The Business Case for Attack Surface Management in Manufacturing

Manufacturing has been the most targeted sector for ransomware for four consecutive years. The Dragos 2026 OT/ICS Cybersecurity Report makes the manufacturing threat picture clear: 119 ransomware groups actively targeting industrial organisations in 2025, a 49% year-on-year surge, and manufacturing accounting for more than two-thirds of all victims. Average ransomware dwell time in OT environments reached 42 days. For organisations with strong visibility, that number dropped to five.

The problem is rarely visibility. Most external attack surface management tools are good at finding things — exposed assets, misconfigured cloud resources, forgotten endpoints. The harder challenge is connecting that discovery to operational outcomes that a CISO, CFO, or board member can evaluate.

Manufacturing makes this harder than most sectors. Production networks connect legacy ICS and SCADA systems, IoT sensors, remote access infrastructure, and cloud applications across multiple facilities. Not all exposures carry equal risk to operations. When attack surface management treats a misconfigured temperature sensor the same as an exposed human-machine interface, security teams lose credibility in budget conversations — even when everyone in the room agrees that external visibility is essential.

This is the gap that matters: not between what you can see and what you can’t, but between what you discover and what you actually improve.

Why manufacturing’s attack surface is structurally different

The IT/OT convergence that has driven Industry 4.0 adoption also eliminated the isolation that made industrial environments relatively safe from external attack. Systems that were designed to run in air-gapped environments are now connected to networks those systems were never built to handle.

According to Forescout’s 2024 Threat Report, the number of threat actors targeting manufacturing increased 71% between 2023 and 2024 — the second highest jump of any sector. Separately, Bitsight research found that between 2024 and Q1 2025, manufacturing saw a 71% surge in threat actor activity with 29 distinct groups actively targeting the sector.

The structural reasons are well understood. Many facilities rely on legacy ICS and SCADA platforms that lack modern security controls. Remote access infrastructure — VPN appliances, remote desktop services, engineering workstations — is frequently internet-exposed and inadequately monitored. 65% of OT environments had insecure remote access conditions in 2024, and one in four penetration tests of industrial environments finds default credentials in use.

These are not software vulnerabilities waiting for a patch. They are configuration and visibility gaps — exactly what external attack surface management is designed to surface.

Why traditional ASM metrics fail manufacturing security teams

Most attack surface management programmes measure inputs rather than outcomes. Assets discovered. Changes detected. Alerts generated. Each metric trends upward, which creates an impression of progress that falls apart the moment a manufacturing leader asks what got fixed.

The problem is that discovery activity and risk reduction are not the same thing. Alert backlogs grow while known exposures in production networks persist for months. Asset ownership remains unclear across facilities. Critical industrial systems stay vulnerable while teams work through queues of low-priority findings.

Three outcome metrics give a clearer picture of whether external attack surface management is actually reducing manufacturing risk.

  • Mean time to ownership for production-critical systems. Manufacturing environments span multiple facilities with complex accountability structures. Industrial assets frequently lack clear owners, especially during shift changes, equipment upgrades, or facility expansions. Tracking how quickly discovered assets get assigned to a responsible team — and how quickly that team acts — tells you whether ASM findings are converting to security improvements or sitting in a queue.
  • Reduction in unauthenticated endpoints that can change production state. Not all connected devices carry equal operational risk. A manufacturing environment with extensive IoT sensor networks but few unprotected control system interfaces is substantially safer than one with fewer devices but open access to critical endpoints. Measuring this distinction focuses remediation effort on what actually matters to production continuity.
  • Production system recovery time after ownership changes. Manufacturing operations experience frequent personnel changes, equipment transfers, and facility restructuring. These transitions create ownership gaps that leave critical systems exposed. Tracking how quickly systems regain security oversight after ownership disruption tells you whether ASM processes are keeping pace with operational realities — or falling behind them.
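The three outcome metrics above can be computed from ordinary finding and scan records. The following is an added example, not CybelAngel's code or schema: the field names, asset names, and all sample records are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records; field names are hypothetical, not a vendor schema.
FINDINGS = [
    {"asset": "hmi-line3.example.com", "critical": True,
     "discovered": "2025-03-01T08:00", "owned": "2025-03-01T20:00"},
    {"asset": "vpn-plant2.example.com", "critical": True,
     "discovered": "2025-03-02T09:00", "owned": "2025-03-04T09:00"},
    {"asset": "eng-ws-17.example.com", "critical": True,
     "discovered": "2025-03-05T10:00", "owned": None},
    {"asset": "temp-sensor-88.example.com", "critical": False,
     "discovered": "2025-03-01T08:00", "owned": "2025-03-20T08:00"},
]
# Two scan snapshots: (asset, requires_auth, can_change_production_state)
SCAN_Q1 = [("hmi-line3", False, True), ("plc-gw-1", False, True),
           ("temp-sensor-88", False, False), ("vpn-plant2", True, True)]
SCAN_Q2 = [("hmi-line3", True, True), ("plc-gw-1", False, True),
           ("temp-sensor-88", False, False), ("vpn-plant2", True, True)]
# Ownership gaps after a transfer: (asset, owner_lost, owner_restored)
GAPS = [("hmi-line3", "2025-04-01T00:00", "2025-04-03T00:00"),
        ("plc-gw-1", "2025-04-10T00:00", "2025-04-14T00:00")]

def _hours(start, end):
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600

def mean_time_to_ownership(findings):
    """Mean hours to owner assignment for critical assets, plus still-unowned ones."""
    crit = [f for f in findings if f["critical"]]
    owned = [_hours(f["discovered"], f["owned"]) for f in crit if f["owned"]]
    unowned = [f["asset"] for f in crit if not f["owned"]]
    return (mean(owned) if owned else None), unowned

def state_changing_unauth(scan):
    """Assets reachable without authentication that can change production state."""
    return {a for a, auth, changes_state in scan if changes_state and not auth}

def unauth_reduction(before, after):
    """Drop in unauthenticated state-changing endpoints, and what is still open."""
    b, a = state_changing_unauth(before), state_changing_unauth(after)
    return len(b) - len(a), sorted(a)

def mean_ownership_recovery(gaps):
    """Mean hours a system spent without an owner after an ownership change."""
    return mean(_hours(lost, back) for _, lost, back in gaps)

if __name__ == "__main__":
    print(mean_time_to_ownership(FINDINGS))
    print(unauth_reduction(SCAN_Q1, SCAN_Q2))
    print(mean_ownership_recovery(GAPS))
```

The slow-to-assign temperature sensor is excluded from the ownership metric, and the unauthenticated sensor never counts toward the endpoint metric, so neither low-impact device distorts the production-critical figures.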

Building the business case: what leadership actually needs to hear

Security teams often lose manufacturing budget conversations because they frame ASM in security terms rather than operational ones. The business case that lands with a CFO or board is built around production continuity, regulatory exposure, and supply chain risk — not asset counts or alert volumes.

  • Production continuity. Ransomware attacks on manufacturing cause direct revenue loss through production downtime. According to Claroty research, ransomware has cost the manufacturing sector an estimated $17 billion in downtime over the last seven years. External attack surface management identifies exposed industrial control systems before attackers exploit them — the intervention cost is orders of magnitude lower than incident response and recovery.
  • Supply chain and customer risk. Manufacturing organisations increasingly face cybersecurity requirements from customers and partners as part of contract qualification. Demonstrating a mature external attack surface management programme provides concrete evidence of security controls — supporting contract renewals and new customer acquisition in sectors where cyber due diligence is now standard.
  • Regulatory pressure. The EU’s NIS2 Directive, effective October 2024, requires essential-service operators including manufacturers to implement robust risk management and incident reporting. Frameworks like IEC 62443 and the NIST Cybersecurity Framework for manufacturing both emphasise continuous monitoring and vulnerability management of industrial assets. External attack surface visibility provides a foundation for demonstrating compliance with these requirements.
  • Cyber insurance. Insurers are increasingly requiring documented ASM programmes as part of underwriting assessments for manufacturing organisations. Organisations that can demonstrate continuous monitoring of their external perimeter are better positioned in renewal negotiations — both on coverage terms and premium rates.

What good manufacturing ASM looks like in practice

The transition from reactive discovery to proactive risk reduction follows a consistent pattern across manufacturing environments.

In the early stages, the priority is establishing a complete and accurate external asset inventory — across all manufacturing domains, cloud resources, remote access infrastructure, and OT-facing systems. For most manufacturers, this first pass surfaces exposures that internal scanning missed entirely: forgotten subdomains, third-party integrations with excessive permissions, industrial systems with internet-facing management interfaces.

The second phase connects discovered assets to facility owners and operational context. An exposed engineering workstation in a critical production facility carries different urgency than the same finding in a decommissioned plant. Risk ranking that reflects production criticality — not just technical severity scores — is what allows security teams to make decisions that manufacturing leadership can understand and act on.

Ongoing operations require integrating ASM findings into existing manufacturing change management and incident response processes. Alerts about high-risk production system changes need to reach the right people quickly enough to matter. The value of external attack surface management compounds over time as those processes mature.

How CybelAngel supports manufacturing attack surface management

CybelAngel’s Attack Surface Management module provides continuous outside-in scanning of your manufacturing organisation’s external perimeter — identifying exposed industrial systems, misconfigured cloud infrastructure, and vulnerable remote access points before attackers reach them.

Our Credential Intelligence module monitors dark web sources and underground forums for compromised credentials linked to your manufacturing domains and your third-party suppliers. Credential-based attacks are consistently among the most common initial access vectors in manufacturing ransomware incidents — early detection gives security teams the window to act before those credentials are used.

Dark Web Monitoring tracks mentions of your organisation, your facilities, and your industrial data across sources that internal security operations can’t reach. Stolen operational data, exposed supplier contracts, and early signs of targeting all appear in these channels before an attack materialises.

For manufacturing organisations managing complex supply chains, our Third-Party Risk Assessment capabilities give you visibility into the external security posture of your suppliers and partners — the route attackers most commonly use to reach well-defended primary targets.

Our REACT team handles threat remediation from initial detection through complete resolution, reducing the workload on manufacturing security teams while ensuring faster response to operational threats.

FAQs

Manufacturing organisations have a low tolerance for downtime, which makes them more likely to pay ransoms quickly. Many also rely on legacy ICS and SCADA systems that lack modern security controls, and remote access infrastructure that is frequently internet-exposed. According to Dragos, manufacturing has accounted for more than two-thirds of all industrial ransomware victims in recent years.

IT attack surface management focuses on internet-facing systems — web applications, cloud infrastructure, domains, and network services. OT attack surface management extends that visibility to industrial control systems, SCADA platforms, engineering workstations, and operational technology that can affect physical production processes. In manufacturing environments, the convergence of IT and OT means both layers need to be continuously monitored.

The most credible ROI case for manufacturing ASM is built around avoided production downtime, compliance cost reduction, and supply chain risk management — not security metrics alone. Tracking outcome-based measures such as mean time to ownership for critical systems and reduction in unauthenticated production endpoints gives leadership concrete evidence of improving security posture over time.

Start with external-facing industrial control systems, remote access infrastructure, and internet-exposed management interfaces. These are the entry points that ransomware operators and threat actors most commonly exploit. Default credentials and unpatched VPN appliances are consistently identified as primary initial access vectors in manufacturing incidents.

CybelAngel provides an outside-in view of your manufacturing organisation’s attack surface — the same perspective an attacker has. This surfaces exposures that internal scanning misses: forgotten assets, third-party integrations, shadow IT, and industrial systems with unexpected internet exposure. Internal scanning tells you about systems you already know about. External scanning tells you what attackers can see.

For a broader view of the threat landscape facing manufacturing organisations, read our Aerospace & Defense Cyber Threat Landscape report or get in touch with our REACT team to discuss your specific environment.

 
