Manufacturing plants have become the world's number-one cyber target, and there's a cold logic to it: their data isn't the most valuable, but when the production line stops, every day costs a fortune, and the pressure to pay a ransom is enormous. The good news: most attacks don't start with a genius hacker, but with a basic gap you can close. Here are the five risks we encounter most often in the field, and what to do about each one. No scare tactics, just the practical truth.
Manufacturing accounted for about half of all ransomware attacks worldwide, and a production-line shutdown can cost millions per day.
Risk 1: Ransomware that gets in through an employee and a password
Ransomware (software that encrypts your files and systems and demands payment to release them) is the number-one financial threat. But the important point is how it gets in: usually not through a sophisticated vulnerability, but through the simplest thing, such as an employee who clicked a link or a weak password.
The data is clear: phishing (impersonating a trusted party in an email or message to steal access credentials) was the most common attack of 2025, and usually the entry point for ransomware. On the defense side, the costliest weakness in manufacturing plants is misconfigured multi-factor authentication (MFA), responsible for about a quarter of all losses; another ~10% came from a complete absence of MFA. In other words: the problem is hygiene, not magic.
Enable multi-factor authentication (MFA) on all remote access and admin accounts; it is the cheapest defense with the highest return. Add brief awareness training for employees (how to spot phishing), and enforce a strong password policy. These three alone block most attacks.
Risk 2: The production floor (OT network) is exposed
This is the risk unique to manufacturing, and in Israel it's especially severe. The OT network (Operational Technology — the systems that run the machines, the PLCs, SCADA and the production lines) was designed in a pre-cyber world: unencrypted protocols, old equipment that gets no security updates, and all of it now connected to the office IT network.
An expert in the field put it bluntly: to hit the production line you don't need to break into the servers — it's enough to get onto the OT network and flip the switch. And in Israel the regulatory gap widens the risk: there's no legislation requiring OT network security, and plants outside the hazardous-materials or defense fields aren't defined as critical infrastructure. In other words — no one will require you to protect the production floor. It's on you alone.
The first and most important step is separation (segmentation) between the office IT network and the OT network, so that a breach of an office computer doesn't allow direct passage to the machines. In parallel, map which OT components are connected to the network and to the internet at all — old, forgotten connections usually turn up.
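One way to start the segmentation check described above is to review an exported firewall rule table for paths into the production range. This is an added example, not part of the original article; the address ranges, rule format and sample rules are constructed assumptions.

```python
import ipaddress

# Assumed address plan (hypothetical): office IT and production OT ranges.
IT_NET = ipaddress.ip_network("10.10.0.0/16")
OT_NET = ipaddress.ip_network("10.50.0.0/16")

# Default ports of common industrial protocols.
OT_PORTS = {102: "Siemens S7", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}

# Constructed sample of an exported rule table (not from a real device).
RULES = [
    {"id": 1, "src": "10.10.20.0/24", "dst": "10.50.1.0/24", "port": 502, "action": "allow"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.60.0.0/24", "port": 443, "action": "allow"},
    {"id": 3, "src": "0.0.0.0/0", "dst": "10.50.1.15/32", "port": 102, "action": "allow"},
    {"id": 4, "src": "10.10.5.7/32", "dst": "10.50.0.0/16", "port": 3389, "action": "deny"},
    {"id": 5, "src": "10.50.1.0/24", "dst": "10.50.2.0/24", "port": 44818, "action": "allow"},
]

def segmentation_findings(rules, it_net=IT_NET, ot_net=OT_NET):
    """Return allow rules that let sources outside OT reach the OT range.

    Rule order is ignored on purpose: a shadowed allow rule is still
    worth reviewing, because it becomes live when rules are reordered.
    """
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not dst.overlaps(ot_net):
            continue  # destination is outside the production network
        if src.subnet_of(ot_net):
            continue  # OT-internal traffic, out of scope for this check
        if src.prefixlen == 0:
            kind = "any source (includes internet) to OT"
        elif src.overlaps(it_net):
            kind = "office IT to OT"
        else:
            kind = "other network to OT"
        protocol = OT_PORTS.get(rule["port"], "non-industrial port")
        findings.append((rule["id"], kind, protocol))
    return findings

if __name__ == "__main__":
    for finding in segmentation_findings(RULES):
        print(finding)
```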
Risk 3: Your supplier is your back door
A modern plant is connected to dozens of suppliers — ERP software, a maintenance company that connects remotely to the machines, a cloud provider, a payroll consultant. Each such connection is a door, and someone else's door is harder to guard.
The case that illustrated this in 2025 was carmaker Jaguar Land Rover: the attackers exploited a vulnerability in an external supplier's software to move into the core network, production was halted for five weeks, and more than 5,000 businesses in the supply chain were affected. The damage was estimated at around a billion pounds.
Map which suppliers connect to your systems and at what access level. Reduce permissions to the necessary minimum, disconnect remote-maintenance connections when not in use, and contractually establish the supplier's security responsibility. This also ties directly to the Data Processing Agreement (DPA) obligation that Amendment 13 requires with every supplier that processes data.
Risk 4: Data theft and double extortion
Today's ransomware no longer just encrypts — it also steals. In 2025, data theft was confirmed in 77% of ransomware attacks, up from 57% in 2024. Attackers pull sensitive data out of the plant — engineering plans, price lists, customer and employee details — and threaten to publish it unless a ransom is paid. Sometimes they even contact the breached company's customers directly to increase the pressure.
Here a critical link to regulation comes in: an organization that suffered a ransomware attack and meets the definition of a "serious data-security incident" is required to report to the Privacy Protection Authority — and is exposed to fines under Amendment 13. In other words, a single cyber incident can also become a regulatory exposure.
We expanded on this in a separate post: "Amendment 13: What Every Business Must Do, and the Fines If You Don't".
Reduce the amount of sensitive data you store (what you don't have can't be stolen), restrict who accesses what, and prepare an incident-response procedure in advance — including who reports to the Authority and when. The difference between an improvised response and a rehearsed one is the difference between a crisis and a managed event.
Risk 5: A backup that doesn't really work
This is the silent risk, and it's what determines whether an attack costs you a day or a month. Many plants are sure they have a backup — until they discover, under the pressure of an incident, that the backup was connected to the same network that was hit and got encrypted too, or that they never tested whether they could actually restore from it.
Make sure you have a backup disconnected from the network (offline / immutable) that an attacker can't encrypt. And no less important — test an actual restore, not just that the backup "ran." Whoever practices a restore once a year knows exactly how long it'll take to get back to work; whoever doesn't, finds out at the worst possible moment.
How to approach this without becoming a tech company
This list can sound intimidating, but the opposite message is the true one: most of the risks are closed with orderly steps, not huge budgets. The first step is always knowing where you stand — which systems you have, what's connected to what, and where the gaps are. That's exactly what a risk assessment gives you: a clear picture and a priority order, instead of a gut feeling.
Sources
- Check Point — Manufacturing Threat Landscape 2026 (Industrial Cyber)
- Resilience — Manufacturing cyber threats report (Cybersecurity Dive)
- Microsoft — Digital Defense Report 2025 (Hebrew)
- Techtime — Exposure of OT networks in Israel (Hebrew)
- Globes — The ransom industry and incident reporting under Amendment 13 (Hebrew)
Information is current as of the publication date. Threat trends and attack figures are updated continuously — verify against the latest publications.
This content is general information and does not constitute specific information-security advice. To assess your plant's specific exposures, a professional risk assessment is advisable.