Many manufacturing plants depend on OT systems that stay in service for many years. That long run can hide significant cybersecurity risks.
17 Jun 2026
•
,
5 min. read
In a manufacturing plant built around uptime, a machine that has run the same physical process for years with barely a hiccup earns something less commonly discussed than a track record of throughput: institutional trust. Over time, such quiet reliability has a way of making a certain kind of scrutiny feel unnecessary, to the point that the equipment might become a security blind spot.
For a long time, there was a logic to ‘leaving well enough alone.’ Much of the operational technology (OT) in manufacturing was designed to keep the physical process stable, and once the production line worked, the sensible move was to keep the equipment in good shape so that it could continue to do its job.
Over the years, however, the ground beneath the machine has shifted, and the equipment least amenable to change now often needs the most protection around it. Many manufacturing environments today face burning questions, including: who can touch the equipment from the network, how vulnerable are the systems that the machines depend on, and has the old bargain – don’t touch it if it works – become part of the risk?
Aging out?
Two or three decades ago, few in manufacturing lost sleep over internet-borne attacks. The threat either didn’t exist or was confined to a handful of nation-state targets. The fact that the industrial protocols had no security baked in didn’t matter much – the machines were isolated from IT and nothing untrusted could reach them. They simply worked, and there wasn’t a compelling reason to touch them.
Until there was. The ‘marriage’ of IT and OT, a hallmark of digitization and Industry 4.0, changed the equation as industrial control systems (ICS) were connected to networks that those systems were never designed for. Of course, connecting production systems to enterprise networks delivers tangible benefits, but the security implications – that systems once safe were suddenly no longer so – arrived more quietly. The various security shortcomings – including weak authentication, limited logging, insecure defaults, and update processes that may require costly downtimes – suddenly became liabilities.
According to the SANS Institute, almost 60% of OT attacks across various industries are believed to stem from compromises in corporate IT environments. Furthermore, the institute’s recent survey found that 22% of organizations in essential industries reported a cybersecurity incident over the past year, with 40% of the events causing operational disruption and nearly 20% taking over a month to remediate.
The severity of the threat ultimately revealed itself with damaging cyberattacks, such as the one that hit Jaguar Land Rover in 2025 and is now thought to be the most damaging cyberattack in British history. Additionally, since supply chains run on tight schedules and little-to-no tolerance for error, halting a supplier with just-in-time delivery commitments spawns a full-blown production crisis that engulfs a long list of other companies.
The cost of touching a running line
Interrupting a running production line to upgrade infrastructure with no obvious operational problems is generally a hard sell. The assets are too deeply embedded in the physical process; indeed, they’re often trapped in what the world’s top cybersecurity agencies aptly call ‘self-established obsolescence.’
Meanwhile, ransomware gangs that started paying serious attention to manufacturing found an attack surface that had been expanding for years without corresponding security investments. Causing damage that impacts an operational environment is also different from a pure IT breach. Ransomware operators, some of whom are developing dedicated OT capabilities, understand this math and calibrate their demands accordingly. Sometimes, infiltrating enterprise IT and letting the dependencies do the rest is enough.
To be sure, the business equation is shifting, albeit often from the outside in. Supplier contracts increasingly contain security-related provisions while cyber-insurers require evidence of security controls, to the point that organizations that can’t provide it have to swallow steep premiums or are left without coverage. Regulatory requirements are also tightening across a number of jurisdictions; for example, NIS2 imposes stricter cybersecurity requirements for Europe’s critical industries while the broad regulatory environment in the US also mandates specific actions that drive security maturity in critical industries.
Top cyberthreats up close
Few security vendors have been as close to threats facing critical infrastructure as ESET. Over the years, its threat research team has peered inside some of the most significant incidents on record – including BlackEnergy that triggered a 4–6 hour power outage for 230,000 people in Ukraine in 2015, its successor, GreyEnergy, and Industroyer, the highly customizable malware that speaks several industrial communication protocols used in critical infrastructure systems worldwide and caused a blackout in Kyiv in 2016. In 2022, ESET researchers also identified Industroyer2, which took aim at Ukraine’s energy infrastructure again. In addition, ESET’s analysis of NotPetya documented how an attack with no specific OT target can still devastate organizations running operational technology at scale, including manufacturers.
(Re)building security around your critical equipment
Naturally, you can’t protect what you can’t see, and proper asset visibility remains the foundation of any self-respecting risk mitigation strategy. Start by mapping which systems in an environment are connected and have no security coverage, where IT and OT networks intersect, which segments are unmonitored, and which production systems have fallen outside any vendor support agreement. Given the complexity of cyber-physical systems, there clearly isn’t any one-size-fits-all approach to asset inventory and other tasks.
Actual deployment architecture also needs to be resolved early. Whether by design or due to customer contracts, regulatory obligations or other reasons, some manufacturing environments operate under air-gap requirements. Security platforms built primarily around cloud connectivity may not, therefore, fit the requirements or the budget.
Meanwhile, off-the-peg security tools often don’t efficiently meet the enterprise requirements in legacy OT systems that run on older hardware and outdated operating system versions. The tools need to be stable and unobtrusive enough to run on constrained systems without affecting production. Network protection, for its part, earns its keep on equipment that can’t run any security agent at all, which in most manufacturing environments is by no means an edge case.
Long-term support addresses what the other layers can’t fully close. When an ICS vendor ends development on a platform version, updates eventually stop. The production systems running that version continue to operate for years, accumulating exposure to more threats. Support commitments that outlast the original vendor’s support window are the cybersecurity equivalent of signing a long-term parts agreement for a car discontinued years ago. The machine stays ‘roadworthy.’
Built to run for years
Manufacturing has a long history of engineering its way out of crises. It’s also learned a number of hard lessons, including that ignoring a known problem tends to shift – and often multiply – the cost attached to it. The cyberthreat to OT infrastructure is now well-documented, and the tools to tackle it exist. In this industry, this should be enough to get things moving – and, ultimately, build cyber-resilience into the industry’s operations.
