Cybersecurity for Manufacturing: OT/IT Convergence Guide 2026

Manufacturing remains the world's most cyberattacked sector for the fourth consecutive year, with ransomware incidents surging 61% in 2025. This guide covers the unique security challenges of OT/IT convergence, network segmentation using the ISA/IEC 62443 framework, SCADA/ICS protection strategies, supply chain risk mitigation, and OT-specific incident response for production environments.


In August 2025, Jaguar Land Rover suffered what the UK Cyber Monitoring Centre would later call the most economically damaging cyber incident in British history. Attackers exploited vulnerabilities in a third-party supplier's software, moved laterally into JLR's core production systems, and deployed ransomware that halted manufacturing across three countries for five weeks. The estimated damage reached £1.9 billion, and more than 5,000 businesses in JLR's supply chain felt the impact. Full recovery wasn't expected until January 2026 [Integrity360].

The JLR attack wasn't an anomaly. It was a preview of what 2026 looks like for manufacturers who haven't addressed the security gap created by connecting factory floors to corporate networks. Manufacturing has been the most targeted sector for cyberattacks four years running, absorbing 26% of all global incidents and seeing a 61% surge in ransomware alone during 2025 [KELA, Bitsight]. Every connected PLC, every SCADA dashboard feeding data to a cloud analytics platform, every vendor VPN tunnel into a production network represents a seam that attackers are learning to exploit faster than most manufacturers can patch.

This guide examines why OT/IT convergence has made manufacturing uniquely vulnerable, and what plant operators, IT directors, and security leaders need to do about it in 2026.

✓ Key Takeaways

  • Manufacturing remains the world's most ransomware-targeted sector for the fourth consecutive year, with attacks rising 61% in 2025 and costing an average of $1.9 million per day in downtime.
  • OT/IT convergence expands the attack surface by connecting previously air-gapped industrial control systems to enterprise networks, cloud platforms, and third-party integrations.
  • Network segmentation following the ISA/IEC 62443 zones-and-conduits model is the single most effective defense against lateral movement from IT into production environments.
  • Incident response in manufacturing must prioritize production safety and continuity, not just data recovery, requiring OT-specific playbooks that differ fundamentally from IT incident response.
  • Supply chain compromise is now the fastest-growing attack vector, with incidents doubling in 2025 and 70% of organizations reporting at least one material third-party cybersecurity incident in the past year.

  • $1.9M: average daily downtime cost for ransomware-hit manufacturers
  • 61%: year-over-year increase in manufacturing ransomware attacks
  • 52%: of organizations now place OT security under the CISO
  • 93%: reduction in incidents with unified OT security platforms

Sources: Comparitech, KELA, Fortinet 2025 State of OT & Cybersecurity Report

Why Manufacturing Is Different: The OT Security Problem Nobody Designed For

To understand why manufacturing cybersecurity is uniquely difficult, you have to understand a fundamental design tension. Information Technology systems were built around the CIA triad: confidentiality first, then integrity, then availability. Operational Technology flips that hierarchy entirely. A programmable logic controller running an assembly line or a SCADA system managing chemical processes cares about one thing above all else: availability. If a PLC stops responding for even a few seconds, products get damaged, safety systems may fail, and people can get hurt.

This difference in priorities creates friction at every level of security decision-making. You can't simply push Windows patches to a controller running a 15-year-old embedded OS without risking a production outage. You can't install endpoint detection agents on devices with 64MB of RAM. You can't reboot a blast furnace controller during a vulnerability scan. The tools, processes, and assumptions that work in corporate IT environments often fail — or actively cause harm — when applied directly to the factory floor.

| Security Dimension | IT Environment | OT Environment |
|---|---|---|
| Top Priority | Confidentiality (protect data) | Availability (keep production running) |
| Patch Cadence | Weekly or monthly cycles | Quarterly at best; often years between updates |
| System Lifespan | 3–5 years | 15–25+ years |
| Downtime Tolerance | Minutes to hours acceptable | Zero tolerance; seconds can mean physical damage |
| Endpoint Protection | EDR agents, antivirus, DLP | Often impossible; resource-constrained hardware |
| Network Protocols | TCP/IP, HTTP, TLS | Modbus, OPC UA, EtherNet/IP, PROFINET |
| Failure Consequence | Data loss, business disruption | Equipment damage, environmental hazard, human injury |

Yet the economic logic driving convergence is compelling. Connecting OT systems to enterprise IT enables real-time production analytics, predictive maintenance, remote diagnostics, and tighter supply chain integration. By 2025, over 75% of leading manufacturers had implemented some form of IT/OT convergence. The problem isn't that convergence is happening — it's that security hasn't kept pace with connectivity. As Fortinet's 2025 report documented, organizations that still run "flattened" architectures with minimal segmentation between IT and OT are the ones seeing malware move laterally from compromised email accounts straight into production control systems [Fortinet].

The Anatomy of a Manufacturing Breach

Understanding how attackers actually compromise production environments is essential to defending them. The pattern that Dragos, Sophos, and CISA have documented across hundreds of manufacturing incidents follows a remarkably consistent sequence, and it almost never starts on the factory floor.

The initial foothold is typically gained through the corporate IT network — a phishing email that compromises credentials, an exploited vulnerability in a public-facing application, or a breached third-party vendor with VPN access. Sophos found that exploited vulnerabilities were the leading root cause in 32% of manufacturing ransomware incidents in 2025, followed by malicious emails at 23% [Sophos]. Once inside the IT perimeter, the attacker conducts reconnaissance, escalates privileges, and begins moving laterally. If the network between IT and OT is flat — no segmentation, no industrial DMZ, no access controls between zones — the path from a compromised email server to a SCADA workstation may be a matter of hops, not barriers.

The consequences diverge sharply from a typical IT breach at this point. When ransomware encrypts a file server, the organization loses access to documents. When it reaches an HMI (Human-Machine Interface) or a historian server feeding data to PLCs, production lines stop. Sensors go dark. Safety systems may lose visibility into the processes they're designed to protect. In the worst documented cases, attackers have used industrial-specific malware like Industroyer2 and Ekans (designed to kill ICS processes before encrypting) to ensure maximum operational disruption and leverage for ransom demands.

Network Segmentation: The Single Most Important Defense

If there is one security control that matters more than any other in a converged manufacturing environment, it is network segmentation. Every major framework — ISA/IEC 62443, NIST SP 800-82, the Purdue Enterprise Reference Architecture — centers on the same principle: divide the network into zones with distinct security requirements, and strictly control the conduits (communication paths) between them.

The Purdue Reference Model, developed in the 1990s and still foundational to industrial cybersecurity architecture, organizes the environment into hierarchical levels. Understanding this hierarchy is the starting point for any segmentation strategy.

The Purdue Reference Model: Zones and Security Boundaries

  • Level 5 — Enterprise Network (IT domain): ERP, email, internet access, cloud services
  • Level 4 — Business Planning & Logistics (IT domain): production scheduling, inventory management, MES data exchange
  • ⚠ Industrial DMZ — critical security boundary: firewalls, data diodes, jump servers, protocol mediation; NO direct traffic between IT and OT
  • Level 3 — Site Operations (OT domain): historian, OT domain controllers, patch servers, engineering workstations
  • Level 2 — Area Supervisory Control (OT domain): SCADA servers, HMIs, operator workstations
  • Level 1 — Basic Control (OT domain): PLCs, RTUs, DCS controllers, safety instrumented systems
  • Level 0 — Physical Process (OT domain): sensors, actuators, valves, motors, robotic arms

Figure: The Purdue Model segments industrial environments into hierarchical levels. The Industrial DMZ between Levels 3 and 4 is the most critical security boundary — all communication between IT and OT must traverse this controlled choke point. Adapted from ISA/IEC 62443 and Purdue Enterprise Reference Architecture (PERA).

The critical enforcement boundary is the Industrial DMZ sitting between the IT domain (Levels 4–5) and the OT domain (Levels 0–3). In a properly segmented architecture, no traffic flows directly between these zones. Instead, all communication is mediated through purpose-built servers in the DMZ: data historians that replicate production data upward, patch management servers that stage updates before they're deployed to OT, and jump servers that provide audited remote access for maintenance. If an attacker compromises the enterprise email server at Level 5, the Industrial DMZ should be an impassable barrier preventing that compromise from reaching the PLCs at Level 1.

ISA/IEC 62443 builds on this foundation by introducing the zones-and-conduits model, which is more flexible than the rigid Purdue levels. A zone is a collection of assets with similar security requirements — perhaps a single production line or a set of controllers managing a specific process. A conduit is the communication path between zones, and it's where security policies are enforced. The 2025 updates to IEC 62443 have pushed the standard further toward microsegmentation and zero-trust principles, recognizing that modern environments often include cloud connectivity, IIoT sensors, and remote access that don't fit neatly into the original hierarchical model [Dragos].
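To make the zones-and-conduits idea concrete, here is an added example (not code from the article or from ITECS) that models Purdue levels as zones and firewall rules as conduits, then checks a rule set the way a segmentation review would: it flags any rule that lets IT and OT talk directly, and it walks the rule graph to find any chain of conduits that reaches an OT zone from an IT zone without passing through the Industrial DMZ. The zone names, ports and the stray RDP rule are constructed for illustration.

```python
"""Zones-and-conduits policy check (added example; constructed data).

Models Purdue levels as zones and firewall rules as conduits, then checks
two things a segmentation review cares about: (1) no rule permits a direct
IT <-> OT flow, and (2) no chain of rules lets an IT zone reach an OT zone
without passing through the Industrial DMZ. Zone names, ports and rules
are invented for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, List

DMZ = "idmz"

# Purdue level of each zone; the Industrial DMZ sits between Levels 3 and 4.
ZONE_LEVEL: Dict[str, int] = {
    "enterprise": 5,     # Level 5: ERP, email, internet access
    "business": 4,       # Level 4: planning, logistics, MES data exchange
    "site_ops": 3,       # Level 3: historian, OT domain controllers, EWS
    "supervisory": 2,    # Level 2: SCADA servers, HMIs
    "basic_control": 1,  # Level 1: PLCs, RTUs, safety instrumented systems
    "process": 0,        # Level 0: sensors, actuators
}


@dataclass(frozen=True)
class Conduit:
    """One permitted flow between zones (a firewall rule, simplified)."""
    src: str
    dst: str
    port: int
    purpose: str


def is_it(zone: str) -> bool:
    return zone != DMZ and ZONE_LEVEL[zone] >= 4


def is_ot(zone: str) -> bool:
    return zone != DMZ and ZONE_LEVEL[zone] <= 3


def direct_violations(conduits: List[Conduit]) -> List[Conduit]:
    """Rules that let IT and OT talk directly, in either direction."""
    return [c for c in conduits
            if (is_it(c.src) and is_ot(c.dst)) or (is_ot(c.src) and is_it(c.dst))]


def dmz_bypass_paths(conduits: List[Conduit]) -> List[List[str]]:
    """Every simple path from an IT zone to an OT zone that never enters
    the DMZ. An empty result means the DMZ is the only route between the
    two domains, which is what the Purdue model requires."""
    graph = defaultdict(set)
    for c in conduits:
        graph[c.src].add(c.dst)
    found: List[List[str]] = []
    for start in (z for z in ZONE_LEVEL if is_it(z)):
        queue = deque([[start]])
        while queue:
            path = queue.popleft()
            for nxt in sorted(graph[path[-1]]):
                if nxt == DMZ or nxt in path:    # stop at the DMZ; no cycles
                    continue
                if is_ot(nxt):
                    found.append(path + [nxt])   # boundary crossed without the DMZ
                else:
                    queue.append(path + [nxt])
    return found


# Constructed rule set: one stray RDP rule from Level 4 to Level 2 flattens
# the architecture even though every other conduit terminates in the DMZ.
SAMPLE_CONDUITS = [
    Conduit("enterprise", "business", 443, "ERP <-> planning"),
    Conduit("business", DMZ, 443, "MES reads the DMZ historian replica"),
    Conduit("site_ops", DMZ, 5432, "historian replicates upward into the DMZ"),
    Conduit(DMZ, "site_ops", 22, "audited jump-server access"),
    Conduit("site_ops", "supervisory", 4840, "OPC UA"),
    Conduit("supervisory", "basic_control", 502, "Modbus/TCP to PLCs"),
    Conduit("business", "supervisory", 3389, "RDP to HMI (misconfiguration)"),
]


def review(conduits: List[Conduit]) -> List[str]:
    """Human-readable findings for a rule set."""
    findings = [f"direct IT/OT rule: {c.src} -> {c.dst}:{c.port} ({c.purpose})"
                for c in direct_violations(conduits)]
    findings += ["DMZ bypass path: " + " -> ".join(p) for p in dmz_bypass_paths(conduits)]
    return findings


if __name__ == "__main__":
    for line in review(SAMPLE_CONDUITS) or ["no findings"]:
        print(line)
```

Removing the RDP rule makes both checks come back clean; the path walk matters because a flat network is rarely the result of one obviously wrong rule, but of several individually plausible ones that chain together.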

SCADA and ICS Security: Protecting What You Can't Easily Replace

Securing industrial control systems requires a fundamentally different mindset than securing corporate IT. Standard antivirus is often incompatible with OT devices — PLCs run specialized embedded operating systems, HMIs may rely on legacy Windows versions no longer receiving security updates, and SCADA servers often can't tolerate the CPU overhead of real-time scanning without affecting control loop performance. The traditional IT approach of "install an agent on everything" simply doesn't apply.

Instead, effective ICS security relies on a combination of passive network monitoring, strict access control, and environmental hardening. Passive monitoring tools — offered by vendors like Dragos, Claroty, and Nozomi Networks — listen to OT network traffic without injecting packets or interacting with devices. They learn the normal baseline of communications between controllers, identify anomalous behavior (a PLC suddenly communicating with an unfamiliar IP address, for instance), and alert operators without risking disruption to the process.
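The baseline-then-alert logic those passive tools apply can be shown in a few dozen lines. The following is an added example, not code from the article or from any of the vendors named above: it learns which host pairs, ports and decoded functions appear during a clean learning window, then raises one alert per new peer pair or new function on a known pair. The flow records, addresses and Modbus function names are constructed, and the code only reads records, so it never touches a device.

```python
"""Passive baseline anomaly detection over OT flow records (added example;
constructed data). A passive sensor only reads traffic summaries; this code
never sends packets to a device. The learning window is assumed to be clean.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PeerKey = Tuple[str, str, int]   # (source, destination, destination port)


@dataclass(frozen=True)
class Flow:
    ts: int                      # seconds into the capture (constructed)
    src: str
    dst: str
    dport: int
    func: Optional[str] = None   # decoded function, e.g. a Modbus operation


@dataclass
class Baseline:
    peers: Set[PeerKey] = field(default_factory=set)
    funcs: Dict[PeerKey, Set[str]] = field(default_factory=dict)


def learn(flows: List[Flow]) -> Baseline:
    """Record every peer pair and every function seen in the learning window."""
    b = Baseline()
    for f in flows:
        key = (f.src, f.dst, f.dport)
        b.peers.add(key)
        if f.func:
            b.funcs.setdefault(key, set()).add(f.func)
    return b


def detect(baseline: Baseline, flows: List[Flow]) -> List[str]:
    """Alert once per new peer pair and once per new function on a known pair."""
    alerts: List[str] = []
    seen: Set[Tuple] = set()     # suppress repeats so one scan does not flood operators
    for f in flows:
        key = (f.src, f.dst, f.dport)
        if key not in baseline.peers:
            tag = ("peer", key)
            if tag not in seen:
                seen.add(tag)
                alerts.append(f"t={f.ts} NEW_PEER {f.src} -> {f.dst}:{f.dport}")
        elif f.func and f.func not in baseline.funcs.get(key, set()):
            tag = ("func", key, f.func)
            if tag not in seen:
                seen.add(tag)
                alerts.append(f"t={f.ts} NEW_FUNCTION {f.func} on {f.src} -> {f.dst}:{f.dport}")
    return alerts


# Constructed learning window: HMI and historian poll a PLC; the engineering
# workstation occasionally writes a setpoint. Addresses are private/test ranges.
HMI, HIST, EWS, PLC = "10.20.2.10", "10.20.3.20", "10.20.3.30", "10.20.1.5"
LEARNING = (
    [Flow(t, HMI, PLC, 502, "read_holding_registers") for t in range(0, 600, 5)]
    + [Flow(t, HIST, PLC, 502, "read_holding_registers") for t in range(0, 600, 60)]
    + [Flow(300, EWS, PLC, 502, "write_single_register")]
)

# Constructed live traffic: normal polling, then a Level 4 host reaching the PLC,
# the PLC calling out to an unfamiliar external address, and the HMI issuing a
# write it never issued during learning.
LIVE = (
    [Flow(t, HMI, PLC, 502, "read_holding_registers") for t in range(600, 660, 5)]
    + [
        Flow(615, "10.10.4.77", PLC, 502, "read_coils"),
        Flow(616, "10.10.4.77", PLC, 502, "read_coils"),   # repeat: suppressed
        Flow(640, PLC, "203.0.113.9", 443),
        Flow(655, HMI, PLC, 502, "write_multiple_registers"),
    ]
)


def run_demo() -> List[str]:
    """Learn from the clean window, then evaluate live flows in time order."""
    return detect(learn(LEARNING), sorted(LIVE, key=lambda f: f.ts))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

The whole approach depends on the learning window being representative and clean; a baseline captured while an attacker is already present will teach the sensor that their traffic is normal, which is why asset inventory and segmentation come before monitoring in the roadmap later in this guide.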

Access control in OT environments must address both digital and physical vectors. Remote access, essential for vendor diagnostics and maintenance, is also one of the most exploited attack paths. Every remote session into OT should traverse a jump server with multi-factor authentication, time-limited access windows, and full session recording. Physical security matters equally: USB ports on HMI workstations remain a common malware delivery mechanism, and unattended engineering workstations in accessible areas of the plant present real risk.

Patching remains the most contentious issue in OT security. Unlike IT systems where monthly patch cycles are routine, OT environments often require vendor certification of patches before deployment, scheduled maintenance windows that may occur only quarterly, and extensive testing to ensure patches don't break control system functionality. The practical approach is strategic: maintain a current asset inventory, prioritize patching for internet-facing and DMZ systems, use compensating controls (network isolation, monitoring) for systems that can't be patched quickly, and test everything in a staging environment before it touches production.
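The prioritization rule above (inventory first, internet-facing and DMZ systems first, compensating controls where patching must wait) can be written down as a small planner. This is an added example, not the article's or ITECS's code; the inventory rows are constructed, and the exposure weights and the 30-day window threshold are assumptions of the example rather than figures from any standard.

```python
"""Risk-ranked OT patch plan with compensating controls (added example;
constructed inventory; scoring weights and thresholds are assumptions).
"""
from dataclasses import dataclass
from typing import List, Tuple

PATCH_NOW = "patch now, after a staging test"
NEXT_WINDOW = "patch in the next maintenance window, after a staging test"
COMPENSATE_NO_PATCH = "no patch available: tighten conduit, monitor passively, track vendor"
COMPENSATE_UNCERTIFIED = "patch not vendor-certified: tighten conduit, monitor, await certification"
COMPENSATE_LONG_WINDOW = "window too far out: compensating controls until then"


@dataclass(frozen=True)
class Asset:
    name: str
    level: str              # Purdue level as text: "5".."0" or "dmz"
    exposure: str           # "internet", "dmz" or "internal"
    cvss: float             # worst unpatched finding on this asset
    patch_available: bool
    vendor_certified: bool  # vendor has approved the patch for this platform
    window_in_days: int     # days until the next maintenance window


def score(a: Asset) -> float:
    """Higher means fix sooner. Exposure weights are an assumption of this example."""
    bonus = {"internet": 4.0, "dmz": 2.0}.get(a.exposure, 0.0)
    return a.cvss + bonus


def action(a: Asset) -> str:
    """Decide between patching and compensating controls for one asset."""
    if not a.patch_available:
        return COMPENSATE_NO_PATCH
    if a.exposure in ("internet", "dmz"):
        return PATCH_NOW                 # internet-facing and DMZ systems go first
    if not a.vendor_certified:
        return COMPENSATE_UNCERTIFIED   # OT platforms wait for vendor sign-off
    if a.window_in_days <= 30:
        return NEXT_WINDOW
    return COMPENSATE_LONG_WINDOW


def plan(inventory: List[Asset]) -> List[Tuple[str, float, str]]:
    """Ranked (asset, score, action) rows, highest priority first."""
    ranked = sorted(inventory, key=score, reverse=True)
    return [(a.name, score(a), action(a)) for a in ranked]


# Constructed inventory: one row per asset class discussed in the guide.
INVENTORY = [
    Asset("plc-line3", "1", "internal", 7.2, False, False, 90),
    Asset("hmi-line3", "2", "internal", 8.8, True, False, 90),
    Asset("historian-01", "3", "internal", 6.5, True, True, 20),
    Asset("jump-01", "dmz", "dmz", 9.8, True, True, 7),
    Asset("erp-web", "5", "internet", 7.5, True, True, 7),
    Asset("scada-srv", "2", "internal", 7.0, True, True, 75),
]


if __name__ == "__main__":
    for name, s, what in plan(INVENTORY):
        print(f"{s:5.1f}  {name:13s} {what}")
```

The point of keeping the decision in code is that it forces the inventory to carry the fields the decision needs (exposure, vendor certification status, next window); an inventory that cannot answer those questions for a device is itself a finding.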

Supply Chain: The Threat That Arrives Through Trusted Doors

The JLR attack is a case study in supply chain risk, but it's far from unique. Supply chain-focused cyberattacks doubled in 2025, averaging 26 incidents per month — twice the rate observed through early 2025 [Cyble]. SecurityScorecard's 2025 survey found that over 70% of organizations experienced at least one material third-party cybersecurity incident in the past year, yet fewer than half actively monitor their suppliers' security posture.

For manufacturers, supply chain risk manifests in several distinct ways. Vendor remote access is perhaps the most direct threat — many equipment manufacturers maintain persistent or on-demand VPN connections into their customers' OT networks for diagnostics, updates, and support. If the vendor's network is compromised, that trusted connection becomes a direct tunnel into production. The Sinobi ransomware group, which emerged in mid-2025 and rapidly accumulated victims across manufacturing, specifically exploited compromised third-party provider credentials to gain domain-level access [Dragos].

Software supply chain compromise targets the tools and platforms that manufacturers depend on. Attackers are increasingly targeting SaaS integrations, identity providers, and package repositories used in industrial automation. The manufacturing sector's deep integration with ERP platforms, MES systems, and cloud-based analytics means a compromise in any link of that software chain can propagate into production environments.

Building supply chain resilience requires a shift from implicit trust to verified security. This means requiring cybersecurity standards in vendor contracts, conducting regular third-party risk assessments, implementing network access control that limits vendor connections to only the specific systems they need to reach, and monitoring all third-party sessions in real time. Organizations that adopt a Cyber Supply Chain Risk Management (C-SCRM) framework — as recommended by NIST — treat supplier security not as a checkbox exercise, but as an ongoing operational discipline.

Incident Response When Production Is at Stake

When ransomware hits a corporate IT environment, the standard playbook is straightforward: isolate affected systems, assess the scope, restore from backups, investigate root cause. When ransomware reaches a production environment, the calculus changes dramatically. You can't simply "isolate" a controller managing an exothermic chemical reaction. You can't power off a furnace mid-cycle without risking equipment destruction. The first priority in OT incident response isn't data recovery — it's ensuring the physical safety of people and processes.

Sophos found that 47% of IT and cybersecurity teams in manufacturing reported increased anxiety about future attacks following an incident, and 44% experienced heightened pressure from senior leadership [Sophos]. These aren't abstract concerns. When production is halted, the financial clock starts immediately: manufacturers lose an average of $1.9 million per day to ransomware-related downtime, with outages ranging from hours to 129 days [Comparitech].

An effective manufacturing incident response plan must address several dimensions that standard IT playbooks ignore entirely.

OT Incident Response: Five Critical Phases

▶ Phase 1 — Triage and Safety Assessment

Before any containment action, the response team must assess whether the compromise affects safety-critical systems — Safety Instrumented Systems (SIS), emergency shutdown controllers, environmental monitoring, or fire suppression. If safety systems remain intact, operations may continue in a degraded mode while containment proceeds. If safety is compromised, the priority shifts to controlled shutdown of affected processes using manual procedures. Every manufacturing facility should have documented manual-mode operating procedures that allow safe shutdown without reliance on compromised digital controls.

▶ Phase 2 — Network Isolation Without Production Collapse

Containment in OT requires surgical precision rather than the "pull the plug" approach common in IT. If segmentation is already in place, the response team can sever the conduit between IT and OT at the Industrial DMZ, effectively quarantining the factory floor while maintaining internal OT communications. If segmentation is weak, containment becomes much harder — isolating individual network segments may inadvertently disconnect controllers from the processes they manage. Pre-planned network isolation procedures, documented and tested during tabletop exercises, are essential.

▶ Phase 3 — Parallel Investigation Across IT and OT

Manufacturing incidents require parallel investigation streams: the IT security team traces the initial compromise vector and lateral movement through enterprise systems, while OT specialists assess whether industrial control systems have been affected. These teams must share intelligence in real time — the IT team may identify the malware strain and its capabilities (does it target ICS processes?), while the OT team can confirm whether controller behavior has deviated from baseline. This collaboration demands that IT and OT teams have established communication channels and shared playbooks before an incident occurs.

▶ Phase 4 — Recovery Prioritization by Production Impact

Recovery sequencing in manufacturing is driven by production economics and safety, not just IT system criticality. A historian server may be lower priority than a batch controller managing an active process. Restoration should follow a tiered approach: safety systems first, then process control, then supervisory systems, then enterprise integration. OT backups — including PLC program files, HMI configurations, and SCADA project files — must be maintained separately from IT backups and verified regularly. Many manufacturers discover during incidents that their OT configurations haven't been backed up in months or years.

▶ Phase 5 — Post-Incident Hardening and Lessons Learned

Once operations are restored, the post-incident review must address both IT and OT dimensions. Were the initial segmentation controls adequate? Did the attacker traverse the IT/OT boundary, and if so, how? Are vendor remote access controls sufficient? Sophos found that 42.5% of manufacturing ransomware victims cited insufficient in-house expertise as a contributing factor, while 41.6% identified unknown security gaps. Post-incident hardening should directly address the specific weaknesses the attacker exploited, and findings should drive investment in both technology and skilled personnel.

The Maturity Gap: Where Most Manufacturers Actually Stand

Fortinet's 2025 State of Operational Technology and Cybersecurity Report, based on a survey of more than 550 OT professionals worldwide, paints a picture of an industry that is improving but still has significant ground to cover. The positive trend is clear: 52% of organizations now place OT security under the CISO, up from just 16% in 2022, and 95% have elevated it to some form of C-suite oversight. Organizations with higher maturity levels are experiencing measurably fewer incidents — operational outages impacting revenue dropped from 52% to 42% year-over-year [Fortinet].

However, the gap between leaders and laggards is widening. Organizations that have invested in segmentation, threat intelligence, and vendor consolidation report up to a 93% reduction in cyber incidents compared to those running flat networks. Meanwhile, only 14% of organizations report feeling fully prepared for emerging OT threats. The sector's average breach cost reached $5.56 million in 2025 — an 18% increase — and 51% of ransomware victims in manufacturing still paid the ransom despite improvements in defensive measures [IBM, Sophos].

Manufacturing OT Security Maturity Indicators (2025)

| Indicator | Share of organizations |
|---|---|
| CISO-led OT security | 52% |
| Self-assessed maturity at Level 3 or 4 | 81% |
| Incorporating threat intelligence into OT security | 49% |
| Using 1–4 consolidated OT vendors | 78% |
| Feeling fully prepared for emerging OT threats | 14% |

Source: Fortinet 2025 State of Operational Technology and Cybersecurity Report (550+ OT professionals surveyed globally)

The organizations seeing the best outcomes share common characteristics: executive sponsorship that ties OT security to business risk, unified IT/OT security operations rather than siloed teams, and investments in visibility — the ability to identify and inventory every connected device in the OT environment. As Fortinet's data shows, organizations actually become more aware of their blind spots as they mature, which is counterintuitive but important: a manufacturer that reports 100% visibility is likely less mature than one that honestly identifies gaps.

Building a 2026 Manufacturing Cybersecurity Roadmap

For manufacturers that haven't yet addressed OT/IT convergence security — or that have only partially done so — 2026 demands a structured approach. The organizations that are reducing incidents and recovering faster aren't deploying single point solutions. They're building programs that span governance, architecture, monitoring, and response.

The foundational step is a comprehensive OT asset inventory. You cannot secure what you cannot see. Passive asset discovery tools designed for OT environments can identify devices, firmware versions, communication patterns, and vulnerabilities without disrupting production. This inventory becomes the basis for risk assessment, segmentation planning, and incident response.

From there, segmentation is the highest-impact investment. Implementing an Industrial DMZ between enterprise IT and production OT — even as a first phase — immediately reduces the attack surface available to an adversary who compromises the corporate network. This doesn't require rearchitecting the entire plant network overnight; Cisco and other industrial networking vendors recommend a phased approach where each phase builds the foundation for the next, demonstrating value at each step.

Monitoring comes next. Passive OT network monitoring provides visibility into what's happening at the process level without the risks associated with active scanning. Combined with IT security telemetry from endpoint detection and response tools on the IT side, and aggregated through a unified SIEM, security teams gain the cross-domain visibility needed to detect IT-to-OT lateral movement — the pattern that characterizes nearly every major manufacturing breach.
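What "cross-domain visibility" buys you is the ability to join an IT alert to an OT event that would look routine on its own. The following added example (not the article's or ITECS's code, and not any particular SIEM's rule syntax) correlates three constructed event feeds: endpoint detection alerts from the IT side, logons to the DMZ jump server, and OT flows attributed to a jump-server session. A finding is raised only when a host with a recent EDR alert logs into the jump server and that same session then reaches an OT asset. The event schema, the one-hour window and all hostnames are assumptions of the example.

```python
"""Correlating IT endpoint alerts with DMZ and OT events to detect IT-to-OT
lateral movement (added example; constructed events, assumed schema).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

WINDOW = 3600   # seconds an EDR alert keeps its host "tainted" (assumption)


@dataclass(frozen=True)
class Event:
    ts: int
    source: str        # "edr", "jump_auth" or "ot_flow"
    host: str          # edr: affected host; jump_auth: client host; ot_flow: source host
    target: str = ""   # jump_auth: jump server; ot_flow: OT destination
    detail: str = ""   # edr: alert name; ot_flow: port/protocol
    user: str = ""     # jump_auth and ot_flow: session owner from session recording


def correlate(events: List[Event]) -> List[str]:
    """Chain edr -> jump_auth -> ot_flow within WINDOW and report each chain."""
    tainted: Dict[str, Event] = {}                    # host -> latest EDR alert
    sessions: Dict[Tuple[str, str], Event] = {}       # (jump server, user) -> tainted logon
    findings: List[str] = []
    for e in sorted(events, key=lambda x: x.ts):
        if e.source == "edr":
            tainted[e.host] = e
        elif e.source == "jump_auth":
            alert = tainted.get(e.host)
            if alert and e.ts - alert.ts <= WINDOW:
                sessions[(e.target, e.user)] = e      # remember only suspicious logons
        elif e.source == "ot_flow":
            logon = sessions.get((e.host, e.user))
            if logon and e.ts - logon.ts <= WINDOW:
                alert = tainted[logon.host]
                findings.append(
                    f"IT->OT lateral movement: '{alert.detail}' on {alert.host} (t={alert.ts})"
                    f" -> {logon.user} logon to {logon.target} from {logon.host} (t={logon.ts})"
                    f" -> {e.host} reached {e.target} {e.detail} (t={e.ts})"
                )
    return findings


# Constructed feed: a finance workstation trips an EDR alert, its user then
# opens a jump-server session that reaches a PLC. A vendor session with no
# preceding alert touches the same PLC and must not be reported.
EVENTS = [
    Event(100, "edr", "WS-FIN-22", detail="credential access on LSASS"),
    Event(400, "jump_auth", "WS-FIN-22", "jump-01", user="jdoe"),
    Event(520, "ot_flow", "jump-01", "plc-line3", "tcp/502", user="jdoe"),
    Event(900, "jump_auth", "VENDOR-VPN-3", "jump-01", user="acme-svc"),
    Event(950, "ot_flow", "jump-01", "plc-line3", "tcp/502", user="acme-svc"),
]


def run_demo() -> List[str]:
    return correlate(EVENTS)


if __name__ == "__main__":
    for f in run_demo() or ["no findings"]:
        print(f)
```

Attribution of OT flows to a jump-server user is what keeps the vendor session out of the finding; it is only possible because the jump server records sessions, which is one practical reason the remote-access controls described earlier and the monitoring layer depend on each other.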

Finally, the human element cannot be overlooked. Fortinet found that manufacturers implementing basic cyber hygiene, user awareness training, and OT-specific security education saw measurable reductions in business email compromise and phishing-initiated attacks. The most effective training programs are tailored to the manufacturing context: plant operators learning to recognize social engineering attempts targeting remote access credentials, engineers understanding why plugging a personal USB into an HMI workstation creates risk, and leadership understanding why OT security investment is production continuity insurance.

What Regulated Manufacturers Must Also Consider

Manufacturers operating in regulated industries face additional requirements that intersect with OT security. Defense contractors pursuing CMMC compliance must demonstrate that Controlled Unclassified Information (CUI) in their production environments is protected according to NIST 800-171 controls, which includes network segmentation, access control, and audit logging — all of which overlap directly with OT security best practices.

Manufacturers in the financial services supply chain must meet vendor security assessment requirements from their banking and insurance customers, increasingly including evidence of OT segmentation and incident response capabilities. Food and pharmaceutical manufacturers face FDA requirements for production system integrity that extend into the cybersecurity realm. In every case, the investments made in OT security serve double duty — protecting production and satisfying compliance obligations.

Sources

  • Fortinet — 2025 State of Operational Technology and Cybersecurity Report (550+ OT professionals surveyed globally)
  • KELA — Escalating Ransomware Threats to National Security (4,701 incidents tracked Jan–Sep 2025)
  • Sophos — State of Ransomware in Manufacturing and Production 2025 (332 organizations surveyed)
  • Dragos — Industrial Ransomware Analysis Q3 2025; ISA/IEC 62443 Concepts
  • Comparitech — Ransomware Attacks on Manufacturing Companies (2018–2024 analysis)
  • Integrity360 — Biggest Cyber Attacks of 2025 (JLR incident analysis)
  • Bitsight — Inside Cyber Threats in Manufacturing 2025 (TRACE report)
  • Cyble — Supply Chain Attacks Surge in 2025
  • SecurityScorecard — 2025 Supply Chain Cybersecurity Trends (550 CISOs surveyed)
  • IBM — Cost of a Data Breach Report 2025

Your Production Network Is an Attack Surface. Let's Secure It.

ITECS helps manufacturers assess OT/IT convergence risks, design segmentation architectures, deploy monitoring solutions, and build incident response capabilities that protect both data and production. Every hour of preparation reduces days of potential downtime.


About ITECS Team

The ITECS team consists of experienced IT professionals dedicated to delivering enterprise-grade technology solutions and insights to businesses in Dallas and beyond.
