Manufacturing companies form the very foundation of the global economy. Multiple manufacturing segments are classified as critical infrastructure as they are foundational to other sectors. A strong manufacturing base is an overall indication of a country’s economic strength. Still, recent data reveals that manufacturers suffer from low levels of cyber maturity. Further, they are facing an unprecedented number of incidents, causing 1 in 4 industrial organisations to shut down in the previous year. What makes manufacturing uniquely vulnerable and what are the roadblocks to building cyber resilience in the sector? In what follows, we unpack some of the challenges.
A recent report by Palo Alto Networks, “The State of OT Security: A Comprehensive Guide to Trends, Risks, and Cyber Resilience”, reveals that within the past year, 1 in 4 manufacturers had to shut down their industrial operations in the aftermath of a cyber attack. According to the report, more than 70% of industrial manufacturers had experienced a cyber incident in the previous year.
Recent research by The World Economic Forum reveals that 1 in 4 of all global cyber attacks over the past three years were against manufacturers. Apart from industrial manufacturing, this includes automotive, aerospace and defence, hardware and electronics, consumer packaged goods, transportation equipment manufacturing, and many others.
In 2023 alone, manufacturers accounted for about 25% of all security incidents. IT was the main attack vector, with 72% of attacks originating there, and malware—mostly ransomware—made up the majority of these. The recent IBM X-Force 2024 Threat Intelligence Report speaks of a 266% increase in “infostealing” malware as threat actors increasingly seek new ways to harvest email, social media, and banking credentials.
For more information on trends and challenges, read The Cybersecurity Handbook for Mid-sized Manufacturers 2025:
According to the IBM Cost of a Data Breach Report 2024, the cost of a successful attack on an industrial manufacturer can reach $4.73m. If the trend continues, the projected global impact will be $10.5tn by 2025.
What makes manufacturers vulnerable to cyber attacks?
Manufacturers operate within complex ecosystems comprising multiple sites, sprawling supply chains, OT and IT systems, as well as various suppliers, contractors, vendors, and partners. Digital transformation and Industry 4.0 have introduced even greater complexities to the sector. Increased connectivity, the need for high data availability, plus the need to collaborate across departments, along the supply chain, and between sites have made manufacturers attractive targets for global cyber criminals.
A disruption anywhere within this complex setup may trigger ripple effects affecting the global economy. Manufacturers’ low tolerance for downtime and supply chain disruptions also makes them especially likely to pay ransom in the event of a ransomware attack.
Yet for many manufacturing companies, cyber resilience is still not a priority. The World Economic Forum recommends embedding cybersecurity into the overall company strategy and driving cyber resilience by design. This means integrating cybersecurity into every aspect of an organisation, so that people, assets, and processes are all aligned.
But cybersecurity is not confined to internal organisational change. To build true cyber resilience, manufacturers should invest in managing the complex ecosystems within which they operate. This includes security awareness initiatives that extend to key stakeholders, establishing trusted partnerships, and a sustained effort to manage third-party risk.
What are the top challenges to manufacturers? A recent white paper by the World Economic Forum identifies three types of cybersecurity challenges for companies in the manufacturing sector: technical, organisational, and regulatory.
Organisational challenges rank as the top obstacle
For many stakeholders, the key roadblock to establishing cyber resilience is the gap between enterprise and industrial environments. This involves managing different mindsets across departments and functions, as well as being aware of the different goal-setting within individual teams.
Different priorities in IT and OT teams
With the increased confluence between IT and operational technology (OT) within manufacturing organisations, stakeholders are often confronted with different ways of approaching cybersecurity. This is not purely a mindset issue: gaps in understanding each other’s priorities translate into incomplete strategies, a lack of unified governance, and bottlenecks in cross-functional collaboration.
Added to this is the lack of a formal IT/OT consolidation strategy. In practice, this means that a robust and unified cybersecurity strategy cannot be implemented across the entire organisation. Discrete measures are not backed by a strategy, and cybersecurity know-how often remains stuck in silos.
Unclear responsibilities and lack of internal know-how dampen the success of cybersecurity strategies
Even at large manufacturing companies, responsibilities within IT departments may not be clear. It is common for an IT manager to juggle several different types of responsibilities, with cybersecurity being just one of many areas and with no true ownership in place. Best practices such as the segregation of duties often get ignored as IT professionals switch between a variety of tasks.
The lack of dedicated cybersecurity expertise and internal know-how is a further roadblock. Like other sectors, manufacturing is struggling to find and retain talent. The talent shortage is especially severe because of the unique technical expertise required in the sector: companies are finding it difficult to attract talent with expertise in both manufacturing and cybersecurity.
Lack of a comprehensive, company-wide cybersecurity governance framework
Because of the complex and multilayered structure of manufacturing companies, cybersecurity governance is often fragmented. For many, decision-making is localised at the level of the individual manufacturing site. There are no company-wide policies in place that everyone can follow in the event of a cyber attack or any other major IT security incident.
Also, cybersecurity awareness programmes may not be endorsed across the entire organisation but remain local initiatives. To be effective, security awareness training must be offered across all operational sites and made available to all company functions.
Ultimately, cybersecurity measures should be addressed with the same sense of urgency as questions of employee, workplace, and equipment safety. Keeping company information safe and remaining vigilant should not be dissimilar to wearing protective gear or turning off broadcasting devices around sensitive areas.
Cybersecurity measures should be treated in ways similar to established employee safety practices and should be endorsed across the entire organisation, without exception.
Technical challenges: Increased connectivity in Industry 4.0 contexts, heterogeneous devices, and legacy systems
Complete visibility into all company assets plus a unified framework for the management and control of IT systems and operational technology (OT) are the top prerequisites for a robust cybersecurity strategy. This is where manufacturing companies are struggling. Despite the rise of digitalisation initiatives, the state of heightened connectivity does not necessarily translate into enhanced security measures.
High device visibility and connectivity introduced by state-of-the-art technologies
For many manufacturers, legacy equipment coexists with multiple other connected assets. The increased convergence of IT and OT has created environments that enable immediate insight into every asset—from machines on the shop floor to advanced machine learning algorithms in the cloud. Yet these environments often remain vulnerable to cybercriminals.
New technologies come with unexpected complexities and introduce unknown risks. The increased adoption of industrial Internet of Things (IIoT) products, with the possibility of rolling out ML algorithms developed in the cloud directly on edge devices, offers unique opportunities for manufacturers—both in terms of increased operational efficiency and faster insight generation. Yet they also mean greater attack surfaces and introduce new attack vectors.
Legacy industrial control systems
Even more alarming are legacy industrial control systems and OT with only partial visibility, limited support and no robust access management. Due to the high replacement costs, many of these systems remain in use. They cannot, however, be adapted to contemporary cybersecurity standards, and therefore remain a standing vulnerability.
Increased reliance on open-source technology and third-party software products
Many manufacturing processes and key applications involve the use of third-party software intended to increase operational efficiency and raise quality assurance standards. Such software products hold the promise of increased interoperability between systems and assets, and they deliver critical capabilities that help manufacturers gain a competitive edge. Yet this high connectivity, again, calls for extra vigilance and a focused effort to improve the security posture.
Further, a large portion of the available solutions involve open-source software, making it even more difficult to control and verify security standards. What do the experts recommend?
Complex regulatory challenges within the EU
Manufacturing organisations are subject to multiple regulations and industry standards on data protection and cybersecurity. A decentralised organisational setup and highly fragmented, regional regulatory requirements make it difficult for manufacturers to maintain a unified strategy.
The Cyber Resilience Act (CRA)
At the EU level, new and complex regulations such as the Cyber Resilience Act (CRA) introduce mandatory cybersecurity measures for companies manufacturing hardware and software products that contain a digital component. The CRA entered into force on December 10, 2024 and covers the entire lifecycle of such products. Compliant products will bear the CE marking.
With the CRA, the EU aims to address the inadequate cybersecurity levels in products and the lack of consistent security updates for software. The goal is to make it easier to identify which hardware and software products have cybersecurity features in place. For manufacturers, these cybersecurity measures are mandatory and will have an impact on product planning, design, development, and maintenance. Certain products of critical relevance will undergo additional third-party assessment before they can enter the EU market.
The CRA is based on the EU Cybersecurity Strategy (2020) and the EU Security Union Strategy. It supplements the NIS2 Directive. Manufacturing companies under the CRA have until December 11, 2027 to meet their obligations.
The updated Network and Information Security (NIS2) Directive
NIS2 and CER additionally classify certain manufacturing industries as “essential entities”. To mitigate the risks and impact of incidents for the recipients of their services, these manufacturers must adopt a focused approach to managing their cybersecurity posture.
The NIS2 Directive is the EU-wide legislation on cybersecurity and aims to achieve a high common level of cybersecurity across the EU. It came into force in 2023 to modernise the existing cybersecurity framework in light of the evolving threat landscape and the high level of digitalisation within Member States.
To ensure higher levels of cyber resilience and improved incident response capacities, NIS2 expanded its scope to new sectors and entities. The aim is to establish a culture of security across sectors vital for the economy, whereby companies identified as “essential” or “important” (such as manufacturing) are required to adhere to NIS2. These companies must take a specific set of security measures and comply with the notification requirements under the Directive.
For more information, see our article “NIS2: How the New EU Cyber Law Protects Your Business” and visit our NIS2 resource center.
The Critical Entities Resilience (CER) Directive
The Critical Entities Resilience Directive entered into force on January 16, 2023. The CER Directive covers eleven sectors and defines critical entities that provide essential societal services to support the economy, preserve the environment, and ensure public health and safety. For these critical entities, the EC has proposed a non-exhaustive list of essential services crucial for the maintenance of a functioning society, broadly conceived. These critical entities will be subject to heightened cybersecurity requirements.
Of these, the sector relevant here is “Production, processing and distribution of food”, which includes manufacturers specialising in large-scale industrial food production and processing, food supply chain services, and food wholesale distribution services.
Conclusion and outlook
From ransomware to vulnerabilities in legacy systems and supply chain complexities, the risks to manufacturers are real. To build resilience, companies in the sector are advised to adopt a systematic approach and focus on practical, actionable steps. This includes creating cybersecurity governance frameworks, improving collaboration between IT and OT departments, and ensuring employees receive cyber awareness training.
In 2025, compliance with regulations such as the Cyber Resilience Act and NIS2 will become increasingly relevant. These laws set clear requirements for cybersecurity practices, making it essential for manufacturers to integrate these standards into their operations early.
Investing in robust endpoint protection and incident response capabilities can provide an added layer of defence. Managing third-party risk and securing partnerships with trusted cybersecurity providers are important steps to reducing exposure.
Get in touch to find out how we can help you improve your security posture.