Why Is Manufacturing the Most Targeted Sector for OT Cyber Attacks?


Manufacturing has become the most targeted industrial sector for cyber attacks. Not because of a single defining weakness, but because of how modern production environments operate. For manufacturing cybersecurity teams, that risk is shaped by environments that are highly connected, tightly integrated, and dependent on systems that cannot be easily taken offline.

Across these environments, systems are closely intertwined; vendors and partners maintain persistent access, and disruptions carry immediate operational consequences. These characteristics create conditions that adversaries can reliably exploit.

The 2026 Dragos OT/ICS Cybersecurity Year in Review, based on insights from across the Dragos Intelligence Fabric, documents what manufacturing cybersecurity risks look like in practice and where the defensive gaps are widest. From that, what emerges is a consistent pattern of intrusion pathways and operational impacts that repeat across manufacturing environments.

Manufacturing accounted for more than two-thirds of all ransomware victims across industrial organizations in 2025. Dragos tracked 119 ransomware groups targeting industrial organizations, a roughly 49 percent increase from 2024, collectively impacting more than 3,300 organizations. That’s nearly twice the number of attacks in the previous year.

Still, the numbers alone understate the problem. A persistent and significant issue is that ransomware incidents affecting manufacturing OT environments are routinely misclassified as IT only. Responders identify a Windows operating system and classify the incident without recognizing the affected system was hosting SCADA software or functioning as an engineering workstation. The OT impact goes unrecognized.

What the report makes clear is that ransomware does not need to touch a PLC or field device to stop production. In 2025, Dragos consistently observed affiliates using valid credentials and compromised remote access to reach VMware ESXi hypervisors hosting SCADA, HMI, historian, and engineering workloads. Encrypting the virtualization layer immediately removed operator visibility and control. The results, including Loss of View, Loss of Control, and multi-day production outages, occurred without any interaction with industrial protocols.

How adversaries gain access is consistent: stolen credentials, compromised remote access, and weak segmentation between IT and OT. Ransomware groups do not need sophisticated ICS knowledge. They need access and a flat network.

The reason ransomware propagates so quickly in manufacturing is architecture. Shared IT and OT domains, where enterprise IT networks and operational technology environments are not meaningfully separated, were identified in nearly half of manufacturing assessments. That is the highest of any sector, and more than three times the rate seen in oil and gas and electric environments.

Shared domains create direct pathways between corporate IT and production systems. When ransomware or an adversary compromises the IT network, it can propagate into OT with minimal resistance. There are no effective barriers once access is established.

Beyond ransomware, AZURITE, a newly designated Stage 2 threat group, is actively targeting manufacturing engineering workstations to exfiltrate alarm data, configuration files, process information, and operator credentials. AZURITE is not disrupting operations today. Its assessed intent is to collect OT intelligence that supports developing OT attack capability. Manufacturing’s integrated architecture gives AZURITE exactly the access it needs.

Thirty percent of Dragos incident response cases in 2025 began not with a detected intrusion but with someone saying, “something seems wrong.” In the majority of those cases, the data needed to determine whether a cyber event had occurred had never been collected. OT network telemetry is transient. If it is not recorded, it is gone.

Manufacturing has a particularly acute version of this problem. In 56 percent of network penetration tests, environments were unable to identify adversary activity that used native administrative tools - PowerShell, RDP, WMI - because those tools blend into normal operations and IT-centric detection has no ICS protocol context. Fewer than 5 percent of tested environments had PowerShell execution logging enabled.
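The logging gap above is one a defender can close directly on the host. The script below is an added example, not part of the Dragos report, that audits whether PowerShell script block logging, module logging, and transcription are enabled on a Windows engineering workstation, turns them on through the standard policy registry keys, and then checks that script block events (Event ID 4104) are being written to the PowerShell operational log. The transcript directory `C:\PSTranscripts` is an assumed placeholder; in a domain these settings are normally pushed through Group Policy rather than set per host.

```powershell
# Added example (not from the Dragos report): audit and enable PowerShell
# execution logging on a Windows host such as an engineering workstation.
# Run from an elevated PowerShell session. Settings apply to new sessions.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Assumed placeholder path; use a directory that is forwarded to a log collector.
$transcriptDir = 'C:\PSTranscripts'

function Get-PSLoggingState {
    # Read each policy value; a missing key reads as $null, which compares as disabled.
    [PSCustomObject]@{
        ScriptBlockLogging = (Get-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging -eq 1
        ModuleLogging      = (Get-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -ErrorAction SilentlyContinue).EnableModuleLogging -eq 1
        Transcription      = (Get-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -ErrorAction SilentlyContinue).EnableTranscripting -eq 1
    }
}

function Enable-PSLogging {
    # Script block logging: records the text of every executed script block (Event ID 4104),
    # including obfuscated or in-memory code after it is decoded.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

    # Module logging for all modules: records pipeline execution details (Event ID 4103).
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' -Type String

    # Transcription: full session transcripts with invocation headers written to disk.
    New-Item -Path "$base\Transcription" -Force | Out-Null
    Set-ItemProperty -Path "$base\Transcription" -Name EnableTranscripting -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name EnableInvocationHeader -Value 1 -Type DWord
    Set-ItemProperty -Path "$base\Transcription" -Name OutputDirectory -Value $transcriptDir -Type String
    New-Item -Path $transcriptDir -ItemType Directory -Force | Out-Null
}

'Logging state before:'
Get-PSLoggingState

Enable-PSLogging

'Logging state after:'
Get-PSLoggingState

# Verify that script block events reach the operational log. The list is empty
# until a new PowerShell session runs a script block after the policy change.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ Name = 'ScriptBlock'; Expression = { $_.Properties[2].Value } }
```

The audit function is the part worth running across a fleet first: it gives the same "enabled or not" answer the penetration test data above is based on, without changing anything. Enabling the policies only matters if the resulting events and transcripts are collected off the host, since an engineering workstation that is later encrypted takes its local logs with it.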

The tabletop exercise (TTX) data reinforces the gap. Manufacturing shows Major Challenges in four of seven core incident response capabilities: Detect, Communicate, Contain, and Document. And 24 percent of manufacturing sites have no OT/ICS incident response plan at all, the highest of any sector. When ransomware hits and production stops, many manufacturers are responding without a plan, without visibility into what happened, and without the telemetry needed to understand the scope.

The SANS Five ICS Cybersecurity Critical Controls provide the most direct path to reducing operational risk. For manufacturing, the data points to where those controls are most urgently needed.

  1. OT/ICS Incident Response: Manufacturing cannot afford to discover a ransomware attack when production stops. Incident response plans need to be built for OT, accounting for scenarios where affected systems are initially misidentified as IT, where engineering workstations and HMIs are involved, and where the response requires coordination between production, IT, and security teams simultaneously. A plan that only addresses IT recovery will leave the OT impact unmanaged.
  2. Defensible Architecture: The most direct way to slow ransomware in manufacturing is to remove the flat pathways between IT and OT. When production systems and enterprise IT share the same network domain, a compromise anywhere can become a production outage everywhere. Separating those environments, and treating the virtualization that supports OT with the same rigor as the operational systems themselves, is what keeps an IT incident from becoming a plant shutdown.
  3. ICS Network Visibility and Monitoring: Manufacturers need to know what is happening inside their OT networks in real time. IT-centric monitoring tools cannot detect adversary behavior that uses industrial protocols or blends into normal engineering workflows. Without ICS-aware visibility, the first sign of an incident is often an operational anomaly, by which point containment is already harder and more costly.
  4. Secure Remote Access: Vendor access, remote engineering connections, and third-party integrations are operationally necessary in manufacturing, and they are consistently the pathways adversaries use to get in. Governing these connections with MFA, jump hosts, and strict access policies is not a technical nicety. It is the control that most directly reduces the risk of ransomware affiliates authenticating their way into production environments.
  5. Risk-Based Vulnerability Management: Manufacturing environments run complex, interconnected systems where patching carries real operational risk. The answer is not to patch everything; it is to know which vulnerabilities are reachable, which systems they affect, and which ones represent genuine operational exposure. That requires asset visibility and operational context, and an approach that prioritizes risk to OT/ICS processes.

Manufacturing is the most ransomware-targeted industrial sector, and the architectural conditions that make it so - shared IT/OT domains, integrated systems, heavy reliance on remote access - are not going away. What can change is visibility, segmentation, and preparedness. Organizations that invest in ICS network visibility, accurate asset inventory, and OT-specific incident response before an incident will contain faster, remediate more effectively, and avoid the costly rebuilds that defined too many manufacturing incidents in 2025.

Watch our on-demand 2026 Manufacturing OT Threat Trends and Defensive Priorities briefing to gain expert insights from Dragos.
