Operational Technology Under Siege: Why Manufacturing Cybersecurity Can't Wait Until 2027

Cyberattacks on factory floors are surging. Here's why OT/IT convergence is manufacturing's biggest security blind spot — and how to close the gap.

May 22, 2026 | Layer27
Tags: Manufacturing, Cybersecurity, Compliance, IT Strategy

The shop floor isn't what it used to be. Where isolated machines once hummed along on proprietary protocols with no connection to the outside world, today's factory floor is a dense web of sensors, programmable logic controllers (PLCs), SCADA systems, industrial robots, and cloud-connected dashboards — all feeding data into enterprise networks in real time. That connectivity has unlocked enormous productivity gains. It has also cracked open a door that cybercriminals are sprinting through.

In 2025, manufacturing surpassed financial services to become the most-targeted industry sector for cyberattacks, accounting for nearly 26% of all ransomware incidents globally, according to IBM's X-Force Threat Intelligence Index. The trend has not slowed in 2026. If anything, threat actors have grown more sophisticated, more patient, and more focused on the specific vulnerabilities that exist where information technology (IT) meets operational technology (OT).

If you operate a manufacturing facility — whether you're producing pharmaceuticals, automotive components, food products, electronics, or industrial equipment — this post is written for you. We'll explain what's driving the threat, what a real-world attack looks like, and what practical steps you can take right now to protect your people, your equipment, and your bottom line.


What Is OT/IT Convergence — and Why Does It Create Security Gaps?

Operational technology refers to the hardware and software that monitors and controls physical processes — think CNC machines, conveyor systems, temperature regulators, and assembly-line robotics. For decades, OT systems lived in their own world. They ran specialized, proprietary operating systems, communicated over isolated networks, and were managed by engineers who had little overlap with the IT department.

IT networks, by contrast, are the systems most businesses know well: servers, workstations, Microsoft 365, cloud applications, email, ERP platforms. These are the networks your cybersecurity policies have traditionally been designed to protect.

OT/IT convergence is the ongoing integration of these two worlds. Manufacturers connect PLCs and SCADA systems to enterprise networks to enable remote monitoring, predictive maintenance, supply chain integration, and real-time production analytics. The business case is clear and compelling. The security implications, however, are frequently underestimated.

Here's the problem: OT systems were not designed with cybersecurity in mind. Many PLCs and industrial control systems (ICS) run on operating systems that haven't received a security patch in years — or ever. Some run versions of Windows that Microsoft retired over a decade ago. Others use proprietary firmware with no update mechanism at all. When these systems get connected to enterprise networks (and, by extension, the internet), they become entry points for attackers who know exactly where to look.

The result is a sprawling attack surface that spans both worlds, with security policies designed for neither.


The Threat Landscape: What Attackers Are Actually Doing

Ransomware Targeting Production Lines

The most financially devastating attacks on manufacturers follow a familiar playbook: infiltrate the IT network through a phishing email or compromised vendor credential, move laterally across the environment, identify and encrypt critical systems — including those connected to OT — and demand a ransom to restore operations.

When production stops, the financial bleeding starts immediately. A mid-size manufacturer running three shifts can lose hundreds of thousands of dollars per day when the line goes down. Attackers know this. They time their strikes to maximize pressure — hitting before a major shipment deadline, during peak season, or when they've identified that the target has minimal backup and recovery infrastructure in place.

The 2024 ransomware attack on a major ball bearing manufacturer in the Midwest — one of the suppliers for several tier-one automotive OEMs — halted production for eleven days and resulted in supply chain disruptions that rippled through multiple assembly plants. The manufacturer ultimately paid a ransom reported to be in the seven-figure range. That story, unfortunately, is not exceptional. It is increasingly common.

Living-off-the-Land in OT Environments

Nation-state threat actors, particularly those linked to China, Russia, and Iran, have demonstrated a preference for living-off-the-land (LotL) techniques in OT environments. Rather than deploying noisy malware, they use legitimate OT tools and protocols — Modbus, DNP3, OPC-UA — to move through industrial networks undetected. These attacks are often not about immediate financial gain. They're about persistence and positioning: gaining long-term access to critical infrastructure to enable sabotage, espionage, or leverage in geopolitical conflict.

CISA and the FBI have issued multiple joint advisories in 2025 and 2026 warning that critical manufacturing sectors — including defense industrial base suppliers, chemical manufacturers, and food and agriculture companies — are being pre-positioned by state-sponsored actors for potential disruptive attacks.

Supply Chain Infiltration

Manufacturers rarely operate in isolation. They depend on a complex web of equipment vendors, software providers, contract engineers, and third-party logistics partners — many of whom require remote access to production systems for support and maintenance. Each of those connections is a potential entry point.

The software supply chain is equally at risk. Industrial software updates, firmware packages, and SCADA management platforms have all been weaponized in recent years, echoing the SolarWinds attack model but applied to factory environments.


Why Traditional IT Security Falls Short in Manufacturing

Security tools built for enterprise IT environments don't translate cleanly to OT. Here's why:

You can't just patch everything. In an IT environment, pushing a security patch is routine. In a manufacturing environment, patching PLC firmware might require shutting down a production line, recertifying a process, or coordinating with an equipment vendor. Many manufacturers simply don't patch OT systems because the operational risk of downtime outweighs the perceived security risk — until it doesn't.

You can't use standard endpoint agents. Traditional endpoint detection and response (EDR) tools require software agents installed on endpoints. Most OT devices — PLCs, HMIs, SCADA servers — cannot run third-party agents, either because of hardware limitations or because doing so would void vendor certifications or warranties.

Network segmentation is often aspirational, not real. Manufacturers frequently say they have segmented OT from IT. In practice, those segments often have far more connections between them than anyone realizes — flat network architecture, shared Active Directory, IT staff remoting into OT systems, production monitoring dashboards running on IT workstations. A proper network segmentation audit frequently uncovers dozens of undocumented connections.

Security teams don't understand OT protocols. Most IT security professionals have deep knowledge of TCP/IP, Windows environments, and web application security. Far fewer have hands-on experience with Modbus, PROFINET, EtherNet/IP, or the nuances of SCADA architecture. This knowledge gap is actively exploited by attackers.


The Regulatory Pressure Is Building

Cybersecurity compliance for manufacturers is no longer a future concern — it's a present reality. Several overlapping frameworks and regulations are converging in 2026:

NIST CSF 2.0 and ICS/OT Guidance

The National Institute of Standards and Technology released Cybersecurity Framework 2.0 in 2024, with significantly expanded guidance for operational technology environments. While the CSF remains voluntary for most private-sector manufacturers, it has become the de facto standard that customers, insurers, and government partners expect manufacturers to demonstrate alignment with.

Cyber Insurance Requirements

Manufacturers seeking cyber insurance — or renewing existing policies — are now facing application questions specifically about OT security. Carriers want to know whether OT and IT networks are segmented, whether asset inventories for industrial systems exist, and whether incident response plans cover production environment scenarios. Manufacturers who can't answer these questions confidently are either being denied coverage or paying dramatically higher premiums.

Defense Industrial Base Requirements

Manufacturers in the defense supply chain face additional pressure from CMMC 2.0 enforcement (which we've covered separately), but there are also emerging requirements around protecting OT environments for DIB suppliers. If your facility manufactures components that end up in defense platforms, expect your prime contractor to begin asking harder questions about your OT security posture in 2026 and beyond.

The EU Cyber Resilience Act

For manufacturers with operations or customers in Europe, the EU Cyber Resilience Act — which entered its enforcement phase in late 2025 — introduces mandatory cybersecurity requirements for products with digital elements, including industrial equipment and connected devices. This has direct implications for manufacturers who design and ship OT-connected products into European markets.


Practical Steps Manufacturers Can Take Right Now

1. Build a Comprehensive OT Asset Inventory

You cannot protect what you don't know you have. The starting point for any OT security program is a complete, accurate inventory of every industrial device on your network — PLCs, HMIs, SCADA servers, sensors, engineering workstations, and every connection between them. Passive network monitoring tools designed for OT environments (such as Claroty, Dragos, or Nozomi Networks) can map your environment without disrupting production.

2. Implement True Network Segmentation

Move beyond the assumption that IT and OT are separated. Conduct a segmentation audit. Identify every connection between your enterprise network and your production floor. Implement a proper industrial DMZ architecture with strict controls over what traffic can flow between segments, and eliminate unnecessary connections entirely. This is foundational work — and it's often more complex than expected, which is where a partner with Infrastructure Pro expertise can be invaluable for planning and execution.

3. Get Visibility Into OT Traffic

Even if you can't install agents on OT devices, you can monitor the traffic they generate. Passive OT monitoring solutions analyze network traffic patterns and flag anomalies without touching the devices themselves. When integrated with a 24x7 SOC and Managed Detection & Response (MDR) capability, this gives your security team the ability to detect lateral movement, protocol anomalies, and unusual communication patterns in real time — before an attacker reaches their objective.

This is exactly the kind of layered visibility Layer27's MDR and 24x7 SOC services are designed to provide. Our security operations analysts are trained to understand the difference between a PLC polling its sensor on a normal cycle and an attacker using that same protocol to probe the environment.
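As an added example (not Layer27's code or any monitoring vendor's tooling), the following Python script reviews constructed Modbus/TCP flow records against an assumed zone layout and write baseline. It flags enterprise-to-control connections that bypass the industrial DMZ (the segmentation audit in step 2) and Modbus write requests from masters outside the baseline (the protocol anomalies step 3 describes). The subnets, allowed-path table, baseline and sample frames are all assumptions made for the example.

```python
import ipaddress
import struct

ZONES = {  # assumed zone layout (hypothetical subnets, not a real site)
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "idmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("192.168.50.0/24"),
}
# Only these zone-to-zone paths are permitted; any other cross-zone flow is a finding.
ALLOWED_PATHS = {("enterprise", "idmz"), ("idmz", "control"), ("control", "control")}
WRITE_BASELINE = {("192.168.50.10", 1)}  # assumed (master IP, unit id) pairs allowed to write
WRITE_FCS = {5, 6, 15, 16}  # write coil/register function codes

def zone_of(ip):
    """Map an address to its zone; anything outside the known subnets is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def parse_mbap(payload):
    """Parse the 7-byte MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("short Modbus/TCP frame")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # length counts unit id + PDU
        raise ValueError("malformed MBAP header")
    return {"unit": unit, "fc": payload[7]}

def review(flows):
    """Return findings for (src, dst, payload) records; an empty list means all normal."""
    findings = []
    for src, dst, payload in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if (sz, dz) not in ALLOWED_PATHS:
            findings.append(f"segmentation: {src} ({sz}) -> {dst} ({dz}) bypasses the DMZ")
        try:
            req = parse_mbap(payload)
        except ValueError as err:
            findings.append(f"malformed: {src} -> {dst}: {err}")
            continue
        if req["fc"] in WRITE_FCS and (src, req["unit"]) not in WRITE_BASELINE:
            findings.append(f"write-anomaly: {src} sent fc={req['fc']} to unit {req['unit']} at {dst}")
    return findings

# Constructed sample frames and flows (not captured traffic).
READ_HR = bytes.fromhex("0001 0000 0006 01 03 0000 000a")  # FC3: read 10 holding registers
WRITE_SR = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")  # FC6: write single register
SAMPLE_FLOWS = [
    ("192.168.50.10", "192.168.50.21", READ_HR),  # SCADA polling the PLC: normal cycle
    ("192.168.50.10", "192.168.50.21", WRITE_SR),  # baselined setpoint write: normal
    ("10.10.5.44", "192.168.50.21", WRITE_SR),  # enterprise workstation writing to the PLC
]

if __name__ == "__main__":
    print(*review(SAMPLE_FLOWS), sep="\n")
```

The first two flows produce no findings; the third produces both a segmentation finding and a write-anomaly finding, which is the "same protocol, different intent" distinction the passage describes.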

4. Establish a Patch and Vulnerability Management Program for OT

This doesn't mean patching everything immediately — that's not realistic. It means having a documented, risk-based process for evaluating vulnerabilities in OT systems, understanding which ones are exploitable in your environment, and planning remediation or compensating controls. For systems that cannot be patched, network segmentation, monitoring, and access controls become your primary mitigations.

5. Harden Remote Access to OT Systems

Remote access by vendors and internal staff to production systems is one of the highest-risk vectors in manufacturing environments. Implement multi-factor authentication on every remote access session. Use privileged access management (PAM) tools to record and audit sessions. Eliminate the use of shared credentials. Consider a vendor-specific remote access platform that provides session recording, time-limited access, and automatic termination.

6. Build OT-Specific Incident Response Procedures

Your existing incident response plan almost certainly wasn't written with the production floor in mind. Add OT-specific runbooks that answer questions like: Who decides whether to take a production line offline? What's the process for recovering a compromised PLC? Who is the primary contact at each major equipment vendor? How do you maintain safety when IT/OT systems are behaving abnormally?

Layer27's Safe Start service includes foundational security policies and incident response documentation — a natural starting point for manufacturers who need to build these frameworks from scratch.

7. Train Your Operational Staff — Not Just IT

The humans on your production floor are as much a part of your security posture as your firewalls. Maintenance technicians who plug personal USB drives into HMIs, engineers who connect engineering workstations to the guest Wi-Fi, and supervisors who approve vendor remote access without verifying identity are all creating risk. Security Awareness Training tailored to OT environments and manufacturing workflows can close these gaps significantly.

8. Protect Your Data and Build Recovery Capability

When an attack does succeed — and statistically, you should plan for that possibility — your ability to recover quickly determines how much damage you sustain. Backup-as-a-Service (BaaS) and Disaster Recovery-as-a-Service (DRaaS) should cover not just your enterprise IT systems, but your engineering files, HMI configurations, PLC programs, and SCADA databases. Many manufacturers discover during an incident that they can restore their ERP but have no clean copies of the machine configurations needed to restart production. That is a fixable problem — but only if you address it before the attack.

9. Consider a Hybrid Cloud Strategy for Production Data

Manufacturers increasingly rely on cloud-connected platforms for production analytics, supply chain visibility, and predictive maintenance. A well-architected Hybrid Cloud strategy — keeping sensitive OT data processing on-premises or in a Private Cloud while using Public Cloud services for analytics and collaboration — can give you the flexibility of cloud without unnecessarily exposing production systems to internet-facing risk. Layer27's Cloud Services and CloudStart offerings are designed to help manufacturers find this balance.


A Word on Co-Managed IT for Manufacturers

Many manufacturing companies have small IT teams that are excellent at keeping enterprise systems running but have no OT security expertise — and shouldn't be expected to have it. Co-Managed IT is an increasingly popular model in this space: the manufacturer's internal IT staff retain ownership of day-to-day operations and deep knowledge of the business, while a partner like Layer27 provides the specialized security capabilities, 24x7 monitoring, and compliance expertise that a small team simply can't maintain alone.

This model works particularly well for manufacturers with 50 to 500 employees who need enterprise-grade security without the cost of building an internal security operations function.


The Cost of Inaction Is No Longer Theoretical

The argument for deferring OT security investments used to be plausible: "Our systems are isolated," or "Attackers don't understand our equipment." Neither of those arguments holds up in 2026. Attack toolkits targeting Siemens, Rockwell, and Schneider Electric systems are available on dark web forums. Threat actors are spending months inside manufacturing networks learning production schedules, understanding equipment interdependencies, and timing attacks for maximum impact.

The manufacturers that will weather this threat environment are the ones who treat OT cybersecurity as an operational discipline — not an IT project, not a compliance checkbox, but a fundamental part of running a safe and resilient production facility.

The good news: you don't have to solve this alone, and you don't have to solve it all at once. Starting with visibility, segmentation, and a clear asset inventory puts you ahead of the majority of your peers and significantly raises the cost for attackers to succeed against you.


Ready to Assess Your Manufacturing Cybersecurity Posture?

Layer27 works with manufacturers across the United States to build practical, operational security programs that protect both IT and OT environments — without disrupting production. Whether you're starting from scratch or looking to mature an existing program, we can help you understand your risk, close your gaps, and build the resilience your facility needs.

Contact the Layer27 team today to schedule a manufacturing security assessment.
