Launch an OT Security Program for Manufacturing
Analyst perspective
Turn OT security complexity into clear priorities
This research is designed to give CIOs a practical, defensible way to understand, prioritize, and act on OT security risk in manufacturing environments. Rather than attempting to catalog every possible control or threat, it focuses on helping CIOs make informed decisions about where to focus attention, funding, and leadership effort first. The research translates the complexity of OT, such as ICS, SCADA, PLCs, and IIoT, into a structured assessment, prioritization, and action framework that can be applied immediately.
The urgency for this research is clear. Manufacturing continues to be one of the most frequently targeted industrial sectors, with ransomware and disruptive cyber activity increasingly intersecting with operational environments. Public advisories and threat reporting consistently highlight persistent exposure in industrial networks, including weak segmentation, unmanaged remote access, and insufficient containment and recovery capabilities. For CIOs, this reinforces the need to reduce adversary dwell time, prevent escalation from IT environments into OT, and ensure the organization can contain and recover from incidents without prolonged production or safety impacts.
At the same time, manufacturers are accelerating digital initiatives such as connected operations, advanced analytics, and automation, which expand the attack surface and introduce new dependencies between business systems and the factory floor. As these initiatives scale, cybersecurity has emerged as a top external risk cited by manufacturing executives, particularly where legacy equipment, third-party access, and limited maintenance windows constrain traditional security approaches.
Against this backdrop, this blueprint provides a CIO-oriented approach that connects business risk appetite to operational realities. The goal is not to run a compliance audit, but to enable security leadership to move from reactive firefighting to deliberate, prioritized execution. By grounding decisions in recognized threat models and practical operating constraints, the research helps CIOs build measurable, board-visible resilience that protects people, production, and profitability.
Shreyas Shukla
Principal Research Director, Industry
Info-Tech Research Group
Executive summary
Your Challenge
Fragmented visibility across assets, connectivity, and plants prevents CIOs from forming a clear, shared view of where risk truly resides and what requires immediate action.
Aging control systems, vendor-dependent architectures, and bespoke integrations limit control options and force difficult trade-offs between security, uptime, safety, and maintainability.
Inadequate segmentation, remote access sprawl, and uneven monitoring allow threats to move laterally, turning isolated incidents into production and safety impacts.
OT security responsibilities span IT, engineering, operations, and third parties, but ownership is rarely explicit, leading to inconsistent execution and misaligned risk tolerance.
Common Obstacles
Many OT assets lack native telemetry, logging, or standardized protocols, making it difficult to establish a consistent, enterprise-wide view of asset behavior and security posture.
Scarce maintenance windows, restart limitations, and safety-critical processes cause engineering teams to prioritize availability and stability over proactive security changes.
Proprietary technologies, external support models, and contractual constraints limit the organization's ability to enforce uniform access, monitoring, and change controls.
IT, OT, engineering, and third parties operate with different priorities and risk language, preventing clear ownership, slowing decisions, and leaving risk unquantified at the business level.
Info-Tech's Approach
Focus assessment and discovery effort on the OT assets, access paths, and dependencies that materially affect safety, uptime, and business risk, rather than attempting exhaustive inventories upfront.
Identify where adversarial activity would most likely escalate or disrupt operations and concentrate effort on limiting blast radius, preserving production continuity, and improving recovery readiness.
Translate leadership risk appetite into clear urgency signals so teams know where security changes are required now versus where risk is consciously accepted.
Establish accountability across IT, OT, engineering, and operations to prevent stalled initiatives.
OT security success is defined less by stopping every intrusion and more by preventing localized issues from becoming enterprise-level disruptions.
Manufacturers struggle to keep pace with emerging threats
Manufacturers are being hacked more easily in part because OT environments are now highly connected, complex, and full of exposed, vulnerable devices and remote access paths.
Attackers are gaining a deeper understanding of OT, while manufacturers deploy digital twins, IIoT, 5G, and AI/ML that expand the attack surface.
More exposed OT devices
BitSight reported that global ICS/OT exposure to the public internet rose 12% in 2024, with more than 180,000 ICS/OT devices visible each month and a trend toward roughly 200,000 in 2025.¹
Insecure remote access and segmentation gaps
Dragos's OT Year in Review found that 65% of industrial sites it assessed had insecure remote access conditions, including default credentials, unpatched VPNs, and exposed RDP sessions into OT networks.²
Increasing friction between IT and OT
A global OT security study by ABI Research and Palo Alto Networks observed friction between IT and OT teams in 40% of organizations and noted that 72% of attacks originated in IT before moving laterally into OT.³
"…only 14% of organizations report feeling fully prepared for emerging threats, highlighting a persistent capability and cultural divide between IT and OT teams."⁴
– Industrial Cyber
Sources:
1 – "BitSight warns of…," Industrial Cyber, 2025.
2 – "8th Annual Year…," Dragos, 2025.
3 – "Palo Alto Networks…," Palo Alto Networks, 2024.
4 – "OT cybersecurity culture…," Industrial Cyber, 2025.
[Figure: Purdue Enterprise Reference Architecture for a modern manufacturer. Illustrative, not meant to be specific or exhaustive.]
Your Challenge
Manufacturers lack a shared, decision-grade view of OT security risk.
CIOs and operational leaders often have fragmented visibility into assets, connectivity, and exposure across plants, making it difficult to confidently assess what truly matters, where risk is concentrated, and which issues warrant immediate action versus longer-term attention.
OT environments were not designed for today's threat landscape, yet they must be secured without disrupting production.
Manufacturers depend on legacy control systems, tightly coupled vendor solutions, and custom integrations that predate modern cyberthreats. These realities limit the feasibility of traditional security controls and force CIOs to balance risk reduction against uptime, safety, and maintenance constraints.
Threats that traverse IT and OT remain difficult to detect, contain, and prioritize.
Weak segmentation, unmanaged remote access, and inconsistent monitoring allow adversaries to move laterally between enterprise and operational environments. When containment capabilities are unclear or untested, localized incidents can escalate into production outages, safety risks, and enterprise-wide disruption.
Accountability for OT security decisions is inconsistently applied.
Responsibilities are often split across IT, engineering, operations, and third parties without clear decision rights or ownership. This fragmentation makes it difficult to align on risk tolerance, enforce consistent practices, or communicate security priorities in business terms that resonate with executives and the board.
The primary OT security failure in manufacturing is not a lack of controls, but a lack of prioritization.
OT makes securing manufacturing organizations complex
Cybersecurity complexity in manufacturing is being driven by:
- Global escalation of geopolitical tensions and conflicts
- Complex supply chains and increasing lack of transparency and predictability among suppliers, partners, and distributors
- Escalating pace of technology adoption leading to new attack surfaces
- Increasing compliance burden due to regulatory requirements
- Understaffed and underskilled security teams
- Rapidly growing sophistication of threat actors and the proliferation of nation-state espionage, "Ransomware-as-a-Service," and "Credential-theft-as-a-Service" offerings
In fact, smaller organizations are particularly struggling.
"71% of cyber leaders…believe that small organizations have already reached a critical tipping point where they can no longer adequately secure themselves against the growing complexity of cyber risks."
– World Economic Forum
[Figure: drivers of cybersecurity complexity. Labels: Geopolitical tensions; Supply chain dependencies; AI and emerging technology; Regulatory requirements; Cyber skills gap; Sophisticated attacks.]
"54% of large manufacturers identified supply chain challenges as the biggest barrier to achieving cyber resilience"
Source: "Global Cybersecurity Outlook 2025," World Economic Forum, 2025.
Common Obstacles
Limited OT visibility is structural.
Many OT assets were never designed to generate security telemetry, logs, or standardized event data. Industrial protocols often lack native authentication, encryption, or inspection capability. As a result, no single platform can provide complete visibility, and organizations struggle to form a reliable picture of normal versus abnormal behavior across plants. This makes risk assessment inconsistent and reactive.
Operational constraints outweigh cyber risk in day-to-day decisions.
Maintenance windows are limited, system restarts are disruptive, and engineering teams are accountable for safety and uptime above all else. Security changes that introduce uncertainty are often deferred, even when exposure is understood. Without a structured way to prioritize risk, security improvements compete poorly against production schedules and operational stability.
Vendor and OEM dependencies introduce persistent blind spots.
OT environments depend heavily on external vendors for system configuration, maintenance, and remote support. Proprietary platforms, closed protocols, and contractual limitations restrict visibility and control. Organizations often inherit trust relationships they cannot easily govern, making consistent access control, monitoring, and lifecycle management difficult to enforce.
Fragmented ownership prevents decisive action.
OT security spans IT, engineering, operations, procurement, and external partners, each with different incentives and risk perspectives. Without clearly defined decision rights, initiatives stall while teams debate responsibility, acceptable risk, or implementation approach. Risk remains difficult to express in business terms, preventing leadership from making confident, timely decisions.
OT security stagnates not because risks are unknown, but because constraints are unmanaged.
Manufacturing has become the most targeted sector for cyberattacks globally
Manufacturing has been the most targeted industry for cyberattacks for at least three consecutive years, accounting for around 25-26% of all observed attacks.¹ Ransomware and OT/ICS compromises are now driving frequent plant outages, multimillion-dollar losses, and large-scale data breaches in manufacturing.
The increasing sophistication of cybercrime has manufacturing CIOs worried:²
- 26%: Vulnerabilities in complex supply chains
- 22%: Increasing sophistication of cybercrime
- 20%: Uncertainty arising from geopolitical tensions
- 12%: Rapid adoption of emerging technologies
- 7%: Cyber skills gap
- 6%: Expanding regulatory requirements
- 6%: IT–OT convergence
Manufacturing has a very low tolerance for downtime, with every minute of disruption resulting in massive losses and compounding effects across supply chains.
"The global financial impact from catastrophic cyber events that disrupt operational technology could near $330 billion on an annual basis…"³
Data breaches are increasing.
89.2% increase in the number of confirmed data breaches in 2024.⁴
Ransomware attacks continue to dominate.
47% of all manufacturing breaches in 2024 involved ransomware.⁴
Human risk remains a vulnerability.
22% of all manufacturing breaches involved social engineering.⁴
Sources:
1 – "3 Ways Manufacturers…," World Economic Forum, 2024.
2 – "Global Cybersecurity Outlook 2025," World Economic Forum, 2025.
3 – "Financial Impact…," Cybersecurity Dive, 2025.
4 – "47% of Manufacturing…," Security, 2025.
Manufacturers continue to face a growing wave of security incidents
Over the last five years, manufacturing companies have endured numerous major cyberattacks that directly halted or severely disrupted operations, often through ransomware exploiting IT–OT convergence vulnerabilities.
These incidents typically involve initial IT compromises spreading laterally to OT systems, causing plant shutdowns, supply chain ripples, and massive financial losses. Here are some key examples.
Metal Processing

In 2025, unauthorized actors gained IT network access using stolen credentials, leading to proactive shutdowns at multiple plants, including those in Kentucky and Alabama.¹
Medical Devices

In 2025, an unauthorized intrusion into the medical device maker's networks compromised servers and production planning tools.¹
Appliances

InterLock ransomware hit Presto in 2025, encrypting IT systems across the manufacturer's diverse units, including ammunition and household appliances.²
Sensors

A ransomware attack encrypted critical files at the sensor maker's global plants serving automotive and aerospace clients. Manufacturing and shipping stopped for a week.²
Semiconductor

A ransomware group targeted the Taiwan PCB manufacturer, encrypting critical systems, which disrupted production lines and forced a full operational shutdown.²
Tires

LockBit ransomware struck Bridgestone in 2022, severing network connections at tire factories and halting production and retreading operations for 10 days.³
Chemicals

A ransomware attack overwhelmed IT systems and crashed automated ordering, production, and distribution at bleach and cleaning product plants, leading to a $49M quarterly loss.³
Food & Beverage

The NotPetya malware hit the manufacturer's servers, halting production across 47 facilities in 25 countries and costing $100M+ in losses.³
Construction Materials

A cyberattack forced all IT systems offline at the building products firm, disrupting production and distribution for months and resulting in a Q4 revenue drop of 20%.³
Sources:
1 – "Noteworthy Cyberattacks…," Asimily, 2025.
2 – "Major Cyber Attacks…," SOCRADAR, 2025.
3 – "The Top 10…," Arctic Wolf, 2024.
Manufacturing OT cyber incidents routinely cost in the millions per event
| Annual Revenue | $10 Million | $100 Million | $1 Billion |
|---|---|---|---|
| Total Cost of Cyber Incident | ~$1.2-1.4 Million | ~$11-12 Million | ~$70-80 Million |
| Expected Ransomware Payments | ~$300,000 | ~$3,500,000 | ~$5,000,000 |
| Cyber Insurance Cost | ~$48,000 | ~$480,000 | ~$5,000,000 |
| Lost Revenue | ~$400,000 | ~$4,000,000 | ~$40,000,000 |
| Technology Hardening | ~$50,000 | ~$1,500,000 | ~$15,000,000 |
| Software Updates | ~$50,000 | ~$500,000 | ~$5,000,000 |
| Customer Losses | ~$150,000 | ~$1,500,000 | ~$15,000,000 |
| Legal Costs | ~$200,000 | ~$1,000,000 | ~$3,000,000 |
| Investigation/Triage | ~$100,000 | ~$500,000 | ~$800,000 |
Source: "Industrial Defender Risk Assessment Calculator," Industrial Defender.
Even where average ransom demands are "only" in the low-million range, the broader operational and supply chain losses can quickly dwarf the payment itself.
Direct financial impact
A 2025 sector snapshot reports average ransom demands against manufacturing and production at about US$1.2 million, with average payments around US$1 million per attack.¹
Downtime and lost production
Sources estimate that large plants can lose around US$1.9 million in revenue per day of outage.²
Broader economic and critical sector impact
One 2025 ransomware study counted 838 ransomware attacks against manufacturing alone between January and September 2025, a 61% year-over-year increase, underscoring how frequently these multimillion-dollar events now hit the sector.³
Sources:
1 – "The State of…," Sophos, 2025.
2 – "Noteworthy Cyberattacks…," Asimily, 2025.
3 – "Half of 2025…," Industrial Cyber, 2025.