For the fifth year in a row, manufacturing absorbed more cyberattacks than any other industry on earth. According to IBM X-Force's 2026 threat report, the sector accounted for 27.7% of all tracked incidents in 2025.
This is the result of a deliberate, calculated decision by ransomware groups who have studied manufacturing environments and concluded that production floors are places they can toy around with, monkey-barring their way through manufacturers' most important data.
Walk through a typical job shop or machine shop with a threat actor's eyes and you'll see what they see: machines that haven't been patched in years, a network that runs from the front office straight through to the CNC cells, a VPN a vendor set up three years ago that nobody's touched since, and engineering workstations sitting online because your designers need to pull tool paths.
Every one of those things is an open door. And together, they're just another playground for actors to visit when they have some free time.
Key Takeaways
Manufacturing has been the most-attacked industry for five consecutive years, and it's not a coincidence. The production floor carries a unique mix of legacy equipment, flat networks, supply chain vulnerabilities, and valuable IP that ransomware groups actively study and exploit. This post breaks down each of those vulnerabilities in plain language and explains what real IT solutions for manufacturers look like.
Table of contents
- Why manufacturers are the most targeted industry on earth
- The flat network: an attacker's favorite shortcut
- Vendor remote access: the unlocked side door
- Legacy equipment: when the machine can't be patched
- Your CAD files and production data are the prize
- What a breach costs a shop your size
- Where to start
Why Are Manufacturers the Most Targeted Industry on Earth?
Manufacturing is the most attacked industry in the world because it combines two things attackers want most: valuable assets and an extremely low tolerance for downtime.
When a line goes down, manufacturers lose money by the hour, ultimately making them more lucrative targets for quick ransoms. Unplanned manufacturing downtime costs an average of $260,000 per hour.
Ransomware groups know that number. They've built their pricing models around it. That's why manufacturers pay ransom at a higher rate than almost any other sector, even when they have backups that could theoretically restore their systems. The pressure to get production back online is simply too intense to wait.
Beyond downtime, your shop holds IP that's immensely valuable. Engineering drawings, proprietary process specs, material formulas, customer part files. These are trade secrets that competitors and nation-state actors will pay to acquire.
IBM X-Force found that 40% of manufacturing attacks in 2025 involved data theft targeting financial assets and intellectual property.
The breach doesn't have to shut you down to cost you. Sometimes the point is just to take what's yours.
The Flat Network: An Attacker's Favorite Shortcut
Most small and mid-size manufacturers run what's called a flat network. That means the laptop in accounting, the ERP server, the Wi-Fi in the break room, and the HMIs on the production floor are all part of the same network. There's no barrier between them. If an attacker gets into one, they can reach all of them.
This is the single most dangerous structural gap in manufacturing IT, and it's the reason a phishing email to someone in sales can end with your CMM offline and a ransom note on your production screens.
As Dragos CEO Robert Lee stated in early 2026: "Industrial organizations significantly underestimate the reach of ransomware into OT environments because they think it's just IT."
The attack starts in IT, but it finishes on the floor.
The fix is called IT-OT segmentation: building a deliberate barrier between your office network and your operational technology so that a compromise on one side can't freely cross to the other. It can be accomplished by designing your network with the production floor in mind, which most generic IT providers never do because they've never had to think about it. Organizations with that kind of OT visibility contained ransomware incidents in an average of 5 days in 2025 compared to the industry average of 42 days.
Is Your Vendor's Remote Access a Liability?
Remote access is where attackers find some of their easiest wins in manufacturing environments. And we see the entry point in so many different scenarios:
- Your machine tool rep needed to dial in for a firmware update
- Your ERP integrator set up a VPN tunnel during go-live
- Your calibration tech has TeamViewer installed on a workstation they accessed twice in 2022 and haven't touched since
None of those connections were malicious. But if they're still live and unmanaged, they're open doors.
In 2025, 42% of manufacturing breaches were directly tied to third-party or vendor access issues, and 46% of manufacturers identified remote access channels as their weakest security link.
Proper vendor access management means knowing exactly who has access to what, requiring authentication every time rather than leaving sessions open, logging all activity, and reviewing and revoking access on a regular cadence.
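Here is what that review can look like in practice. This is an added example, not code from The Millennium Group Computing; the inventory entries, field names, and the 90-day idle threshold are all assumptions made for illustration.

```python
from datetime import date

MAX_IDLE_DAYS = 90  # assumed review cadence; set to your own policy

# Constructed inventory of vendor access paths; every name and date is made up.
INVENTORY = [
    {"vendor": "machine-tool-rep", "method": "vpn-account", "target": "cnc-cell-2",
     "last_used": date(2025, 11, 3), "mfa": True, "logged": True, "always_on": False},
    {"vendor": "erp-integrator", "method": "site-to-site-vpn", "target": "erp-server",
     "last_used": date(2024, 6, 10), "mfa": False, "logged": True, "always_on": True},
    {"vendor": "calibration-tech", "method": "remote-desktop-tool", "target": "cmm-workstation",
     "last_used": date(2022, 9, 14), "mfa": False, "logged": False, "always_on": True},
]

def review(entry, today):
    """Return the findings for one access path (empty list means clean)."""
    findings = []
    idle = (today - entry["last_used"]).days
    if idle > MAX_IDLE_DAYS:
        findings.append(f"unused for {idle} days: revoke or re-justify")
    if entry["always_on"]:
        findings.append("connection stays open: require sign-in per session")
    if not entry["mfa"]:
        findings.append("no multi-factor authentication")
    if not entry["logged"]:
        findings.append("activity is not logged")
    return findings

def audit(inventory, today):
    """Map each vendor with at least one finding to its list of findings."""
    report = {}
    for entry in inventory:
        findings = review(entry, today)
        if findings:
            report[entry["vendor"]] = findings
    return report

if __name__ == "__main__":
    for vendor, findings in audit(INVENTORY, date(2026, 1, 15)).items():
        print(vendor)
        for finding in findings:
            print("  -", finding)
```

Run on a schedule against an inventory you actually maintain, the output becomes the revocation list for that review cycle.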
Legacy Equipment: When the Machine Can't Be Patched
Here's a reality most IT companies don't want to engage with: you can't always patch the machine. Think of a PLC running proprietary firmware from 2009. Or an HMI on Windows 7 that the OEM says you can't update without voiding your warranty. Or a SCADA system that your operations manager has run since before smartphones existed and knows better than anyone alive.
These are frequently found throughout the production floor, and while your team may love them, legacy OT equipment with known, unaddressed vulnerabilities is one of the three primary factors driving the surge in manufacturing attacks. Once a vulnerability in that firmware is discovered and published, it becomes a permanent entry point.
The answer isn't always replacement. It's building security controls around equipment that can't be patched: isolating it from the broader network, monitoring traffic to and from it, and controlling what can actually communicate with it. Your 20-year-old CNC controller can still run parts safely for another decade. It just needs to be managed like the risk it is, not treated like a regular desktop.
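To make "controlling what can actually communicate with it" and the IT-OT segmentation described earlier concrete, here is an added example (not code from The Millennium Group Computing) that checks flow records against a zone plan. The subnets, the allowed conduits, and the flow records are constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed): office, production floor (OT),
# and a DMZ that sits between them.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("10.50.0.0/16"),
    "dmz": ipaddress.ip_network("10.90.0.0/24"),
}

# The only cross-zone conversations the design permits:
# (source zone, destination IP, destination port).
ALLOWED_CONDUITS = {
    ("office", "10.90.0.10", 3389),  # staff -> DMZ jump host
    ("dmz", "10.50.1.20", 443),      # jump host -> legacy HMI web console
}

# Constructed flow records: (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.31", "10.10.0.5", 445),    # office PC -> office file server
    ("10.10.7.12", "10.90.0.10", 3389),  # office PC -> jump host
    ("10.90.0.10", "10.50.1.20", 443),   # jump host -> HMI
    ("10.10.4.31", "10.50.2.8", 502),    # office PC -> PLC directly (Modbus/TCP)
    ("10.50.1.20", "203.0.113.7", 443),  # legacy HMI -> internet address
]

def zone_of(ip):
    """Name the zone an address belongs to; anything off-plan is 'external'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

def violations(flows):
    """Return cross-zone flows that no permitted conduit covers."""
    found = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone:
            continue  # traffic that stays inside one zone is out of scope here
        if (src_zone, dst, port) in ALLOWED_CONDUITS:
            continue
        found.append((src_zone, dst_zone, src, dst, port))
    return found

if __name__ == "__main__":
    for v in violations(FLOWS):
        print("%s -> %s: %s -> %s port %d" % v)
```

On a flat network there is no zone plan to check against, which is the gap: both flagged flows, the office PC reaching a controller directly and the legacy HMI reaching the internet, would pass unnoticed.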
Your CAD Files and Production Data Are Another Prize
While ransomware is an important focus for many attackers, it’s not always the number one priority. Sometimes it's quieter than that.
Your engineering workstation has months of design work and proprietary processes your customers trust you to protect. Those files sit on a machine that's connected to the internet because your designers need to pull tool paths, send files, and collaborate with engineers at the prime.
IP theft accounted for a significant share of manufacturing attacks in 2025, and the target is often the CAD environment. If you're doing any defense work, those drawings may also contain Controlled Unclassified Information (CUI), which carries its own set of federal requirements under DFARS and CMMC.
Protecting your engineering environment means treating those workstations differently than general office computers: tighter access controls, better monitoring, and a clear understanding of where your most sensitive files live and who can reach them.
What Does a Breach Cost Small Shops?
The headline numbers in ransomware reports can feel abstract when you're running a 30-person job shop in Colorado, but there’s still plenty of valuable information to take away.
The average manufacturing ransomware incident in 2025 resulted in 26 days of downtime and total recovery costs of $2.41 million. Those numbers skew toward larger operations. But even at a fraction of that scale, the impact is brutal.
A week offline for a small shop means missed deliveries, potential contract penalties, payroll you still owe for employees who can't run parts, and the cost of whoever is helping you recover. Then comes re-keying systems, notifying customers, and managing the reputational fallout with primes who need a supplier they can count on.
Ransomware groups know smaller manufacturers are less likely to have strong defenses. That makes you a target, not an afterthought.
The other cost nobody talks about enough is IP loss. If your engineering files walk out the door alongside the ransomware attack, recovery means rebuilding things you've already built.
Where to Start
If you're reading this and recognizing your own environment in it, the first step is an assessment of where you actually stand.
Start by asking a few simple questions:
- Do you know every device on your network, including the ones on the production floor?
- Do you know who has remote access to your systems and when they last used it?
- Is your office network separated from your production floor, or are they running together?
- When did you last verify that your backups would actually restore?
Most of the vulnerabilities that cost manufacturers the most are the simple things nobody ever formalized.
At The Millennium Group Computing, we work with manufacturers across the Front Range as their fractional IT department, which means we function like an internal team without the overhead of building one. We’d love to start the conversation and help you kick criminals off the playground.