Cyberattack magnet? Unyielding threats plague the industrial sector

06 June 2025

Authors

Limor Kessem

X-Force Cyber Crisis Management Global Lead

IBM

Most wanted, most targeted

Those reading annual security and threat intelligence reports often look to attack statistics and threat actor tactics to gauge their own organization’s risk factors. One of those statistics reflects an ongoing trend that one would not have expected a mere 5 years ago: the focus attackers place on the industrial sector, rather than the typical bullseye on the financial industry. In the past 4+ years, manufacturers and industrial organizations more generally have remained at the top of a gloomy list of the most targeted sectors facing cyberattacks and security incidents. Further supporting this startling statistic is the fact that out of all industrial sector attacks, 70% of incidents that X-Force responded to in 2024 involved critical infrastructure organizations.

This was not always the case for manufacturers and industrial firms. Reports dating back a few years were rather predictable, featuring the finance industry in the top position year after year. It was not until around 2020-2021, at the height of the COVID pandemic, that a significant shift in attacker preferences put the industrial sector in the crosshairs of a nefarious variety of threat actor categories, from nation-state-sponsored groups who are after intellectual property and innovation, to organized cybercrime and even lower-grade con-artist fraudsters working in smaller factions. Each has found its place in the threat landscape that targets industrial organizations of all types.

In terms of financial impact, IBM’s Cost of a Data Breach Report 2024 reported that the industrial sector experienced the costliest increase of data breaches of any industry, rising by an average of USD 30,000 per breach over the previous reporting period.

Why manufacturers, why now?

Targeting manufacturers and industrial organizations more generally has notoriously been the focus of adversarial nation-state attackers. For many years, these threat actors focused on attempts to generate kinetic consequences by attacking industrial controls and the systems that manage them operationally. There has been phishing and even Business Email Compromise (BEC) fraud, but the extent of those attacks on the manufacturing sector has not managed to surpass the influx of incidents experienced by the financial sector.

It was around the COVID pandemic (late 2020), as the entire world was still in the throes of dealing with an unexpected crisis, that industrial organizations moved to the center stage in several ways.

  • First, these organizations were critical to moving goods that everyone suddenly needed, like masks, hand sanitizers, and gloves.
  • They also had to now distribute goods in a world that was limiting movement for fear of spreading disease, forcing them to look at alternative partners and routing options, and thereby diluting the trust they had established in their existing supply chains.
  • More critically, manufacturers that were part of helping the world get vaccinated had to facilitate the production and distribution of the COVID-19 vaccine. Communications, coordination, and distribution channels all became the targets of cyber attackers of varying motivations and sophistication levels.

The ongoing turmoil and global confusion were exactly what attackers needed to double down on targeting a sector in a state of emergency. One of the more interesting attacks at the time was discovered by IBM X-Force when nation-state threat actors attempted to compromise the vaccine’s cold chain.

That focus on the industrial sector appears to hold true, so let’s review some other factors that could be making attackers take aim at global manufacturers:

  • Many industrial organizations are highly innovative technologically, but can lag in security. Many in the sector hold priceless intellectual property, trade secrets and valuable data that attackers can profit from, at a relatively low price in terms of the effort they have to put in to carry out a successful attack.
  • The attack surface is vast and varied, with both OT and IT entry points. The continued digitization of these environments, the addition of ML, AI and robotics, and the connection of them across networks add more layers that attackers can target to find a way in.
  • Hiring the right expertise and enacting incident response planning across IT and OT environments can be challenging, leaving security teams understaffed and unprepared.
  • In many cases, industrial organizations are less focused on training teams how to spot fraudulent activity, but this aspect is especially important in departments that pay out large amounts of money for raw materials coming from other countries.

There is no lack of motivation. What are some ways by which attackers gain initial footholds?

Outdated systems, slow patching cycles vs. malware and ransomware

X-Force’s 2025 Threat Intelligence Index reports that more than 25% of incidents impacting the industrial sector exploited some type of vulnerability. Vulnerabilities in the Industrial Control Systems (ICS) realm are growing in number, and exploits for them are becoming easier to obtain. In 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released 370 advisories warning organizations about ICS vulnerabilities to watch for, and by the end of 2024, that number had risen 14% to 422 advisories. The rise shows that the ICS attack surface continues to grow, providing attackers with more opportunities to compromise vulnerable environments. On dark web forums, hackers openly trade relevant exploits, fueling a growing market of tools that can work against power grids, healthcare networks, and industrial systems.

X-Force’s analysis further reports an enduring challenge: attackers encounter very little resistance, because outdated systems and slow patching cycles make industrial organizations even more vulnerable and easier to breach.

Once attackers had found a way in, they deployed malware in 40% of the incidents that X-Force responded to in 2024, with ransomware being the malware of choice and occurring in 30% of malware deployments. In environments that are extremely sensitive to unexpected disruption and prolonged downtime, these types of attacks can be very costly and have a long tail of costs in the shape of legal, regulatory, and reputational impacts. Drawing on actual attacks that organizations dealt with in 2024, IBM’s Cost of a Data Breach report found that average breach costs were indeed higher when business disruption was greater, increasing costs by an average of about 8% for those who reported significant disruption.

Shallow awareness meets deepfakes – newer threats don’t wait

On top of the existing and already severe threats to organizations in the industrial sector, new and emerging threats are also joining an attacker’s arsenal. Those trying to catch up with existing security awareness will have to bring employees and leadership up to speed on more novel threats as well. One of those rising issues is deepfakes, used by attackers to facilitate fraud, extortion, theft of intellectual property, and the theft of millions of dollars at a time from those who fall prey to this sophisticated threat.

In a recent study by the Ponemon Institute, researchers asked about the ability to detect a deepfake. Respondents stated that their visibility into erroneous activity is poor, and they have low confidence that an executive could identify a deepfake attack that has targeted or is targeting them. In their current state, industrial organizations must be watchful of deepfake attacks, which are picking up momentum in the wild and enhancing social engineering attempts. Think of voice clones, fake videos, and even fake live video conferences that are harder to discern than other types of social engineering attacks.

These attacks, and more to come in a booming AI era, are only some of the emerging threats that require catching up quickly and effectively, or risk serious consequences that can make an impact to the point of forcing companies out of business.

Industrial sector: Shields up!

With the industrial sector seeing more attacks than it has before, these organizations must continue maturing their security programs on several fronts to better protect operational continuity, health and safety, and important data that attackers often seek out:

   

1. Secure by design

While many CISOs repeatedly speak to this concept, many run into common implementation hurdles that may include an organizational culture that is less receptive to change, actual integration challenges, and a dearth of resources and expertise. Reckoning with these challenges is not always easy but yields benefits over time. Adopting Secure by Design (SbD) is paramount for major manufacturers aiming to safeguard legacy systems while fostering innovative projects. SbD integrates security into the core of your technological infrastructure and processes from the initial stages of product development, rather than being an afterthought.

2. Security awareness

Human error remains one of the most significant causes of security breaches. Employees who receive little to no training on security risks that could very well be targeting them may unknowingly expose the company to threats through phishing scams, weak passwords, or mismanagement of sensitive data. Conversely, a security-conscious workforce acts as an additional layer of defense, complementing technical security measures. Employees can better recognize suspicious activities, report incidents promptly, and adhere to established security protocols, thereby minimizing the risk of data leakage or system compromise.

For industrial organizations, training all employees can be more challenging since not all employees may have equal access to computers or high-speed internet for e-learning platforms. For employees not working on computers, the challenge is to deliver security awareness without relying on digital platforms. This may involve face-to-face training sessions, workshops, or printed materials tailored to their specific roles and responsibilities.

Role-based training for your executive team is where security awareness meets the higher risk zone. Executives often have privileged access to sensitive information and decision-making capabilities. They should be well-versed in recognizing and responding to security incidents that could impact the company's reputation or financial stability, especially in an era where what you see is not necessarily what you get.

3. Cover more bases with incident response

While some organizations have created incident response plans for their IT environments, not many have thought about OT response flows. Industrial enterprises, especially those with dispersed facilities such as factories, can find themselves fighting cyberattacks locally, effectively turning an incident into a crisis cell of sorts, and having to rely on their own local or regional staff and plans.

Extending the security team’s incident response planning to the plants and ensuring that they have crisis management playbooks is a critical step in mitigating the risks of extended disruption by cyberattacks. Planning allows teams to think together about how they can collaborate to report and solve issues on the technical level and on the business aspects that are bound to be part of any major cyberattack.

Standardizing plans across all facilities in your organization holds significant importance as it builds a rapid escalation process everyone follows. Response uniformity allows headquarters to better support local plants/offices and deploy resources effectively. Furthermore, unifying messages internally and to external parties prevents communication breakdowns and errors, and ultimately, the executive team can better orchestrate a response to detrimental events.

4. Train like you fight

What if you could train your team to recognize deepfakes, or at least know what to do if they have fallen for one? How will your organization work together during a ransomware attack? What will your team do in the case of a major data breach?

Training and drilling response plans gives everyone in the company an opportunity to review their role, create some muscle memory and gain confidence by knowing what they need to (and can) do in case of a major incident. Drills also provide an opportunity to identify gaps in your incident response plans or procedures. By observing the team's actions, you can pinpoint areas needing improvement or clarification. By repeatedly going through response procedures, team members become less likely to panic in real incidents, and this calmness leads to more rational, effective decision-making.

Holding regular drills that include the main response tiers in the overall organization raises awareness of the risks and impacts you will face during cyberattacks. It proves to senior management that incident readiness and response are a priority as part of managing business risk overall. This commitment can boost morale and engagement, all while checking the box for compliance and even cyber insurance prerequisites. Drills, exercises and tabletops are no less than a key component of a robust and adaptive security strategy.

Conclusion

When it comes to cyber threats, you can’t always predict when attacks will occur, but you can prepare. Responding to a cyber incident is a business-wide responsibility. Your entire organization should be prepared to react with speed, agility, and common purpose. This is true for any organization, but even more so in the industrial sector, where companies must rethink defense and response strategies, especially to major incidents and cyber-related crises.

If your organization is thinking about creating better response plans, integrating workstreams, standardizing response methodologies and creating a training calendar, X-Force can help. Reach out to us today to explore how we can best help you mature your organization’s response capabilities, raise awareness among your C-suite/Board, and train your teams to face cyberattacks with preparedness and confidence.
