Factories humming at full tilt, tied to global schedules and razor-thin margins, now face criminals who stopwatch downtime as leverage, turning every remote connection, legacy controller, and rushed change freeze into a bet the business cannot afford to lose. Manufacturing accounted for roughly a quarter of all attacks in 2025, yet its defenses lag exposure, creating a mismatch that adversaries exploit with ruthless efficiency.
The sector’s economics magnify impact: tight operating windows, complex supply webs, and minimal tolerance for outages. Discrete makers and process industries, from automotive and electronics to chemicals and food and beverage, share the same pain points as tiered suppliers that anchor just-in-time ecosystems. Meanwhile, OT/IT convergence, industrial IoT, and hastily expanded remote access have added pathways faster than safeguards can keep up.
Signals and Consequences: How Threats and Market Dynamics Are Evolving
Ransomware’s Business Model Meets Factory Realities
Ransomware dominates both activity and losses, while state-aligned espionage remains a strategic but less frequent driver. Affiliate and RaaS models compress attacker ramp-up time, and criminals bank on the urgency to restore production, using extortion to force rapid, costly decisions.
Expanded third-party connectivity and automation increased ingress points as security budgets trailed digitalization. This gap is spawning opportunity for managed OT security, secure remote maintenance, outcome-based insurance incentives, and shared supplier controls that raise the floor for entire ecosystems.
By the Numbers: Frequency, Severity, and Forward Indicators
Momentum accelerated: ransomware rose 46% across sectors and 61% in manufacturing through 2025, per KELA data cited by Resilience. Losses were concentrated: roughly 90% of insured losses stemmed from ransomware even though such incidents represented only about 12% of claims, underscoring high-severity, low-frequency dynamics.
Control failures drove outsized damage. Misconfigured MFA accounted for about a quarter of losses; absent MFA contributed nearly a tenth. Vulnerability exploitation, including Black Basta-linked events, added roughly 13%. Expect more sophisticated extortion, more supplier-borne incidents, and insurance pricing that tracks verifiable control maturity.
Downtime Aversion, Basic Control Gaps, and How to Break the Cycle
Operational constraints are real: 24/7 lines, safety-critical processes, narrow patch windows, and brittle legacy OT that resists change. However, the worst failures are basic—MFA misconfigurations and coverage gaps across admins, VPNs, SaaS, and older gateways—compounded by weak financial controls and slow vulnerability remediation.
Pragmatic fixes align to factory cadence. Validate MFA end to end, prefer phishing-resistant factors, and remove bypasses. Close coverage gaps for privileged users and remote OT interfaces with step-up policies. Track vulnerabilities with phased remediation tied to maintenance, prioritize internet-facing and high-impact assets, and harden finance with out-of-band verification and segregation of duties.
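One way to make "validate MFA end to end, remove bypasses, and apply step-up policies to privileged users and remote OT interfaces" concrete is an inventory audit that flags each access path with no factor, only weak factors, an active bypass rule, or a missing phishing-resistant factor where step-up should apply. The code below is an added example, not code from the original article or any vendor; the inventory records, path names and factor categories are constructed for illustration.

```python
"""Audit MFA coverage across access paths and flag step-up gaps.

Added example (not from the original article). The inventory, path labels
and factor classes are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

# Factor classes: phishing-resistant factors satisfy step-up; SMS/voice are
# treated as weak because they are phishable and SIM-swappable.
PHISHING_RESISTANT = {"fido2", "passkey", "smartcard"}
WEAK_FACTORS = {"sms", "voice"}

# Remote OT interfaces get the same step-up treatment as privileged users.
STEP_UP_PATHS = {"ot-remote"}


@dataclass
class AccessPath:
    user: str
    path: str                      # "vpn", "saas", "legacy-gateway", "ot-remote"
    privileged: bool
    factors: set = field(default_factory=set)   # MFA factors enrolled for this path
    bypass: bool = False           # an "MFA not required" exception exists


def evaluate(ap: AccessPath) -> list:
    """Return the list of findings (empty when the path is fully covered)."""
    findings = []
    if not ap.factors:
        findings.append("NO_MFA")
    elif ap.factors <= WEAK_FACTORS:
        findings.append("WEAK_FACTOR_ONLY")
    if ap.bypass:
        findings.append("BYPASS_RULE")
    # Step-up policy: privileged users and remote OT interfaces need at least
    # one phishing-resistant factor, regardless of what else is enrolled.
    needs_step_up = ap.privileged or ap.path in STEP_UP_PATHS
    if needs_step_up and not (ap.factors & PHISHING_RESISTANT):
        findings.append("STEP_UP_REQUIRED")
    return findings


def audit(inventory: list) -> dict:
    """Map 'user@path' to its findings for every path that has at least one gap."""
    report = {}
    for ap in inventory:
        findings = evaluate(ap)
        if findings:
            report[f"{ap.user}@{ap.path}"] = findings
    return report


def coverage_ratio(inventory: list) -> float:
    """Fraction of access paths with no findings, rounded to two decimals."""
    if not inventory:
        return 1.0
    clean = sum(1 for ap in inventory if not evaluate(ap))
    return round(clean / len(inventory), 2)


# Constructed sample inventory (not real accounts).
SAMPLE = [
    AccessPath("admin01", "vpn", True, {"totp"}),
    AccessPath("svc-hmi", "ot-remote", False, set()),
    AccessPath("eng02", "saas", False, {"sms"}),
    AccessPath("vendor-x", "legacy-gateway", False, {"totp"}, bypass=True),
    AccessPath("admin02", "vpn", True, {"fido2"}),
]

if __name__ == "__main__":
    for key, findings in audit(SAMPLE).items():
        print(f"{key}: {', '.join(findings)}")
    print("coverage:", coverage_ratio(SAMPLE))
```

Run against a real identity export, the same loop answers the underwriting question "is MFA enforced everywhere, including the old gateway?" with a list rather than an assertion, and the `STEP_UP_REQUIRED` finding separates "has some MFA" from "has MFA strong enough for admin or OT access".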
Compliance Pressure and Security Baselines Reshaping the Factory
Regulation is tightening. NIS2 expands obligations for essential and important entities, CIRCIA raises the bar on incident reporting, and public manufacturers face disclosure scrutiny. Defense suppliers confront DFARS, NIST SP 800-171, and CMMC, while IEC 62443, NIST SP 800-82, and ISO/IEC 27001/2 guide technical baselines.
Insurance and customer mandates operate as de facto regulation, with underwriting controls around MFA, backups, EDR, and patching. The practical shift moves from checklists to evidence: centralized identity across IT/OT, verifiable backups and restore tests, and incident response that stands up to audits.
The Road Ahead: Tech Shifts, Market Forces, and Competitive Advantages
Defenders are leaning on phishing-resistant MFA, zero trust remote access for OT, identity threat detection, and microperimeters that reduce blast radius. Immutable or offline backups with rapid restore turn extortion pressure into a recoverable event instead of a business crisis.
Scale matters next. SBOM-driven prioritization, maintenance-aligned patch orchestration, and compensating controls for unpatchable OT raise resilience. Service-led security—MDR with OT expertise, secure commissioning by integrators, and managed identity for suppliers—helps standardize baselines as adversaries automate credential attacks and sharpen multi-extortion playbooks.
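The prioritization the two preceding paragraphs describe (internet-facing and high-impact first, patch in the next maintenance window where the line can stop, compensating controls where the device cannot be patched) can be expressed as a small scoring and scheduling routine. This is an added example, not from the article or any product; the weights, thresholds, asset names and placeholder vulnerability identifiers are constructed assumptions.

```python
"""Risk-based remediation planning aligned to maintenance windows.

Added example (not from the original article). Weights, thresholds, asset
names and the CVE placeholders below are constructed assumptions.
"""
from dataclasses import dataclass

# Business impact multiplier: safety-critical OT outranks production, which
# outranks back-office systems.
IMPACT_WEIGHT = {"safety": 3.0, "production": 2.0, "business": 1.0}
EMERGENCY_THRESHOLD = 30.0   # score at/above which an out-of-cycle patch is justified


@dataclass
class Finding:
    asset: str
    cve: str              # placeholder identifier, not a real CVE
    cvss: float           # base severity, 0.0-10.0
    internet_facing: bool
    impact: str           # key of IMPACT_WEIGHT
    exploited_in_wild: bool
    patchable: bool       # False for legacy OT that vendors no longer patch
    next_window: str      # maintenance window in which the asset may be stopped


def score(f: Finding) -> float:
    """Severity weighted by impact, exposure and observed exploitation."""
    s = f.cvss * IMPACT_WEIGHT[f.impact]
    if f.internet_facing:
        s *= 2.0
    if f.exploited_in_wild:
        s *= 1.5
    return round(s, 1)


def action_for(f: Finding) -> str:
    """Decide what happens to a finding given factory constraints."""
    if not f.patchable:
        # The device stays; reduce reachability instead of changing firmware.
        return "compensating control: segment + allowlist"
    if f.internet_facing and (f.exploited_in_wild or score(f) >= EMERGENCY_THRESHOLD):
        return "emergency patch (out of cycle)"
    return f"patch in window {f.next_window}"


def plan(findings: list) -> list:
    """Return (asset, cve, score, action) tuples, highest score first."""
    ranked = sorted(findings, key=score, reverse=True)
    return [(f.asset, f.cve, score(f), action_for(f)) for f in ranked]


# Constructed sample findings (placeholder CVE ids, not real vulnerabilities).
SAMPLE_FINDINGS = [
    Finding("vpn-gw01", "CVE-PLACEHOLDER-1", 9.8, True, "business", True, True, "W12"),
    Finding("plc-line3", "CVE-PLACEHOLDER-2", 7.5, False, "safety", False, False, "W12"),
    Finding("mes-app", "CVE-PLACEHOLDER-3", 8.1, False, "production", False, True, "W10"),
    Finding("hist-db", "CVE-PLACEHOLDER-4", 5.3, True, "business", False, True, "W10"),
]

if __name__ == "__main__":
    for asset, cve, s, action in plan(SAMPLE_FINDINGS):
        print(f"{s:5.1f}  {asset:10s} {cve:20s} {action}")
```

The point of separating `score` from `action_for` is that severity alone does not decide the response: an exploited, internet-facing gateway is patched out of cycle, a safety-critical but unpatchable controller gets segmentation and allowlisting, and everything else is queued to the window in which the line can actually be stopped.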
From Avoidable Losses to Durable Resilience: What to Do Now
The central findings were clear: manufacturers were disproportionately targeted; ransomware in this sector outpaced others in frequency and severity; and a small number of catastrophes produced most losses. Crucially, simple failures—especially MFA missteps—turned manageable threats into existential events.
Next steps emphasized action over overhaul. Harden MFA first for admins and remote access, with conditional access and red-team validation. Prove recovery by quarterly restores, golden images for critical systems, and backup isolation from domain compromise. Drive risk-based remediation with segmentation and allowlists where patching must wait. Tighten payment verification, monitor anomalous transfers, and enforce supplier minimums—least-privilege access, credential vaulting, logging, and time-boxed connectivity. Investment favored identity, recovery, and vendor access, paced to production windows and guided by insurance incentives.
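The supplier minimums listed above (least-privilege access, credential vaulting, logging, and time-boxed connectivity) can be enforced at the point where a vendor session is requested. The following is an added example, not code from the article or any access broker; the supplier entitlements, asset names, window hours and request format are constructed assumptions.

```python
"""Authorize a supplier remote-access session against time-boxed,
least-privilege entitlements and write an audit record.

Added example (not from the original article). Entitlements, asset names,
window hours and the request schema are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Constructed entitlements: assets each supplier may reach, the UTC hours in
# which connectivity is allowed, and the longest session permitted.
ENTITLEMENTS = {
    "robotics-vendor": {"assets": {"plc-line3", "hmi-line3"}, "window": (2, 6), "max_minutes": 120},
    "erp-integrator": {"assets": {"erp-app01"}, "window": (20, 23), "max_minutes": 240},
}


def in_window(ts: datetime, window: tuple) -> bool:
    """True when the hour of ts falls in [start, end) of the maintenance window."""
    start, end = window
    return start <= ts.hour < end


def authorize(request: dict, now: datetime, audit_log: list) -> dict:
    """Evaluate one session request and append an audit record.

    request keys: supplier, asset, minutes, credential_source ('vault' or 'shared').
    Returns {'allowed': bool, 'reasons': [...], 'expires_at': ISO string or None}.
    """
    reasons = []
    ent = ENTITLEMENTS.get(request["supplier"])
    if ent is None:
        reasons.append("unknown supplier")
    else:
        if request["asset"] not in ent["assets"]:
            reasons.append("asset outside entitlement")       # least privilege
        if not in_window(now, ent["window"]):
            reasons.append("outside maintenance window")      # time-boxed
        if request["minutes"] > ent["max_minutes"]:
            reasons.append("session exceeds time box")
    if request.get("credential_source") != "vault":
        reasons.append("credential not from vault")           # no shared passwords

    allowed = not reasons
    expires_at = (now + timedelta(minutes=request["minutes"])).isoformat() if allowed else None

    # Every decision is logged, denials included, so the record supports an audit.
    audit_log.append({
        "time": now.isoformat(),
        "supplier": request["supplier"],
        "asset": request["asset"],
        "allowed": allowed,
        "reasons": list(reasons),
        "expires_at": expires_at,
    })
    return {"allowed": allowed, "reasons": reasons, "expires_at": expires_at}


if __name__ == "__main__":
    log = []
    fixed_now = datetime(2025, 3, 1, 3, 0, tzinfo=timezone.utc)   # constructed timestamp
    req = {"supplier": "robotics-vendor", "asset": "plc-line3",
           "minutes": 60, "credential_source": "vault"}
    print(authorize(req, fixed_now, log))
    print(log[-1])
```

Each denial reason maps to one of the supplier minimums, so the audit log doubles as evidence of which control fired; the session expiry returned on success is what the broker or firewall uses to tear the connection down when the time box ends.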