Manufacturing Keeps Making the Same Security Mistakes

Manufacturing is the most attacked sector for the fifth year running – an unenviable title but an unsurprising one to those on the factory floor.

In the race to Industry 4.0, teams are digitizing complex legacy systems and creating an attack surface that’s growing faster than most can defend. Adding insult to injury, admins keep making the same security mistakes, thereby allowing hackers (who know there’s uptime pressure) to exploit exposed systems, steal credentials, and abuse misconfigured remote access.

Let’s take a closer look at the three biggest backdoors manufacturing is leaving open – poor patching, vulnerable identities, and siloed information and operation teams – and consider how the sector can build better defenses to move itself down the list.

See also: Smart Manufacturing Trends 2026: How AI, IoT, and Automation Are Driving Efficiency and Resilience

Another bad year for manufacturing

Last year, manufacturing accounted for more than a quarter (27%) of all cyberattacks, the highest share among industries covered in IBM’s annual threat intelligence index. The trend is unfortunate yet understandable. Year after year, manufacturing continues to evolve its connected equipment and smart factory infrastructure without properly updating its real-time posture.

This is a double-edged sword because digitization and security maturity aren’t moving in lock step. From sensors to devices and cloud integrations, consider that today’s factory floor is a far cry from yesteryear. Only recently did factories run on isolated legacy systems with no external exposure. Fast forward, and everything is now connected, unlocking visibility across production lines, AI-assisted quality control, and predictive maintenance.

It’s in the inadvertent gaps created by digital transformation that bad actors find their opening. Ironically, despite causing real damage through data theft and operational disruption, hacker entry points typically trace back to the same handful of preventable mistakes.

See also: What’s Next for Smart Factories? A Look Ahead to Industry 5.0

The consistent problem with patching

IBM reported that the most common exploitation was public-facing applications, accounting for one-third (32%) of observed cases in manufacturing. In other words, known vulnerabilities with available fixes that haven’t been applied. Malware was the weapon of choice in roughly half (45%) of incidents last year, showing that attackers are focused on operational disruption and financial extortion. This gives a good idea of the first and arguably biggest mistake that admins keep making: poor patching.

Most manufacturing teams simply aren’t plugging software holes fast enough. Adding to the double whammy of legacy infrastructure and poor ecosystem oversight, about 50,000 Common Vulnerabilities and Exposures (CVEs) were published last year. At the same time, the average time to exploit a disclosed vulnerability fell to under a day. The volume and velocity of threats are proving too difficult to manage.

Getting patching right is important for both security and production reliability. This is because outdated endpoints on a production line can introduce latency and operational risks in real-time. A compromised or outdated rugged device, for example, can disrupt a process operating within millisecond tolerances.

To be fair to manufacturers, patching is a pain point for several industries. Things like timely deployment, compatibility fears, and user resistance are common problems and understandable blockers. But, at the same time, they’re not acceptable excuses to forego good digital hygiene.

See also: How Smart Technologies are Helping Simplify Sustainability in Auto Manufacturing

Confusion over who’s connecting

Identity is also a growing attack vector (16% of cases) because hackers know that legitimate credentials effectively mask their activity.

Devices in manufacturing are often shared across shifts, handed between workers, and rarely audited between uses. A device enrolled three months ago can quickly drift from its original compliance state without access moving in kind. An essentially unseen endpoint like this (combined with weak authentication and overly permissive access) risks letting attackers in with little resistance or detection.

This is particularly concerning because, without checks and balances, credential harvesting means the attacker who gets in today can prepare to attack tomorrow. In this context, we need to offer more than multifactor authentication. Instead, identifying both the device and user (and doing a better job coupling the two) and confirming trustworthiness (across compliance status, enrollment state, and current configuration) is a must.

See also: Inside the New Wave of AI Adoption in Manufacturing

Poor detection compounded by siloed teams

Finally, attackers are finding access through remote management tools, VPNs, and remote desktop protocols, with external remote services accounting for 11% of breaches last year. These tools are usually managed by IT but reach deep into OT. Therefore, communication between the two (or lack thereof) is a problem because the two sides of the network are still operating as separate domains with their own tools, teams, and reporting lines.

Teams that remain divided along historical lines with separate dashboards only get half the picture. IT sees one thing, OT sees another, and neither sees the full attack chain. Both can miss alerts meant for the other, and attackers move laterally undetected. Due to this fragmentation, manufacturing dwell times are longer than in most sectors.

The best way to bridge this divide is by framing attacks as both security incidents and production disasters. Every minute of downtime is expensive and detrimental to delivery times and downstream partners. Done right, companies can paint attackers as the common enemy and IT/OT cooperation as key to long-term business continuity.

See also: Digital Twins Pave Way for AI-Enabled Smart Factories

How manufacturers can stop making the same mistakes

The good news is that solutions exist for each of these security pitfalls. Teams can start by taking the legwork out of patching with automation. Connecting endpoints via a centralized platform provides fleet-wide visibility and escalates those that fall out of compliance. Admins can then program patches to roll out automatically during off-peak hours, ensuring minimal downtime between updates.

Identity can and should be tightened, too. Stricter controls are a good first step, such as regularly auditing privileged accounts, removing unnecessary permissions, and monitoring for unusual login behavior. Back this up with stronger links between devices and users to reflect not just who’s connecting but whether the endpoint is compliant and safe. The same goes for baking in consistent confirmation with zero-trust access.

Meanwhile, IT and OT need greater insight into one another. For example, extended detection and response (XDR) solutions can help security teams correlate signals across both environments in real time. This helps catch lateral movement in the moment rather than discovering it after the damage is done.

Don’t let digital transformation become your downfall

The uncomfortable truth is that relatively simple backdoors – rather than sophisticated hacks – continue to be manufacturing’s weakness. If we know the principal attack vectors, there’s no excuse for leaving known vulnerabilities unaddressed and active threats unchecked. Upgrading machinery and unlocking data will be for naught if it comes with a higher likelihood of cyber breach.

This matters because manufacturing will have a target on its back for some time to come. The black-market value of operational and intellectual property data, paired with the sector’s need for uptime (which makes it more likely to pay a ransom), means attackers aren’t moving on anytime soon. This reality makes it all the more important for admins to step up. Your operations are firmly in hacker crosshairs, five years and counting, so don’t give them an inch.