Industrial cyberattacks are targeting factory floors directly: The Alarming 2026 Shift Every OT Operator Must Understand Now

Fast Facts

Manufacturing ransomware attacks surged 56% in 2025 to 1,466 incidents, and the threat model has changed fundamentally. Attackers no longer need to pivot from IT to OT. Since at least March 2026, Iranian-affiliated APT actors have been connecting to internet-exposed PLCs directly, manipulating HMI displays and SCADA data without touching the corporate IT network. The factory floor is now the primary entry point. Any manufacturer still treating OT security as an IT problem is working from an outdated threat map.

📎 Connected Analysis

In our previous analysis of the ServiceNow–Armis $7.8B acquisition, we showed why industrial networks are blind to thousands of connected OT devices. This article explains why that blindness is now being weaponised — and what attackers do the moment they find an untracked PLC facing the internet.


The old playbook for industrial cyberattacks assumed a sequence: breach the IT network, move laterally, eventually reach operational technology. That sequence has collapsed. Industrial cyberattacks are targeting factory floors directly in 2026 — not as the destination after an IT breach, but as the initial point of entry. Since March 2026, U.S. cybersecurity agencies have warned of an Iranian-affiliated APT group accessing internet-connected Rockwell Automation Allen-Bradley PLCs directly, using legitimate configuration software to manipulate HMI displays and SCADA data without any prior IT network compromise.

This is structurally different from everything the industrial security industry spent the last decade preparing for.

Metric                                   | Value        | Description
-----------------------------------------|--------------|-------------------------------------------------------
Manufacturing ransomware surge           | 56%          | Increased from 937 to 1,466 incidents in 2025
Industrial access credentials (dark web) | Up to $70K   | Highest observed price for OT system access
Access transfer time                     | ~30 seconds  | Time to resell compromised access (M-Trends 2026)
Average ransom demand (Europe)           | $1.16M       | Manufacturing sector, Q3 2025


The Direct-to-PLC Attack and What It Changes

The Rockwell PLC incidents documented in the CISA advisory follow a pattern that bypasses every IT-centric security control. Adversaries used leased overseas infrastructure and legitimate Rockwell configuration software, Studio 5000 Logix Designer, to establish accepted connections directly to internet-facing CompactLogix and Micro850 devices. No phishing email. No corporate network breach. Just an exposed PLC reachable from the internet and the knowledge of how to talk to it. The practical consequence for defenders is that there is no malware to detect: the traffic is the same EtherNet/IP (CIP) traffic an engineering workstation generates, so the only reliable signals are where the connection came from and whether that source was supposed to be there.

According to Industrial Cyber's coverage of the CISA advisory, the affected sectors included government services, water and wastewater systems, and energy infrastructure. Some victims experienced operational disruption and financial loss. The attackers did not need ransomware. They needed only to manipulate what operators could see, changing what HMI screens displayed while the actual process state diverged from the readings. An operator trusting the display was flying blind.

A PLC that never appeared in any asset inventory, connected directly to the internet, accepting connections from legitimate-looking software — that is the attack surface the CISA advisory confirmed is being actively exploited. You cannot protect what you have not discovered.
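Because the direct-to-PLC connections described above use the same protocol an engineer's workstation would, the detection that matters is "who is talking CIP to a controller, and were they allowed to?" The following is an added example, not code from the article or from CISA: it runs that check over Zeek-style conn.log records. The column order follows the first seven fields of Zeek's conn.log (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto); the log lines, the PLC inventory, and the engineering-workstation allowlist are constructed for the example, and the plant is assumed to use RFC 1918 addressing internally.

```python
"""Added example: flag EtherNet/IP sessions to PLCs that do not originate
from an approved engineering workstation, from Zeek-style conn.log lines.
All addresses, UIDs and the inventory below are constructed assumptions.
"""
import ipaddress

# EtherNet/IP explicit messaging (TCP/UDP 44818) and implicit I/O (UDP 2222).
ENIP_PORTS = {("tcp", 44818), ("udp", 44818), ("udp", 2222)}

# Assumed plant inventory: the controllers, and the only hosts that should
# ever run Studio 5000 (or any other CIP client) against them.
PLC_HOSTS = {"10.20.30.5", "10.20.30.6"}
ENGINEERING_WORKSTATIONS = {"10.20.1.50"}

# The plant's internal ranges; anything outside these is treated as external.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed conn.log excerpt (tab-separated, Zeek field order for the
# first seven columns). C4 is PLC-to-I/O implicit traffic, C5 is unrelated.
SAMPLE_CONN_LOG = """\
1711000000.1\tC1\t10.20.1.50\t51000\t10.20.30.5\t44818\ttcp
1711000001.2\tC2\t10.20.1.77\t51001\t10.20.30.5\t44818\ttcp
1711000002.3\tC3\t198.51.100.23\t40000\t10.20.30.6\t44818\ttcp
1711000003.4\tC4\t10.20.30.5\t2222\t10.20.30.9\t2222\tudp
1711000004.5\tC5\t203.0.113.9\t443\t10.20.1.50\t52000\ttcp
"""


def parse_conn_line(line: str):
    """Return a dict for a data line, or None for headers/short lines."""
    if line.startswith("#"):
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 7:
        return None
    return {"ts": float(f[0]), "uid": f[1], "orig_h": f[2], "orig_p": int(f[3]),
            "resp_h": f[4], "resp_p": int(f[5]), "proto": f[6]}


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_RANGES)


def classify(rec: dict):
    """Severity for a CIP session to a known PLC, or None if not of interest."""
    if (rec["proto"], rec["resp_p"]) not in ENIP_PORTS:
        return None
    if rec["resp_h"] not in PLC_HOSTS:
        return None                      # e.g. PLC-to-I/O traffic, not a client session
    if rec["orig_h"] in ENGINEERING_WORKSTATIONS:
        return None                      # approved engineering workstation
    if not is_internal(rec["orig_h"]):
        return "critical"                # external source talking CIP to a controller
    return "high"                        # internal host that is not an approved client


def find_unapproved_enip(log_text: str):
    """Return (severity, uid, source, plc) for every session that fails the check."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        sev = classify(rec)
        if sev is not None:
            alerts.append((sev, rec["uid"], rec["orig_h"], rec["resp_h"]))
    return alerts


if __name__ == "__main__":
    for alert in find_unapproved_enip(SAMPLE_CONN_LOG):
        print("ALERT", *alert)
```

On the sample data this flags C2 (an internal host that is not the engineering workstation) as high and C3 (an external address reaching a controller on 44818) as critical, while ignoring the controller's own I/O traffic and the unrelated HTTPS session. In production the inventory and allowlist would come from the asset-discovery data rather than a hard-coded set, and the "critical" case should never be reachable at all if the firewall and NAT rules are what you think they are; seeing it is itself evidence of an undocumented exposure.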


The Economic Logic Driving the Shift to Direct Factory Attacks

Attackers go where the leverage is. Manufacturing has it in abundance. According to Check Point’s Manufacturing Threat Landscape 2026 report, manufacturing alone accounted for roughly 50% of all ransomware hits globally in 2025. The reason isn’t that factories are technically easier to breach — it’s that production downtime costs millions per day, which means the ransom-to-disruption ratio is extraordinarily favorable for attackers.

“Attackers know that critical infrastructure providers are measured in their uptime or service availability; so, once a device is compromised, the attackers have the luxury of mapping out and planning a very targeted attack rather than just being opportunistic.”
— Jeff Macre, Principal OT Security Researcher, via SecurityWeek Cyber Insights 2026

Industrial access credentials are now a traded commodity. Dark web marketplaces are selling credentials for industrial systems at $4,000 to $70,000 per set — priced based on the operational value of what they unlock. A credential that grants access to a water treatment plant’s SCADA system commands a premium because the disruption potential commands a premium. This is a market for operational leverage, not data theft.


⚠ Fiction — Illustrative Scenario

A production manager at a cement plant in Kano notices his HMI screens showing normal kiln temperatures while a quality alert that should have triggered fifteen minutes ago has not appeared. He assumes a display lag. It isn’t. An attacker accessed the plant’s internet-connected PLC four days earlier using credentials purchased for $8,500 on a dark web forum. The SCADA display has been showing cached readings since then. The actual kiln temperature is 40 degrees above safe operating range. By the time anyone checks the physical sensors, the refractory lining has sustained damage that will take three weeks to repair. The ransom note arrives six hours later.

The M-Trends 2026 report adds another dimension: compromised access can now be transferred between threat actors in under 30 seconds. This means initial access brokers — specialists who breach and sell entry points — can operate at industrial scale. A single compromised OT credential doesn’t just enable one attacker. It’s an asset that can be sold, resold, and activated by a separate ransomware affiliate with no connection to the original breach. The botnet-to-ransomware pipeline increasingly runs through the same industrial IoT infrastructure.


What Emerging Market Factories Face That Western Manufacturers Don’t

Industrial facilities in Nigeria, Ghana, Kenya, and Southeast Asia operate with a specific compounding risk. OT networks in these markets are often less segmented, less monitored, and more likely to have internet-facing devices that were connected informally during maintenance or remote access configurations. Simultaneously, the security team resources to detect and respond to a direct PLC attack are proportionally smaller.

That European manufacturers absorbed 72% of industrial ransomware attacks in Q3 2025 does not mean African manufacturers are safer; it means their incidents are underreported. An attack that disrupts a cement plant in Kano with $2M in annual revenue does not make the threat intelligence feeds that document disruptions at automotive suppliers in Germany. The threat is global. The documentation is not. The OT cybersecurity convergence pattern in the acquisitions market reflects awareness of exactly this gap: visibility tools designed for OT environments matter more, not less, in markets where informal network growth has outpaced security architecture.


💡 Analyst’s Note

By Daniel Ikechukwu

Strategic Impact

The direct-to-PLC attack model documented in the CISA advisory invalidates the foundational assumption of most industrial security architectures — that protecting the IT-OT boundary is sufficient. If attackers can reach OT devices without crossing that boundary, perimeter-focused security investments are protecting the wrong layer. The 56% manufacturing ransomware surge and the $70,000 credential market are symptoms of the same structural shift: the production floor has become the primary target, not the secondary one.

Stop / Start / Watch

  • STOP assuming internet-facing OT devices are either nonexistent or secured. Verify from the outside: find out what your public address space exposes on the EtherNet/IP ports (TCP/UDP 44818) and other OT protocol ports, then reconcile that against firewall NAT rules and any cellular or vendor remote-access links set up during maintenance. The CISA advisory found compromised devices that victim organizations did not know were exposed.
  • START treating OT asset visibility as a prerequisite for any other security investment. You cannot segment, patch, or monitor devices you have not discovered. Agentless, passive discovery that identifies PLCs, HMIs, and SCADA gateways from their own protocol traffic is the foundational step; everything else builds on it.
  • WATCH the cyber insurance market through Q2 and Q3 2026. Insurers are already tightening underwriting requirements for manufacturers with poor OT security postures. Premium increases and coverage exclusions for unpatched OT devices are arriving faster than most manufacturers’ procurement cycles can respond. That pressure will become a forcing function for security investment where board-level concern hasn’t been.
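The STOP and START items above both come down to recognising a controller from its protocol traffic. The block below is an added example, not code from the article, CISA or Rockwell: it builds the unauthenticated EtherNet/IP List Identity request that CIP clients use to enumerate devices, and parses the reply into an inventory record (vendor, device type, product name, revision, serial). It assumes the target speaks EtherNet/IP on the standard port 44818 and that you are authorised to probe it; the sample reply it parses offline is constructed here, including the product-name string and serial number.

```python
"""Added example: fingerprint an EtherNet/IP device (e.g. a CompactLogix or
Micro850 controller) with a List Identity request and parse the reply.
The constructed response below stands in for a live device so the parser
can be exercised offline. Probe only address space you are authorised to test.
"""
import ipaddress
import socket
import struct
from typing import Optional

ENIP_PORT = 44818
CMD_LIST_IDENTITY = 0x0063
ITEM_LIST_IDENTITY = 0x000C
HEADER_FMT = "<HHIIQI"   # command, length, session handle, status, sender context, options
VENDOR_NAMES = {0x0001: "Rockwell Automation/Allen-Bradley"}  # ODVA vendor ID 1
DEVICE_TYPE_PLC = 0x0E   # CIP device profile "Programmable Logic Controller"


def build_list_identity_request() -> bytes:
    """24-byte encapsulation header with an empty body and no session."""
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, 0, 0, 0, 0, 0)


def build_identity_response(name: str, ip: str, vendor: int = 0x0001,
                            dev_type: int = DEVICE_TYPE_PLC, serial: int = 0x00C0FFEE,
                            rev: tuple = (20, 11)) -> bytes:
    """Constructed reply (assumed values) in the List Identity response layout."""
    pname = name.encode("ascii")
    item = struct.pack("<H", 1)                                                    # protocol version
    item += struct.pack(">HH4s8s", 2, ENIP_PORT, socket.inet_aton(ip), b"\0" * 8)   # sockaddr_in (big-endian)
    item += struct.pack("<HHHBBHIB", vendor, dev_type, 0x0000, rev[0], rev[1],
                        0x0030, serial, len(pname))                                # identity fields
    item += pname + b"\x03"                                                        # product name, state
    body = struct.pack("<HHH", 1, ITEM_LIST_IDENTITY, len(item)) + item            # item count, type, length
    return struct.pack(HEADER_FMT, CMD_LIST_IDENTITY, len(body), 0, 0, 0, 0) + body


def parse_list_identity_response(data: bytes) -> dict:
    if len(data) < 24:
        raise ValueError("short encapsulation header")
    cmd, length, _sess, status, _ctx, _opts = struct.unpack_from(HEADER_FMT, data)
    if cmd != CMD_LIST_IDENTITY or status != 0:
        raise ValueError(f"unexpected command 0x{cmd:04x} / status {status}")
    body = data[24:24 + length]
    (count,) = struct.unpack_from("<H", body, 0)
    off = 2
    for _ in range(count):
        item_type, item_len = struct.unpack_from("<HH", body, off)
        item = body[off + 4:off + 4 + item_len]
        off += 4 + item_len
        if item_type != ITEM_LIST_IDENTITY:
            continue                      # other CPF item types carry no identity data
        # After the 2-byte protocol version: 16-byte sockaddr_in (big-endian),
        # then little-endian vendor, device type, product code, revision
        # major/minor, status word, serial, name length, name, state.
        _fam, _port, addr = struct.unpack_from(">HH4s", item, 2)
        vendor, dev_type, prod_code, rmaj, rmin, dstatus, serial, nlen = \
            struct.unpack_from("<HHHBBHIB", item, 18)
        pname = item[33:33 + nlen].decode("ascii", "replace")
        return {
            "ip": str(ipaddress.IPv4Address(addr)),
            "vendor_id": vendor,
            "vendor": VENDOR_NAMES.get(vendor, f"vendor 0x{vendor:04x}"),
            "device_type": dev_type,
            "is_plc": dev_type == DEVICE_TYPE_PLC,
            "product_code": prod_code,
            "revision": f"{rmaj}.{rmin:03d}",
            "status": dstatus,
            "serial": f"{serial:08X}",
            "product_name": pname,
            "state": item[33 + nlen],
        }
    raise ValueError("no identity item in reply")


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one List Identity over UDP 44818 and parse the reply; None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_list_identity_request(), (host, ENIP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_list_identity_response(data)


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed reply, then any hosts given.
    print(parse_list_identity_response(build_identity_response("1769-L33ER/A", "192.0.2.10")))
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Two practitioner notes. First, the request needs no session and no credentials, which is exactly why an exposed controller answers it for anyone; if `probe()` returns a record when run from outside your perimeter, that controller is on the internet whether or not it appears in an inventory. Second, the same packet is what a passive monitor should watch for in the other direction: List Identity broadcasts from a host that is not an engineering workstation are early reconnaissance, not normal plant traffic.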

ROI Outlook

The ROI case for OT security investment in 2026 is straightforward: average European manufacturing ransom demands reached $1.16 million in Q3 2025 — more than double the previous year — before accounting for production downtime costs that can run millions per day. An OT visibility and segmentation program for a mid-size manufacturing facility typically costs $150,000–$400,000 to implement. Against a single incident at current ransom levels, the payback is immediate. Against avoided downtime over a three-year horizon, the ROI is not debatable.


Frequently Asked Questions

What changed about industrial cyberattacks in 2026?

Attackers have moved from using IT networks as the entry point for reaching OT systems to attacking OT devices directly. Since March 2026, documented cases show Iranian-affiliated APT actors accessing internet-connected PLCs using legitimate configuration software — bypassing corporate IT networks entirely. This invalidates security architectures built around IT-OT boundary protection as the primary defense.

How did the manufacturing ransomware numbers change in 2025?

Manufacturing ransomware incidents rose 56% year-over-year in 2025, from 937 to 1,466 documented cases, according to Check Point’s Manufacturing Threat Landscape 2026 report. Manufacturing accounted for roughly 50% of all global ransomware hits. Average ransom demands in European manufacturing reached $1.16 million in Q3 2025 — more than double the prior year.

What are industrial access credentials and why are they valuable to attackers?

Industrial access credentials are usernames, passwords, and configuration access keys for OT systems — PLCs, SCADA platforms, HMIs, and remote access gateways. On dark web markets, these credentials sell for $4,000 to $70,000 per set, priced based on the operational value of what they unlock. High-value targets like water treatment or energy infrastructure command premium prices because the disruption potential — and therefore ransom leverage — is higher.

What is a direct PLC attack and how does it work?

A direct PLC attack accesses a programmable logic controller that has internet connectivity without first breaching the corporate IT network. In the documented 2026 cases, adversaries used legitimate Rockwell Automation configuration software (Studio 5000 Logix Designer) to establish accepted connections to exposed CompactLogix and Micro850 devices. They then manipulated HMI display data and SCADA readings — causing operators to see false readings while the actual process state diverged.

Does this threat apply to manufacturers in Africa and emerging markets?

Yes, and the exposure is often higher. Industrial facilities in Nigeria, Ghana, Kenya, and Southeast Asia frequently have OT networks with informal internet connectivity established during maintenance or remote access configurations — and fewer resources to detect or respond to a direct OT attack. The threat intelligence data underrepresents these markets because incidents are less frequently reported and documented, not because they occur less frequently.

What should procurement teams require from OT security vendors given this threat shift?

Three requirements have become non-negotiable: (1) agentless OT asset discovery that finds internet-facing PLCs, HMIs, and SCADA gateways without requiring device modification — you cannot protect what you haven’t found; (2) network traffic monitoring at the OT layer specifically, not just at the IT-OT boundary; (3) documented response capability for direct OT device compromise scenarios — vendors whose playbooks only address IT-pivot attacks are not prepared for the current threat model.

