link. At the same time, U.S.-manufactured goods exports set a record in 2024 at more than $1.6 trillion, a reminder that factory floors are tied to global sales and supply chains that now run on software as much as steel link.

The operational stakes are enormous: when a plant stops, revenue and reputation start burning cash immediately.

The threat picture has sharpened. IBM’s latest X-Force index reports that manufacturing was the most attacked industry for the fourth straight year, with extortion and data theft the most common outcomes as criminals lean on downtime pressure to force payment link. Dragos’s 2023 Year-in-Review—a bellwether for operational technology—found that 70 percent of industrial ransomware incidents hit manufacturers, a pattern that persisted into 2024 as more groups targeted shop floors and the systems that steer them link.

Consider a few recent lessons. Clorox disclosed that its August 2023 cyberattack triggered weeks of supply disruptions and a steep, hundreds-of-millions revenue hit during the following quarter, a stark example of how IT problems spill into OT and logistics link. Johnson Controls, a global controls and building systems manufacturer, has been working through the aftershocks of a 2023 ransomware incident whose costs have exceeded tens of millions of dollars and rippled across customers and partners link. And in 2025, Jaguar Land Rover’s production pause following a cyberattack reverberated through the U.K. auto supply chain and prompted government support to stabilize vendors—a reminder that modern plants are nodes in a tightly coupled web link.

Attackers are not only thieves; they are logisticians who understand where stoppage hurts most.

Nation-state activity has raised the baseline risk. The U.S. government warned in 2024 that PRC-linked “Volt Typhoon” actors have focused on pre-positioning inside critical-infrastructure networks using “living off the land” tradecraft, the kind of quiet persistence that can jump from office IT into plant operations if pathways exist link. Even when such campaigns do not trigger outages, they change the calculus for every manufacturer connected to broader grids and transport networks.

Cybersecurity Goals, Updated for the Plant Floor

The goals have not changed—protect IP, prevent equipment damage, and keep lines moving—but the operating environment has. OT networks that once stood apart now ride on TCP/IP, cloud dashboards, and vendor remote access. Surveys of OT leaders show a sharp rise in successful intrusions year over year, with nearly a third reporting six or more incidents in the past 12 months and a material share acknowledging production-impacting outages link.

Intellectual property remains a prime target. IBM tracks a consistent drumbeat of credential theft and data exfiltration aimed at design files, process recipes, and supplier pricing. In practice, that often starts with compromised IT accounts and then pivots into engineering workstations or historians that were never meant to face the internet link.

The second goal is physical safety and asset integrity. Recent incident data confirms an uncomfortable reality: many OT breaches begin in IT. SANS has repeatedly found IT compromise to be a leading vector into ICS/OT, which is exactly what you would expect in converged networks that lack strong segmentation and vendor access controls link.

The third goal is continuity. Supply-chain compromises have put a spotlight on “one-to-many” risk. The MOVEit mass-exploitation campaign, for example, affected thousands of organizations across sectors when a widely used file-transfer tool was breached, a reminder that a single vendor bug can travel a long way inside global manufacturing networks link.

If you invite your supply chain into your network, you inherit its hygiene.

Trends Worth Your Board’s Attention

Persistent adversaries and ransomware crews are getting faster and more automated. Fortinet’s telemetry tied the 2024 surge to automated scanning, commodity credential theft, and reuse of a familiar set of ransomware families that still work against flat or poorly monitored environments link. Manufacturers should also assume that high-profile geopolitical actors are studying their dependencies. The government’s Volt Typhoon guidance is explicit about the objective: pre-positioning for potential disruption, not just espionage link.

Frameworks That Actually Help

The arrival of NIST’s Cybersecurity Framework 2.0 is more than a version bump. CSF 2.0 adds a formal “Govern” function and comes with sector profiles that map outcomes to practical actions, including for manufacturing link. NIST also released the initial public draft of a refreshed CSF 2.0 Manufacturing Profile (NISTIR 8183 Rev. 2) in September 2025, which aligns the familiar Identify-Protect-Detect-Respond-Recover cycle with governance, asset inventories that span IT and OT, and modern vendor-access controls link.

CISA’s updated Cross-Sector Cybersecurity Performance Goals sit alongside CSF as a prioritized “do-first” list that explicitly calls out multi-factor authentication for remote access, authenticated inventories, secure backups, incident response testing, and OT network segmentation—controls that reduce the likelihood and blast radius of the most common attacks link. For supply-chain resilience, NIST SP 800-161 gives manufacturers a blueprint for embedding C-SCRM into procurement and vendor oversight rather than bolting it on after an integration is live. And for connected devices that show up on lines and in warehouses, the NISTIR 8259 series defines a baseline for securable IoT that buyers can require from suppliers link.

What “Good” Looks Like on the Ground

Start with the map. You cannot defend what you cannot see, so maintain a live, reconciled inventory of both IT and OT assets, including firmware versions, network paths, and the remote access methods vendors actually use. Segment like you mean it, with engineering workstations, PLCs, and safety systems living in zones that do not trust corporate IT by default, and brokered vendor access that is time-bound and recorded. Close the front door with phishing-resistant MFA wherever credentials can pivot into production, and treat Windows domain controllers, historians, and jump servers as Tier-0 assets that get the best monitoring and the least standing privilege.

Assume breach and practice recovery. Ransomware groups go straight for backups and OT-adjacent systems that can halt production even when controllers keep running. Keep offline, frequently tested backups of recipes and configurations, document fallback modes, and run joint IT-OT tabletop exercises so downtime decisions are not invented on the fly.

Finally, treat suppliers as part of your network. Require SBOMs or component lists for critical software, enforce vulnerability disclosure timelines in contracts, and rehearse how you will quarantine connectors and third-party services when a widely used tool turns into a distribution vector, as MOVEit did in 2023 link.

-- Governance is not a binder; it is authority to say “no” when risk outpaces reward.

A Note on History

It has been tempting to shrug off earlier alarms. When Boeing experienced a WannaCry scare in 2018, the company reported minimal damage and kept building airplanes. That was a lucky break, not an all-clear. The episode nonetheless captured the modern risk: malware built for IT can find its way to tools that shape titanium and composite link.

The Bottom Line

Manufacturers cannot eliminate cyber risk, but they can box it in. The playbook is mature now: align to CSF 2.0, implement CISA’s priority controls, harden the IT-to-OT bridge, and treat suppliers as part of your security perimeter. The organizations that do this work are the ones that keep lines running when the next mass exploit or extortion wave arrives. If you want a practical crosswalk of controls for a mixed IT/OT environment, start with CSF 2.0 and the Manufacturing Profile draft, then pressure-test your environment against the CISA performance goals and the latest Dragos ransomware patterns [IN-LINE LINK: nist.gov/publications/nist-cybersecurity-framework-csf-20].

The modern perimeter runs through your procurement office, your engineering cabinets, and every remote session into your plant.

CyLogic Insights