Manufacturing companies face escalating cyber risks as modernization (deploying generative AI and integrating information technology, operational technology, engineering technology and the industrial IoT) expands digital ecosystems and connectivity.
These modern digitized environments deliver productivity gains, efficiency improvements and cost savings, but they also significantly expand attack surfaces. As a result, businesses face heightened risks of cyberattacks that can paralyze production lines, compromise proprietary data, enable IP theft, damage brand reputation and trigger supply chain disruptions. In a recent example, a leading U.S. steel producer halted some production after a cyberattack compromised certain IT systems.
Recent cyber threat data reveals the magnitude of this challenge for manufacturing companies. The 2024 Verizon Data Breach Investigations Report identified over 2,300 cyber incidents targeting the manufacturing sector. According to the IBM X-Force 2025 Threat Intelligence Index, manufacturing retained its position as the most targeted sector globally for the fourth consecutive year, representing 26% of incidents, "emphasizing its critical role in global supply chains and the value of industrial-sector intellectual property." Meanwhile, the average cost of a data breach globally reached nearly $4.9 million in 2024, up 10% from the previous year, according to the IBM Cost of a Data Breach Report 2024.
These cyber challenges compound existing macro pressures manufacturers face. Research from Rockwell Automation ranks cyber risk as the third most significant external threat to manufacturing operations, surpassed only by global inflation and rising energy costs.
Drawing from my experience developing cybersecurity strategies with manufacturing executives at both PwC and Google Cloud, I recommend five key governance approaches that build robust security postures and effectively mitigate these evolving risks.
1. Prioritize executive buy-in
Cybersecurity now represents a fundamental business risk rather than merely a technology problem, carrying governance requirements and potentially serious impacts on shareholders, customers and consumers during security incidents. U.S. Securities and Exchange Commission rules mandate timely cyber incident disclosure, robust risk management programs and formal board oversight.
Effective security leaders must translate complex cyber risks into clear business and financial terms. This means demonstrating a deep understanding of core business issues such as production uptime, throughput and safety. By explaining how a cyberattack can directly impact revenue (halting production, damaging brand, disrupting supply chains or endangering safety), security leaders can motivate executives to champion organization-wide security cultures and compliance frameworks. In turn, executives must remain engaged with their cybersecurity teams to reassess both business gains through technology and newly incurred risks.
The rapid deployment of AI systems creates particularly acute governance challenges for manufacturers. In 2023, a tech employee unknowingly uploaded proprietary designs into an open-source AI platform, something that's unfortunately becoming more common. Executive sponsorship of an AI board, responsible-use policies and employee training would have made a big difference for this company.
2. Rethink risk management for connected manufacturing
Connected devices and automated systems have rendered traditional risk-management approaches insufficient across manufacturing environments. These modern technologies create novel attack vectors that allow threat actors to infiltrate networks and directly disrupt production processes and critical operations.
Oil and gas manufacturers in Asia learned this lesson when an infected thumb drive compromised their supposedly "impenetrable" air-gapped environments with the SOGU malware. Despite maintaining strict network isolation protocols, they overlooked security for physical devices bridging these systems. This illustrates why effective security integrates physical and digital protection strategies.
Managing risk effectively across today's dynamic and interconnected manufacturing environments demands holistic vision and adaptable strategies. Security teams should prioritize these three critical practices:
Comprehensive asset mapping: Document all critical assets, systems and data across every environment, including cloud infrastructures, on-premises systems, hybrid integrations and AI/ML models.
Continuous security assessment: Regularly evaluate cloud vulnerabilities; analyze evolving threat tactics, techniques, and procedures (TTPs); and identify unique risks emerging from AI deployment across operations.
Real-time threat visibility: Deploy advanced monitoring tools that provide comprehensive visibility into both malicious attacks and vulnerabilities throughout your interconnected digital ecosystem.
3. Turn regulatory requirements into market advantage
Forward-thinking manufacturers transform compliance requirements into innovation catalysts rather than treating them as regulatory burdens. When deploying cloud and AI technologies, comprehensive compliance must address both IT and OT environments and encompass data privacy alongside product and human safety concerns.
One consumer goods company discovered that its AI shopping assistant could identify pregnancy status through historical clothing size data. Proactively addressing this sensitive data protected customer privacy while building trust and supporting compliance.
Manufacturers should establish industry-specific compliance standards for common scenarios. For cloud environments, implement security frameworks that address data residency requirements, particularly when operating internationally. With consumer-facing products, embed cybersecurity into design processes to mitigate safety risks in connected devices while satisfying regulatory requirements.
4. Develop cyber expertise across your organization
A skilled workforce forms the foundation of every robust cybersecurity program. Manufacturing organizations should prioritize targeted security training and continuous skills development, especially within teams responsible for protecting converged digital and physical assets in connected OT environments. Product development teams, AI/ML specialists and IT/OT operations staff each require customized security training that addresses their unique risk profiles and operational responsibilities.
Effective security training with visible executive buy-in transcends theoretical knowledge by incorporating hands-on exercises and realistic simulations. Cross-functional threat modeling sessions enable teams to visualize attack impacts and design practical risk mitigation controls.
5. Treat communication as a critical security enabler
Building an enterprise-wide security culture demands transparent communication from security leaders. Effective security executives engage board members regularly with updates on emerging threats, mitigation strategies and progress on security initiatives. Simultaneously, these leaders establish consistent employee communication channels that foster security awareness, promote best practices and reinforce organizational policies across all business units.
Security communication must include customers, suppliers and partners. Share specific data protection requirements with partners handling sensitive information. Inform customers about security controls protecting connected products. Participate in industry threat-sharing forums and security working groups to strengthen defenses.
Every manufacturing executive faces the same choice: invest strategically in cybersecurity governance today or pay an exponentially higher price tomorrow. In today's manufacturing landscape, effective cybersecurity doesn't just prevent attacks—it secures your company's future.