Manufacturing Cybersecurity: Why Small and Mid-Size Factories Are the #1 Ransomware Target in 2026

Critical manufacturing has topped the FBI’s IC3 ransomware complaint ranking for the past two years. Manufacturing attacks rose approximately 61% in 2022, making it one of the fastest-growing target sectors. And manufacturing carries the worst recovery profile of any SMB sector: the longest recovery time at 72 hours average, the lowest cyber insurance coverage rate at 22%, and the smallest security investment at just 6% of IT budget. The sector that attackers most want to hit is also the one least prepared to recover.

For small and mid-size manufacturers, the risk calculus is brutal. Production downtime can cost hundreds of thousands of dollars per day. Ransomware-as-a-Service platforms make targeting economically viable even for operations with ten employees. Supply chain attacks give attackers access to multiple downstream manufacturers through a single upstream compromise. And the convergence of IT and operational technology (OT), with production equipment, industrial control systems, and shop floor networks now connected to enterprise IT, creates an attack surface that legacy security tools were never designed to cover.

This article explains why manufacturers face this specific threat profile, what the IT/OT convergence problem actually means in practice, and what breach readiness looks like for a small or mid-size operation with limited security resources.

KEY STAT: Manufacturing is the most ransomware-targeted industrial sector for the 4th consecutive year. Attacks rose 61% in 2025. Recovery takes a median of 72 hours, longest of any SMB sector. 24% of manufacturing sites have no OT/ICS incident response plan. Manufacturing breach costs average $9.80M. Source: Dragos / IC3 / TotalAssure / SQ Magazine 2026

Why manufacturers are the #1 ransomware target

Three structural factors make manufacturing uniquely attractive to ransomware groups, and all three are architectural: they cannot be addressed by buying a single security product.

Production dependency creates irresistible leverage. A ransomware attack on a manufacturer does not just lock files; it halts production. Every hour the factory floor is down costs money that is visible, calculable, and escalating. The pressure to restore operations quickly is more acute in manufacturing than in almost any other industry: customers are waiting for parts, contracts have delivery penalties, and production schedules have no slack. Attackers know this and calibrate demands accordingly. Production downtime averaging $1.5 million per hour in some manufacturing segments explains why manufacturers pay ransoms at rates above most sectors.

IT/OT convergence has created a shared attack surface. Legacy operational technology (PLCs, SCADA systems, HMIs, industrial robots) was originally air-gapped from enterprise IT networks. It was never designed with security in mind because it was never connected to anything external. The integration of industrial IoT, cloud analytics, and remote access capabilities has connected these systems to enterprise networks and the internet without addressing their fundamental security limitations. Ransomware that enters through a phishing email on a Windows laptop can propagate to production systems through the shared network segments that IT/OT convergence created.

Small manufacturers are systematically under-defended. The economics of the Ransomware-as-a-Service model make small manufacturers attractive targets: lower defenses, higher production dependency, and ransom demands calibrated to what a business of that size can pay. 75% of SMBs say they could not continue operating if hit with ransomware. 78% fear a major cyber incident could put them out of business. Critical manufacturing reported more than 400 IC3 ransomware complaints in 2025, more than any other sector.

Armour Cybersecurity’s Breach Readiness Assessment evaluates your manufacturing operation’s IR capability, OT visibility, and backup integrity, before a ransomware group maps it first. Many organizations also strengthen visibility through managed detection and response capabilities that help identify threats before ransomware deployment.

The OT/IT convergence problem in plain language

Most small manufacturers do not have a CISO or even a dedicated IT security professional. As a result, a formal cybersecurity assessment is often the first step toward understanding operational and cyber risk across IT and OT environments.

The person responsible for the network also configures the production equipment, manages vendor remote access, and handles employee laptops. When a ransomware actor enters through a phishing email on that network, the blast radius is not limited to the office; it extends to whatever production systems share network segments with the compromised laptop.

The specific OT risks that ransomware groups exploit in manufacturing environments:

  • Flat networks: no segmentation between office IT (email, HR, finance) and operational technology (PLCs, HMIs, SCADA). An infection on an office endpoint can reach production systems without crossing any security boundary.
  • Unpatched legacy equipment: industrial control systems running Windows XP or Windows 7 that cannot be patched without halting production. These systems have known, publicly documented vulnerabilities that attackers can exploit without sophisticated tools.
  • Remote access without controls: vendor and maintenance remote access that was provisioned for convenience without MFA, session recording, or time-limited credentials. Remote access is one of the most common initial access vectors in manufacturing incidents.
  • No OT visibility: most small manufacturers have no inventory of their OT assets, no monitoring of OT network traffic, and no ability to detect anomalous activity on production systems before it triggers a production outage. This is where managed SOC services can improve detection coverage and operational visibility.
  • Backup gaps: backup strategies designed for IT systems that do not account for OT system configurations, PLC programs, and production recipes. Restoring from an IT backup after an OT compromise may restore data but not production capability.

What breach readiness looks like for a small manufacturer

24% of manufacturing sites have no OT/ICS incident response plan at all, the highest rate of any sector. This means that when ransomware hits and production stops, most small manufacturers are responding without a plan, without visibility into what happened, and without the telemetry needed to understand the scope. The following framework addresses that gap:

  1. OT asset inventory: before any other security control, you need to know what is on your network. An OT asset discovery exercise identifies every device connected to your production network: PLCs, HMIs, engineering workstations, SCADA servers, remote access terminals, and any OT device with internet connectivity.
  2. Network segmentation: separate production networks from office IT networks using a DMZ or industrial demilitarized zone (IDMZ). Traffic between IT and OT must pass through controlled access points with monitoring. This single control prevents the most common ransomware propagation path in manufacturing environments.
  3. Remote access hardening: all vendor and maintenance remote access must require MFA, use time-limited credentials, be logged and monitored, and be terminated when not actively in use. No persistent, always-available remote access connections to production systems.
  4. OT-aware detection: monitoring of production network traffic for anomalous behaviour using OT-specific detection tools that understand industrial protocols (Modbus, DNP3, EtherNet/IP). Standard IT security monitoring tools do not understand OT traffic patterns.
  5. Production-aware backup: backup of OT system configurations, PLC programs, SCADA databases, and production recipes, not just IT data. Tested for restoration in a way that accounts for the specific requirements of production system recovery.
  6. OT-specific incident response plan: documented procedures for the scenarios that manufacturing actually faces (ransomware that has spread to production systems, PLC firmware modification, SCADA compromise, and production system unavailability). Tabletop exercises that include operations management, not just IT staff. Organizations should also establish relationships with incident response services providers before an emergency occurs.
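The segmentation and OT-aware detection steps above can be checked against flow records exported from a firewall or switch. The following is an added example, not code from the original article or from Armour Cybersecurity: it flags flows that cross between office IT and production OT without passing through the IDMZ, and OT devices talking directly to outside addresses. The zone address ranges, the sample flows, and the function names are all constructed for illustration.

```python
import ipaddress

# Assumed zone plan (constructed): office IT, industrial DMZ, production OT.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "IDMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Default TCP ports of the industrial protocols named in step 4.
INDUSTRIAL_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}


def zone_of(addr):
    """Map an IP address to its zone name, or EXTERNAL if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "EXTERNAL"


def audit_flows(flows):
    """Return (src, dst, port, reason) for every flow that bypasses the IDMZ."""
    findings = []
    for src, dst, port in flows:
        pair = {zone_of(src), zone_of(dst)}
        if pair == {"IT", "OT"}:
            reason = "direct IT<->OT flow bypasses IDMZ"
            if port in INDUSTRIAL_PORTS:
                # Office hosts have no reason to speak control protocols.
                reason += f" using {INDUSTRIAL_PORTS[port]}"
            findings.append((src, dst, port, reason))
        elif pair == {"OT", "EXTERNAL"}:
            findings.append((src, dst, port, "OT device communicates directly with external address"))
    return findings


# Constructed sample flow records: (source, destination, destination port).
SAMPLE_FLOWS = [
    ("10.10.4.23", "10.20.0.5", 443),     # office laptop -> IDMZ jump host
    ("10.20.0.5", "10.30.1.10", 3389),    # IDMZ jump host -> engineering workstation
    ("10.10.4.23", "10.30.1.50", 502),    # office laptop -> PLC over Modbus
    ("10.10.7.8", "10.30.2.2", 445),      # office PC -> HMI over SMB
    ("10.30.1.10", "203.0.113.9", 443),   # engineering workstation -> internet
    ("10.30.1.10", "10.30.1.50", 44818),  # OT-internal EtherNet/IP
]

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

On a flat network nearly every office-to-production flow appears as a finding; after segmentation the list should be empty, and any new entry is worth investigating.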

Armour Cybersecurity’s Managed Services provide 24/7 monitoring across both IT and OT environments, detecting the lateral movement and anomalous production system behaviour that precede ransomware deployment.

The backup problem in manufacturing

The single biggest predictor of whether a manufacturer pays a ransomware demand is whether its backups work when tested. And manufacturing backups have a specific problem that IT-focused backup strategies do not address: restoring data does not restore production capability.

A manufacturer that restores its ERP system from backup but cannot restore its SCADA configuration, PLC programs, or production recipes is not back in production. A manufacturer whose backup was connected to the production network when ransomware deployed has no clean backup to restore from. And a manufacturer whose backup has never been tested for restoration in a production environment may discover during an incident that the backup job completed successfully but the restoration does not produce a functional system.

The organizations that recover from manufacturing ransomware without paying are the ones that treated OT backup as a separate discipline from IT backup: isolated from the production network, inclusive of OT system configurations and production data, and tested for actual production restoration, not just data recovery.

Frequently asked questions

How does ransomware reach production equipment in a factory?

The most common path is through the shared IT/OT network: ransomware enters via a phishing email on an office computer, propagates through the office network, crosses into the production network through unsegmented connections, and reaches engineering workstations, HMIs, and SCADA servers. In some incidents, attackers enter directly through remote access connections provisioned for vendor maintenance, connections that often lack MFA and rely on persistent credentials. Once on the production network, attackers identify high-value targets (SCADA servers, PLC programming interfaces) and either encrypt them directly or disable them as part of a maximum-disruption strategy.

What is the difference between IT cybersecurity and OT cybersecurity?

IT cybersecurity focuses on protecting information systems (servers, laptops, cloud platforms, email), where the primary concern is data confidentiality and availability. OT cybersecurity focuses on protecting operational technology (PLCs, SCADA systems, HMIs, industrial control systems), where the primary concern is production continuity and physical safety. OT systems have very different security requirements: they often cannot be patched or rebooted without halting production, they use specialized industrial protocols that standard security tools do not understand, and a security incident can have physical consequences beyond data loss.

Do small manufacturers need a dedicated OT security tool?

Not necessarily as a starting point. The foundational controls (network segmentation, remote access hardening, OT asset inventory, production-aware backup) deliver more value for most small manufacturers than specialized OT security tools. However, once the foundation is in place, OT-aware monitoring and detection tools that understand industrial protocols add significant value by detecting the anomalous activity that precedes a production system compromise. A managed security provider with OT experience can often deliver these capabilities without requiring the manufacturer to build in-house expertise. Many manufacturers achieve this through managed cybersecurity services that support both operational resilience and security monitoring.

Can my cyber insurance cover a manufacturing ransomware incident?

It depends entirely on whether your declared security controls match your actual controls. Manufacturing has the lowest cyber insurance coverage rate of any SMB sector (22%), and many manufacturers who do have coverage discover during a claim that their policy excludes OT systems, or that their failure to implement declared controls (MFA, EDR, tested backups) creates grounds for claim denial. Review your policy before an incident: confirm it covers OT system recovery costs, business interruption from production downtime, and the specific ransomware scenarios your operation faces.

Manufacturing is under sustained, systematic attack because the economics favor the attacker: production dependency creates irresistible leverage, IT/OT convergence has expanded the attack surface without expanding the security program, and most small manufacturers have not yet built the readiness capability that determines whether a ransomware incident is recoverable or business-ending. Developing a structured cyber strategy roadmap helps organizations prioritize security investments that reduce operational and ransomware risk. The gap between the threat and the preparation is the opportunity, both for attackers and for manufacturers who close it before they need to.

Armour Cybersecurity’s Breach Readiness Assessment evaluates your manufacturing operation’s incident response capability, OT network exposure, backup integrity, and recovery options, delivering a prioritized remediation plan your operations team can act on before production stops.
