Latest Manufacturing Cybersecurity Research Studies

Summary

The latest manufacturing cybersecurity research studies examine how factories and industrial networks protect themselves from growing cyber threats, especially as they become more connected and automated. This research focuses on innovative ways to spot and respond to risks, aiming to keep production running smoothly and safely.

  • Prioritize cyber resilience: Build security measures that help your operations stay up and running even during a cyber incident, rather than just preventing attacks.
  • Segment networks smartly: Separate your IT and operational technology networks to limit how far cyber attackers can move if they gain access.
  • Map real threats: Use research-backed frameworks to track actual attack paths and identify where your manufacturing systems are most vulnerable, so you can focus your defenses where they matter most.
Summarized by AI based on LinkedIn member posts
  • View profile for Thorsten Wuest

    Professor | Director | Author | Learner | Consultant

    7,070 followers

    Is your Smart Factory actually secure, or just connected? 🛡️🏭

    Our recent paper "Manufacturing Cybersecurity from Threat to Action: A Taxonomy-Guided Decision Support Framework" (JIM) takes a very hands-on and applied take on the complexity of protecting process, machines, and parts. This fruitful collaboration was led by Habibor Rahman with Rocco Cassandro, Mohammed Shafae, and Thorsten Wuest.

    While the transition to #Industry40 and #Industry50 offers unparalleled efficiency, it also expands the "attack surface" of the modern factory. Most existing #cybersecurity models are either too abstract for the shop floor or too technical for strategic management.

    What makes this work different? Unlike traditional surveys, this paper provides a taxonomy-guided decision support framework. We didn't stop at listing the threats; we built a bridge from Threat Detection to Actionable Defense.

    Key Highlights:

    ✅ Applied Taxonomy: A comprehensive classification of cyber-physical threats specific to manufacturing environments.
    ✅ Decision Support: A structured methodology for CTOs and Plant Managers to prioritize security investments based on risk.
    ✅ Resilience-First: Focusing not just on "stopping" attacks, but on maintaining operational continuity during an incident.

    As we move toward more decentralized, autonomous manufacturing networks, cybersecurity cannot be an afterthought—it must be the foundation and part of the decision making. Collaboration is key to securing our industrial future.

    I’d love to hear from colleagues in CyberSecurity, #SmartManufacturing, and #DigitalTwins—how are you addressing the 'human-in-the-loop' security challenge?

    #SmartManufacturing #Cybersecurity #Industry50 #ResearchImpact #USC #MCEC #DigitalTransformation #IIoT CESMII CyManII | Cybersecurity Manufacturing Innovation Institute National Science Foundation (NSF)

    Citation: Rahman, H., Cassandro, R., Wuest, T. & Shafae, M. (2025). Manufacturing Cybersecurity from Threat to Action: A Taxonomy-Guided Decision Support Framework. Journal of Intelligent Manufacturing, DOI 10.1007/s10845-025-02719-w

    Link to full paper in the comments:

  • View profile for Jonathon Gordon

    Industry Analyst @ Takepoint Research | Senior Analyst - Industrial Cyber Security

    22,084 followers

    We originally created this fact sheet to answer a question we kept hearing from industrial security leaders: “How do real attacks map to the controls we are being asked to implement?” At the time, most guidance was abstract. Frameworks without incidents. Controls without context. So we mapped real industrial cyber attacks directly to MITRE ATT&CK for ICS techniques and IEC 62443 controls. That is why this has become one of our most shared and downloaded resources. It replaces theory with evidence. Real incidents. Real operational impact. What makes this update timely is not history. It is relevance. The latest version includes recent state-aligned cyber activity targeting energy and critical infrastructure in Poland, as well as attempted intrusions against the Danish energy sector. These were not disruptive attacks. That is the point. They reflect persistent OT-focused cyber pressure shaping risk and resilience decisions today. If you are responsible for assessing cyber risk in industrial organizations, this is a valuable resource for you. Access Full Complimentary Research Here: https://lnkd.in/dAArmhKi

  • View profile for Harry Thomas

    Founder @ Frenos | CTO | AI/ML & Cybersecurity Expert

    3,241 followers

    The attack surface of OT environments just got exponentially more complex, and here's the math that should terrify every industrial cybersecurity professional.

    New research reveals that modern OT environments now face a 1:40 human to identity ratio with AI integration, creating factorial attack path growth where just 10 identities generate 3.6 MILLION possible attack paths. But here's what's really keeping me up at night: 95% of breaches now involve identity based attack paths that span from corporate IT directly into critical control systems.

    I just analyzed the latest State of Attack Path Management data, and the convergence reality is stark. Attackers are chaining vulnerabilities across IT/OT boundaries in ways we've never seen before. Picture this: compromised maintenance laptop credentials → misconfigured certificate templates → lateral movement through poorly segmented HMI systems → direct access to industrial controllers running Modbus, DNP3, or EtherNet/IP protocols.

    The traditional approach of treating OT vulnerabilities as isolated risks is fundamentally broken. While 75% of exposures are dead ends, the 25% that create exploitable paths into operational systems can cascade into complete production shutdown or safety system compromise.

    Here's where AI becomes a game changer for OT defense:

    ✅ AI algorithms can map complex interdependencies between IT identities and OT systems that span multiple industrial protocols
    ✅ Simulate attack scenarios specific to SCADA networks and industrial control architectures
    ✅ Detect anomalous lateral movement patterns indicating attackers navigating from corporate networks into critical control systems
    ✅ Identify network segmentation chokepoints where IT/OT convergence creates the highest risk exposure

    The asymmetric advantage is real: while attackers operate with incomplete information about our OT environments, AI gives defenders full visibility into identity relationships and attack paths before they're exploited.

    For OT security teams dealing with production schedules, safety considerations, and resource constraints, this predictive capability isn't just helpful, it's absolutely critical. We can finally prioritize which vulnerabilities actually threaten operational continuity versus theoretical risks.

    Bottom line: defenders need to start thinking in graphs, not lists, because that's exactly how attackers are already operating across our converged IT/OT environments.

    What attack path scenarios are you seeing in your OT environments? The complexity is only accelerating.

    #OTCybersecurity #IndustrialSecurity #AttackPathMapping #ITOT #CyberPhysicalSystems

  • View profile for Tathagata Basu

    Chief Strategy Officer @ Honeywell Process Automation

    7,233 followers

    The 2025 Honeywell Cyber Threat Report reveals a stark reality: the industrial sector is facing a cybersecurity reckoning. Cyberattacks on operational technology (OT) environments have intensified—ransomware surged 46% in six months, while attacks on water systems, transportation networks, and manufacturing plants have caused real-world disruptions. Threat actors are no longer simply infiltrating; they are interrupting critical services and endangering safety and continuity.

    One notable trend is the rise in USB-based malware and credential-stealing Trojans like Win32.Worm.Ramnit, which surged 3,000% in frequency. In parallel, over 1,800 distinct threats were detected through Honeywell’s Secure Media Exchange (SMX), with alarming infiltration routes observed across removable media, remote access exploits, and compromised credentials.

    What’s driving this escalation?

    • Legacy systems with limited security controls remain widely deployed.
    • Converged IT/OT environments increase the attack surface.
    • Regulatory pressure, such as the SEC’s cybersecurity disclosure rule, is raising the stakes for leadership teams.

    The implication is clear: defending the industrial enterprise requires more than traditional cybersecurity postures. It demands a shift toward cyber resilience—a proactive, integrated approach that embeds security into the DNA of operations.

    At a minimum, organizations must act on five imperatives:

    1. Adopt Zero Trust principles—no device, user, or process should be implicitly trusted.
    2. Implement strict segmentation between IT and OT networks.
    3. Elevate threat visibility with continuous monitoring, detection, and response tools.
    4. Enforce multi-factor authentication and access governance.
    5. Ensure secure USB/media handling and endpoint control at every entry point.

    This is not a technology problem alone—it is an operational and leadership mandate. Every breach is now a business risk. Boards, CISOs, and plant leaders must align around a single objective: operational continuity through cyber integrity.

    Honeywell remains committed to advancing industrial cyber maturity through our ecosystem of threat detection, monitoring, and managed response capabilities. But securing the future will require collective effort—from regulators, vendors, operators, and industry consortia.

    As the report concludes, it’s not a matter of if your OT environment will be targeted. The question is—will you be ready?

  • View profile for Freddy Macho

    Chairman of the Board CIC - Chairman IoTSI Chile - Advisor to the Board of Directors. - Regional Coordinator CCI - Cyber Researcher - Consejero Comite Ciber - (NED) - Global Ambassadors CyberTalks,

    36,953 followers

    2024 State of ICS/OT Cybersecurity.

    Since 2017, the annual State of #ICS / #OT #Cybersecurity survey has offered key insights and benchmarks for #industrial #cybersecurity programs worldwide. This year’s report continues that tradition. Based on inputs from over 530 professionals across multiple #critical #infrastructure sectors, it provides actionable guidance as to how organizations can manage industrial cyber risk effectively.

    The SANS 2024 State of ICS/OT Cybersecurity report is structured around the SANS Five #ICS #Cybersecurity #Critical #Controls, offering practical insights applicable to ICS/OT programs regardless of size, budget, or sector. As industrial environments evolve, driven by increased #threats, #regulatory requirements, and IT–OT #integration, the need for a resilient and #adaptive #security #posture is more critical than ever.

    • Slightly cloudy—26% of respondents are now utilizing #cloud #technologies for ICS/OT applications, marking a significant (+15%) increase from previous years.
    • Workforce growing pains—51% of respondents do not hold any ICS/OT-specific certifications, indicating a #critical need for access to enhanced training and #certification #programs.
    • Incident response “haves and have-nots”—56% of organizations have a dedicated ICS/OT #incident #response plan, though 28% still lack such a plan.
    • MFA for (almost) everyone—75% of respondents have implemented #multifactor #authentication (#MFA) for remote access to industrial sites, showing steady improvement in securing #access #points.
    • Limited AI adoption—Only 10% of respondents are currently using #AI in their ICS/OT #security #strategies, though interest is growing.
    • Standards and intel lead maturity—Throughout the report, one thing is clear: the more organizations use both industry-adopted standards and ICS-specific #threat #intelligence, the more mature their overall cyber capabilities are.

    Centro de Investigación de Ciberseguridad IoT - IIoT

  • View profile for Shiv Kataria

    Mentor | Leader | Risk Governance | Incident Response | Cybersecurity, Operational Technology [views are personal]

    24,108 followers

    The Dragos, Inc. Year in Review report is here — and I did a quick gist of it. The key points are:

    The 2026 OT/ICS threat landscape confirms something many of us in the field have been sensing for a while: A clear shift from access to physical impact.

    Here are some of the most important takeaways from the report and the visual summary:

    1️⃣ Adversaries are actively mapping control loops
    Attackers are no longer just gaining footholds — they are studying engineering workstations, configuration files, and alarm data to understand how physical processes operate. This removes the last barrier between cyber intrusion and real-world disruption.

    2️⃣ The “division of labor” attack model is accelerating impact timelines
    Initial access brokers are handing environments to ICS-focused teams, compressing timelines from compromise to operational impact from weeks to days.

    3️⃣ From disclosure to exploit in ~24 days
    Adversaries are operationalizing vulnerabilities faster than defenders can patch — highlighting the growing industrial defense gap.

    4️⃣ The visibility problem remains massive
    Fewer than 10% of OT networks have sufficient monitoring, meaning many organizations still cannot detect attack techniques used even a decade ago.

    5️⃣ Ransomware is often NOT just IT — it’s operational impact
    Many incidents labeled “IT ransomware” actually disrupt SCADA systems and engineering workstations, affecting operations directly.

    6️⃣ Internet exposure continues to be a major risk
    A large portion of assessments still find external connectivity issues across manufacturing, oil & gas, and electric sectors — reinforcing the need for defensible architectures.

    7️⃣ New threat groups show growing maturity
    Groups like AZURITE, PYROXENE, and SYLVANITE demonstrate increased capability in OT reconnaissance, supply-chain compromise, and large-scale initial access operations.

    What this means for defenders

    The fundamentals still win:

    ✔️ Asset visibility
    ✔️ Network monitoring
    ✔️ Segmentation
    ✔️ Secure remote access
    ✔️ Incident response readiness

    The report reinforces that OT cybersecurity is not just a technical challenge — it’s a prioritization challenge.

    Overall takeaway: We are entering a phase where adversaries are preparing for operational effects at scale. The gap between adversary capability and defender visibility is widening — and closing it requires sustained investment and leadership focus.

    Report Link: https://lnkd.in/g37fjMUP

    If you work in critical infrastructure, this report is worth your time. Curious — which finding resonated most with your environment?

    #OTSecurity #ICS #CyberSecurity #CriticalInfrastructure #IEC62443 #Dragos #IndustrialCyber

  • View profile for John Kingsley

    ICS/OT Cybersecurity Practitioner | R&D | Product Security | Threat Modelling | Security Architect | OT GRC | Community Builder | LLM & AI in Cybersecurity

    22,165 followers

    Anatomy of 100+ Cybersecurity Incidents in Industrial Operations: A Research Study With Recommendations For Strengthening Defenses in OT/ICS by Rockwell Automation

    A brief extract from the report:

    "This study was commissioned to develop and share instructive insights around actual OT/ICS cybersecurity attack activity. We know it’s imperative to prioritize the protection of OT systems, invest in advanced cybersecurity technologies, and raise awareness among industrial leaders. These insights should help defenders better understand the true nature of the battleground they face, and support taking more urgent action to improve defenses."

    💡 Topics covered

    ⚙ Introduction & Research Methodology
    ⚙ Primary Research Findings
    ⚙ Tracking OT Cybersecurity Incidents
    ⚙ Understanding OT Implications
    ⚙ Critical Infrastructure Impacts
    ⚙ An Energy Sector Case Study
    ⚙ IT Dominates Point of Entry
    ⚙ Profiling Threat Actors
    ⚙ Digging Deeper into Attack Personas
    ⚙ Spear Phishing Tops Access Techniques
    ⚙ Once Inside, OT Attackers Aim to Control & Disrupt
    ⚙ Additional Attack Implications
    ⚙ Reflections and Recommendations

    -xx-

    Follow John Kingsley and press 🔔 to get instant notifications for such insightful information.

    OT SECURITY PROFESSIONALS #IEC62443 #otcybersecurity #cybersecurity #infosec #IACS #stride #securityprofessionals #threatmodeling #informationsecurity #itsecurity #networksecurity #productsecurity #hardwaresecurity #embeddedsecurity #securitybydesign ISA Bangalore ISA SAFETY AND SECURITY DIVISION Industrial Cybersecurity Hub Puneet Tambi Shiv Kataria Manjunath Hiregange Abhay Kottur Marcel Rick-Cen Praveen Singh Prabh Nair Prashanth AC Danielle J. Daniel Ehrenreich Teodosio Gutiérrez