Cybercriminals have discovered a trick that will help them become even richer. Attacking a company's core business operations instead of its peripheral systems like credit card databases generates the highest ransom payments. Think of it this way: When production lines grind to a halt, manufacturers will pay almost anything to get things back up and running to avoid cascading supply chain disruptions.
The risk-reward calculation is particularly attractive because manufacturing attacks generate less government scrutiny or police and FBI investigation than targeting critical infrastructure like power plants.
This stark reality explains why manufacturing has become the second most targeted industry globally, experiencing an exponential increase in cyberattacks. High financial incentives for attackers, relatively low enforcement risk and rapidly expanding attack surfaces through connected systems create a perfect storm. For four years in a row, manufacturing has been the number one industry targeted by cyberattacks. With 91% of organizations planning to adopt new technologies over the next 12 months, this threat is only intensifying.
Manufacturing: The new training ground
Beyond financial motivations, manufacturing is becoming a proving ground for hacker groups and individual cybercriminals. This also represents a fundamental shift in attackers' motivation, knowledge and understanding of the OT environment. A decade ago, there was no virus, no malware, no education and no information. Today you can download malware to attack a standard IT or OT system.
The evolution is evident in our botnet monitoring, where we saw the U.S. overtake China as the primary source of compromised devices for the first time since 2022. Mirai variants are driving IoT botnet activity spikes, with attackers commonly using default credentials to target privileged accounts.
Although it’s mainstream, digital transformation in manufacturing remains a double-edged sword. Factories depend on connected IT, IoT and OT systems, including industrial control systems (ICS), to drive efficiency and maintain a competitive edge. The result is a complex set of interdependent networks that increase productivity, but also introduce cyber risk. After years of analyzing operational technology threat trends, our data shows that network Denial of Service attacks account for 17.7% of incidents, followed by Denial of Service attacks targeting response functions at 17.6%, all tactics designed to cripple production lines and force ransom payments.
The hidden wireless vulnerability
Our global sensor network shows that manufacturing's digital transformation has also introduced massive wireless blind spots. Most organizations confidently state, "there's no wireless here," yet our telemetry reveals Bluetooth communications from more than 50 different device manufacturers, including Samsung, Apple and Intel, operating across monitored industrial environments.
Even more concerning, 83% of wireless networks lack Management Frame Protection (MFP), a critical security feature. Without MFP, attackers can exploit well-known techniques to disconnect devices, impersonate access points, or interfere with wireless traffic without breaking encryption.
The authentication landscape is equally vulnerable, with 95% of Wi-Fi networks relying on shared passwords rather than enterprise-grade authentication methods. This eliminates user attribution and hampers incident response when breaches occur. Our endpoint telemetry also reveals concerning trends. USB-based threats account for 18.08% of endpoint security alerts, with 10.5% involving clearly malicious devices. These physical attack vectors are particularly dangerous in OT environments where endpoints are physically accessible and security agents may be absent.
Attackers are also exploiting legitimate tools for malicious purposes. PowerShell-based download detection rules were triggered nearly 50,000 times in the first half of 2025, highlighting how adversaries use trusted system utilities to blend in with routine activity.
While six of the top 10 CVEs affecting customer environments have high-risk CVSS scores of 8.8, only 10% of critical vulnerabilities fall into the highest exploitation probability tier, suggesting that strategic, risk-based prioritization can be more effective than attempting to patch everything.
Immediate actions manufacturing leaders must take
OT engineering and SecOps teams must work together to transform operations while ensuring business continuity and cyber resilience. Based on current threat intelligence, manufacturing organizations should prioritize these essential steps:
- Audit wireless infrastructure immediately. Conduct comprehensive wireless security assessments to identify the networks lacking MFP protection. Implement enterprise-grade authentication methods to replace shared password systems that eliminate user accountability.
- Strengthen credential management. Change all default passwords immediately, particularly for privileged accounts like root and admin that attackers commonly target. Implement multi-factor authentication across all systems.
- Monitor physical access points. Deploy USB device monitoring and controls, given that nearly one in five endpoint alerts involve USB-based threats. Establish clear policies for removable media usage in operational environments.
- Implement behavioral monitoring. Deploy solutions that detect anomalous behavior rather than relying solely on signature-based detection. Focus on identifying legitimate tools being misused for malicious purposes.
- Adopt risk-based vulnerability management. Prioritize vulnerabilities based on both severity scores and exploitation probability rather than attempting to patch everything. Focus resources on the 10% of critical vulnerabilities most likely to be exploited.
- Segment networks strategically. Separate IT, OT and IoT systems to contain potential breaches. Ensure that wireless networks cannot provide direct access to critical operational systems.
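An added example, not part of the original article: a Python check for the wireless audit step above. It reads the RSN element that access points advertise in beacons and flags networks that lack MFP or rely on shared-password authentication. The sample elements and SSIDs are constructed, and counting SAE alongside PSK as a shared password is an assumption of this example.

```python
RSN_ID, OUI = 48, b"\x00\x0f\xac"           # RSN element ID; IEEE 802.11 suite OUI
AKM_NAMES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
             5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE", 9: "FT-SAE"}
SHARED_PASSWORD_AKMS = {2, 4, 6, 8, 9}       # assumption: PSK and SAE families

def _suites(body, off):  # 2-byte LE count, then that many 4-byte suite selectors
    if off >= len(body):                     # optional field absent
        return [], off
    n = int.from_bytes(body[off:off + 2], "little")
    end = off + 2 + 4 * n
    if off + 2 > len(body) or end > len(body):
        raise ValueError("truncated suite list")
    return [body[i:i + 4] for i in range(off + 2, end, 4)], end

def audit_rsn(ie):
    """Report AKM names, MFP state and shared-password use for one RSN element."""
    if len(ie) < 2 or ie[0] != RSN_ID or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete RSN element")
    body = ie[2:2 + ie[1]]
    if len(body) < 2 or int.from_bytes(body[:2], "little") != 1:
        raise ValueError("unsupported RSN version")
    _, off = _suites(body, 6)                # skip version + group cipher, read pairwise list
    akm_suites, off = _suites(body, off)
    caps = int.from_bytes(body[off:off + 2], "little") if off + 2 <= len(body) else 0
    akms = [s[3] for s in akm_suites if s[:3] == OUI]
    mfp = "required" if caps & 0x40 else "capable" if caps & 0x80 else "none"
    return {"akm": [AKM_NAMES.get(t, f"type-{t}") for t in akms], "mfp": mfp,
            "shared_password": any(t in SHARED_PASSWORD_AKMS for t in akms)}

# Constructed RSN elements (not captured traffic), keyed by made-up SSIDs.
SAMPLES = {
    "plant-floor": bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac02 0000"),
    "office-ent": bytes.fromhex("3014 0100 000fac04 0100 000fac04 0100 000fac05 c000"),
    "wpa3-transition": bytes.fromhex("3018 0100 000fac04 0100 000fac04 0200 000fac02 000fac08 8000"),
}

def findings(samples):
    """Return {ssid: [issues]} for networks that need follow-up."""
    out = {}
    for ssid, ie in samples.items():
        r = audit_rsn(ie)
        issues = ["no MFP"] if r["mfp"] == "none" else []
        if r["shared_password"]:
            issues.append("shared password: " + "/".join(r["akm"]))
        if issues:
            out[ssid] = issues
    return out

if __name__ == "__main__":
    print(findings(SAMPLES))
```

In the RSN capabilities field, bit 6 marks MFP as required and bit 7 marks the network as MFP-capable; a network that is only "capable" still admits clients that do not protect management frames.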
The challenge ahead requires OT engineering and SecOps teams to collaborate more closely than ever before. When a manufacturer is compromised, it's not just a company website that might be taken down, but an entire supply chain, which makes proactive defense and integrated security measures essential from day one.

