Understand Manufacturing Attacks
A manufacturing cyberattack can bring your production lines to a halt, inflict millions in downtime costs, and erode stakeholder confidence. Whether it’s a ransomware infection, a supply chain compromise, or a business email compromise (BEC), you need clear insight into the threat landscape before you can defend your operations. As you refine your IT strategy, recognizing how attackers target operational technology (OT) and information technology (IT) will help you lock down weak points and build a resilient posture.
Rising Threat Landscape
Manufacturing has become a prime target for cybercriminals. In 2023, the sector ranked as the third-most targeted industry for ransomware and fourth-most for BEC incidents, with the median ransom demand at $500,000 USD. By 2025, manufacturing accounted for 22 percent of 4,853 attacks where sector attribution was possible, according to the Bitsight TRACE report. Threat actor activity surged 71 percent between 2024 and Q1 2025, driven by:
- Supply chain attacks through third-party vendors
- Phishing campaigns as the initial infection vector in over 90 percent of incidents
- Exploits in open-source components widely used in production software
Unique OT Vulnerabilities
Your OT environment often relies on legacy controllers and unpatched hardware that were never designed with security in mind. Historic attacks like Stuxnet in 2010 and Triton in 2017 showed how sabotage at the PLC level can cause physical damage and even threaten human safety. Without proper segmentation between IT and OT, attackers who gain a foothold on corporate networks can move laterally into critical systems, encrypt files, or disable safety mechanisms, leaving you with massive remediation costs and operational disruption.
Assess Two Major Breaches
Examining real-world incidents can reveal the single misstep that often turns a recoverable event into a crisis.
Clorox Supply Chain Attack
In 2023, Clorox experienced a crippling ransomware attack that disrupted its supply chain for weeks. The breach shut down production lines, leading to a 20 percent decline in sales and an estimated $356 million USD loss due to operational downtime and remediation costs. Attackers leveraged sophisticated credential theft followed by lateral movement into OT systems, highlighting gaps in network visibility and access controls.
Norsk Hydro Ransomware Impact
Norsk Hydro’s 2019 LockerGoga incident forced plants across Europe and North America to switch to manual workflows after attackers encrypted critical files. Opting not to pay a ransom of approximately $70 million USD, the company faced weeks of slower, error-prone operations before regaining full control. Lack of network segmentation allowed the malware to spread unchecked from IT into OT environments, underscoring the importance of clear boundaries between those domains.
Identify the Critical Misstep
In both Clorox and Norsk Hydro, the same oversight proved most damaging: insufficient segmentation between IT and OT networks. When you treat your production floor as part of the corporate LAN, you risk exposing critical controls to threats that originate in email phishing or partner portals.
Ignored Network Segmentation
By default, many manufacturers connect SCADA, PLC, and other OT gear to the same switches or VLANs used for desktops and servers. That simplifies management but removes any barrier against lateral movement once an attacker breaches corporate defenses. Without segmentation:
- Malware can spread from a compromised workstation to PLCs
- Attackers can exfiltrate IP or blueprints directly from OT archives
- Recovery efforts become more complex as cross-domain dependencies multiply
Consequences of Lateral Movement
Once ransomware or an intruder jumps from IT into OT, you face multiple challenges:
- Expanded scope of remediation, including both network and control systems
- Longer downtime because safety checks and overrides that were automated must now be carried out by hand
- Higher ransom demands reflecting the critical nature of encrypted systems
Your incident response costs can balloon into the tens or hundreds of millions, as seen in both high-profile cases. Preventing that jump is the single most effective way to limit blast radius.
Harden Your Network Segmentation
Segmenting IT and OT isn’t a one-off project. It’s an ongoing process that combines policy, architecture, and technology. Here’s how you close the gap.
Segment IT and OT
Design your network so that corporate services and production controls live in separate zones. Use firewalls and jump servers to mediate necessary traffic. This approach aligns with IT vs OT security best practices and ensures that:
- Only explicitly approved protocols traverse between zones
- Monitoring tools in each domain catch anomalies before they spread
- Change controls govern any configuration updates
Apply Multi-Factor Authentication
Credential theft is the entry point for most attacks. Implement MFA everywhere, but especially on:
- Administrative interfaces for PLCs and SCADA systems
- Remote access portals used by third-party vendors
- VPN or jump server logins
MFA platforms that rotate one-time codes frequently, rather than on a fixed 40-second interval, shrink the window in which an intercepted code is still valid, protecting your environments from stolen or replayed tokens.
Enforce Access Controls
A zero-trust mentality reduces unnecessary privileges and clarifies ownership:
- Adhere to least-privilege for all user accounts, service accounts, and vendor logins
- Rotate credentials on a strict schedule and retire unused accounts promptly
- Audit access logs regularly to spot unusual patterns
Combining these controls with clear segmentation keeps attackers from moving freely after an initial breach.
Strengthen Incident Response
No defense is foolproof. When an attack occurs, you need a plan that lets you contain and recover quickly. Focus on the first 48 hours, when decisions shape your entire response.
Prepare First 48 Hours
The initial actions determine how far an incident will spread. Your playbook should include:
- Isolation protocols for affected segments
- Backup verification and recovery sequencing
- Communication guidelines for stakeholders and vendors
For detailed guidance on rapid containment, see our first 48 hours ransomware resource.
Train Your Teams
Human error often accelerates a breach. Regular exercises and tabletop drills help your IT and OT operators:
- Recognize phishing attempts linked to an email ransomware breach
- Follow escalation paths without hesitation
- Validate that backups and recovery tools work as intended
When staff know their roles, you reduce confusion and speed up decision making under pressure.
Monitor and Test Continuously
Building segmentation and planning response is not a set-and-forget activity. Attack techniques evolve, and so must your defenses.
Conduct Vulnerability Assessments
Schedule periodic reviews to uncover:
- Unpatched firmware on OT devices
- Misconfigured firewalls or jump servers
- Default credentials still in use
Treat the results as actionable tickets, and prioritize fixes based on potential impact to production.
Implement Threat Detection
Deploy visibility tools that span both IT and OT zones:
- SIEM solutions that ingest logs from PLCs, SCADA, and network devices
- Anomaly detection to flag unusual traffic between zones
- Endpoint monitoring on critical servers and workstations
Early detection of lateral movement or data exfiltration can avert a full-scale crisis.
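The segmentation rule above ("only explicitly approved protocols traverse between zones", mediated by a jump server) and the detection goal here ("flag unusual traffic between zones") are two sides of the same policy. The following is an added example, not code from the original article or any vendor: it encodes an IT/DMZ/OT allowlist and runs constructed firewall flow records through it, reporting every cross-zone flow the policy does not permit. The zone ranges, the jump-server address, the host names and the log format are all assumptions made for the illustration; the port numbers (RDP 3389, Modbus/TCP 502, SSH 22, syslog 514) are the standard ones.

```python
"""Zone-aware review of cross-boundary flows (added example, not from the article)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed zone layout: corporate IT, a DMZ holding the jump server, and the OT cell.
ZONES = {
    "IT": ip_network("10.10.0.0/16"),
    "DMZ": ip_network("10.20.0.0/24"),
    "OT": ip_network("192.168.100.0/24"),
}
JUMP_SERVER = ip_address("10.20.0.5")  # assumed jump host living in the DMZ

# Explicit allowlist: (src zone, dst zone, proto, dst port) -> required source host.
# None means any host in the source zone. Anything not listed is a violation.
ALLOWED = {
    ("IT", "DMZ", "tcp", 3389): None,         # operators RDP to the jump server only
    ("DMZ", "OT", "tcp", 502): JUMP_SERVER,   # jump server polls PLCs over Modbus/TCP
    ("DMZ", "OT", "tcp", 22): JUMP_SERVER,    # jump server manages OT hosts over SSH
    ("OT", "DMZ", "udp", 514): None,          # OT devices ship syslog to a DMZ collector
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or UNKNOWN if it is outside every zone."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNKNOWN"


def evaluate(flow: Flow) -> str:
    """Return 'allow', or a short reason the flow violates the segmentation policy."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow"  # intra-zone traffic is outside the boundary policy's scope
    if "UNKNOWN" in (src_zone, dst_zone):
        return "deny: address outside every defined zone"
    if {src_zone, dst_zone} == {"IT", "OT"}:
        return "deny: direct IT/OT path, traffic must be mediated by the jump server"
    key = (src_zone, dst_zone, flow.proto, flow.dport)
    if key not in ALLOWED:
        return f"deny: {flow.proto}/{flow.dport} not approved for {src_zone}->{dst_zone}"
    required_src = ALLOWED[key]
    if required_src is not None and ip_address(flow.src) != required_src:
        return f"deny: source {flow.src} is not the approved jump server"
    return "allow"


def parse_flow(line: str) -> Flow:
    """Parse one line of the assumed 'ts key=value ...' flow log format."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Flow(ts, kv["src"], kv["dst"], kv["proto"].lower(), int(kv["dport"]))


def review(lines):
    """Return (ts, src, dst, reason) for every flow the policy does not allow."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        flow = parse_flow(line)
        verdict = evaluate(flow)
        if verdict != "allow":
            findings.append((flow.ts, flow.src, flow.dst, verdict))
    return findings


# Constructed sample log: two approved flows, one direct IT->OT attempt, one
# Modbus poll from a non-jump DMZ host, one OT->IT SMB flow, one approved syslog flow.
SAMPLE_LOG = """\
2025-03-01T08:00:01Z src=10.10.5.23 dst=10.20.0.5 proto=tcp dport=3389
2025-03-01T08:00:09Z src=10.20.0.5 dst=192.168.100.12 proto=tcp dport=502
2025-03-01T08:01:30Z src=10.10.5.23 dst=192.168.100.12 proto=tcp dport=502
2025-03-01T08:02:11Z src=10.20.0.9 dst=192.168.100.12 proto=tcp dport=502
2025-03-01T08:03:45Z src=192.168.100.40 dst=10.10.7.7 proto=tcp dport=445
2025-03-01T08:04:02Z src=192.168.100.40 dst=10.20.0.50 proto=udp dport=514
"""

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(*finding)
```

Run against the sample log, the review flags three flows: the workstation reaching a PLC directly, the Modbus poll from a DMZ host that is not the jump server, and the OT device opening SMB toward the IT zone. The same allowlist that drives the review is the one the boundary firewall should enforce, so drift between what the firewall permits and what the SIEM considers normal shows up as findings rather than as silent gaps.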
Measure ROI and Impact
You need to justify your investments in segmentation and response. Focus on metrics that matter to leadership.
Track Operational Uptime
Compare your mean time to recovery (MTTR) before and after security initiatives. Even a 10 percent reduction in downtime can translate to millions saved, given that car makers may lose up to $22,000 per minute of halted production.
Review Response Metrics
Gauge the effectiveness of your incident playbook by measuring:
- Time from detection to containment
- Number of compromised systems per incident
- Frequency of tabletop drill participation
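To make these metrics concrete, here is an added example (not from the original article) that computes detection-to-containment time and the number of distinct compromised systems for each incident, then compares median detection-to-recovery time (MTTR) before and after a segmentation rollout. The incident records, their field names and all timestamps are constructed for the illustration.

```python
"""Incident response metrics from incident records (added example, not from the article)."""
from datetime import datetime, timezone
from statistics import median

# Constructed incident records: id, phase relative to the segmentation project,
# timestamped milestones, and the hosts confirmed compromised (duplicates possible).
INCIDENTS = [
    {"id": "INC-001", "phase": "before",
     "detected": "2024-02-03T09:12:00Z", "contained": "2024-02-03T15:40:00Z",
     "recovered": "2024-02-06T09:12:00Z",
     "compromised_hosts": ["ws-0142", "ws-0151", "fs-01", "hmi-line2", "plc-line2-a"]},
    {"id": "INC-002", "phase": "before",
     "detected": "2024-05-17T22:05:00Z", "contained": "2024-05-18T06:30:00Z",
     "recovered": "2024-05-20T22:05:00Z",
     "compromised_hosts": ["ws-0203", "ws-0204", "ws-0203", "dc-02"]},  # ws-0203 listed twice
    {"id": "INC-003", "phase": "after",
     "detected": "2025-01-09T11:00:00Z", "contained": "2025-01-09T12:25:00Z",
     "recovered": "2025-01-10T11:00:00Z",
     "compromised_hosts": ["ws-0311"]},
    {"id": "INC-004", "phase": "after",
     "detected": "2025-03-22T03:14:00Z", "contained": "2025-03-22T04:00:00Z",
     "recovered": "2025-03-22T15:14:00Z",
     "compromised_hosts": ["ws-0402", "ws-0407"]},
]


def _ts(stamp: str) -> datetime:
    """Parse the assumed UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamp format."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def minutes_between(start: str, end: str) -> float:
    return (_ts(end) - _ts(start)).total_seconds() / 60


def detection_to_containment(incident) -> float:
    """Minutes from first detection to containment of the incident."""
    return minutes_between(incident["detected"], incident["contained"])


def compromised_count(incident) -> int:
    """Distinct compromised systems; duplicate host entries are counted once."""
    return len(set(incident["compromised_hosts"]))


def mttr_hours(incidents, phase: str) -> float:
    """Median detection-to-recovery time, in hours, for incidents in the given phase."""
    durations = [minutes_between(i["detected"], i["recovered"]) / 60
                 for i in incidents if i["phase"] == phase]
    return median(durations)


def downtime_reduction_percent(incidents) -> float:
    """Relative MTTR improvement of the 'after' phase over the 'before' phase."""
    before, after = mttr_hours(incidents, "before"), mttr_hours(incidents, "after")
    return (before - after) / before * 100


def summarize(incidents):
    return {
        "containment_minutes": {i["id"]: detection_to_containment(i) for i in incidents},
        "compromised_hosts": {i["id"]: compromised_count(i) for i in incidents},
        "mttr_hours_before": mttr_hours(incidents, "before"),
        "mttr_hours_after": mttr_hours(incidents, "after"),
        "downtime_reduction_percent": downtime_reduction_percent(incidents),
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

Medians rather than means keep one unusually long recovery from dominating the comparison, and deduplicating the host list avoids inflating "systems per incident" when the same machine appears in several tickets. The reduction figure is the number to pair with the per-minute cost of halted production when presenting the result to leadership.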
When you link security outcomes to business resilience, your next budget conversation becomes easier to defend.
Summing Up Key Takeaways
Manufacturing cyberattacks exploit the smallest misstep in your network architecture. When you treat IT and OT as part of a single flat network, you give attackers a free path to critical controls. Clorox and Norsk Hydro paid the price in lost revenue, manual operations, and brand reputation. By segmenting networks, enforcing multi-factor authentication, and sharpening your incident response, you ensure that if a breach occurs, it remains contained and your operations stay resilient.
Need Help With Incident Response?
Need help with incident response challenges? We help you design robust segmentation, craft rapid containment playbooks, and select the right providers to secure both your IT and OT environments. Whether you’re modernizing your defenses or auditing existing controls, our team guides you through every step. Contact us today to defend your operations and build confidence in your cyber resilience.