Cyber attacks can be devastating to manufacturers. They disrupt supply chains, lead to downtime, and result in lost productivity and reputational damage. They may even endanger the physical safety of employees. Once important equipment is compromised, a manufacturing site may experience anything from a production standstill to fire damage and accidents on the shop floor. Read on to find out more about the top cyber threats for manufacturers in 2025 and what to do about them.
Ransomware attacks on industrial companies rose by nearly 50% in 2023, with 71% of attacks directed at manufacturers. That year, ransomware payments reached $1.1bn (EUR 1.05bn), with ransomware attacks on industrial infrastructures doubling in number.
Why are manufacturing companies such an attractive target? The combination of digitalisation, data availability, IT and OT, and relatively low cyber maturity levels compared to other sectors creates ideal conditions for threat actors seeking to exploit vulnerabilities for financial gain.
Because they are sensitive to downtime, manufacturers are less likely to invest in cybersecurity. For manufacturing companies, even classic precautions such as system updates and patch management may become obstacles to uninterrupted production. Advanced cybersecurity measures may bring entire production lines to a halt or incur great costs when legacy equipment has to be replaced.
At the same time, the interconnected nature of manufacturing brings forth risks that go beyond classic supply chains. The industry is known for its large ecosystems that extend from sensors in the field all the way to AI in the cloud, adding both over-the-air operations and cloud services to the mix. Not only do we have larger attack surfaces and new attack vectors, but we are dealing with more complex networks of dependencies.
#1 Ransomware attacks, including RaaS, rank as the greatest threat
Ransomware groups, that is, organised groups of globally active threat actors, use sophisticated extortion techniques to coerce the targeted companies to pay ransom. The targeted information may be anything from customer data and IP, broadly conceived, all the way to specifically targeted trade secrets and R&D data.
Here, attackers take full control of a target’s critical systems and assets, encrypt sensitive data and demand payment (ransom) in exchange for the encryption keys that will make the data available again. In the so-called double extortion scenarios, threat actors will also exfiltrate the data in addition to encrypting it. In other instances, the attackers may steal company data and blackmail an organisation, threatening to disclose the information to the public.
An evolving form of ransomware, RaaS, or Ransomware-as-a-Service, is now widely spread through open-source tools and services such as RansomHub, Farnetwork, and Kryptina.
According to ENISA’s most recent Threat Landscape report, LockBit, Cl0p and PLAY are the top ransomware strains used in RaaS attacks, with LockBit accounting for nearly half of the reported incidents.
Throughout 2024, the industrial and manufacturing sectors have remained “the most frequent, high-impact victims”, according to the report. Within Europe, LockBit, 8Base and Cl0p are the top RaaS groups, accounting for both the greatest number of ransomware attacks and the most complex ones. Of these, LockBit and 8Base are explicitly focusing on manufacturing companies.
#2 Social engineering attacks
Social engineering exploits human error to gain access to sensitive information or a financial incentive. The goal is to make employees perform certain actions that will grant threat actors access to personal data, passwords, bank accounts, or credit card numbers. Typically, threat actors impersonate an authority figure and create fabricated messages that require the targeted employee to act fast.
Attackers are using increasingly sophisticated techniques, including open-source information gathering (OSINT) aided by open-source generative AI, to craft alarmingly convincing customised messages. These lure employees into clicking on a link or opening an infected file.
Threat actors may target specific individuals and include contextual information that makes it difficult to differentiate scams from legitimate communication, or they may use AI automations to send out bulk messages to an arbitrary list of harvested emails. Recent cases of Business Email Compromise (BEC), for instance, use existing email chains to gain credibility and coerce targeted employees into performing certain actions.
Cloud credentials theft, that is, the misuse of cloud-specific credentials and cloud account takeovers, has escalated over the past year, making a case for increased vigilance around identity-based attacks. The top three targeted brands in Q4 2023 were Microsoft (33%), Amazon (9%), and Google (8%). Q1 2024 saw an increase in social engineering cases related to LinkedIn (11%).
#3 Supply chain attacks
In these cyberattacks, threat actors seek to compromise the interactions between manufacturing organisations and their suppliers. The techniques here are varied, ranging from classic social engineering attacks via malware to brute-force attacks and exploitation of software vulnerabilities due to poor patch management.
Supply chain attacks are known to target update mechanisms or seek to compromise the open-source software supply chain, embedding malware in files or luring developers into using compromised software.
Specifically, supply chain attacks involving open-source technology are on the rise. Notable incidents in 2024 include the 3CX case whereby backdoor code was introduced in an open-source project and was only discovered because of CPU spikes resulting from the backdoor.
Another case is related to a series of suspicious, seemingly unrelated emails to the OpenJS Foundation, which led the OpenJS Foundation and the Open Source Security Foundation to issue an official call to all open-source maintainers to protect their projects.
According to recent ENISA data, the sectors most affected by supply chain attacks were digital infrastructure (8%), manufacturing (6%), and business services (8%).
#4 Insider threat attacks
In this type of attack, an employee’s authorised access is used to appropriate sensitive data and ultimately harm the organisation by compromising the confidentiality and integrity of that data.
Typical forms of insider threat attacks are intellectual property theft and cyber espionage. Both forms of attack can lead to customer or business data being exposed, competitors gaining an unfair advantage, or even, in extreme cases, to the manufacturing company losing its standing on the market.
Intellectual property theft can extend to R&D assets such as innovative products or materials, business processes or product design. Without the necessary cybersecurity measures in place, companies may not even realise that the integrity of their data has been compromised and that intellectual property theft has occurred.
Nation-state-sponsored attacks add a further layer of complexity. Here, cyber espionage is the most common concern. Manufacturers may become the target of nation-states seeking to disrupt the economy of a given country or obtain trade secrets that may give them a global competitive advantage. Because of long supply chains and multiple business partnerships, manufacturers are easy targets here.
#5 Denial of service (DoS) or distributed denial of service (DDoS) attacks
(Distributed) denial of service (DDoS) attacks target system availability and the availability of data. Essentially, they flood the target’s network with traffic until the target cannot respond or crashes. The tactic prevents legitimate users from accessing the systems, devices, data, or other company assets.
The DDoS trend is attributed to the comeback of hacktivism targeting EMEA and EU member states as well as the availability of DDoS-for-hire tools and services significantly reducing the effort of launching and executing DDoS attacks. According to the ENISA Threat Landscape 2024 report, DDoS attacks are also increasingly used as a smokescreen to cover other attacks.
Cloud computing environments are becoming a popular attack vector that allows for the execution of advanced DDoS attacks. Of relevance for manufacturers here is the growing trend towards mobile and sensor-based scenarios.
Another widespread form is Ransom Denial of Service (RDoS), a financially motivated form of a DDoS attack whereby threat actors identify vulnerable systems to carry out extortion-based DDoS attacks that ultimately result in demands to pay ransom.
All in all, ENISA identifies the following trend: attacks are becoming less expensive, easier to execute, larger in scale, and more complex, as in the example of the so-called multi-vector DDoS attacks. Reasons for this are the increased use of highly available dual-use open-source technology, the rise of generative AI, and the widespread adoption of scalable cybercrime-as-a-service offerings.
Conclusion and outlook
It is time for manufacturers to move beyond traditional security measures and adopt proactive, multi-layered defence strategies. As threat actors are getting better, faster, and smarter, manufacturers must integrate cybersecurity into their business continuity plans. A cybersecurity investment means safeguarding operations, intellectual property, and reputation. The ability to anticipate, detect, and respond to threats can be the difference between staying in business and shutting down. This is where Eye Security steps in with 24/7 MDR with IR, expert guidance, and integrated cyber insurance. Reach out to get all the details.