Securing Your Automation Cells from Ransomware: Why Manufacturing Is the Most-Attacked Industry
1. What This Resource Covers & Why It Matters
Manufacturing has held the top spot as the most-targeted industry for ransomware for four consecutive years, according to IBM’s X-Force Threat Intelligence Index. In 2025, attacks on the sector surged 61% year over year. The raw count of victimized manufacturers nearly doubled from 2024 to 2025. This is not a cybersecurity abstraction. It is a direct operational threat to production floors, robot cells, PLCs, and the MES systems that tie them together.
This article covers why manufacturing attracts attacks, what real companies at different scales experienced, what the recovery actually cost, and what practical steps engineers and operations managers can take to protect automation infrastructure. It focuses specifically on the OT (operational technology) environment: robot controllers, PLCs, HMIs, SCADA systems, and the network connections between them.
This article does not cover enterprise IT security architecture in depth. The focus is the production floor and the automation cell, which carry unique vulnerabilities that generic IT security guidance does not fully address.
2. What’s Actually Happening: Real Attacks, Real Costs
Large Enterprise: Jaguar Land Rover
In late summer 2025, a breach of Jaguar Land Rover’s IT systems escalated into a full shutdown of production across its flagship UK facilities. The attack lasted five weeks and cost an estimated £196 million in direct costs, with broader economic damage to the UK supply chain reaching £1.9 billion. JLR produces vehicles on tightly sequenced lines where a production stop ripples immediately into supplier deliveries, dealer inventory, and customer orders. Five weeks of shutdown on a high-volume automotive line produces losses that compound daily.
Large Enterprise: Nucor Steel
In 2025, Nucor, one of the largest US steel producers, experienced a cyberattack that led to a temporary halt in production operations across affected facilities. The company filed an SEC disclosure confirming that an attacker exfiltrated a limited amount of data from compromised IT systems. Steel production has narrow process windows where temperature, timing, and material flow are all interdependent. Stopping a melt mid-process is not simply an inconvenience. It produces scrap and equipment stress that adds recovery cost beyond the incident itself.
Mid-Size: Brunswick Corporation
Brunswick Corporation, a marine manufacturing company, suffered a cyberattack in June 2023 that disrupted operations across global facilities and cost at least $85 million. Downtime at one acquired subsidiary alone totaled $13 million. Brunswick could not recover lost production days because its schedule was already at full capacity for the rest of the year. The attack did not just pause production. It permanently eliminated production volume that could not be made up.
Small Manufacturer Reality
Small manufacturers face a different version of the same threat. In 2023, organizations with fewer than 500 employees faced an average breach cost of $3.31 million, according to IBM. For a shop generating $5 to $10 million in annual revenue, a $3 million recovery cost is an existential event. The Sophos 2025 State of Ransomware in Manufacturing report found that 22% of manufacturing victims needed more than a month to recover. For a small shop, a month of impaired or halted production can mean losing customers permanently, not just temporarily.
[IMAGE: Infographic showing attack cost comparison: Jaguar Land Rover (£196M), Nucor (production halt), Brunswick ($85M), average small manufacturer ($3.31M breach cost)]
3. Why Manufacturing Gets Hit the Most
The Uptime Pressure Problem
Manufacturing operations cannot tolerate downtime the way office environments can. A hospital can divert patients. A bank can process transactions manually. A production floor running a just-in-time schedule to an automotive customer cannot. Attackers know this. The urgency to restore production makes manufacturers more likely to pay ransoms quickly, which makes the attack economically rational for the attacker. The Sophos report found that 51% of manufacturing victims paid the ransom in 2025, well above the historical average.
The OT/IT Convergence Gap
For decades, factory floor systems ran on isolated networks with no connection to the internet. Automation modernization has changed that. MES systems pull production data to cloud analytics platforms. Robot controllers receive software updates over network connections. Pallet tracking integrates with ERP systems. Each of those connections is a potential entry point. According to Dragos, 25% of ransomware incidents they responded to in 2024 resulted in a complete OT site shutdown. The factory floor is now connected enough to be compromised through an IT breach that crosses into the OT environment.
Legacy Equipment and Unpatched Systems
The average manufacturing facility runs equipment across multiple generations. A robot controller installed in 2008 was not designed with network security in mind. It runs an embedded OS that no longer receives security updates. Exploited vulnerabilities were the leading root cause of manufacturing ransomware attacks in 2025, responsible for 32% of incidents according to Sophos. Many of those vulnerabilities exist in equipment that cannot be patched without a vendor-provided update that never arrives for end-of-life hardware.
4. Integration & Deployment Reality
The Network Segmentation Imperative
The single most impactful step for protecting automation cells is network segmentation: physically or logically separating the OT network from the IT network and from the internet. A robot controller that cannot communicate outside the production network cannot be reached by ransomware that enters through a phishing email on the corporate network. In practice, many manufacturers have VLANs creating logical separation, but not physical separation. VLANs can be traversed by an attacker with sufficient access. Physical air gaps or hardware firewalls at the OT/IT boundary provide more reliable protection.
Large manufacturers typically employ dedicated OT security teams, hardware firewalls at the IT/OT boundary, and commercial OT monitoring platforms from companies like Dragos or Claroty that passively monitor industrial protocol traffic for anomalies without touching the control systems. These platforms detect unusual commands, unauthorized device connections, and traffic patterns consistent with reconnaissance before an attack escalates.
Small manufacturers rarely have OT security budgets for dedicated platforms. However, the foundational steps are accessible without enterprise investment: segment the production network from the office network at the router level, disable unused remote access ports on robot controllers and PLCs, change default passwords on all HMIs and controllers, and implement multi-factor authentication on any remote access tool that reaches the production environment. These steps eliminate the easiest attack paths.
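The two preceding paragraphs describe what a passive OT monitor looks for (IT hosts crossing the boundary, unauthorized commands, unknown devices) and the basic hardening a small shop can do (segmentation, closing unused remote-access ports). The following is an added example, not code from the article or from any monitoring vendor, showing the same checks written as a small rule set over flow records. It assumes a single OT subnet, one jump host as the only sanctioned IT-to-OT path, a short device inventory, and Modbus/TCP on port 502; every address and log line is constructed.

```python
"""Passive OT boundary check over constructed flow records (added example).

Assumptions (not from the article): one OT subnet, one jump host as the only
permitted IT-to-OT path, an inventory of known OT devices, Modbus/TCP on 502.
"""
from dataclasses import dataclass
import ipaddress

# Constructed zone layout and allowlists.
OT_NET = ipaddress.ip_network("10.20.0.0/16")
JUMP_HOST = ipaddress.ip_address("10.10.5.10")          # only sanctioned IT -> OT path
ENGINEERING_WS = {ipaddress.ip_address("10.20.1.50")}   # hosts allowed to write to PLCs
OT_INVENTORY = {
    ipaddress.ip_address("10.20.1.50"),  # engineering workstation
    ipaddress.ip_address("10.20.2.11"),  # PLC, cell 1
    ipaddress.ip_address("10.20.2.12"),  # robot controller, cell 1
}
MODBUS_WRITE_FC = {5, 6, 15, 16, 23}     # Modbus function codes that change controller state
REMOTE_ACCESS_PORTS = {22, 3389, 5900}   # SSH, RDP, VNC


@dataclass
class Alert:
    rule: str
    detail: str


def parse_flow(line: str) -> dict:
    """Parse a 'key=value' flow record such as 'src=10.10.5.10 dst=10.20.2.11 dport=502 fc=3'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {
        "src": ipaddress.ip_address(fields["src"]),
        "dst": ipaddress.ip_address(fields["dst"]),
        "dport": int(fields["dport"]),
        "fc": int(fields["fc"]) if "fc" in fields else None,
    }


def check_flow(flow: dict) -> list:
    """Apply the four boundary rules to one flow and return any alerts."""
    alerts = []
    src, dst, dport, fc = flow["src"], flow["dst"], flow["dport"], flow["fc"]
    src_in_ot, dst_in_ot = src in OT_NET, dst in OT_NET
    # Rule 1: traffic entering OT from outside must come from the jump host.
    if dst_in_ot and not src_in_ot and src != JUMP_HOST:
        alerts.append(Alert("boundary", f"{src} reached OT host {dst}:{dport} bypassing the jump host"))
    # Rule 2: remote-access services on OT devices are only reachable from the jump host.
    if dst_in_ot and dport in REMOTE_ACCESS_PORTS and src != JUMP_HOST:
        alerts.append(Alert("remote-access", f"{src} opened remote-access port {dport} on {dst}"))
    # Rule 3: Modbus writes come only from engineering workstations.
    if dport == 502 and fc in MODBUS_WRITE_FC and src not in ENGINEERING_WS:
        alerts.append(Alert("unauthorized-write", f"{src} sent Modbus write (fc {fc}) to {dst}"))
    # Rule 4: an OT-side address that is not in the inventory is a new device.
    if src_in_ot and src not in OT_INVENTORY:
        alerts.append(Alert("unknown-device", f"uninventoried OT address {src} talking to {dst}"))
    return alerts


def scan(lines) -> list:
    """Run every non-empty record through the rules and collect alerts."""
    alerts = []
    for line in lines:
        if line.strip():
            alerts.extend(check_flow(parse_flow(line)))
    return alerts


# Constructed sample flows: the first two are legitimate, the rest should alert.
SAMPLE_FLOWS = [
    "src=10.20.1.50 dst=10.20.2.11 dport=502 fc=16",   # engineering WS writes a PLC: allowed
    "src=10.10.5.10 dst=10.20.2.12 dport=3389",        # jump host RDP to robot controller: allowed
    "src=10.10.7.23 dst=10.20.2.11 dport=502 fc=6",    # office PC writing to a PLC
    "src=10.20.9.99 dst=10.20.2.12 dport=5900",        # unknown OT device opens VNC
    "src=192.0.2.40 dst=10.20.2.11 dport=22",          # external address SSH into a PLC
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(f"[{alert.rule}] {alert.detail}")
```

Run against the constructed sample, the two sanctioned flows produce nothing and the remaining three produce six findings, because a single flow can break more than one rule (an office PC writing to a PLC is both a boundary crossing and an unauthorized write). In practice the same rules would be fed from span-port captures or firewall logs rather than a hard-coded list, and the allowlists would come from the network diagram described later in the article.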
What Vendor Documentation Does Not Cover
Robot and PLC vendor documentation covers the machine’s communication capabilities. It does not cover how to secure those communications in a production network. Most robot controllers ship with default passwords, unused open ports, and remote access capabilities enabled by default. Hardening those configurations requires going beyond the vendor manual. CISA publishes free OT security guidance that covers industrial control system hardening at a practical level. Reference it before any automation cell connects to a broader network.
5. Common Failure Modes & Constraints
Network and Access Failures
| Failure | Root Cause | Signal/Symptom |
|---|---|---|
| Ransomware enters OT network from IT breach | Flat or inadequately segmented network allows lateral movement | Robot controllers encrypt or go offline; HMIs display ransom messages |
| Attacker accesses robot controller remotely | Default credentials never changed; unused remote access port left open | Unauthorized program changes; unexpected robot behavior during production |
| Malware delivered via vendor remote access | Third-party technician’s laptop carries infection into OT environment | System anomalies appearing after a vendor service visit |
Vendor remote access is one of the least-protected entry points in most manufacturing environments. Machine vendors and integrators routinely access robot controllers and PLCs remotely for diagnostics and support. If that access uses a shared account with a permanent credential and no session logging, it is functionally an open door. Define a formal process for vendor remote access: time-limited credentials, session monitoring, and access revocation after each service event.
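The process the paragraph above describes (time-limited credentials, session logging, revocation after each service event) can be enforced by a small broker in front of the remote-access tool. The following is an added example, not the article's or any vendor's code: a broker that issues a one-time credential per service ticket, refuses connections after the window closes or after revocation, and writes every decision to an audit trail. The vendor names, asset names, service window limit and clock are constructed; a real deployment would put this logic in the jump host or remote-access gateway.

```python
"""Time-limited vendor remote-access broker with audit log and revocation (added example).

Assumptions: one approver issues a grant per service ticket; a service window never
exceeds one shift; the broker sits in front of the remote-access tool. All names and
times are constructed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

START = datetime(2025, 1, 6, 8, 0, tzinfo=timezone.utc)   # constructed start of a service day


class ManualClock:
    """Deterministic clock for the example; use datetime.now(timezone.utc) in production."""

    def __init__(self, start: datetime):
        self.t = start

    def __call__(self) -> datetime:
        return self.t

    def advance(self, hours: float) -> None:
        self.t += timedelta(hours=hours)


@dataclass
class Grant:
    grant_id: str
    vendor: str
    asset: str        # e.g. "cell3-robot-controller"
    ticket: str       # the service ticket that justifies the access
    expires_at: datetime
    revoked: bool = False


class VendorAccessBroker:
    """Issues per-visit credentials, checks them at connect time, keeps an audit trail."""

    MAX_HOURS = 8   # assumption: one shift is the longest service window

    def __init__(self, now=None):
        self._grants = {}
        self._secret_hashes = {}
        self.audit = []
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _log(self, event: str) -> None:
        self.audit.append(f"{self._now().isoformat()} {event}")

    def issue(self, vendor: str, asset: str, ticket: str, hours: float, approver: str):
        """Create a grant bound to one asset and one ticket; returns (grant_id, secret)."""
        if not 0 < hours <= self.MAX_HOURS:
            raise ValueError(f"service window must be between 0 and {self.MAX_HOURS} hours")
        grant_id = secrets.token_hex(4)
        secret = secrets.token_bytes(32)                  # fresh per visit, never reused
        self._grants[grant_id] = Grant(grant_id, vendor, asset, ticket,
                                       self._now() + timedelta(hours=hours))
        self._secret_hashes[grant_id] = hashlib.sha256(secret).digest()   # store a hash only
        self._log(f"ISSUE grant={grant_id} vendor={vendor} asset={asset} "
                  f"ticket={ticket} hours={hours} approver={approver}")
        return grant_id, secret

    def connect(self, grant_id: str, secret: bytes, asset: str) -> bool:
        """Allow a session only for a live, unrevoked grant on the asset it was issued for."""
        g = self._grants.get(grant_id)
        ok = (g is not None
              and not g.revoked
              and self._now() < g.expires_at
              and g.asset == asset
              and hmac.compare_digest(self._secret_hashes[grant_id],
                                      hashlib.sha256(secret).digest()))
        self._log(f"CONNECT grant={grant_id} asset={asset} result={'allow' if ok else 'deny'}")
        return ok

    def revoke(self, grant_id: str, reason: str) -> None:
        """Close the grant at the end of the service event, whatever time remains."""
        self._grants[grant_id].revoked = True
        self._log(f"REVOKE grant={grant_id} reason={reason}")


def service_visit() -> list:
    """Walk through one constructed service event and return the audit trail."""
    clock = ManualClock(START)
    broker = VendorAccessBroker(now=clock)
    gid, secret = broker.issue("robot-vendor", "cell3-robot-controller", "SR-1042", 4, "ops-manager")
    broker.connect(gid, secret, "cell3-robot-controller")   # allowed: inside window, right asset
    broker.connect(gid, secret, "cell1-plc")                # denied: grant is bound to one asset
    clock.advance(2)
    broker.revoke(gid, "service complete")                  # revoked before the window ends
    broker.connect(gid, secret, "cell3-robot-controller")   # denied: revoked
    return broker.audit


if __name__ == "__main__":
    for entry in service_visit():
        print(entry)
```

The important design choices are that a grant names one asset and one ticket, so a credential issued for a robot controller cannot be reused on a PLC; the broker keeps only a hash of the secret, so the audit log and the grant table are not themselves a credential store; and revocation is an explicit step at the end of the service event rather than relying on expiry alone.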
Recovery Failures
| Failure | Root Cause | Signal/Symptom |
|---|---|---|
| Robot program recovery takes weeks | No offline backup of robot programs or controller configurations | Technicians manually recreate programs from paper documentation or memory |
| PLC logic lost in attack | PLC program stored only on the controller with no backup | Production cannot restart without integrator involvement and significant delay |
| Recovery extends to month-long outage | No tested incident response plan; recovery improvised under pressure | Escalating cost, customer attrition, regulatory disclosure requirements |
Program backup is the most underutilized protective measure in manufacturing automation. Robot programs, PLC ladder logic, HMI configurations, and controller parameter files should be backed up offline, versioned, and stored in a location that a production network compromise cannot reach. A manufacturer that can restore all automation programs from a clean backup within 24 hours recovers dramatically faster than one rebuilding from scratch. This costs nothing beyond the storage and the process discipline to do it consistently.
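The offline, versioned backup the paragraph above calls for is only useful if the copy can be proven intact before a restore, and the same hashes also reveal an unauthorized program change on a live controller (the "unexpected robot behavior" symptom in the first table). The following is an added example, not code from the article: it builds a signed-off manifest of robot, PLC and HMI artifacts, records a digest of the manifest for out-of-band storage, and verifies a set of artifacts against it. The file names and contents are constructed, and the manifest format is an assumption.

```python
"""Versioned backup manifest for automation programs, with verification (added example).

Assumptions: each artifact (robot program, PLC project, HMI export) is available as
bytes keyed by a path; manifest layout is this example's own. Contents are constructed.
"""
import hashlib
import json
from datetime import datetime, timezone

SNAPSHOT_TIME = datetime(2025, 1, 6, 22, 0, tzinfo=timezone.utc)   # constructed backup time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(version: str, artifacts: dict, taken_at=None) -> dict:
    """Record a hash and size per artifact so the offline copy can be checked later."""
    return {
        "version": version,
        "taken_at": (taken_at or datetime.now(timezone.utc)).isoformat(),
        "artifacts": {
            path: {"sha256": sha256_hex(data), "bytes": len(data)}
            for path, data in sorted(artifacts.items())
        },
    }


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical manifest; keep it outside the network (printed in the
    shift log, for instance) so the manifest itself cannot be silently replaced."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(canonical)


def verify(manifest: dict, artifacts: dict) -> dict:
    """Compare a set of artifacts (a backup copy or a live controller dump) with the manifest."""
    expected = manifest["artifacts"]
    result = {"ok": [], "changed": [], "missing": [], "unexpected": []}
    for path, meta in expected.items():
        if path not in artifacts:
            result["missing"].append(path)
        elif sha256_hex(artifacts[path]) != meta["sha256"]:
            result["changed"].append(path)
        else:
            result["ok"].append(path)
    result["unexpected"] = sorted(p for p in artifacts if p not in expected)
    return result


def restore_ready(manifest: dict, backup_copy: dict) -> bool:
    """True only when every artifact in the manifest is present and unmodified in the copy."""
    r = verify(manifest, backup_copy)
    return not r["changed"] and not r["missing"]


# Constructed golden set: what was backed up after the last validated change.
GOLDEN = {
    "cell1/robot/PICKPLACE.LS": b"/PROG PICKPLACE\n  1: J P[1] 100% FINE ;\n  2: L P[2] 500mm/sec FINE ;\n/END\n",
    "cell1/plc/main.acd": b"PLC-PROJECT cell1 main rev 14\n",
    "cell1/hmi/screens.xml": b"<screens><screen name='overview'/></screens>\n",
}

# Constructed dump from the live cell some time later: one program altered,
# the HMI export gone, and a file nobody put in the validated set.
LIVE_DUMP = {
    "cell1/robot/PICKPLACE.LS": b"/PROG PICKPLACE\n  1: J P[1] 100% FINE ;\n  2: L P[9] 2000mm/sec FINE ;\n/END\n",
    "cell1/plc/main.acd": b"PLC-PROJECT cell1 main rev 14\n",
    "cell1/plc/debug.tmp": b"\x00\x01",
}

if __name__ == "__main__":
    manifest = build_manifest("2025-01-06.1", GOLDEN, taken_at=SNAPSHOT_TIME)
    print("manifest digest (record out of band):", manifest_digest(manifest))
    print("backup copy restorable:", restore_ready(manifest, dict(GOLDEN)))
    print("live cell vs golden:", json.dumps(verify(manifest, LIVE_DUMP), indent=2))
```

Two habits make this worth more than a plain file copy: verify the offline copy against its manifest on a schedule, so the first time the backup is read is not during an incident, and run the same verification against a fresh dump from the running cell, so a modified robot program shows up as a changed hash rather than as scrap on the floor.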
6. When It’s a Good Fit vs. Bad Fit
Good fit when:
Investing in OT security hardening delivers clear return for any manufacturer whose production floor is connected to a corporate network, cloud platform, or external vendor access point. In other words, it fits almost every modern manufacturing operation. The specific investment level scales with the operation. A small shop implementing network segmentation, credential management, and offline program backup spends thousands, not hundreds of thousands, and eliminates the most common attack vectors.
High risk when:
The investment becomes insufficient when a manufacturer implements IT security measures on OT systems without understanding how those measures affect production. Installing a standard antivirus agent on a robot controller can consume processing resources that interrupt real-time motion control. Applying IT patch management to OT equipment can break validated process configurations. Every security measure applied to OT systems requires validation against production behavior before deployment.
Usually the wrong tool when:
Cybersecurity insurance alone is not a security strategy. Several manufacturers in recent incidents paid significant premiums for policies that covered a fraction of actual losses when the breach involved OT systems specifically excluded from standard IT coverage. Insurance belongs in the risk transfer layer after the technical controls are in place, not as a substitute for them.
7. Key Questions Before Committing
- Is the production network physically or logically separated from the corporate IT network, and has that separation been tested to confirm an attacker who compromises the IT environment cannot reach robot controllers or PLCs?
- What are the default credentials on every HMI, robot controller, and PLC in the facility, and have those credentials been changed and documented in a secured location?
- When were robot programs, PLC configurations, and HMI settings last backed up offline, and does that backup exist in a location unreachable from the production network?
- What remote access does each automation vendor have to production systems, and does a formal process govern credential issuance, session monitoring, and access revocation?
- Has the facility tested its ability to restart production from a clean state, and does an incident response plan exist that names specific people, actions, and escalation contacts for an OT ransomware event?
8. How RBTX Learn Recommends Using This Information
RBTX Learn evaluates OT security posture by starting with the network diagram. Before recommending any security tool or service, map every connection between the production floor and anything external: the corporate network, cloud platforms, vendor access tools, and remote monitoring systems. Every connection on that diagram is a potential entry point. The map reveals the actual attack surface, which is almost always larger than operations managers expect.
For small and mid-size manufacturers, RBTX Learn recommends three foundational actions before any other security investment: segment the production network, change all default credentials, and implement offline program backup. These steps require no specialized security budget and eliminate the attack vectors responsible for the majority of manufacturing ransomware incidents. They are the equivalent of locking the door before buying an alarm system.
For larger operations with connected automation infrastructure and remote monitoring systems, the next step is an OT-specific security assessment from a firm familiar with industrial control systems. Generic IT security assessments frequently miss OT-specific vulnerabilities because assessors are not trained in industrial protocols. The assessment should cover every device on the production network, not just servers and workstations. The cost of that assessment is a fraction of one day of unplanned downtime.
