    September 3, 2025

    How Manufacturers Can Secure Themselves Against Cyber Threats

    Manufacturers have long understood the urgency around cybersecurity, and with good reason. The industry has now been the most targeted sector for ransomware for four consecutive years. These ransomware attacks don’t just threaten data; they can shutter production lines, disrupt entire supply chains, and inflict steep financial blowback through ransom payments, revenue losses, and recovery costs.

    At the same time, the cybersecurity talent gap continues to grow. The World Economic Forum estimates that 4 million cybersecurity professionals are needed today, a number projected to climb to 85 million by 2030. Despite the shortage, manufacturers can still build a strong defense with targeted training, smart tools, and proactive strategy without adding a dedicated security specialist. Let’s look at how manufacturers can strengthen their defenses and, if an attack occurs, the steps they can take to respond quickly and limit the damage.

    Considerations for Securing the Entire Ecosystem

    Small to midsize manufacturing businesses are especially vulnerable to cyber threats. Limited resources, unprotected data, and a higher likelihood of paying ransoms make them attractive targets compared to larger enterprises. Strengthening cybersecurity is not only about protecting systems; it is essential for ensuring product safety, maintaining quality standards, and keeping operations running smoothly. A strong foundation includes implementing stringent controls across critical environments such as industrial control systems (ICS), operational technology (OT), and enterprise resource planning (ERP) systems to reduce vulnerabilities.

    With a comprehensive risk management strategy, manufacturers can protect customers, ensure operational continuity, safeguard intellectual property, and maintain fiscal responsibility. However, even with the best preventive measures, the possibility of a cyberattack remains. Manufacturers must be ready to detect risks early and respond effectively when incidents occur.

    Warning Signs of Ransomware

    Timing is critical when assessing cyber threats in manufacturing. Early detection is the most effective way to prevent ransomware from disrupting production, supply chains, and intellectual property. Fortunately, even lean IT teams can put strong monitoring in place without a dedicated cybersecurity specialist. In manufacturing, common warning signs of a ransomware attack include:

    • OT network anomalies: Unusual activity on network segments that control machinery, production lines, or ERP systems.
    • Suspicious network traffic: Unusual traffic that may indicate external data access or other malicious activity.
    • Unexpected data transfers: Data transfers originating from SCADA systems or other critical OT components that you did not expect.

    Consider a scenario in which a manufacturer sees a sudden spike in network traffic late at night, when production lines are typically idle. This anomaly could indicate an unauthorized party attempting to transfer data or conducting other malicious activities. Other red flags include unauthorized administrative activities, such as unexpected software installs or sign-ins from unusual locations or unfamiliar devices.
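
One way to turn the late-night traffic scenario into a check, as an added example that is not from the original article: the script flags hosts on an OT segment whose outbound traffic to external addresses during idle hours far exceeds their normal hourly volume. The subnets, idle window, spike factor, and flow records are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Assumed values for this example; replace with your own subnets and shift times.
OT_SEGMENTS = [ip_network("10.20.0.0/16")]  # hypothetical SCADA/PLC subnet
INTERNAL = [ip_network("10.0.0.0/8")]       # anything else counts as external
IDLE_HOURS = {22, 23, 0, 1, 2, 3, 4}        # production lines idle 22:00-04:59
SPIKE_FACTOR = 5                            # multiple of normal hourly egress

# Constructed sample flow records: timestamp, source, destination, bytes.
SAMPLE_FLOWS = """\
2025-09-01T09:10:00,10.20.1.15,203.0.113.10,40000
2025-09-01T13:30:00,10.20.1.15,203.0.113.10,52000
2025-09-02T02:05:00,10.20.1.15,198.51.100.7,900000
2025-09-02T02:20:00,10.20.1.15,198.51.100.7,1200000
2025-09-02T02:40:00,10.20.1.15,10.20.1.1,5000000
2025-09-02T03:15:00,10.30.4.8,198.51.100.7,3000000
2025-09-02T23:10:00,10.20.2.9,203.0.113.10,30000
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def find_idle_hour_spikes(flow_csv):
    """Return (src, hour, bytes) for OT hosts whose external egress in an idle
    hour exceeds SPIKE_FACTOR times their median active-hour egress."""
    hourly = defaultdict(int)  # (src, hour bucket) -> bytes sent to external hosts
    for ts, src, dst, nbytes in csv.reader(io.StringIO(flow_csv)):
        if in_any(ip_address(src), OT_SEGMENTS) and not in_any(ip_address(dst), INTERNAL):
            bucket = datetime.fromisoformat(ts).replace(minute=0, second=0)
            hourly[(src, bucket)] += int(nbytes)
    baseline = defaultdict(list)  # src -> hourly totals seen during active hours
    for (src, bucket), total in hourly.items():
        if bucket.hour not in IDLE_HOURS:
            baseline[src].append(total)
    alerts = []
    for (src, bucket), total in sorted(hourly.items()):
        if bucket.hour in IDLE_HOURS:
            # A host with no active-hour history is flagged on any idle-hour egress.
            normal = median(baseline[src]) if baseline[src] else 0
            if total > SPIKE_FACTOR * normal:
                alerts.append((src, bucket.isoformat(), total))
    return alerts

if __name__ == "__main__":
    print(find_idle_hour_spikes(SAMPLE_FLOWS))
```

Traffic that stays inside the internal range and traffic from hosts outside the OT segment are ignored here, so the same records would need separate rules to cover lateral movement or IT-side exfiltration.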

    Recognizing these warning signs is crucial for early detection and prompt response, preventing minor breaches from turning into major incidents. However, if an attack does occur, act quickly to mitigate damage and begin recovery.

    What to Do in the Event of an Attack

    If hackers strike, manufacturers should take these critical steps to prevent significant damage and begin the recovery process:

    1. Isolate impacted systems: Identify and isolate compromised systems from the network, including production machinery, assembly lines, SCADA, OT networks, and ERP software. If isolation is not possible, shut them down to prevent further spread.

    2. Create an incident document: Maintain and update a document to log discoveries and affected systems, such as computer numerical control (CNC) machines, robotic systems, or programmable logic controllers (PLCs). Use it to coordinate response efforts across the team.

    3. Examine detection systems: Review antivirus, endpoint detection and response (EDR), security information and event management (SIEM), and intrusion prevention system (IPS) tools for signs of compromise, including newly created accounts or indications of persistence mechanisms. This process should include checking logs from ICS and OT monitoring tools.

    4. Report the incident: Contact agencies, such as the US Cybersecurity and Infrastructure Security Agency (CISA), your security vendors, the FBI, or the US Secret Service. Additionally, inform relevant industry groups or associations that can provide guidance and support.

    5. Coordinate communication: Work with communications staff to ensure accurate information is shared internally and externally, according to corporate guidelines. Use non-standard communication methods (e.g., phone calls and encrypted messaging apps) to avoid alerting attackers. Notify key stakeholders, including suppliers and customers, about potential impacts on production schedules.

    6. Rebuild and restore systems: Prioritize critical systems and restore manufacturing operations first, including manufacturing execution systems (MES), human-machine interfaces (HMI), and other essential production control systems. Issue password resets for affected accounts and restore data from offline encrypted backups to ensure the integrity and availability of production data.

    7. Document lessons learned: After containment and recovery, document your insights and update organizational policies, plans, and procedures accordingly. Conduct a post-incident review to identify gaps in the response and improve resilience against future attacks. Include lessons learned about specific manufacturing processes and impacted technologies.

    Manufacturing teams know the urgency required to address cybersecurity threats. By recognizing warning signs early, responding quickly, and strengthening security posture, manufacturers can protect themselves against the growing wave of attacks, allowing the industry to build resilience and ensure the continuity of critical manufacturing processes.

    Matthew Warner

    Matthew Warner is Chief Technology Officer (CTO) and co-founder of Blumira. Matt brings nearly two decades of IT and cybersecurity experience to his leadership position, and a genuine passion for cybersecurity education. Prior to founding Blumira, he was Director of Security Services at NetWorks Group, a managed...
