Factories have embraced connectivity to improve quality, speed, and visibility across supply chains. That same connectivity creates new paths for disruption. In 2025 the sector’s view shifted: cybersecurity is now a business risk that competes with labor and supply chain issues for leadership attention. A recent Rockwell Automation study reported by Cybersecurity Dive placed cyber in the top three risks for manufacturers, and many executives said OT security drives technology investment decisions.
Ransomware activity explains much of the urgency. Zscaler’s 2025 analysis shows a sustained level of attacks against industrial firms, with data‑theft tactics used to increase leverage. Entry points are familiar: stolen credentials, exposed remote services, and third‑party connections. Once inside, attackers move toward systems that can stop a line, corrupt quality data, or leak designs and recipes. Plants still run legacy operating systems and custom applications that are hard to patch, so a minor oversight can have major effects.
Strengthening the Foundation: Visibility, Identity, and Recovery
Progress begins with knowing what you have. Asset inventories in many plants are still partial lists updated during audits. A better approach combines passive discovery on the network with owner and firmware details for each device. With that foundation in place, segment by cell or zone and restrict traffic to what each process requires. The path between IT and OT should be narrow and auditable. Vendor access should pass through a gateway that enforces multifactor authentication and records sessions.
Identity hygiene applies on the plant floor. Shared passwords on engineering workstations and standing admin rights undo careful segmentation. Moving to just‑in‑time access for privileged tasks and requiring stronger authentication for any session that can change a controller’s configuration reduces the chance that one stolen password disrupts production. When integrators need access, grant it for a specific job and remove it afterward.
Monitoring should understand the process. Plants that baseline protocols and expected traffic catch misconfigurations and malicious changes earlier. Alerts should trigger on configuration downloads, unusual writes, or logic changes, not only on known malware signatures. Correlate OT telemetry with your IT detections so a suspicious email to an engineer or an odd VPN login appears alongside changes in the cell. Teams that see the whole chain of events can contain incidents faster.
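The correlation described above, as an added example that is not from the original article or any monitoring product: two constructed feeds (IT detections and OT change events) are joined by user and time. Configuration downloads and writes from sources outside a cell's allow-list raise alerts on their own, and an OT change that follows a suspicious IT signal for the same user within a lookback window is escalated. The field names, detection strings and allow-list are assumptions.

```python
"""Correlate OT change events with IT detections.

Added example; the records below are constructed and their field names are
assumptions, not the schema of any particular monitoring product.
"""
from datetime import datetime, timedelta

# IT-side signals worth pairing with a later OT change (assumed detection names).
SUSPICIOUS_IT = {"phishing attachment quarantined", "login from new country", "impossible travel"}
# Operations that change what a controller does. These are alerted on their own,
# without waiting for a malware signature.
CHANGE_OPS = {"logic_download", "config_write", "mode_change"}
# Assumed allow-list: which engineering workstations may touch each cell.
APPROVED_SOURCES = {"press-line-2": {"EWS-02"}, "paint-1": {"EWS-05"}}

# Constructed sample telemetry for one morning.
IT_EVENTS = [
    {"ts": "2025-03-04T07:52:00", "source": "email", "user": "jsmith",
     "detail": "phishing attachment quarantined"},
    {"ts": "2025-03-04T08:05:00", "source": "vpn", "user": "jsmith",
     "detail": "login from new country"},
    {"ts": "2025-03-04T09:30:00", "source": "vpn", "user": "mlee",
     "detail": "login from usual site"},
]
OT_EVENTS = [
    {"ts": "2025-03-04T08:20:00", "cell": "press-line-2", "src": "EWS-02", "user": "jsmith",
     "op": "logic_download", "target": "PLC-21"},
    {"ts": "2025-03-04T10:10:00", "cell": "paint-1", "src": "EWS-05", "user": "mlee",
     "op": "tag_write", "target": "PLC-33"},
    {"ts": "2025-03-04T02:15:00", "cell": "paint-1", "src": "10.20.5.77", "user": "",
     "op": "tag_write", "target": "PLC-33"},
]

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


def correlate(it_events, ot_events, window_minutes=120):
    """Return one alert per notable OT event, escalated when the same user had a
    suspicious IT signal within window_minutes before the OT event."""
    window = timedelta(minutes=window_minutes)
    suspicious = [e for e in it_events if e["detail"] in SUSPICIOUS_IT]
    alerts = []
    for ot in ot_events:
        t = datetime.fromisoformat(ot["ts"])
        reasons, levels = [], []
        # Rule 1: any operation that changes controller behaviour is notable.
        if ot["op"] in CHANGE_OPS:
            reasons.append(f"{ot['op']} to {ot['target']}")
            levels.append("medium")
        # Rule 2: writes from a source outside the cell's allow-list are worse.
        if ot["src"] not in APPROVED_SOURCES.get(ot["cell"], set()):
            reasons.append(f"source {ot['src']} is not approved for cell {ot['cell']}")
            levels.append("high")
        # Rule 3: link IT signals for the same (non-empty) user inside the lookback window.
        linked = [it for it in suspicious
                  if it["user"] and it["user"] == ot["user"]
                  and timedelta(0) <= t - datetime.fromisoformat(it["ts"]) <= window]
        if linked:
            reasons.extend(f"preceded by IT signal: {it['detail']} ({it['source']})"
                           for it in linked)
            levels.append("critical" if levels else "high")
        if levels:
            alerts.append({"ts": ot["ts"], "cell": ot["cell"], "user": ot["user"],
                           "severity": max(levels, key=SEVERITY_RANK.__getitem__),
                           "reasons": reasons, "linked_it": linked})
    return alerts


if __name__ == "__main__":
    for a in correlate(IT_EVENTS, OT_EVENTS):
        print(a["severity"].upper(), a["ts"], a["cell"], "|", "; ".join(a["reasons"]))
```

On the constructed data the 08:20 logic download to PLC-21 becomes critical because the same user had a quarantined phishing attachment and an unusual VPN login in the preceding half hour, while the 02:15 write from an address outside the cell's allow-list is high on its own. Shrinking the window to ten minutes drops the first alert back to medium, which is the knob a SOC tunes against its own false-positive rate.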
Patching remains difficult in OT, so compensating controls matter. When you cannot patch quickly, reduce reachable pathways, limit what can execute through application allow‑listing, and compare controller logic and HMI configurations against a known‑good baseline so that any change outside an approved window stands out. Above all, assume some systems will need to be rebuilt in an incident. Keep offline, immutable backups of engineering workstations, HMI images, and controller logic. Test restores every quarter on spare hardware. The first time you rebuild a system should not be during a production outage.
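One way to make configuration drift obvious, as an added example rather than code from the article or any vendor tool: hash each asset's exported logic or configuration, keep the hashes of the last approved state as a golden baseline, and compare fresh exports against it. Drift inside an approved change window is expected; drift outside one, an asset that stops exporting, or an asset that was never in the baseline each gets its own finding. The exports, hashes and change windows below are constructed, and the baseline is only updated for changes made inside a window.

```python
"""Detect configuration drift against a golden baseline and tie it to change windows.

Added example; the exports, hashes and change windows are constructed. Real
controller exports would come from the vendor's project export or a passive
monitoring tool, not from inline byte strings.
"""
import hashlib
from datetime import datetime


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "last approved" exports of controller logic and an HMI config.
# In practice these live in the offline backup set alongside the images.
BASELINE_EXPORTS = {
    "PLC-21": b"PROGRAM Main\n  Conveyor := Start AND NOT EStop;\nEND_PROGRAM\n",
    "PLC-33": b"PROGRAM Oven\n  Setpoint := 180;\nEND_PROGRAM\n",
    "HMI-07": b"screen=paint_overview;alarms=enabled\n",
}
BASELINE = {asset: sha256_hex(blob) for asset, blob in BASELINE_EXPORTS.items()}

# Assumed approved change windows per asset (ISO timestamps, inclusive).
CHANGE_WINDOWS = {
    "PLC-33": [("2025-03-04T18:00:00", "2025-03-04T22:00:00")],
}


def in_change_window(asset, ts):
    t = datetime.fromisoformat(ts)
    return any(datetime.fromisoformat(start) <= t <= datetime.fromisoformat(end)
               for start, end in CHANGE_WINDOWS.get(asset, []))


def check_drift(baseline, current_exports, observed_at):
    """Compare fresh exports with the baseline hashes.

    Unchanged assets produce nothing. Drift inside an approved window is
    'expected', drift outside one is 'unapproved', an asset that no longer
    exports is 'missing', and an asset absent from the baseline is 'unknown'.
    """
    findings = []
    for asset, expected in baseline.items():
        blob = current_exports.get(asset)
        if blob is None:
            findings.append({"asset": asset, "status": "missing"})
            continue
        observed = sha256_hex(blob)
        if observed == expected:
            continue
        status = "expected" if in_change_window(asset, observed_at) else "unapproved"
        findings.append({"asset": asset, "status": status,
                         "baseline": expected[:12], "observed": observed[:12]})
    for asset in sorted(current_exports.keys() - baseline.keys()):
        findings.append({"asset": asset, "status": "unknown"})
    return findings


def promote_baseline(baseline, asset, blob, approved_at):
    """Accept a new golden hash only for a change made inside an approved window.
    Returns the updated baseline, or None if the change is not approvable."""
    if not in_change_window(asset, approved_at):
        return None
    updated = dict(baseline)
    updated[asset] = sha256_hex(blob)
    return updated


# Constructed overnight export: PLC-21 lost its E-stop interlock, HMI-07 did not
# answer, and an unlisted PLC-99 appeared on the network.
NIGHT_EXPORTS = {
    "PLC-21": b"PROGRAM Main\n  Conveyor := Start;\nEND_PROGRAM\n",
    "PLC-33": BASELINE_EXPORTS["PLC-33"],
    "PLC-99": b"PROGRAM Test\nEND_PROGRAM\n",
}

if __name__ == "__main__":
    for finding in check_drift(BASELINE, NIGHT_EXPORTS, "2025-03-04T02:30:00"):
        print(finding)
```

The same hash comparison serves the recovery drill: before restoring an HMI image or controller project from the offline set, check that its hash still matches the baseline, and record the result as one of the restore-success figures the program reports.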
Suppliers and machine builders play a central role. Contracts should require software bills of materials, reasonable vulnerability response timelines, and incident‑response commitments, including access to relevant logs. Tabletop a supplier outage scenario with procurement and plant management so that communications, spare parts, and cutover steps are not improvised.
Best‑practice focus areas:
- Visibility and segmentation: current inventory with owner and firmware, cell/zone segmentation, tight IT‑to‑OT pathways.
- Identity and access: phishing‑resistant MFA, just‑in‑time elevation for engineering tasks, session recording for privileged work.
- Monitoring that understands OT: passive network monitoring, alerts on configuration downloads and logic changes, correlation with IT events.
- Compensating controls: allow‑lists and strict change windows where patching is constrained.
- Recovery muscle: offline, immutable backups for HMIs and controllers, quarterly restore tests.
- Supplier accountability: SBOMs, vulnerability timelines, and IR SLAs in contracts; joint exercises with top vendors.
Proving Progress: Integrating Tools and Measuring Resilience
Tool selection then becomes a means to an end. Most plants rely on a core set of capabilities that work together rather than a long list of point products. Network monitoring that understands industrial protocols reveals context that general IT tools cannot see. Endpoint detection on the Windows and Linux hosts near the line closes an important gap. Privileged access management reduces the risk that a powerful account is misused. Multifactor authentication and zero‑trust access make vendor sessions safer. Email security filters the phishing that often starts incidents. Secure backup platforms with immutability and fast restore limit downtime. Vulnerability and configuration management tailored to maintenance cycles keeps systems predictable. Data‑loss controls protect design files and quality data when they leave the network. Deception and honeytokens can reveal lateral movement early.
The recent disruption at Jaguar Land Rover shows why this mix matters. A single incident cascaded from plant operations to suppliers and retail channels. Even when customer‑facing systems are available, stalled production creates real cost. Programs that combine visibility, narrow trust, and proven recovery bounce back faster and carry more credibility with customers.
Boards want proof that progress is concrete. Metrics that resonate include the percentage of OT assets with an assigned owner and current status, the count of direct IT‑to‑OT pathways tracked quarter over quarter, mean time to contain line‑impacting incidents, restore success rates and times for HMIs and controllers, and supplier participation in joint exercises. These measures report on resilience, not just compliance, and they help justify continued investment.
Manufacturing will keep connecting machines, people, and partners. That trend is healthy for the business when the security program keeps pace. Plants that know their environment, keep trust narrow, and practice recovery with their suppliers keep orders moving while others scramble.
References:
- Cybersecurity Dive, “Cybersecurity ranks among top three risks to the manufacturing sector”: https://www.cybersecuritydive.com/news/cybersecurity-ranks-among-top-three-risks-to-manufacturing-sector/757811/
- Cybersecurity Dive, “Zscaler ransomware report: manufacturing targeted”: https://www.cybersecuritydive.com/news/zscaler-ransomware-report-manufacturing-targeted/756147/
- Advanced Manufacturing, “Best practices to safeguard against cyberattacks in the manufacturing industry”: https://www.advancedmanufacturing.org/technologies/software-update/best-practices-to-safeguard-against-cyberattacks-in-the-manufacturing-industry/article_f15e47f5-45b4-4e8a-90d6-358cbcd69220.html
- Cyber Magazine, “Top 10 cybersecurity solutions” (industry roundup): https://cybermagazine.com/top10/top-10-cybersecurity-solutions
- The Record, “Jaguar Land Rover disruption after cyber incident”: https://therecord.media/jaguar-land-rover-disruption-cyber-incident