Extracted from Law360
The manufacturing industry continues to be one of the most highly targeted industries by cybercrime actors as witnessed by headline after headline.
From the 2021 ransomware attacks on Colonial Pipeline Co. to the more recent cyberattack on the giant steel company Nucor Corp in May of this year, these attacks highlight the figurative bullseye on the backs of manufacturing companies.
In fact, the government has released a number of operational technology-specific cyber alerts, highlighting the cyber threats to manufacturing companies.
These alerts include a May 6 report by the Cybersecurity and Infrastructure Security Agency, the Federal Bureau of Investigation, the U.S. Environmental Protection Agency and the U.S. Department of Energy underscoring the growing threat landscape targeting various manufacturing entities within the U.S.[1]
These attacks reverberate across the global supply chain, both downstream and upstream, exacerbated by the growing attack surface created by the convergence of information technology and operational technology, or OT, environments.
Recent government advisories and alerts highlight an increase in cyberattacks affecting OT and industrial control systems, or ICS, affecting the manufacturing sector as a whole.
Manufacturing companies' infrastructure uniquely comprises both IT and OT. OT, the hardware and software used to detect, monitor and control physical devices, processes and systems in industrial environments, is distinct from IT in that it directly interacts with the physical world, e.g., robotic arms assembling car parts, whereas IT systems manage data and digital processes — e.g., email servers, databases and business applications.[2]
Notably, manufacturing's infrastructure calls for tailored cybersecurity controls, policies and incident response protocols, and introduces legal risks that require careful attention. To help navigate this complex and fast-evolving threat landscape, here are five key things that manufacturing companies' general counsel should be thinking about.
1. The manufacturing sector remains a top target for ransomware actors.
The manufacturing sector remains a top target for ransomware attacks.[3] In 2024, Dragos reported that more than 50% of all observed ransomware victims were in the manufacturing sector,[4] with an 87% increase in ransomware attacks against industrial organizations over the previous year.[5]
While other sectors on average experienced a decrease in ransomware attacks over the last year, the manufacturing sector has experienced a stark increase — according to a Sophos survey of 585 manufacturing companies, 65% of the organizations reported that they were hit by ransomware in 2024, an increase from the previous two years.[6]
Dragos reported that of the ransomware incidents it responded to in 2024, 25% resulted in a complete shutdown of an OT site, and 75% resulted in a partial shutdown.[7]
These operational disruptions can be long-lasting and costly — Sophos reported the mean cost to recover from a ransomware attack in 2024 was $1.67 million, and almost a quarter of manufacturing companies needed more than a month to recover.[8]
Several factors likely contribute to the continued targeting of manufacturing companies by ransomware and criminal threat actors, the primary one being the potential to cause widespread operational disruption and cascading effects across global supply chains.
For instance, imagine a targeted ransomware attack on a major automotive parts manufacturer. If the attack encrypts production data and halts operations for even a few days, the consequences extend far beyond the company itself.
Car manufacturers relying on just-in-time delivery of those parts may be forced to shut down assembly lines, leading to delays in vehicle production, lost revenue and unmet customer demand. Dealerships may face inventory shortages and consumers may experience delays in receiving their vehicles.
Moreover, suppliers upstream may also suffer. Raw-material providers might face order cancellations or delays, while logistics companies could see disrupted schedules and rerouted shipments.
Ultimately, the business disruptions caused by cyberattacks on manufacturing companies aren't confined to the targeted organization; they affect partners, customers and even public infrastructure. The financial impact can be staggering, with losses accumulating across multiple tiers of the supply chain.
2. OT systems are increasingly in scope and within reach for cyber threat actors.
Due in part to the expanding attack surface — driven in large part by the increasing convergence of IT and OT environments and including the incorporation of the Internet of Things into these environments — OT systems are increasingly in scope and within reach for cyber threat actors. The interconnectedness of OT and IT has practical implications during cyber incidents.
While most cyber threats still originate in IT environments, the growing interconnection means access to one domain can now more easily allow access to the other.
Even if only IT systems are infected, and access to the OT environment is uncertain, out of an abundance of caution to contain the cyberattack, companies often bring down the OT systems, especially in environments where IT and OT systems are co-located or share network infrastructure.
Even if OT assets are not directly infected, they may still be taken offline — causing significant operational disruption. Of course, this is in the context of threat actors targeting IT systems; customized malware for OT systems does exist, though it is typically developed by highly sophisticated advanced persistent threat groups with geopolitical motivations, as reported by Dragos.[9]
Compounding this risk, OT is inherently designed to prioritize uptime and production, which leads to persistent online exposure and unpatched vulnerabilities.
As Dragos noted, OT environments must remain operational for safety and production, making it difficult for asset owners to mitigate vulnerabilities as swiftly as in IT environments.
Attackers can use inexpensive, user-friendly tools — often indistinguishable from legitimate ones — to scan networks and identify exploitable assets 24/7. Moreover, many OT devices are incompatible with modern endpoint detection and response tools.
But even if endpoint detection and response tools were compatible, their deployment assumes that assets can be identified and monitored, which is increasingly difficult due to the prevalence of legacy systems running proprietary software on outdated hardware.
Traditional asset management tools, typically designed for IT systems, often lack support for OT-specific protocols, leaving manufacturers with limited visibility into their OT infrastructure.
In fact, the previously referenced May 6 CISA report urged entities to act swiftly to improve their "cybersecurity posture against cyber threat activities specifically and intentionally targeting internet connected OT and ICS."[10]
Notably, between May 6 and June 24, CISA issued 13 alerts covering 88 ICS products, including one noting an increasing number of "unsophisticated cyber actor(s) targeting ICS/SCADA systems within U.S. critical infrastructure sectors (Oil and Natural Gas), specifically in Energy and Transportation Systems."[11]
CISA's alerts provide manufacturing entities with information about vulnerabilities that cybercriminals may exploit and offer ways to protect against their exploitation.
While each alert contains unique mitigation strategies, CISA generally recommends removing ICS connections to the public internet, changing default passwords, segmenting IT and OT networks, and securing remote access to OT networks.
3. Legal notification requirements are evolving.
Companies in most sectors are familiar with reporting requirements when a cyber incident affects personally identifiable information. These obligations have been expanding globally for several years and have traditionally not been seen as a significant burden for companies in the manufacturing sector because of the relative lack of personally identifiable information held.
There's now a trend toward a requirement to report all significant cyber incidents to authorities, regardless of whether personally identifiable information is affected. These increased reporting requirements will affect the manufacturing sector and potentially require compliance uplifts.
An important new law imposing reporting obligations on the manufacturing sector is the EU's Network and Information Security 2 Directive, or NIS2.[12] NIS2 imposes cybersecurity requirements on critical and important manufacturing sectors, including chemicals; food; medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semitrailers; and other transport equipment.
NIS2 requires covered entities to report significant incidents to the competent authority in the relevant EU jurisdiction.
An incident will be considered significant if: It has caused or can cause severe operational disruption of the services, or financial loss for the entity concerned; or it can affect a natural or legal person by causing considerable material or nonmaterial damage.
An early warning notification will need to be made within 24 hours, a notification within 72 hours and a final report not later than 30 days after the notification — unless the investigation isn't complete, in which case, progress reports should be submitted every 30 days until the final report is submitted.
Similarly in the U.S., the proposed rules to be made under the Cyber Incident Reporting for Critical Infrastructure Act will require covered entities to report substantial cyber incidents within 72 hours, and to notify of ransom payments within 24 hours.
India's more expansive regime, which applies regardless of industry or sector, requires that certain cybersecurity incidents be reported to the Indian Computer Emergency Response Team within six hours of discovery.
As countries worldwide increase their regulation of cybersecurity compliance and seek to protect their economies from cyber threat actors, it seems likely that this trend to require reporting of incidents by manufacturers, at least in certain sectors, will continue.
4. Unique challenges abound in strengthening cyber defenses, including in securing OT.
Manufacturing companies can take proactive steps to reduce the likelihood of cyberattacks, limit their attack surface and mitigate potential impacts. Consistent with CISA's alerts, key strategies include network segmentation, maintaining a comprehensive asset inventory that includes IoT and OT, and enhancing visibility into these assets and systems, especially legacy infrastructure.
Network Segmentation
Segmenting networks is a critical defense mechanism that limits lateral movement within systems, making it significantly harder for cybercriminals to access and compromise OT environments. While the convergence of IT and OT systems offers certain operational benefits, it also introduces new risks — particularly because most malware is designed for IT environments.
Isolating OT systems is critical to minimizing the impact of cyber threats, which could be devastating because these systems often control critical infrastructure such as power grids and water treatment facilities. This is easier said than done due to the growing reliance on interconnected technologies and cloud-based platforms.[13]
Asset Visibility
You can't protect what you can't see. Establishing and maintaining a comprehensive, up-to-date inventory of all assets — including OT — is foundational to any effective cybersecurity strategy.
Beyond cataloging assets, organizations can further reduce risk by understanding how these assets interact, assessing their risk profiles and continuously updating the inventory. This visibility enables better prioritization of cybersecurity initiatives and enhances both threat detection and incident response capabilities.
Legacy OT Systems
Legacy systems can present a significant vulnerability, particularly in manufacturing environments. These systems often contain well-documented weaknesses that are publicly known and actively exploited by threat actors.
For example, the Chinese state-sponsored group Salt Typhoon recently executed what Sen. Mark Warner, D-Va., described as "the worst telecom hack in our nation's history," exploiting outdated systems with known vulnerabilities. To mitigate risks to legacy OT systems, manufacturing companies should consider enforcing strong authentication and access controls and isolating/segmenting these systems to the extent feasible.
5. Planning for resilience includes preparing OT systems for cyber threats.
As the saying goes, "failing to plan is planning to fail" — a truth that resonates strongly here because preparation is essential for minimizing cyberattacks' impacts on manufacturing operations.
It's critical to have business continuity plans and ensure that OT systems can be operated manually when appropriate, particularly for manufacturing companies operating critical infrastructure. This capability is vital for restoring operations quickly, as emphasized in the May 6 CISA report, and practicing manual operations can significantly reduce downtime — especially important given that 22% of ransomware victims in the manufacturing sector take over a month to recover.[14]
Because risks and capabilities vary across organizations, generic scenarios are insufficient, and preparation strategies, including tabletop exercises and response plans (both are equally helpful), must be tailored. Companies should consider exercises that reflect the specific operational realities of each entity, including the possibility of complete OT system outages.
Business continuity, disaster recovery and incident response plans should all account for total system unavailability and plan for manual operations or other recovery mechanisms. Regular testing and customization of these plans can maximize the possibility that, if an attack occurs, the organization is equipped to respond effectively and limit further damage.
[1] CISA, "Primary Mitigations to Reduce Cyber Threats to Operational Technology," https://www.cisa.gov/resources-tools/resources/primary-mitigations-reduce-cyber-threats-operational-technology.
[2] An important subset of OT is ICS, which comprises various control systems, such as supervisory control and data acquisition (SCADA) systems, that are specifically designed to operate and automate industrial processes in sectors like manufacturing, energy, water and transportation.
[3] See CrowdStrike, 2025 Global Threat Report, p. 11; see also Dragos, OT/ICS Cybersecurity Report, Year in Review 2025, p. 39.
[4] Dragos, OT/ICS Cybersecurity Report, Year in Review 2025, p. 39.
[5] Id. at 5.
[6] Sophos, The State of Ransomware in Manufacturing and Production 2024, p. 3.
[7] Dragos, OT/ICS Cybersecurity Report, Year in Review 2025, p. 44.
[8] Sophos, The State of Ransomware in Manufacturing and Production 2024, pp. 14–15.
[9] Dragos, OT/ICS Cybersecurity Report, Year in Review 2025, p. 27.
[10] CISA, "Primary Mitigations to Reduce Cyber Threats to Operational Technology."
[11] CISA, "Unsophisticated Cyber Actor(s) Targeting Operational Technology," https://www.cisa.gov/news-events/alerts/2025/05/06/unsophisticated-cyber-actors-targeting-operational-technology.
[12] Available here: https://eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng.
[13] Trustwave, 2025 Risk Radar Report, Manufacturing Sector.
[14] Sophos, The State of Ransomware in Manufacturing and Production 2024, p. 15.