The manufacturing sector was the most targeted by hackers in 2025, for the fifth year in a row, according to a recent IBM X-Force report. But although many manufacturers have taken some steps to protect their systems, cybersecurity experts say most can do more to prevent attacks, or at least limit the damage if an attack occurs.
Manufacturers are targeted by hackers in part because they have “high‑value intellectual property and complex legacy systems that are harder to patch and therefore easier to exploit,” Ryan Anschutz, North American incident response lead at IBM X-Force, said in an email.
Adding to the problem, Anschutz said, is that manufacturing organizations often do not have the capital to fund good cybersecurity programs.
Patrick Garrity, security researcher at VulnCheck, agreed that older systems make for attractive targets.
“Many manufacturers still rely on legacy technologies and industrial systems that were not designed with modern cybersecurity in mind,” he said in an email. “Modernization often happens slowly, leaving organizations operating a mix of old and new systems that can expand the attack surface.”
Manufacturers are also under constant pressure to keep operating even if they are the victim of an attack, Corey Nachreiner, chief security officer at WatchGuard Technologies, said in an email.
“To a manufacturer, every minute of uptime translates to money,” he said. “Cybercriminals and ransomware threat actors realize this. Every hour they can keep a manufacturer down costs the company revenue and profit, so they can really turn the screws with extortion if they can lock up a manufacturer with a cyberattack.”
In addition to being relatively soft targets, experts said manufacturers often make mistakes that increase their vulnerability. Some of the most common include:
- Treating operational technology environments as separate from cybersecurity programs. “When OT systems are not integrated into centralized monitoring or detection workflows, threats can go unnoticed for long periods,” Adam Marrè, chief information security officer at Arctic Wolf, said in an email.
- Underestimating the risk associated with identity security and remote access. “Attackers frequently log in using stolen credentials rather than breaking through defenses, which means weak authentication controls or overly permissive access policies can create major exposure,” Marrè said.
- Lacking a disaster recovery and business continuity plan. “Often, [manufacturers] may not have the strongest plan to keep operations running manually in the event of tech disasters,” Nachreiner said.
- Delaying technology modernization. Older systems “may still function operationally, but they can introduce significant security risks if patching, asset visibility and vulnerability management are not consistently maintained,” Garrity said.
- Failing to back up systems regularly. “Some organizations keep backups online or do not test restoration regularly, which leaves them vulnerable to ransomware that encrypts or deletes backup data,” Reegun Jayapaul, director of threat research at Cyderes, said in an email.
According to Jayapaul, attackers typically gain initial access through phishing, exposed remote services, or compromised supplier accounts.
“If network segmentation between IT and OT is weak, they can move laterally toward industrial controllers or manufacturing execution systems,” he said.
Attackers also frequently target edge network devices, virtualization platforms and server infrastructure.
“These systems are often exposed to the internet or sit at critical points within the network, making them attractive entry points,” Garrity said. “When vulnerabilities exist in these technologies, especially if patches are delayed, they can provide attackers with an initial foothold that can then be used to move deeper into operational environments.”
No matter where the attack comes from, “cyber incidents can quickly become physical, costly disruptions,” Richard Springer, senior director of OT solutions marketing at Fortinet, said in an email. “An attack can halt production lines, damage equipment or interrupt critical supply chains, which raises the stakes beyond traditional IT breaches.”
Despite the wide range of threats that manufacturers face, there are several steps they can take — starting immediately — to shore up vulnerabilities and protect their systems.
Strengthen IT/OT collaboration, but keep them separate
One important way that manufacturers can strengthen their defenses against cyberattacks is to improve collaboration between their information technology and operational technology departments. Companies need to adopt a “continuous, proactive approach to identifying weaknesses across IT and OT environments,” Anschutz said.
“Threat actors exploit gaps between these environments frequently,” he said. “Taking a shared visibility, common process and unified response workflow will reduce environmental blind spots and accelerate containment should an incident occur.”
At the same time, Marrè said, it is critical to separate IT and OT to limit the spread of an attack. “Effective segmentation also allows organizations to apply stricter monitoring and access policies around critical industrial systems that directly support manufacturing operations,” he said.
Shore up identity security
Anschutz said that many threat actors access manufacturers’ systems by abusing credentials, especially for customer-facing applications.
“That is why it is critically imperative that manufacturers gain better visibility into identity-based risks and threats,” he said. “By combining AI-powered identity threat detection and response and identity security posture management, they can more quickly and efficiently identify vulnerabilities and prevent attacks from happening.”
It is also important to regularly use multifactor authentication across remote access tools, administrative accounts and critical systems, Marrè said.
In addition, companies should “regularly audit privileged accounts, remove unnecessary permissions, and monitor for unusual login behavior such as logins outside normal working hours or from unfamiliar locations,” he said. “Strong identity controls help ensure that even if credentials are compromised, attackers cannot easily move deeper into the environment.”
Update software quickly
Nachreiner said manufacturers should patch all of their systems as quickly as possible when updates become available to limit attackers’ ability to find their way in.
“Whether the back office or business side software or hardware, or the OT and industrial control systems used on the manufacturing factory floor, you should make sure to update software and firmware quickly,” he said. “If an update has high or critical vulnerabilities, you should patch it at least within 30 days.”
Prioritize vulnerabilities
Manufacturers should remember that not all threats are equally dangerous.
“Prioritize vulnerabilities based on real-world threat activity, not just severity scores like the [Common Vulnerability Scoring System],” Garrity said. “Threat-informed prioritization helps organizations focus on vulnerabilities attackers are actually exploiting.”
According to the SANS Institute, a cybersecurity training and certification organization, the CVSS is a way to evaluate and rank reported cybersecurity risks in a standardized and repeatable manner. Although a CVSS score and similar approaches can help compare vulnerabilities across applications and vendors, they should not be blindly relied upon, Garrity said.
Build cyber resilience into operations
Planning for downtime needs to be part of a company’s cybersecurity strategy.
“Plan for downtime scenarios, test your recovery processes regularly and ensure teams can restore operations quickly while under duress,” Anschutz said. “We want to take the idea that we build resilience into operations, so downtime does not become leverage for the threat actor.”
