Shining a light on cyber threats hiding on the plant floor

Dragos

By Nicholas Tangey*
Friday, 10 April, 2026



Each year we analyse threat data from across the industrial sector and publish what we find. In 2025 one pattern stands out: manufacturing remains the most targeted industrial sector for ransomware. Unfortunately, too many incidents are still treated as IT problems rather than OT issues, even though they have direct operational consequences.

The Dragos 2026 OT/ICS Cybersecurity Report tracked 119 ransomware groups targeting industrial organisations last year, a 49% year-on-year increase, affecting approximately 3300 organisations globally. Manufacturing bore roughly two-thirds of that volume, around 2200 victims.

These figures are alarming, but understanding why manufacturing is such an attractive target points toward practical action.

The connectivity factor

As the backbone of the global economy, manufacturing has transformed over the past decade. Digital transformation, automation, and remote operations have improved efficiency and competitiveness — but also expanded the attack surface.

Modern facilities rely on increasingly connected, often standardised systems. Where facilities once ran isolated proprietary equipment, they now use shared network infrastructure and enterprise systems tightly linked to production. As a result, an incident in an enterprise system can cascade into operational disruption. A compromised supplier or vendor connection can become an entry point across multiple sites.

Our field data reflects this. Manufacturing environments have the highest rate of shared IT and OT network domains of any sector we assess, at 46%. While this integration is often necessary, it requires security architectures designed to prevent adversaries from exploiting those pathways.

What adversaries are actually doing

The threat landscape in 2025 showed not only higher volume but greater sophistication. Ransomware groups increasingly targeted virtualisation infrastructure — hypervisors and virtual machines hosting SCADA systems, historians and HMI platforms critical to operations.

Because engineering workstations and HMIs often run on Windows, attacks are frequently classified as IT incidents. Yet the consequences — halted production, loss of process visibility, and complex recovery requiring OT expertise — are operational. Organisations that respond using only IT playbooks typically recover more slowly and less completely.

We also observed extensive operational data theft. Threat actors exfiltrated information on how industrial processes are controlled and monitored — activity that indicates preparation rather than immediate disruption. Understanding system configurations allows adversaries to develop more advanced future attacks.

Supply chains add another layer of risk. Threat groups deliberately targeted OT equipment suppliers, using compromised vendors as pathways into customer environments. Any facility relying on third-party remote access should treat that as a priority security concern.

The visibility problem

A central challenge in OT cybersecurity is determining what happened when something goes wrong. On the plant floor, operators often cannot distinguish between mechanical failure, configuration error and a cyber incident, because the necessary monitoring data simply does not exist.

This is not negligence; it reflects how OT systems were designed. Industrial systems prioritise uptime and reliability, not security telemetry. Many are legacy platforms never intended to produce detailed logs. Consequently, incident response often means reconstructing events from incomplete evidence — precisely when clarity is most needed.

A practical path forward

Effective OT cybersecurity does not require solving everything at once. The SANS Institute's five critical controls for OT cybersecurity provide a practical framework: develop an ICS-specific incident response plan; implement a defensible architecture with segmentation; gain visibility into OT networks; secure remote access; and apply risk-based vulnerability management.

Importantly, vulnerability management in OT differs from IT patching. Many industrial systems cannot be routinely taken offline. Prioritising vulnerabilities based on real operational exposure is more effective than applying standard IT timelines.
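One way to put risk-based prioritisation into practice is to score each finding by where the affected asset is reachable from, whether a remote-access path leads to it, what process it controls and whether a compensating control already exists, rather than by CVSS score and an IT patch deadline alone. The following is an added illustration, not Dragos's method or any assessment tool's logic; the asset names, weights, thresholds and findings are constructed.

```python
"""Risk-based prioritisation of OT vulnerability findings (added example).

Scores a finding by operational exposure rather than CVSS alone. The
weights, thresholds, asset names and findings below are constructed
assumptions for illustration, not values from any real programme.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    asset: str
    cvss: float               # vendor/NVD base score, 0-10
    exposure: str             # "internet", "it_domain" (shared IT/OT domain) or "ot_only"
    remote_access_path: bool  # reachable through a vendor or remote-access system
    criticality: int          # 1 (nice to have) .. 5 (process- or safety-critical)
    mitigated: bool           # compensating control in place (e.g. segmentation rule)
    can_patch_online: bool    # patchable without stopping production


# Assumed weights: reachability from outside the OT network dominates.
EXPOSURE_WEIGHT = {"internet": 1.0, "it_domain": 0.7, "ot_only": 0.3}


def priority_score(f: Finding) -> float:
    """Return a 0-10 priority: CVSS scaled by exposure, access path, criticality and mitigation."""
    score = f.cvss * EXPOSURE_WEIGHT[f.exposure]
    if f.remote_access_path:
        score *= 1.25                      # remote-access paths are the common entry route
    score *= 0.6 + 0.1 * f.criticality     # 0.7 (low) .. 1.1 (process-critical)
    if f.mitigated:
        score *= 0.5                       # an existing control buys time
    return round(min(score, 10.0), 2)


def recommended_action(f: Finding) -> str:
    """Map the score to an action that respects the plant's outage constraints."""
    s = priority_score(f)
    if s >= 7.0:
        return "patch now" if f.can_patch_online else "mitigate now, patch at next outage"
    if s >= 3.0:
        return "patch at next maintenance window"
    return "monitor"


# Constructed findings for a fictional site.
FINDINGS = [
    Finding("PLC-line3", 9.8, "ot_only", False, 5, False, False),
    Finding("EWS-01", 7.5, "it_domain", True, 3, False, True),
    Finding("historian", 8.8, "internet", True, 2, False, True),
    Finding("HMI-packaging", 8.1, "it_domain", True, 4, True, False),
]


def triage(findings=FINDINGS):
    """Return (asset, score, action) tuples, highest operational risk first."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.asset, priority_score(f), recommended_action(f)) for f in ranked]


if __name__ == "__main__":
    for asset, score, action in triage():
        print(f"{asset:<15} {score:>5}  {action}")
```

Note how the internet-reachable historian with a lower CVSS outranks the isolated PLC with a 9.8: the ordering follows exposure, and the action for assets that cannot be patched online is a compensating control now and a patch at the next planned outage.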

Remote access remains a major weakness. Most ransomware response cases Dragos handled in 2025 involved compromised VPNs or remote access systems, through vulnerabilities or stolen credentials. Strengthening controls, including multi-factor authentication and strict governance of third-party access, directly addresses the most common attack pathway.
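A simple check that follows from this paragraph is to review remote-access authentication logs for successful logins that completed without MFA and for third-party accounts connecting outside an approved access window. The code below is an added example, not Dragos's tooling; the log format, account names, addresses and policy window are constructed, and a real deployment would parse the VPN or remote-access gateway's own log format instead.

```python
"""Review remote-access authentication logs for weak-control indicators (added example).

Flags successful logins without MFA and vendor logins outside an approved
window. The log line format, accounts, addresses and window are constructed.
"""
import re
from datetime import datetime

# Assumed (constructed) log line format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

# Constructed policy: a vendor account may only connect inside a window
# that a plant engineer has explicitly opened for that job.
VENDOR_WINDOWS = {
    "vendor-acme": ("2025-06-03T08:00:00", "2025-06-03T12:00:00"),
}

# Constructed sample log (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2025-06-03T07:55:10 vpn auth user=j.smith src=203.0.113.5 mfa=yes result=success
2025-06-03T08:12:44 vpn auth user=vendor-acme src=198.51.100.7 mfa=yes result=success
2025-06-03T02:13:02 vpn auth user=vendor-acme src=198.51.100.9 mfa=yes result=success
2025-06-03T09:30:00 vpn auth user=svc-historian src=203.0.113.40 mfa=no result=success
2025-06-03T09:31:15 vpn auth user=vendor-other src=198.51.100.20 mfa=no result=failure
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def review(log_text, windows=VENDOR_WINDOWS):
    """Return (kind, user, timestamp) alerts for successful logins that violate policy."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue  # only completed sessions represent access
        if ev["mfa"] == "no":
            alerts.append(("no_mfa", ev["user"], ev["ts"]))
        if ev["user"].startswith("vendor-"):
            window = windows.get(ev["user"])
            if window is None:
                alerts.append(("vendor_without_window", ev["user"], ev["ts"]))
            else:
                start, end = (datetime.fromisoformat(w) for w in window)
                if not (start <= ev["ts"] <= end):
                    alerts.append(("outside_window", ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, user, ts in review(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:<22} {user}")
```

Two of the five constructed lines produce alerts: the vendor login at 02:13 is outside its approved window, and the service account logged in without MFA. The failed vendor-other attempt is skipped because it never became a session; counting failures per account is a separate check.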

Manufacturing leaders understand the value of visibility in their operations. The same principle applies to OT cybersecurity. Knowing what is running on operational networks, how systems communicate, and where anomalies occur is foundational. Without that visibility, both defence and recovery become far more difficult.

The 2025 data makes the case clearly: adversaries have adapted to manufacturing environments, and security programs must evolve. Facilities that treat OT cybersecurity as an operational discipline, not simply an IT function, will be best positioned to withstand future threats.

*Nicholas Tangey is the Senior Manager, Threat Hunting at Dragos, where he manages a team primarily focused on enabling and providing detection, threat hunting, and response services within the OT Watch managed service to monitor and safeguard industrial client environments through threat hunting, security assessments, and IR services.
