The numbers are difficult to ignore. According to IBM's 2026 X-Force Threat Intelligence Index, manufacturing accounted for 27.7 percent of all cyberattacks tracked across industries in 2025, the highest share of any sector, and the fifth consecutive year the industry has held that unwanted distinction.
For anyone working in industrial operations, plant management, or the broader manufacturing supply chain, that statistic warrants serious attention. But the more important question isn't just why manufacturers are being targeted. It's what, exactly, is at risk, and whether the industry's current security posture is adequate to protect it.
Interconnected Systems, Interconnected Risk
Exploitation of public-facing applications was the most common vector for breaching manufacturing environments in 2025, according to the IBM data. While this is driven in part by missing authentication controls, attackers are also exploiting vulnerabilities to gain initial access.
We’re likely to see this trend continue. With AI at their fingertips, attackers can identify and exploit weaknesses faster than organizations can patch them.
That last point deserves emphasis. AI is changing the economics of attack. Reconnaissance that once took weeks can now happen in hours. The defenders' traditional advantage, that attackers had to find the one vulnerability while defenders only had to patch it, is eroding. And manufacturers, with large estates of aging embedded software and OT systems that can't easily be patched or replaced mid-production, are exposed.
The Software Problem at the Heart of OT Security
To understand why manufacturing systems are so vulnerable, you have to look at the software that runs them. Much of the code embedded in industrial controllers, sensors, and edge computing devices is written in C and C++, programming languages that offer performance advantages but are what the security community calls “memory unsafe.”
Memory safety vulnerabilities account for somewhere between 40 and 70 percent of all exploitable flaws in embedded systems, depending on the codebase. That’s a staggering concentration of risk in a single category. The challenge for manufacturers is compounded by the fact that many of these systems weren't designed with network connectivity in mind. The threat model was different, and the software reflects that.
The software supply chain adds another layer of complexity. Modern manufacturing environments incorporate components from software written in-house as well as dozens of third-party and open source components.
The IBM report found that large supply chains and third-party compromises have nearly quadrupled over the past five years, as attackers target environments where software is assembled and deployed. A vulnerability in a single shared library or embedded component can have downstream effects across many systems and many facilities, often before anyone realizes the risk is present.
What's Actually at Stake
When we talk about cybersecurity risk in manufacturing, it's worth being specific about what a successful attack can do. At the lower end, there is data theft, the most commonly observed outcome in the IBM data, including intellectual property, production specifications, supplier contracts, and customer information.
These are costly, but recoverable.
More serious is operational disruption. For example, a ransomware attack on a manufacturing facility can halt production lines, idle workers, delay deliveries, and create safety hazards when systems fail unexpectedly. Active ransomware and extortion groups increased by 49 percent in 2025, according to IBM's data, and manufacturing's combination of operational urgency and aging infrastructure makes it an attractive target for exactly this kind of pressure.
Additionally, nation-state actors regularly look for vulnerabilities in ICS/OT environments and software to pre-position for future attacks. In the case of conflict, the ability to directly manipulate physical processes, like adjusting temperatures, pressures, speeds, or other parameters, can be used as leverage. Documented attacks on industrial infrastructure show that adversaries with sufficient access and motivation can cause real-world physical harm.
What to Do About Vulnerable Software in ICS/OT
To shore up industrial software, we need to start at the beginning. That means building security into the software development lifecycle from the beginning rather than adding controls after systems are already deployed.
It also means taking software supply chain security seriously and maintaining visibility into third-party and open source components in software. Software Bills of Materials (SBOMs) are an important tool here, enabling organizations to understand exactly what is running in their environments and to match those components against known vulnerability databases.
It also means addressing the memory safety problem at scale without assuming that rewriting legacy codebases is a practical near-term option. For most manufacturing organizations, that is simply not realistic given timelines, costs, and technical dependencies.
There are, however, techniques that can eliminate entire classes of memory vulnerabilities at runtime without requiring a single line of code to be rewritten and without adding runtime overhead that would affect system performance. In operational technology environments where even small performance impacts can be unacceptable, this matters.
Of course, AI-driven exploit development needs to be considered as well. The window between a vulnerability disclosure and active exploitation is narrowing. Organizations that rely on quarterly or even monthly patching cycles, without compensating controls in place, are taking on increasing risk.
Security and Operations Are No Longer Separate Conversations
When production equipment runs on networked software, when ICS and SCADA systems communicate with enterprise platforms, and when supply chain integrations create trust relationships between dozens of organizations, security becomes an operational question as much as a technical one.
The IBM findings are a clear signal that adversaries understand this. They are targeting manufacturers not despite their operational complexity but because of it. Systems with long software lifecycles, limited patching windows, and critical real-time requirements are attractive targets precisely because they are harder to defend using conventional approaches.
Tools and approaches to address these risks have matured considerably. The question for manufacturing leaders is whether the urgency of the threat, now in its fifth consecutive year at the top of IBM's sector rankings, is sufficient to drive the investment and organizational change that a serious security posture requires. The data suggests it should be.
Joe Saunders is Founder & CEO of RunSafe Security.
