The math is simple for ransomware actors: target sectors where downtime equals disaster. The world’s largest companies lose approximately 11 percent of their annual revenue to unplanned production pauses, creating the perfect leverage for attackers who know industrial leaders will pay to restore critical operations.
3 Tips to Improve Uptime Protection
- Integrate the industrial automation stack and networking equipment with comprehensive monitoring tools.
- Create dashboards that speak the same language and bridge the divide between IT and OT.
- Ensure every device is protected with a zero-trust network architecture.
As a result, ransomware is more often targeting sectors such as construction, manufacturing, healthcare, food production and energy. Attacks are up almost 50 percent quarter-on-quarter across these industries with no signs of reprieve, according to a report from Honeywell.
Unfortunately, leaders are playing into the hands of hackers by not closing legacy vulnerabilities, not using best-practice monitoring, and not effectively integrating the worlds of IT and OT. Let’s explore how companies can and should strike the right balance between achieving uptime and safeguarding their ecosystems against this growing threat.
Industry’s Uptime Trap
We all know the adage that time is money, and this is particularly true for industrial operations. Industries such as manufacturing, construction and healthcare rely on uptime to produce goods, build infrastructure and literally keep people alive. It’s tough to think of more time-sensitive and service-critical operations, which is precisely why ransomware groups pounce.
They know that downtime, those periods when production grinds to a halt, is much more than a temporary inconvenience. These interruptions translate to lost production, decreased efficiency and substantial costs. It’s for this reason that ransomware is skyrocketing, with approximately 2,500 attacks documented in the first quarter of this year, equal to 40 percent of all attacks recorded in 2024.
These sectors are therefore much more likely to pay the ransom to get operations back online as quickly as possible. It’s this “uptime trap” that’s fueling hacker attention and big payouts.
Fixing Legacy Problems
Attacks on uptime often succeed because of persistent issues that attackers exploit and defenders overlook. Let’s start with the legacy problem — much of the machinery powering production is from last decade rather than last year. This hardware was built during an era when it was assumed that every device on the network was legitimate and trusted, that physical isolation (air-gapping) prevented unauthorized access, and that extra protection measures like encryption were therefore unnecessary. However, once these systems connect to modern networks, protocols such as Modbus and Profinet become attack vectors because they are insecure by design.
Legacy industrial protocols lack authentication, encryption and session integrity, so a crafted packet is accepted exactly like a legitimate one. Intruders use this weakness to change control values, shut down systems, spoof sensor data or trigger unsafe conditions.
Integrating old and new systems is challenging because production and operations teams typically lack the tools to analyze their OT network traffic. Their stack’s main objective is to keep production metrics under control, and almost no industrial control system can also supervise the networking or server equipment running the critical applications that production depends on.
This brings us to another point of tension: the rapid convergence of IT and OT. Traditionally, IT focused on securing data and providing connectivity across the enterprise, excluding production systems, while OT managed the uptime of industrial processes, often with little coordination with or visibility from IT.
This functional separation worked while the two environments operated as separate entities, but that is no longer the case: information now flows back and forth between industrial systems and enterprise networks. The modern factory floor is becoming more complex as a result, and the IT/OT divide is the back door hackers use because they know it is a gray area for many organizations.
Finally, keeping an eye on the many types of equipment from different vendors can also prove difficult in Industry 4.0. Admins need to simultaneously oversee CNC machines, robotic assembly systems and quality control stations, for example. Achieving this insight isn’t only vital for monitoring the environment’s performance but also for predicting production maintenance and potential security weaknesses before they become problems.
How to Block Ransomware Pathways
The good news is that teams can close these attack vectors and, in doing so, protect uptime and block classic ransomware pathways at the same time.
For starters, integrating the industrial automation stack and networking equipment with comprehensive monitoring tools can help interpret data from legacy machinery and alert teams whenever it operates outside of norms. This applies to flagging both cyberattacks and unusual status reports.
An aerospace manufacturer we worked with experienced this after detecting abnormal Modbus traffic patterns during an evening shift. An investigation revealed a misconfigured PLC from earlier maintenance work — something that would have caused 24 hours of production downtime if not detected early.
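The kind of monitoring described above, as an added example that is neither the author's tooling nor that manufacturer's: a minimal Modbus/TCP request parser (which, because the protocol carries no authentication, accepts any well-formed frame from any host) and a baseline detector that flags requests outside the day-shift norm, such as a write from a host that previously only read. The host addresses, unit id and traffic are constructed; the function-code numbers are the standard Modbus ones.

```python
import struct

# Standard Modbus function codes that change process state; everything else is read/diagnostic.
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP request: 7-byte MBAP header, then the PDU (function code + data).
    Note there is no field to authenticate the sender: any well-formed frame is accepted."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # MBAP length covers unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    return {"tid": tid, "unit": unit, "fc": frame[7], "data": frame[8:]}

def build_baseline(records):
    """Learn the (source host, unit id, function code) combinations seen in a known-good window."""
    baseline = set()
    for src, frame in records:
        p = parse_modbus_tcp(frame)
        baseline.add((src, p["unit"], p["fc"]))
    return baseline

def detect_anomalies(baseline, records):
    """Return (src, unit, fc, reason) for every request that falls outside the baseline."""
    alerts, known_hosts = [], {src for src, _, _ in baseline}
    for src, frame in records:
        p = parse_modbus_tcp(frame)
        if (src, p["unit"], p["fc"]) in baseline:
            continue
        if src not in known_hosts:
            reason = "request from host never seen in baseline"
        elif p["fc"] in WRITE_FUNCTIONS:
            reason = "write function from a host that only read during baseline"
        else:
            reason = "new function code for this unit"
        alerts.append((src, p["unit"], p["fc"], reason))
    return alerts

def mb(tid, unit, fc, data):
    """Build a Modbus/TCP request frame (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

# Constructed day-shift traffic: HMI 10.0.1.10 polls holding registers 0..9 (fc 3) of unit 1.
DAY_SHIFT = [("10.0.1.10", mb(t, 1, 3, struct.pack(">HH", 0, 10))) for t in range(1, 4)]
# Constructed evening-shift traffic: the same HMI issues Write Multiple Registers (fc 16)
# setting register 16 to 1000, and an unknown host starts polling the same PLC.
EVENING_SHIFT = [
    ("10.0.1.10", mb(7, 1, 3, struct.pack(">HH", 0, 10))),
    ("10.0.1.10", mb(8, 1, 16, struct.pack(">HHB", 16, 1, 2) + struct.pack(">H", 1000))),
    ("10.0.1.99", mb(9, 1, 3, struct.pack(">HH", 0, 10))),
]

if __name__ == "__main__":
    for alert in detect_anomalies(build_baseline(DAY_SHIFT), EVENING_SHIFT):
        print("ALERT", alert)
```

In a real deployment the baseline would be learned per PLC from a capture taken during known-good operation and reviewed with the OT team before alerts are enabled.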
This kind of unified visibility also goes a long way to preventing finger-pointing between IT and OT. Going forward, dashboards that speak the same language and bridge the internal divide are non-negotiable — tracking network performance and security metrics for IT, as well as monitoring production equipment and operational parameters for OT.
Thankfully, the gap between the two is closing. Research from this month indicates that CISO responsibility for OT security has tripled since 2022 with 80 percent planning to move OT cybersecurity under the CISO’s purview within 12 months. This mandate creates much-needed and long-awaited cultural alignment from the top down.
Additionally, when integrating machinery and devices from across the fragmented vendor landscape, teams must ensure there are no weak links. Don’t give ransomware an inch: ensure every device is as well-protected as possible within a zero-trust network architecture. This is further strengthened by micro-segmenting equipment by manufacturer, implementing best practices for device authentication, and maintaining continuous behavioral monitoring across all equipment types.
Hackers know that uptime is the heart of output. Therefore, unmonitored devices or disconnected ecosystems are like blood in the water – they’re essentially assets asking for attack and ransom. The onus is now on leaders to respond in kind. Either integrate best practice oversight into every aspect of your endpoints and operations, or hand bad actors the keys to your production lines.