For many manufacturers, your Manufacturing Execution System is the best investment you’ve made in years. Work orders push to the floor automatically, quality data logs itself, and traceability records build in real time.
Oddly enough, it’s also the system most shops have never thought about from a security angle. The MES got filed in the same mental category as the CMM or the surface grinder: if it's running, leave it alone. And for a while, that logic held. When MES systems were truly isolated, "don't touch it" was actually decent risk management.
The problem is that most of those systems are no longer isolated, and they haven't been for years. And the shops running them haven't updated their thinking to match. If this sounds like your shop, your MES could be a manufacturing security risk worth looking into.
Key Takeaways
Manufacturing execution systems sit at the intersection of your business data and your shop floor, making them one of the highest-leverage targets for ransomware groups. Most shops treat their MES like a machine: if it's running, don't touch it. That instinct may protect uptime in the short run, but it creates serious security exposure over time. This post breaks down why the "set it and forget it" approach is leaving MES systems exposed, what attackers do when they get in, and what good protection includes.
Table of Contents
- How manufacturing execution systems have become a security risk
- The assumption that's leaving your MES exposed
- How attackers get into an MES
- How to reduce your MES security risk
How Manufacturing Execution Systems Have Become a Security Risk
A manufacturing execution system (MES) is the software layer between your ERP and your shop floor. Your ERP plans the work: it holds the orders, customer records, and financials. Your MES executes it, routing jobs to machines, tracking work orders in real time, logging quality data, and building the traceability documentation your customers and auditors ask for.
But in order to understand the security implications, it’s crucial to think about where this sits in your ecosystem. It touches your ERP above and your machines below and often connects to a customer portal on one side and a vendor support tunnel on the other.
When attackers get into the MES layer, they don't need to reach a PLC to shut down your floor. Disrupting the MES is enough.
Dragos named MES servers explicitly as high-value targets in both their Q3 and Q4 2025 ransomware reports. Their analysts noted that ERP platforms, MES servers, and remote access infrastructure will continue to be primary targets because disrupting that layer can translate directly into production delays and shutdowns, without attackers needing to touch a single industrial control system.
Critical Manufacturing put it plainly after reviewing the Asahi and Jaguar Land Rover attacks in 2025: the MES has become both the crown jewel and the weak link of modern manufacturing. When MES is compromised, safe and efficient production becomes impossible.
When you add in the fact that manufacturing absorbed 72% of all industrial ransomware incidents in Q3 2025, it’s increasingly clear the danger that MES carriers when left unattended.
The Assumption That's Leaving Your MES Exposed
Here's what we see when we walk into manufacturing environments that have been running an MES for several years.
- The implementation happened during a push for efficiency: better floor visibility, automated work orders, real traceability instead of paper traveler cards.
- The integrator came in, built it out, connected it to the ERP, wired up a customer portal for order status, and set up a remote support tunnel so they could troubleshoot without sending someone on-site.
- Then they left. The shop went back to running parts. The MES did its job, nobody touched it, and it got filed in the mental category of infrastructure that works.
That's the "set it and forget it" problem. And on its own, it's manageable. The deeper issue is what it's layered on top of.
When those shops implemented their MES, many of them assumed that the system was isolated. Air-gapped from the internet, separate from the office network, protected by the fact that nobody outside the four walls had direct access to it. And at the time of installation, that may have been close to true.
It stopped being true the day the integrator plugged in the ERP connection. It got further from true when the customer portal went live. By the time the remote support tunnel was set up, the system had three connections running outside the production floor, and the shop's mental model hadn't updated at all.
We've walked into environments where the owner was confident the MES was isolated. When we started mapping what it actually connected to, we found the ERP integration, a vendor's standing remote access credential that hadn't been used in 14 months, and an unsecured path from the office network straight to the MES server.
And because nobody was actively managing those connections, nobody noticed when they became a liability.
The instinct to leave a working system alone is sound when the system is isolated. Once it's connected, though, it needs to be managed like the critical infrastructure it is.
How Do Attackers Get Into an MES?
The entry points are the same gaps that exist in any under-managed system, just with higher consequences.
- The flat network path: In many shops, the office network and the MES server share the same infrastructure. A phishing email to someone in accounting can give an attacker a foothold that reaches straight to the MES. We've covered the flat network problem in depth in our post on production floor cybersecurity risks, but it's worth naming here because the MES server is often the most valuable destination that path leads to.
- Integrator and vendor access that was never closed: The company that implemented your MES three years ago may still have an open remote connection. Not because anyone asked them to keep it, but because nobody asked them to close it. This is a version of the vendor access problem we see across manufacturing environments, but MES-specific: it's often the implementation partner, not the ongoing vendor, who left the door open.
- Unpatched MES software: When your operating philosophy is "don't touch it," patches don't get applied. MES software has update cycles just like any other system, and skipping them leaves known vulnerabilities sitting open. We've seen MES installations running versions that were two or three updates behind because nobody wanted to risk a disruption during production hours.
- Shared shift credentials with no MFA: Line operators log in under a shared account. The maintenance tech uses the same credentials as the line supervisor. When something goes wrong, there's no audit trail because every action looks the same. And if those credentials get compromised through a phishing attack anywhere in the chain, the attacker has full MES access with nothing to trip an alarm.
How to Reduce Your MES Security Risk
The starting point is understanding what your MES is actually connected to. Most shops that go through that exercise are surprised by what they find. From there, the controls aren't complicated, but they do require someone to own them.
1. Audit every connection the MES has
Map what it talks to: your ERP, any customer portals, every vendor or integrator with remote access. List the credentials associated with each. You're looking for connections that are still live but shouldn't be, and access that's broader than it needs to be.
2. Close dormant vendor and integrator access
If a vendor hasn't touched your MES in six months, their credentials shouldn't still work. Revoke standing access and move to a model where access is granted for a specific window and disabled when the work is done. This is a procedural change as much as a technical one, and it requires someone to own the follow-through.
3. Put the MES on a patch schedule
Treating updates like threats to uptime is how you end up running known vulnerabilities for years. If a patch might affect a customization, test it first, then apply it. Skipping it permanently is the more expensive option.
4. Require MFA and individual accounts
Every person who logs into the MES should have their own credentials. Multi-factor authentication should be on by default. Shared accounts make auditing impossible and credential theft trivially easy. This is consistent with the access control discipline that anchors the NIST Cybersecurity Framework and applies as directly to MES as it does to any other critical system.
5. Segment the MES server from the rest of your network
Your MES should not be reachable from the same path as your general office network. Putting it behind its own network limits what an attacker can reach if they get into your environment through another door.
6. Back it up and test the restore
If the MES goes down, how long does recovery take? If you don't know, that's the first thing to find out. A tested backup and recovery plan is the difference between a bad afternoon and a production shutdown that drags on for days.
7. Get help from an IT Partner
A good IT partner has the ability to look at how your MES fits into your specific environment, what it connects to, how it was configured, what the integrator left behind, and treat it like the critical system it is. That's the kind of work we do with manufacturers across Denver and the Front Range. We understand how these environments are built because we've been in enough of them to recognize the patterns on sight. Reach out for a free consultation and we'll take a look at what's running in yours.