Manufacturing is one of the most targeted sectors by cyber criminals, with research* suggesting 78 per cent of UK industrial businesses were attacked in the last 12 months. Of those, three in four experienced one to seven days of downtime, with 53 per cent reporting lost revenue, 44 per cent seeing supply chain disruption and 39 per cent missing delivery deadlines. While over 50 per cent faced costs exceeding £250,000, and nearly 20 per cent above £1m, the sums pale in comparison to the £1.9bn the cyberattack on Jaguar Land Rover last year is reported to have cost.
Experts at the Cyber Monitoring Centre call it “the most economically damaging cyber event to hit the UK,” estimating that 5,000 businesses, including suppliers, logistics firms and retailers, were affected, “demonstrating how a cyberattack on a single manufacturer can reverberate across regions and industries.”
A smart connected factory offers the opportunity to unlock competitive advantage, but only if cybersecurity evaluation is built in from the very start
Dr Stuart McLeod, Technology Manager at MTC
Manufacturing’s role in producing essential goods and services, from food and medical supplies to utilities and national defence, helps explain the appeal. But attackers are largely sector-agnostic, selecting victims based on vulnerability, sensitivity to downtime and whether they hold data worth ransoming. Manufacturers tick all three boxes.
As production environments become more connected and digitally dependent, that exposure is only increasing. The modern factory is now a dense network of digital endpoints, spanning automated machinery, robotics, cloud-based monitoring systems and remote access tools. Yes, these advancements bring new efficiencies and insights, but they also expand the attack surface.
In many cases, hardware is being introduced without the same level of scrutiny applied to enterprise software. Even the most innocuous device can provide a route in. A now well-known example saw a hacker gain access to a North American casino’s network via an internet-connected thermometer in a fish tank. They managed to obtain masses of customer information, causing significant financial and reputational damage.
The example highlights a broader structural issue. As connected devices proliferate, organisations are losing sight of what sits on their networks and how those assets are secured. “One of the biggest challenges for cybersecurity in manufacturing is basic visibility. Many organisations simply don’t know what assets are on their network or where they physically are, which makes effective protection extremely difficult,” says Luke Appleby, director at security and risk management firm Equilibrium Risk.
Don’t assume modern devices are secure
Many cyberattacks are linked to legacy production hardware, often ageing PCs running unsupported operating systems such as Windows XP or 2000. These systems no longer receive security updates or patches, leaving known vulnerabilities permanently open to exploitation. Despite the risk, research shared by Made Smarter suggests 74 per cent of manufacturing and engineering firms still rely on legacy systems or spreadsheets for day-to-day operations.
But the risk isn’t limited to legacy equipment. Newer technologies can be just as exposed. One organisation working to highlight that issue is Bosch. The Bosch Group operates as both a manufacturer and technology provider, with nearly 250 highly digitised production sites and millions of connected products in use globally, from smart home appliances and power tools to driverless transport systems. That dual role has shaped its focus on ‘security by design’ and strengthened its emphasis on industry collaboration.
Bosch recently worked with the Manufacturing Technology Centre (MTC) to see if physical equipment can be tested with the same rigor and methods as IT systems, and if so, could testing be carried out before deployment in a live production environment.
Connected devices are a growing source of vulnerability for manufacturers – Bosch
At the MTC’s Digital Proving Ground (DPG) in Liverpool – a controlled environment for testing new products and processes – a widely used, commercially available 3D printer underwent a series of penetration tests.
Researchers examined how the printer interacted with local and cloud-based systems, and whether it could be accessed or manipulated through exposed interfaces such as Wi-Fi connectivity, USB ports and network services. Simulated attacks included attempts to interfere with print jobs, access design files and alter production instructions.
“The testing identified several potential vulnerabilities, including poorly secured open ports and exposed communication pathways that could, in certain circumstances, provide a route into the device,” explained Raj Prasun, leader of Bosch’s Global Cybersecurity Business. “It also demonstrated how manipulation of digital instruction could create risks not only to data integrity, but to physical production processes themselves.”
The test underscores that cybersecurity cannot be assumed, Raj said. While OEMs are responsible for identifying, assessing and addressing vulnerabilities in their products, manufacturers must also factor security earlier in their planning and procurement, not as an afterthought.
“A smart connected factory offers the opportunity to unlock competitive advantage, but only if cybersecurity evaluation is built in from the very start and testing is ongoing, proportionate and risk-based,” said Dr Stuart McLeod, Technology Manager at MTC.
Start with the basics
If the Bosch/MTC test highlights anything, it’s that cybersecurity failures are rarely exotic. More often, they stem from basic controls not being in place. Cyber Essentials, the UK government-backed certification scheme, is designed to protect organisations against the most common threats. It sets a benchmark across five core controls: firewalls, secure configuration, software updates, user access control and malware protection – areas responsible for many of the vulnerabilities in both legacy and modern systems.
Despite being launched in 2014, uptake remains uneven. Adoption among larger companies has risen from 23 per cent to 30 per cent, according to the latest figures, but many SMEs have yet to grasp the need. With cyber threats costing UK businesses £14.7bn a year, the government is pushing to increase adoption.
“No business is out of reach from cybercriminals,” said Minister for the Digital Economy Baroness Lloyd, warning that many smaller firms still assume attackers only go after big brands. “Criminals look for easy opportunities and without basic protections in place, any business of any size can become a target,” she said.
Developed by the National Cyber Security Centre, the scheme is designed to be practical, providing a clear starting point without requiring large in-house security teams. Certification is renewed annually, with Cyber Essentials Plus offering a more rigorous, independently verified audit.
The NCSC encourages a “zero trust” approach where no user or device is assumed to be secure – Bosch
For some manufacturers, certification is already becoming a commercial requirement. Cornwall-based Topan Group, which specialises in temporary hoarding and permanent fencing, secured Cyber Essentials accreditation as part of its work with the MOD and MOJ.
Having held Cyber Essentials certification for several years, automation specialist Amplicon has progressed to Cyber Essentials Plus. “This certification provides additional assurance to our customers and partners that we apply robust, industry-recognised measures to safeguard data and support secure business operations,” said a company spokesperson.
Focus on what you can control
For all the complexity of modern cyber threats, the weakest link is still people. Phishing, weak passwords and accidental data leaks account for the vast majority of breaches, with humans linked to more than 80 per cent of successful attacks.
A single click on a convincing phishing email can bypass the most well-configured and robust technical controls. And those emails are becoming harder to spot, often tailored, targeted and indistinguishable from legitimate communications. That is why education is vital, said Luke Appleby.
Training needs to go beyond annual compliance exercises. Employees must be taught to recognise threats and understand how their actions affect the wider business. Embedding that mindset from day one, particularly during onboarding, is key, he says. Leadership matters too. If cybersecurity is treated as an IT issue, it will be ignored elsewhere.
“A strong first step is to understand what you actually have – hardware, software and network architecture – then assess the risk and identify the security gaps compared to industry standards,” said Grace Lim, cybersecurity specialist at the University of Sheffield Advanced Manufacturing Research Centre (AMRC). “That includes the value of the data, the likelihood of attack and the potential impact. From there, you can identify where the security gaps are and what needs to be addressed.”
But identifying gaps is only half the job. “There’s no point if no one is accountable for fixing them,” Lim added. Leadership has to commit time and resources, and provide clear ownership.
Formalising that approach is equally important. A good cybersecurity policy typically defines key assets, known vulnerabilities and likely threats, as well as how the business will respond to and recover from an incident, and be regularly reviewed and updated. It also has to work in practice. “If your incident response plan exists only as a document in a system you’re locked out of, it’s effectively useless when you need it most,” said Appleby. “Critical procedures should be readily available offline, understood by key staff and tested in advance.”
Bosch
With highly significant attacks rising by 50 per cent year-on-year, the National Cyber Security Centre (NCSC) is pushing for passkeys and enhanced multi-factor authentication (MFA) as a more secure alternative to passwords. It also encourages organisations to adopt a “zero trust” approach, where no user or device is assumed to be secure and access is tightly controlled.
“Our collective exposure is growing at an alarming pace,” said Richard Horne, head of the NCSC. “The best way to defend against these attacks is for organisations to make themselves as hard a target as possible. That demands urgency from every business leader.”
That urgency isn’t always there. Cybersecurity is still often treated as a cost centre rather than a contributor to performance. “That’s the challenge,” said Grace Lim. “The conversation changes when you attach cybersecurity to something that drives value like machine monitoring, process improvement or operational efficiency. It shifts from ‘this costs money’ to ‘this protects, or even improves, the bottom line’.”
- 500 senior manufacturing professionals surveyed on behalf of ESET
