Manufacturers are facing a rapidly evolving cyber threat landscape. Attackers are leveraging legacy operational technology (OT) systems and are looking to capitalize on the growing landscape of IT/OT convergence. What’s more, operational dependencies and global supply chain pressures amplify the attack surface and create an even more fertile ground for cyberattacks, particularly ransomware. The question is no longer whether attackers will target manufacturing organizations, but rather when they will strike.
Manufacturing in the crosshairs
Recent industry reports, such as those from Dragos, confirm what many security leaders already know: Manufacturing is now one of the most targeted industry sectors for ransomware attacks. Unlike industries rich in consumer data, manufacturing organizations are viewed by attackers as a path of least resistance. Operational disruption – rather than data theft – is the goal. Less regulatory oversight compared to sectors like energy or finance, paired with less mature cybersecurity programs, makes manufacturers particularly vulnerable.
The evidence is clear: Even though many manufacturers may not feel like they are a high-profile target, the data shows that this sector is being targeted specifically in its operational environment. Furthermore, it’s been well-documented that ransomware attacks on OT environments can cost millions in downtime per hour.
Understanding the OT risk landscape
The past year has intensified these challenges due to increased connectivity and the introduction of AI-driven attacks. Furthermore, supply chain vulnerabilities mean manufacturers must secure not only their facilities but also the products they deliver. As the threat landscape expands, it becomes ever more vital for manufacturers of network-connected devices to ensure their products are secure by design.
The most pressing threats include:
- Ransomware and extortion attacks: Manufacturing remains a highly targeted sector for ransomware because attackers know that downtime means lost revenue. These attacks often aim to halt production lines, forcing companies into costly ransom payments.
- Legacy system vulnerabilities: Many OT environments still rely on aging operating systems and hardware that cannot be patched or replaced easily. These legacy systems often lack basic security controls, making them easy entry points for attackers. There is also an ongoing push to connect more devices to enterprise networks, further increasing vulnerabilities.
- Supply chain exploitation: Adversaries increasingly target third-party vendors and contractors that maintain privileged access to OT systems. A single compromised vendor account can provide attackers with a direct path into critical infrastructure.
- Insider and human error risks: Operational teams under pressure to maintain uptime may bypass security protocols, inadvertently creating vulnerabilities. Lack of OT-specific cybersecurity training compounds this risk.
- Emerging threat vectors: The rise of AI-driven attacks, advanced persistent threats (APTs) and the weaponization of industrial IoT devices are accelerating the complexity and scale of OT threats.
Legacy systems meet IT/OT convergence
Many manufacturers face the daunting task of replacing aging systems like Windows XP, which is both costly and disruptive, often necessitating complete plant shutdowns. Additionally, these legacy systems are frequently linked to expensive equipment, making upgrades difficult.
Compounding the issue is the reliance on third-party expertise for programming these systems, leaving manufacturers without sufficient in-house knowledge about maintenance, program changes or device updates. Additional challenges come in the form of convergence, where IT and OT systems become more integrated to meet the demand for real-time analytics and remote monitoring. While this integration is more important than ever for a business to maximize its competitive advantage, every new connection point ultimately creates another potential entryway for attackers.
Building a resilient OT security program: prescriptive measures
In our experience, given the current threat landscape, these 10 steps can elevate a manufacturer’s security over its OT environment:
Step 1: Establish governance. Define who owns OT security – for example, the CISO or COO, or a joint team. Ensure they have authority to act. Align on a framework such as the NIST Cybersecurity Framework 2.0 (NIST CSF 2.0) or IEC 62443. Ensure there is a strong relationship between plant leadership and the person governing OT security.
Step 2: Segment the network. Network segmentation is a critical OT security practice. Not only does it deliver high ROI, but it also limits lateral movement and contains breaches.
Step 3: Gain visibility. Inventory all assets, especially legacy devices; it’s vital to know what’s there so that the organization knows how to protect it. Monitor network traffic for anomalies. Use tools that can discover assets, provide visibility into the environment and detect any issues.
Step 4: Plan for resilience. Disaster recovery and business continuity planning are essential. Assume some level of exposure and prepare to maintain operations during disruptions.
Step 5: Limit internet exposure of OT. Reduce or eliminate direct OT internet connectivity. Use industrial DMZs, allowlisting and unidirectional gateways.
Step 6: Harden access and privilege. Enforce separation of standard versus privileged accounts. Adopt just-in-time access and session recording.
Step 7: Provide role-based OT cyber training. Provide recurring, role-tailored training for engineers, maintenance and site leadership.
Step 8: Establish device and media control. Prohibit unauthorized devices and removable media. Lock down USB ports and scan media before use.
Step 9: Plan OT incident response. Create OT-specific playbooks. Run tabletop and plant floor exercises.
Step 10: Validate controls independently. Conduct periodic third-party assessments against IEC 62443/NIST CSF. Use red/purple teaming.
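Steps 2, 3 and 5 lend themselves to a continuous check rather than a once-a-year audit. The Python script below is an added example, not code from the article or from Protiviti: it takes a constructed asset inventory and a handful of constructed flow records, maps addresses to Purdue-style zones, and reports three kinds of finding (a device on the network that is missing from the inventory, a flow that crosses a zone boundary not on the allowlist, and an end-of-life asset exchanging traffic with the enterprise network or the internet). The zone names, subnets, allowed zone pairs and end-of-life OS list are assumptions to be replaced with the plant's own.

```python
"""Segmentation and visibility check over an OT asset inventory.

Added example; not code from the article or from Protiviti. Zone names
(Purdue-style levels), subnets, the allowed zone pairs, the end-of-life OS
list, and every asset and flow record below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Which subnet belongs to which zone (assumed layout).
ZONE_SUBNETS = {
    "enterprise": ip_network("10.10.0.0/16"),     # Level 4/5: business IT
    "idmz":       ip_network("10.20.0.0/24"),     # Level 3.5: industrial DMZ
    "site_ops":   ip_network("10.30.0.0/24"),     # Level 3: historians, jump hosts
    "control":    ip_network("192.168.50.0/24"),  # Levels 0-2: PLCs, HMIs
}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zone pairs allowed to talk; anything else crosses a boundary it should not.
# Note that neither "enterprise" nor "internet" ever pairs with "control".
ALLOWED_FLOWS = {
    ("enterprise", "idmz"), ("idmz", "enterprise"),
    ("idmz", "site_ops"), ("site_ops", "idmz"),
    ("site_ops", "control"), ("control", "site_ops"),
    ("site_ops", "site_ops"), ("control", "control"),
}

# Operating systems treated as unsupported for this check (assumed list).
EOL_OS = {"windows xp", "windows 7", "windows server 2003"}


@dataclass(frozen=True)
class Asset:
    name: str
    ip: str
    os: str


def zone_of(ip: str) -> str:
    """Map an address to a zone; unmapped private space is its own category."""
    addr = ip_address(ip)
    for zone, net in ZONE_SUBNETS.items():
        if addr in net:
            return zone
    if any(addr in net for net in RFC1918):
        return "unknown_internal"
    return "internet"


# Constructed inventory (Step 3) ...
ASSETS = [
    Asset("erp-app-01", "10.10.5.20", "Windows Server 2019"),
    Asset("jump-host-01", "10.20.0.10", "Windows Server 2019"),
    Asset("historian-01", "10.30.0.15", "Windows Server 2016"),
    Asset("hmi-line3", "192.168.50.21", "Windows XP"),
    Asset("plc-line3", "192.168.50.31", "Vendor firmware 2.4"),
]
# ... and constructed flow records (src, dst, dst_port) as a sensor might summarise them.
FLOWS = [
    ("10.10.5.20", "10.20.0.10", 443),        # ERP -> jump host in the iDMZ: allowed
    ("10.20.0.10", "10.30.0.15", 3389),       # jump host -> historian: allowed
    ("10.30.0.15", "192.168.50.31", 502),     # historian -> PLC (Modbus): allowed
    ("10.10.5.20", "192.168.50.21", 445),     # enterprise straight to an XP HMI
    ("192.168.50.21", "198.51.100.23", 443),  # XP HMI reaching the internet
    ("192.168.50.99", "192.168.50.31", 502),  # device not in inventory talking to PLC
]


def audit(assets, flows):
    """Return (category, detail) findings for the three checks."""
    inventory = {a.ip: a for a in assets}
    reported_unknown = set()
    findings = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        # Step 3: an internal address absent from the inventory is a visibility gap.
        for ip in (src, dst):
            if zone_of(ip) != "internet" and ip not in inventory and ip not in reported_unknown:
                reported_unknown.add(ip)
                findings.append(("unknown-asset", f"{ip} seen on the network but not in inventory"))
        # Step 2: flows must stay within the allowlisted zone pairs.
        if (src_zone, dst_zone) not in ALLOWED_FLOWS:
            findings.append(("segmentation", f"{src} ({src_zone}) -> {dst}:{port} ({dst_zone})"))
        # Step 5: an end-of-life asset talking to enterprise or internet is exposed.
        for ip, peer_zone in ((src, dst_zone), (dst, src_zone)):
            asset = inventory.get(ip)
            if asset and asset.os.lower() in EOL_OS and peer_zone in ("enterprise", "internet"):
                findings.append(("eol-exposure", f"{asset.name} ({asset.os}) exchanges traffic with {peer_zone}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = {}
    for kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for kind, detail in audit(ASSETS, FLOWS):
        print(f"[{kind}] {detail}")
```

Run as-is, it prints five findings: one unknown device, two segmentation violations and two exposures of the Windows XP HMI. In a real deployment the inventory would come from the discovery tooling and the flows from a span-port sensor or firewall logs, and the allowlist should mirror the firewall policy so that both are reviewed and changed in the same place.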
Don’t overlook third-party risk
Many manufacturers rely on vendors for programming and maintenance. This creates a number of hidden risks that should be managed via the following processes and policies:
- Per-individual identity and logging (no shared vendor accounts)
- Time-boxed, brokered remote access via bastion hosts with MFA
- Vendor device policy (no unmanaged laptops on OT networks)
- Automated offboarding and periodic recertification of vendor access
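The four controls above can be verified against the records a bastion host and identity provider already produce. The script below is an added example, not code from the article or from Protiviti: it audits constructed vendor-access grants and session records for shared accounts, sessions outside the approved time box, sessions that bypassed MFA or the bastion, unmanaged devices, accounts still in use after the person's engagement ended, and grants overdue for recertification. The account names, session fields and the 90-day recertification interval are all constructed or assumed.

```python
"""Vendor remote-access audit over constructed grant and session records.

Added example; not code from the article or from Protiviti. Account names,
identities, timestamps, the session field names and the 90-day
recertification interval are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECERT_INTERVAL = timedelta(days=90)  # assumed policy value


def ts(s):
    """Parse a constructed timestamp such as '2024-05-06 08:15'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Approved grants per vendor account (constructed). "window" is the time box in
# which the account may be used; "engagement_end" is set once the person leaves.
GRANTS = {
    "vend-acme-jsmith": dict(person="jsmith@acme.example", window=(ts("2024-05-06 08:00"), ts("2024-05-06 17:00")),
                             recertified=ts("2024-03-01 00:00"), engagement_end=None),
    "vend-acme-shared": dict(person="jsmith@acme.example", window=(ts("2024-05-06 08:00"), ts("2024-05-06 17:00")),
                             recertified=ts("2024-02-20 00:00"), engagement_end=None),
    "vend-beta-kwong":  dict(person="kwong@beta.example", window=(ts("2024-05-06 08:00"), ts("2024-05-06 17:00")),
                             recertified=ts("2024-04-01 00:00"), engagement_end=None),
    "vend-gamma-pdiaz": dict(person="pdiaz@gamma.example", window=(ts("2024-05-06 08:00"), ts("2024-05-06 17:00")),
                             recertified=ts("2024-01-10 00:00"), engagement_end=ts("2024-04-15 00:00")),
}

# Session records as a bastion host joined with identity-provider logs might
# produce them (constructed). "idp_user" is the MFA identity behind the session.
SESSIONS = [
    dict(account="vend-acme-jsmith", idp_user="jsmith@acme.example", start=ts("2024-05-06 09:10"),
         end=ts("2024-05-06 11:40"), mfa=True, via_bastion=True, device_managed=True),
    dict(account="vend-acme-shared", idp_user="jsmith@acme.example", start=ts("2024-05-06 09:00"),
         end=ts("2024-05-06 10:00"), mfa=True, via_bastion=True, device_managed=True),
    dict(account="vend-acme-shared", idp_user="rlee@acme.example", start=ts("2024-05-06 13:00"),
         end=ts("2024-05-06 14:30"), mfa=True, via_bastion=True, device_managed=True),
    dict(account="vend-beta-kwong", idp_user="kwong@beta.example", start=ts("2024-05-06 16:30"),
         end=ts("2024-05-06 20:30"), mfa=True, via_bastion=True, device_managed=False),
    dict(account="vend-beta-kwong", idp_user="kwong@beta.example", start=ts("2024-05-06 10:00"),
         end=ts("2024-05-06 10:20"), mfa=False, via_bastion=False, device_managed=True),
    dict(account="vend-gamma-pdiaz", idp_user="pdiaz@gamma.example", start=ts("2024-05-06 15:00"),
         end=ts("2024-05-06 15:45"), mfa=True, via_bastion=True, device_managed=True),
]


def audit_vendor_access(grants, sessions, now):
    """Return (category, detail) findings for the vendor-access controls."""
    findings = []
    users_per_account = defaultdict(set)
    for s in sessions:
        users_per_account[s["account"]].add(s["idp_user"])
        grant = grants.get(s["account"])
        if grant is None:
            findings.append(("unknown-account", f"{s['account']} has no approved grant"))
            continue
        win_start, win_end = grant["window"]
        # Time-boxed access: the whole session must sit inside the approved window.
        if s["start"] < win_start or s["end"] > win_end:
            findings.append(("outside-window", f"{s['account']} active {s['start']}..{s['end']}"))
        # Brokered access: every session goes through the bastion with MFA.
        if not (s["mfa"] and s["via_bastion"]):
            findings.append(("unbrokered-access", f"{s['account']} at {s['start']} bypassed bastion or MFA"))
        # Vendor device policy: no unmanaged laptops on OT networks.
        if not s["device_managed"]:
            findings.append(("unmanaged-device", f"{s['account']} at {s['start']} from an unmanaged device"))
        # Offboarding: no activity after the person's engagement ended.
        if grant["engagement_end"] is not None and s["start"] > grant["engagement_end"]:
            findings.append(("offboarding-gap", f"{s['account']} used after {grant['engagement_end'].date()}"))
    # Per-individual identity: one account must map to exactly one person.
    for account, users in users_per_account.items():
        if len(users) > 1:
            findings.append(("shared-account", f"{account} used by {sorted(users)}"))
    # Periodic recertification of every grant, used or not.
    for account, grant in grants.items():
        if now - grant["recertified"] > RECERT_INTERVAL:
            findings.append(("stale-recertification", f"{account} last recertified {grant['recertified'].date()}"))
    return findings


def summarize(findings):
    """Count findings per category."""
    counts = defaultdict(int)
    for kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    for kind, detail in audit_vendor_access(GRANTS, SESSIONS, ts("2024-05-07 00:00")):
        print(f"[{kind}] {detail}")
```

Each of the six findings maps back to one of the four bullets, and the recertification check deliberately runs over every grant rather than only the accounts seen in sessions, since a dormant vendor account that nobody recertifies is exactly the one that tends to be forgotten at offboarding time.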
Cross-functional collaboration is non-negotiable
OT security isn’t just a cybersecurity problem; it’s an operational imperative. Security and operations teams must work together to balance agility with protection. Historically, IT and OT teams have operated in separate spheres, often with conflicting priorities: IT focuses on confidentiality and data integrity, while OT prioritizes uptime and safety.
This divide can create vulnerabilities, especially if security measures impede operations or if operational changes bypass security protocols. Effective OT security programs demand collaboration between these groups to align on shared objectives, such as maintaining production while reducing cyber risk.
Bottom line
Today’s OT environments are becoming more deeply interconnected with IT networks, cloud platforms and third-party ecosystems. This newfound level of convergence is creating an expanded attack surface, making OT systems prime targets for cybercriminals and nation-state actors.
Research and real-world reports show that manufacturing OT environments are prime targets for attacks. Legacy systems, IT/OT convergence and third-party dependencies make the challenge complex, but not insurmountable. A key point is that OT security cannot be viewed solely as a cybersecurity issue; it has become an enterprisewide operational imperative. A successful attack can disrupt production, compromise safety and damage brand reputation. Organizations that fail to act risk not only financial loss but also regulatory penalties and erosion of customer trust.
The path forward requires a layered defense strategy: strong governance, network segmentation, continuous monitoring and robust incident response planning. With clear governance, layered defenses and a culture of collaboration, manufacturers can build resilience and keep production lines running securely.
Protiviti Associate Director Derek Dunkel-JahanTigh contributed to this article.