As Manufacturers Modernize, They Can’t Drop the Ball on Cybersecurity
Manufacturers live on up-time, which means security upkeep often takes a back seat. As a result, the devices and systems that manufacturers rely on can become outdated. The combination of legacy systems, outdated security controls and unpatched vulnerabilities has left manufacturers particularly vulnerable to cybercriminals aiming to cause operational havoc and extract large ransoms.
Sixty-five percent of manufacturing and production organizations reported they were hit by ransomware in 2024, according to a Sophos report based on the experiences of 585 IT/cybersecurity leaders working in the sector. This is a notable increase from the previous two years (56% in 2023 and 55% in 2022) and represents a 41% increase since 2020.
Manufacturers also have faced high ransom payouts, with the average payment over the last year reaching $1.2 million, according to the report.
While the industry is working hard to modernize and improve operating efficiencies, technology improvements such as the Internet of Things (IoT) and 5G connectivity also significantly expand the cyberattack surface.
Manufacturers are in the process of adopting digital transformation technologies (including IoT) and transitioning from legacy systems, but this is no easy feat. Capital requirements for new machinery are often high, which incentivizes manufacturers to keep their equipment running as long as possible to maximize the output and return on investment. The longer those systems run, the more likely it is that their software will go without updates or reach end of life and no longer be supported.
IoT’s Role in Modernization
Two of the goals of modernization are to become more efficient and gain a competitive advantage. As a result, we have seen the adoption of IoT and a push for the creation of smart factories aimed at revamping how operations are conducted. According to a Ubisense survey of manufacturing and IoT in 2023, 62% of manufacturers have embraced IoT technologies in their manufacturing or assembly processes. IoT can help manufacturers automate their production processes by connecting machines to a monitoring and control system. Sensors are a critical part of those systems. They send information during various stages of production and trigger real-time alerts to enable automatic adjustments, reducing or eliminating manual intervention.
IoT connectivity can help reduce downtime and deliver data to optimize performance. However, rapid digitization leaves room for entry, especially if security controls are lacking. Proper security should not be ignored.
Factor in additional new technologies and processes such as AI-powered devices, digital twins and cloud computing, and addressing cybersecurity gaps becomes more complex.
Cybercriminals Take Aim at Manufacturers
Cybercriminals often consider manufacturers' network vulnerabilities a prime target because downtime is inherent in this industry. It’s often necessary to halt production for things like shift changes, routine maintenance and equipment inspections. Downtime is planned for manufacturing schedules so that operators can minimize disruptions to the production flow.
In targeting manufacturers’ network vulnerabilities, cybercriminals rely on the consequences of wreaking havoc and the potential to cause even more downtime to secure massive payouts. A halt in production may make some manufacturers more willing to pay attackers to get back up and running than to face more downtime. According to Splunk, the average annual cost of downtime for manufacturers is $255 million. And no manufacturing sector is immune. Upstream Security issued a report that found that 42% of automotive manufacturing cyber incidents in 2023 involved service and business disruptions.
Vulnerability Management Remains a Weak Spot
According to Corvus’ claim data, vulnerability management has been a significant weak spot for the manufacturing industry, with 47% of attacks originating from unpatched vulnerabilities. Organizations have made strides, but this remains an ongoing issue for those with legacy systems that cannot be patched.
As mentioned, manufacturers have a low tolerance for downtime, and cybercriminals thrive on this. Other vulnerabilities include increasing entry points through third parties and a larger attack surface area to target.
Protecting Against Cyberattacks
Manufacturers are well aware of the need to be more aggressive to prevent cyberattacks and make a concerted effort to adopt strong security controls. According to a cybersecurity survey from the Manufacturing Leadership Council, nearly 62% of manufacturing companies said that they have a formal cybersecurity plan in place. That number was up from 2018, when barely 33% of manufacturers indicated they had devised and adopted formal cybersecurity plans that encompassed their plant floors.
Here are six cybersecurity controls to help organizations manage cyber risk:
- Implement Multifactor Authentication (MFA): Prevention is the best defense. MFA – which requires the use of two or more authentication factors to verify the legitimacy of account access attempts – can make you 99% less likely to be hacked according to the Cybersecurity and Infrastructure Security Agency. MFA should be used for all users all the time to help prevent cybercriminals from accessing a business’s system or infiltrating a network, which can lead to ransomware attacks and other cybercrime schemes.
- Segment critical devices: Every manufacturing system or device should be placed on a secured network segment or use endpoint segmentation to restrict access to the systems. Access to the secured network segment should require a hardened jump box, which is monitored for any suspicious activity.
- Keep systems up to date: Make good cyber hygiene part of your plan. Maintaining awareness and control of your IT assets is key. Your cybersecurity plan should include strategies for keeping systems up to date. An unpatched vulnerability is one of the easiest and most common methods used to compromise a computer system or network. Enable automatic updates where possible, replace unsupported systems, and test and deploy available patches quickly.
- Use endpoint detection and response (EDR): An EDR solution helps protect against malicious attacks and can provide far greater capabilities than a traditional antivirus solution. EDR can help protect and monitor every asset in an enterprise network by identifying suspicious activity before the rest of the corporate network is exposed to unnecessary risk. EDR technologies monitor anomalous behavior on each system rather than simply searching for malware.
- Have an incident response (IR) plan: The goal of an IR plan is to provide a clearly defined, focused and coordinated approach to responding to cyber incidents. This will enable the organization to limit the damage and hasten a return to normal. Getting back to business with limited impact after an attack is only one benefit of having a good IR plan. Your IR plan also shows your partners, suppliers and clients that you take cybersecurity seriously.
- Back up your data: Make copies of important data and system configurations and protect them. Businesses and organizations typically store many kinds of data, using a variety of computer systems, on networks that may be local, global or somewhere in between. Data on a system or network can include Protected Health Information (PHI), Payment Card Information (PCI), Personally Identifiable Information (PII), intellectual property or other proprietary or confidential information.
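The segmentation control above can be checked against network flow logs. The following is an added example, not part of the original article: it flags traffic that enters the secured segment from anywhere other than the jump box. The segment range, jump box address, admin ports and flow records are all constructed assumptions.

```python
import ipaddress

# Assumed values for illustration (not from the article).
OT_SEGMENT = ipaddress.ip_network("10.20.0.0/24")  # secured manufacturing segment
JUMP_BOX = ipaddress.ip_address("10.10.5.10")      # hardened jump box
ADMIN_PORTS = {22, 3389}                           # management ports allowed from the jump box

# Constructed flow records in the form "src_ip dst_ip dst_port action".
SAMPLE_FLOWS = """\
10.10.5.10 10.20.0.15 3389 ALLOW
10.10.7.44 10.20.0.15 3389 ALLOW
10.20.0.15 10.20.0.16 502 ALLOW
10.10.5.10 10.20.0.16 445 ALLOW
10.10.7.44 10.20.0.17 22 DENY
10.20.0.15 10.10.7.44 443 ALLOW
not a flow record
"""

def audit_flows(text):
    """Return (findings, skipped) for flows that cross into the secured segment."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port, action = int(parts[2]), parts[3]
        except (IndexError, ValueError):
            skipped += 1  # malformed record: count it rather than silently drop it
            continue
        if dst not in OT_SEGMENT or src in OT_SEGMENT:
            continue  # only traffic entering the segment from outside is in scope
        if src != JUMP_BOX:
            # An ALLOW here means the segment boundary has a gap; a DENY is
            # still worth reviewing because something tried the direct path.
            reason = "bypasses jump box" if action == "ALLOW" else "blocked attempt"
        elif port not in ADMIN_PORTS:
            reason = "jump box used on non-admin port"
        else:
            continue
        findings.append((str(src), str(dst), port, reason))
    return findings, skipped

if __name__ == "__main__":
    results, bad = audit_flows(SAMPLE_FLOWS)
    for finding in results:
        print(finding)
    print("skipped records:", bad)
```
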
Jason Rebholz is the Chief Information Security Officer at Corvus. He has over a decade of experience performing forensic investigations into sophisticated cyberattacks and helping organizations build secure and resilient environments. As Corvus’s CISO, Jason leverages his incident response, security, and infrastructure expertise to drive security strategy and reduce the risk of security threats internally at Corvus and for Corvus's policyholders. Prior to joining Corvus, Jason held leadership roles at Mandiant, The Crypsis Group, Gigamon, and MOXFIVE.