount of the ransom. In fact, this is often the least of the financial concerns for manufacturing companies. The real costs lie elsewhere. Each hour of unscheduled downtime of a key production line represents hundreds of thousands and sometimes millions of zlotys in lost revenue. An outage lasting several days can easily generate losses many times greater than any ransom demand.

On top of that, there are indirect costs. Failure to produce goods on time means having to pay contractual penalties to your customers. Prolonged downtime can lead to broken contracts and permanent loss of market share to competitors who have been able to maintain continuous supply. Finally, there is the still difficult to quantify but huge cost of loss of reputation and trust.

Understanding this perspective is key. An investment in business continuity planning is not a technology cost. It is a business investment, a form of insurance to protect the company’s fundamental ability to generate revenue under the most difficult circumstances. This is a task for the board and managers, not just the IT department.


IRP, DRP, BCP: Why are these three different plans and why do you need all of them?

In crisis management, these three acronyms are often used interchangeably, which is a serious mistake. They represent three different, though related, plans that together form a comprehensive resilience strategy. The simplest way to explain this is with the analogy of a house fire.

The Incident Response Plan (IRP) is a manual for firefighters. It tells how to fight a fire, how to evacuate people and how to secure the scene. Its goal is to contain an active threat. In the digital world, the IRP tells the CSIRT team how to contain and eliminate a cyber attack.

The Disaster Recovery Plan (DRP) is an instruction manual for the construction team. It tells how to rebuild a burned-out house. Its goal is to technically restore the infrastructure to its pre-disaster condition. In the digital world, a DRP is a detailed procedure for restoring servers, applications and data from backups.

A Business Continuity Plan (BCP) is an instruction manual for a family. It tells where the family will live (e.g., in a hotel), how the children will get to school and how the adults will work while their home is rebuilt. Its goal is to maintain key life and business functions during a crisis. In the digital world, BCP is a strategy that allows a company to continue production and customer service even when IT/OT systems are unavailable.

What is a Business Impact Analysis (BIA) and why is it the heart of business continuity planning?

It is impossible to create an effective Business Continuity Plan without knowing what is really most important to our company. The foundation upon which the entire planning process is based is the Business Impact Analysis (BIA). This is a formal process that aims to identify key business processes and assess what the consequences (financial, operational, reputational) of their interruption would be over time.

In the context of OT, the BIA requires close collaboration between production, finance and safety managers. For each major production line or operational process, the team must work together to answer key questions: “What revenue does this process generate? What contractual penalties do we face for stopping it? What is the impact of an outage lasting an hour, a day, a week? Which processes depend on each other?”

The result of the BIA is a documented, data-driven hierarchy of the criticality of all the company’s processes. It allows you to objectively determine which operations are absolutely essential to the company’s survival and which can wait. This knowledge is invaluable because it allows you to focus your limited resources and efforts on protecting and planning continuity for what really matters.

How do you define the key indicators, i.e. your MTPD, RTO and RPO for each process?

The result of the BIA analysis is the definition of three key indicators for each process, which provide a quantitative framework for further planning. The first and most important is Maximum Tolerable Period of Disruption (MTPD). This is a purely business indicator that determines how long a company can survive the total unavailability of a process before the consequences become catastrophic and irreversible.

Two technical indicators are derived from the MTPD. The Recovery Time Objective (RTO) defines the maximum time within which a particular system or process must be restored after a failure so that the MTPD is not exceeded. If the MTPD for a key line is 24 hours, our RTO for that line’s control system must be much shorter, such as 8 hours, to leave time to stabilize production before the business limit is reached.

The third indicator is the Recovery Point Objective (RPO). It determines how much data loss we can accept as a result of a failure, expressed as a span of time. If the RPO for a production database is 15 minutes, our backup procedures must run at least every 15 minutes. Defining these three metrics for every critical OT system is the foundation for designing adequate restoration and continuity strategies.

Key Concepts in Business Continuity Planning

| Acronym | Name | What does it mean in practice? | The question it answers |
|---|---|---|---|
| BIA | Business Impact Analysis | The process of identifying and assessing the consequences of interrupting key business processes. | “What is most important to us, and what will be the losses if we lose it?” |
| MTPD | Maximum Tolerable Period of Disruption | The maximum time a process can be unavailable before the consequences become catastrophic. | “How long can we survive without this process?” |
| RTO | Recovery Time Objective | The maximum target time to restore a system or process after a disaster. | “How quickly must we restore it?” |
| RPO | Recovery Point Objective | The maximum acceptable amount of lost data, measured as a span of time. | “How much data can we afford to lose?” |

What are the three main strategies for maintaining continuity in OT when digital control fails?

Once we know which processes are critical and what their target recovery times are, we can start designing specific business continuity strategies. In an OT environment, where we are dealing with physical processes, these strategies often differ from typical IT solutions. Essentially, they boil down to three main categories.

The first, and most basic, is to switch to manual control (manual operation). In many cases, machines and plants have manual control capabilities, bypassing computerized systems. This is a strategy that requires skilled and trained operators on site.

The second strategy is to operate in degraded mode. It involves keeping the process running, but with limited capacity or with some functions disabled. This can be made possible by using local, autonomous controllers that can operate without connection to a central SCADA system.

The third and most advanced strategy is full recovery at a backup location (failover). This is the most expensive solution and is used only in the most critical infrastructures, where a near-mirror backup control system is maintained, ready to take over within minutes.

Manual mode: when and how to safely switch to manual control?

The strategy of switching to manual control is often seen as a last resort, but in many scenarios it may be the only way to avoid a complete halt in production. The key to its effectiveness, however, is preparation. It is impossible to improvise control of a complex plant under crisis conditions.

The Business Continuity Plan must include extremely detailed, step-by-step manual operations procedures for each critical process. These procedures must be developed by the most experienced engineers and operators. They must address all aspects of physical safety - what is the correct order to open valves, what are the maximum allowable parameters and what to do in case of unexpected readings.

Equally important is the training and regular exercise of personnel in these procedures. Operators who work every day clicking away at a computer screen must be able to find and operate the appropriate valves and switches on a physical plant under stressful conditions. Regular, simulated exercises in switching to manual mode are absolutely essential if this strategy is to have any chance of success.

Degraded mode: Can your machines operate autonomously without a central SCADA system?

Many modern control systems are designed in a hierarchical fashion. A central SCADA system manages the entire process, but individual machines or production cells are controlled by local PLCs. If the central system fails, these controllers often have the ability to operate in autonomous or “island” mode.

The strategy for working in degraded mode is to use this capability. The BCP plan should define precisely which parts of the process can continue to operate in such a mode. This could mean producing at a lower speed, producing only one standard type of product, or requiring more frequent operator supervision.

It is crucial that the capabilities and limitations of degraded mode are carefully identified and tested well in advance of a crisis. Engineers need to know how to switch systems into this mode, what functions will be unavailable (e.g., advanced diagnostics, reporting) and what additional operational risks are involved.

Minimal restoration: What are the absolute key functions that must be restored first?

In the event of a major failure, trying to restore all systems simultaneously is a recipe for chaos. A mature Disaster Recovery Plan (DRP) must be based on the priorities defined in the BIA analysis. It must clearly define the order in which individual systems and services are restored.

The minimum viable recovery strategy is to identify the absolutely critical subset of functions that are needed to resume the most critical production process. The goal is to restore as quickly as possible just the few systems that will allow revenue generation to resume, even on a limited basis.

For example, instead of recreating the entire SCADA system with advanced analytics and reporting at once, we can first recreate only its core, responsible for control and visualization, and the historical data server, which is essential for quality control. Only after the core production is stabilized are lower-priority systems restored in subsequent stages.
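As an added illustration of the MTPD/RTO/RPO consistency rules defined earlier and of the restoration-order priority described in this section (example code written for this page, not nFlo’s tooling), the script below checks a BIA dataset for targets that cannot honour the business tolerance and then derives a minimal-restoration sequence that respects dependencies; the process names, figures and 8-hour stabilisation margin are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class OtProcess:
    """One row of the BIA: business tolerance, technical targets and actual backup cadence."""
    name: str
    mtpd_h: float                # Maximum Tolerable Period of Disruption, hours (business decision)
    rto_h: float                 # Recovery Time Objective for the controlling system, hours
    rpo_min: float               # Recovery Point Objective, minutes of acceptable data loss
    backup_interval_min: float   # how often backups of this system actually run, minutes
    revenue_per_h: float         # revenue at risk per hour of outage, from the BIA
    depends_on: list[str] = field(default_factory=list)  # systems that must be back first


def check_metrics(p: OtProcess, stabilization_h: float = 0.0) -> list[str]:
    """Return findings where the technical targets cannot honour the business tolerance."""
    findings = []
    # RTO plus the time needed to stabilise production must fit inside the MTPD.
    if p.rto_h + stabilization_h > p.mtpd_h:
        findings.append(f"{p.name}: RTO {p.rto_h} h + stabilisation {stabilization_h} h "
                        f"exceeds MTPD {p.mtpd_h} h")
    # An RPO of N minutes is only achievable if backups run at least every N minutes.
    if p.backup_interval_min > p.rpo_min:
        findings.append(f"{p.name}: backups every {p.backup_interval_min} min cannot meet "
                        f"RPO {p.rpo_min} min")
    return findings


def restore_order(processes: list[OtProcess]) -> list[str]:
    """Minimal-restoration sequence: dependencies first, then the shortest MTPD,
    then the highest revenue at risk. Lower-priority systems naturally come last."""
    done: set[str] = set()
    order: list[str] = []
    while len(order) < len(processes):
        ready = [p for p in processes
                 if p.name not in done and all(d in done for d in p.depends_on)]
        if not ready:
            raise ValueError("circular or unknown dependency in BIA data")
        nxt = min(ready, key=lambda p: (p.mtpd_h, -p.revenue_per_h))
        order.append(nxt.name)
        done.add(nxt.name)
    return order


# Constructed sample BIA for an illustrative plant (assumed figures, not real data).
SAMPLE_BIA = [
    OtProcess("scada_core", mtpd_h=24, rto_h=8, rpo_min=15, backup_interval_min=10,
              revenue_per_h=50_000),
    OtProcess("historian", mtpd_h=24, rto_h=8, rpo_min=15, backup_interval_min=60,
              revenue_per_h=0, depends_on=["scada_core"]),
    OtProcess("line_b_plc", mtpd_h=48, rto_h=44, rpo_min=60, backup_interval_min=30,
              revenue_per_h=20_000),
    OtProcess("reporting", mtpd_h=168, rto_h=48, rpo_min=1440, backup_interval_min=1440,
              revenue_per_h=0, depends_on=["scada_core"]),
]


def audit(processes: list[OtProcess], stabilization_h: float) -> tuple[list[str], list[str]]:
    """Run both checks over a BIA dataset and return (findings, restore order)."""
    findings = [f for p in processes for f in check_metrics(p, stabilization_h)]
    return findings, restore_order(processes)


if __name__ == "__main__":
    found, seq = audit(SAMPLE_BIA, stabilization_h=8)
    print("\n".join(found) or "metrics consistent")
    print("restore order:", " -> ".join(seq))
```

On the sample data the historian’s hourly backups cannot meet its 15-minute RPO and Line B’s RTO leaves no room for stabilisation, while the SCADA core and historian are sequenced ahead of reporting, as the section describes.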

Why must a business continuity plan also consider supply chain dependencies?

Your ability to maintain business continuity doesn’t depend only on your internal systems, but also on your key partners and suppliers. What good is a fully operational plant if your only supplier of a key raw material, or of electricity, fails?

Therefore, a mature Business Continuity Plan must go beyond the walls of your company. It must include a supply chain dependency analysis. You need to identify all key suppliers and subcontractors without whom your production cannot function. Then, assess their own resilience and business continuity plans.

As part of your planning, you should consider strategies to mitigate these risks. These may include diversifying suppliers (having an alternative source of supply), maintaining a strategic inventory of raw materials, or signing contracts with suppliers that guarantee a certain level of service (SLA) even under crisis conditions.

How do you prepare your staff for an emergency?

The best, most detailed plan on paper is worthless if the people who are supposed to execute it don’t know it exists or can’t put it into practice. The human factor is a key component of any business continuity strategy.

Staff preparation must cover two areas: training and drills. All employees who play any role in the BCP plan must receive in-depth training, during which they become familiar with their tasks, procedures and the tools they will use in an emergency.

However, theoretical knowledge alone is not enough. Regular practical exercises are needed to test procedures and build “muscle memory.” These can be simple communication exercises (e.g., testing the emergency notification chain) or more complex simulations in which the team walks through the procedure for switching to manual control as a “dry run” under controlled conditions.

Why is the untested BCP plan just a theoretical document with no value?

Like an incident response plan, an untested Business Continuity Plan is just a collection of good intentions and optimistic assumptions. It is during testing that all of its weaknesses come to light: outdated contact information, incompatible backup systems, unrealistic assumptions about the time required to complete individual activities.

Testing a BCP plan is a complex process. It must include verification of all its elements - from technical procedures (e.g., a trial restoration of the system from a backup in a test environment), to operational procedures (e.g., simulation of manual operation), to organizational procedures (e.g., a crisis communication exercise).

Each test should conclude with a formal report that lists the problems found and provides recommendations for improvement. The Business Continuity Plan must be a living document that is regularly reviewed, updated and improved based on lessons learned from exercises and real-world incidents.

How does having a BCP/DRP plan fit into the emergency management requirements of the NIS2 directive?

The NIS2 directive places great emphasis on an organization’s ability to deal with the effects of major incidents. Article 21 explicitly lists “incident handling, business continuity, such as backup and disaster recovery management, and crisis management” as one of the minimum security measures that critical and important entities must implement.

Having a well-documented and regularly tested Business Continuity Plan and Disaster Recovery Plan is therefore a direct implementation of this requirement. In the event of a post-incident audit, the organization will have to prove that it had formal plans in place to minimize damage and restore critical services as quickly as possible.

The absence of such plans will be treated as gross negligence and evidence of a lack of due diligence, which can result in heavy financial penalties. NIS2 effectively elevates business continuity planning from the status of “good practice” to a firm legal obligation.

How does nFlo support organizations in building and testing realistic business continuity plans for OT?

At nFlo, we understand that creating an effective BCP/DRP plan for an OT environment is a complex project that requires a unique combination of business, operational and technological competencies. Our methodology is based on partnership and guiding our clients step-by-step through the process.

Our consultants facilitate Business Impact Analysis (BIA) workshops, helping your managers identify key processes and define realistic MTPD, RTO and RPO metrics. We work hand-in-hand with your engineers to understand technical capabilities and develop adequate continuity strategies - from manual control procedures to technical recovery plans for SCADA systems.

Our goal is not only to create documentation, but first and foremost to build real resilience. That’s why a key part of our offering is to help you plan and conduct practical exercises and tests. We verify the created plans under controlled conditions, identify their weaknesses and help in their continuous improvement, ensuring that your organization will be realistically prepared to survive a digital crisis.

Can your factory weather the digital storm, or is it a sandcastle?

Having advanced protection systems against cyber attacks is like building solid walls around a castle. It is absolutely essential. But history teaches that even the strongest walls can sometimes fall. True resilience is not just about the thickness of the walls, but more importantly, having a plan for what to do when the enemy breaks in.

Do you know which chambers in your castle are the most important? Do you have a plan for how to defend the treasury, even when the walls are burning? Do your people know how to survive a siege using backup sources and secret passages? These are the questions that the Business Continuity Plan answers.

Ask yourself these questions today. Because in today’s world, the question is no longer “if” the digital storm will come, but “when.” And it depends on your preparation whether your factory will turn out to be a solid fortress that will weather the storm, or just a beautiful sandcastle that will be washed away by the first major wave.
