The Risks to Manufacturing from AI-Driven Cyberattacks
Risks to safety and production line uptime create direct and regulatory drivers in manufacturing, so CEOs and boards should expect continuous and granular reporting on OT and supply chain cyber risks. Board members and executives need OT asset visibility and cyber supply chain due diligence for internal and external reporting. Risk-based asset inventory, network segmentation, change and patch control, prioritized remediations, tabletop exercises, and compliance with control standards, including NIST SP 800-82 and ISA/IEC 62443, should be basic components of any manufacturer’s cyber and physical risk management program.
How AI and cybersecurity risk are reshaping manufacturing — what leaders must do now
Manufacturers run the machines, robots, control systems, and supplier networks that make the modern world go. That also makes them a priority target for attackers. Successful cyberattacks can stop production lines, damage physical equipment, steal blueprints and business data, interrupt suppliers, and create safety hazards for workers and the public. Artificial intelligence and new regulations or industry standards are making big changes in manufacturing. AI is accelerating and scaling automated attacks. Generative AI models can support both defensive and offensive actions, including attacker TTPs. Governments and industry are raising expectations for how companies must address security risk, in part because many categories of manufacturing are often on “critical infrastructure” lists. Below, I explain the specific risks and attackers interested in manufacturing. I review real incidents for lessons learned, regulatory and standards drivers you should know, and concrete, prioritized actions for plants or enterprises to do today. I include citations so you can check the sources and dig deeper.
Why manufacturing is an attractive target right now
Manufacturing combines three assets companies want:
- Intellectual property and design data.
- Operational technology (OT) networks that control machinery and processes.
- Complex supplier networks that bring physical parts or digital data and software into operations.
Attackers target any of those for financial gain, political goals, or industrial sabotage. Ransomware and supply chain attacks have repeatedly shown they can halt production for days or weeks and cause tens of millions of dollars in recovery costs. The 2019 Norsk Hydro, 2021 JBS, and Kaseya supply-chain incidents are just some examples of how fast operations and supply chains can be disrupted.
How AI specifically changes the threat picture for manufacturers
- Faster reconnaissance and exploit development. Attackers can use AI to scan internet-facing devices and code repositories for OT and ICS environments, and to find misconfigurations or known vulnerabilities in configurations and firmware. Attackers can use AI-assisted code generators to produce exploit code or social engineering phishing text in large volumes. This compresses the time defenders have to patch or contain vulnerabilities.
- Smarter social engineering and business email compromise (BEC). Generative models can be used to create spearphishing and invoice fraud more convincingly than before. Generative models can craft text and voice messages that more closely mimic suppliers, executives or maintenance vendors, with contextual details or knowledge pulled from previous breaches or public sources. This raises the risk of fraudulent wire transfer or fake change-of-bank scams. Unauthorized work orders are also a risk for construction or physical maintenance projects.
- Automated fraud and counterfeit components. Attackers use AI to create fake supplier certificates, counterfeit parts imagery, or falsified test data to mask substandard or compromised components. For manufacturers with complex multi-tier supplier networks, this creates product quality and safety risks that extend far beyond IT systems.
- Weaponized ML against detection systems. Attackers can use adversarial ML techniques to evade detection by anomaly-detection systems. Attackers can also poison data used by customer predictive maintenance and quality-control models. That could cause safety and operational risks at customer locations if undetected.
OT and ICS (Industrial Control Systems) risks are not theoretical — they threaten safety and production
Operational technology and industrial control systems are now a widely accepted target for attackers. Operational technology was designed and built for reliability and stability in a pre-Internet environment. Malware like Triton (Trisis) shows attackers have the potential to intentionally disable safety instrumented systems and cause dangerous, even life-threatening situations. Ransomware forcing a plant into manual operations mode or a full shutdown is not a theoretical risk: Norsk Hydro, JBS, and Honda had operations uptime interrupted in recent years. For manufacturers, an IT compromise is also an OT and safety issue, because networks and trust boundaries are frequently not cleanly separated.
Supply chain and third-party risk are central to manufacturing
Manufacturers have vital dependencies on software vendors, equipment vendors, managed service providers, and distributors. A single compromised supplier can impact many factories, as SolarWinds and Kaseya showed. Software supply chain attacks are a significant risk because they can give attackers a trusted foothold inside multiple customers’ networks all at once. That means vendor risk management, secure update practices, and contractual security requirements are core defenses, not optional best practices.
Standards and legal drivers you need on your radar
- NIST guidance for industrial control systems. The NIST SP 800-82 ICS Guide and the NIST Manufacturing Profile help manufacturers align IT and OT security controls and design a risk-based set of defenses. I recommend using these publications as a practical, results-oriented roadmap for ICS security.
- ISA/IEC 62443. This globally accepted set of standards provides a common set of controls and a risk-based methodology to help manufacturers secure industrial automation and control systems. This series of standards provides practical concepts like zones, conduits, and defense-in-depth for OT environments.
- CISA and sector guidance. The U.S. Cybersecurity and Infrastructure Security Agency publishes manufacturing-focused guidance and sector playbooks that are practical for owners and operators. CISA advisories and guidelines should be followed, and recommended mitigations implemented as soon as practical.
- EU NIS2 and regional laws. Europe’s NIS2 directive raises significant new obligations for cybersecurity, incident reporting, and supply chain security for key sectors, including some types of manufacturing. National implementation varies, so manufacturers operating in Europe need to map national obligations in each country they operate.
- Disclosure and governance rules. Public companies are subject to SEC rules requiring the timely disclosure of material cyber incidents and the annual reporting of governance and risk management practices. These rules are also now being widely referenced by investors and supply chains.
Real incidents to learn from
- Norsk Hydro, 2019. Wide-scale manual operations and months of recovery after a ransomware incident that forced physical downtime. An example of the business impact when IT security fails, and a broad IT compromise reaches OT.
- JBS, 2021. Ransomware attack on a global meat processing company. Disrupted production at facilities around the world, which led to emergency government engagement. This and Kaseya show risks to critical food supply chains.
- Honda, 2020. Cyber incident halts production at multiple manufacturing plants. An example of how automakers are also vulnerable to attacks that interrupt manufacturing lines.
- Triton/Trisis, 2017. Malware designed to reconfigure safety systems to bypass or alter behavior. An example of a worst-case type of outcome: attackers who are seeking to cause physical harm by targeting industrial safety controls.
- Kaseya and SolarWinds supply chain incidents. Software supply chain attacks show that a single breach can give attackers trusted persistence in many customers’ networks. Lesson: the security of vendors and secure software development and update processes matter more than many realize.
Practical, prioritized actions manufacturers should take now
Below are concrete, results-oriented steps you can start now, ordered so that limited budgets should focus on the highest impact items first.
- Build an authoritative asset inventory for IT and OT. Know every controller, HMI, PLC, sensor, server, and 3rd-party service connection. If you cannot protect it, you cannot manage it. Use the inventory for segmentation planning and risk scoring.
- Segment networks and enforce zones and conduits. Separate corporate IT and OT networks, and within OT, create zones for safety-critical systems. Implement strict access controls and monitored gateways between zones. ISA/IEC 62443 and NIST SP 800-82 recommend these patterns.
- Patch management and change control for OT-aware environments. Patch windows for ICS are different than those in IT. Implement carefully tested change processes, virtual patching where appropriate, and compensating controls. Ensure patches do not break production while vulnerabilities are still mitigated.
- Harden remote access and vendor connections. Require multi-factor authentication (MFA), just-in-time VPN access, jump hosts, and strong logging for any remote vendor or maintenance access. Vendor connections must be treated like any untrusted external connection.
- Backup, recovery, and manual-fallback plans. Regularly test backups, and plan for safe manual operations if digital controls are unavailable. Norsk Hydro and other examples showed that manual fallback procedures are essential and worth the expense for continuity.
- Threat detection and OT-focused monitoring. Deploy IDS/IPS for industrial protocols, network traffic analysis tuned for OT, and endpoint detection for engineering workstations and production ICS servers. Shorter dwell time means less operational loss.
- Supply chain security program. Maintain an inventory of critical suppliers, require secure software development practices and signed SBOMs when possible, and contractually enforce rapid vulnerability disclosure and patch windows. Supplier compromise can quickly become your incident.
- Tabletop exercises that include AI and OT scenarios. Practice incidents that combine ransomware, deepfaked vendor requests, and safety-system tampering. Exercises should include operations, safety, legal, communications, and execs to exercise decision paths in advance.
- Align governance and reporting to board-level risk metrics. Clear metrics like mean time to detect, mean time to respond, percent of critical assets segmented, and supply chain risk ratings. Cybersecurity should be part of operational KPIs and capital planning.
- Adopt appropriate standards for proof and compliance. NIST CSF, NIST SP 800-82, and ISA/IEC 62443 are common and authoritative standards for controls and practices. EU companies and those doing business in Europe need to map out NIS2 and national law requirements. Regulators and customers expect alignment with such frameworks.
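As an added example (not part of the original article), the sketch below shows how the asset inventory can drive a zones-and-conduits check and the "percent of critical assets segmented" metric from the list above. The asset names, addresses, zone names, conduit list, flow records, and the metric's definition are all assumptions constructed for illustration.

```python
from collections import namedtuple
Asset = namedtuple("Asset", "name ip zone critical")

# Constructed sample inventory (hypothetical assets and addresses).
INVENTORY = [
    Asset("erp-app", "10.10.1.20", "enterprise", False),
    Asset("historian", "10.20.1.10", "ot-dmz", False),
    Asset("jump-host", "10.20.1.5", "ot-dmz", False),
    Asset("hmi-line1", "10.30.1.11", "control", True),
    Asset("plc-line1", "10.30.1.21", "control", True),
    Asset("sis-line1", "10.40.1.2", "safety", True),
]

# Approved conduits (assumed policy): (source zone, destination zone, port).
CONDUITS = {
    ("enterprise", "ot-dmz", 443),   # ERP reads the historian over HTTPS
    ("ot-dmz", "control", 3389),     # jump host reaches the HMI over RDP
    ("control", "ot-dmz", 443),      # HMI pushes data to the historian
}

# Constructed flow records: (source ip, destination ip, destination port).
FLOWS = [
    ("10.10.1.20", "10.20.1.10", 443),
    ("10.20.1.5", "10.30.1.11", 3389),
    ("10.30.1.11", "10.30.1.21", 502),   # intra-zone Modbus/TCP, allowed
    ("10.10.1.20", "10.30.1.21", 502),   # enterprise straight to a PLC
    ("10.30.1.11", "10.40.1.2", 1502),   # control zone into the safety zone
    ("10.99.0.7", "10.30.1.21", 502),    # source missing from the inventory
]

def audit_flows(inventory, conduits, flows):
    """Return flows that cross zones without a conduit or touch unknown hosts."""
    by_ip = {a.ip: a for a in inventory}
    findings = []
    for src, dst, port in flows:
        s, d = by_ip.get(src), by_ip.get(dst)
        if s is None or d is None:
            findings.append((src, dst, port, "endpoint not in inventory"))
        elif s.zone != d.zone and (s.zone, d.zone, port) not in conduits:
            findings.append((src, dst, port, f"no conduit {s.zone}->{d.zone}"))
    return findings

def pct_critical_segmented(inventory, findings):
    """Assumed metric: share of critical assets no finding names as destination."""
    critical = {a.ip for a in inventory if a.critical}
    exposed = critical & {dst for _, dst, _, _ in findings}
    return 100.0 * (len(critical) - len(exposed)) / len(critical)
```

Calling `audit_flows(INVENTORY, CONDUITS, FLOWS)` and passing its result to `pct_critical_segmented` gives a findings list for the operations team and a single number that can feed the board-level reporting.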
How to prioritize limited budgets
- Protect safety and production continuity first. Controls that prevent unsafe conditions or keep critical lines running have the highest business value.
- Harden remote access and vendor controls. Many attacks start with third-party or compromised maintenance credentials.
- Invest in detection and recovery. A smaller set of high-quality detection tools plus tested backups and playbooks often beats a broad set of weaker, poorly configured controls.
- Reduce attack surface through segmentation and asset retirement. Fewer exposed devices and code means fewer entry points.
What boards and executives should demand
- A clear asset map and risk register for OT and the supply chain.
- Evidence of tested incident response and manual fallback plans.
- A supplier security program with contractual SLAs (Service Level Agreements) for patching and breach notification.
- Regular executive briefings with measurable KPIs and tabletop exercise outcomes.
- A plan to comply with mandatory disclosure rules if your company is public. The SEC’s rules on incident disclosure and board governance mean material incidents have immediate financial reporting obligations and penalties.
Final takeaway
Manufacturing is at the intersection of cyber risk and physical operations. AI magnifies risk: both the scale of attacks and their subtlety. AI makes attacks more numerous, automated, and more convincing, including for supply chain and product integrity. The best defense is also practical: know what you have and where, segment networks, manage remote and vendor access, test backups and manual fallbacks, and ensure cyber risk is measured and governed at the board level. Standards like NIST SP 800-82, CISA guidance, and a view of supplier security as a business operations priority should be core components of any manufacturer’s cyber and physical risk management program. Learn from Norsk Hydro, JBS, Honda, Triton, SolarWinds, Kaseya – those incidents are blueprints of what to avoid.
To successfully approach managing risk in the age of AI, manufacturers should incorporate reasonable security into their risk strategy.
Establish reasonable security through duty of care.
With HALOCK, organizations can establish a legally defensible security and risk program through Duty of Care Risk Analysis (DoCRA). This balanced approach provides a methodology to achieve reasonable security as the regulations require.
