Aug 21 2025
Security

What Does the Rise of RansomOps Mean for Manufacturers?

To defend themselves against RansomOps, experts recommend air-gapped backups, operational technology visibility in security operations center workflows and machine identity management.

RansomOps is the next evolution of ransomware, and it’s hitting manufacturers hardest in their supply chains. Gaps in IT and operational technology (OT) integration have opened new opportunities for attackers, and the risks keep growing.

A single compromised controller can halt an entire production line, which often consists of expensive machines running outdated software riddled with vulnerabilities. And too often, manufacturers are reluctant to pause operations for fear of downtime, leaving those systems even more exposed.

These highly coordinated attacks are accelerating fast. In fact, 93% of manufacturing organizations reported a ransomware attack in the past year. Of that amount, 53% of backup attempts were successful, according to a Sophos 2024 report that surveyed 5,000 IT and cybersecurity leaders.

To detect damage and respond to threats before they are irreversible, IT leaders are adopting integrated defenses including immutable air-gapped backups, OT visibility in security operations center (SOC) workflows and machine identity management. Here’s what businesses need to know.


Deploy Immutable Backups With Air-Gapped Storage

Immutable, air-gapped backups are becoming a critical line of defense for manufacturers facing RansomOps threats, because these attacks target not only production systems but also backup environments.

By ensuring that recovery points cannot be altered or encrypted during an attack, solutions such as Rubrik Zero Trust Data Security and Veeam Hardened Repositories help organizations restore operations quickly and with minimal loss.


“There’s two ways to air-gap,” says Frank Dickson, group vice president for security and trust at IDC. “You can air-gap the device, which is the easiest way to keep things from being breached, because they’re not open to the internet at all.”

However, older equipment can’t be secured entirely, so disconnecting it is the only option. The other approach focuses on rapid recovery.

“Attackers are smart. One of the first things they’ll do is attack the backups,” Dickson says.

By maintaining immutable, isolated backups, organizations can prevent attackers from wiping out their recovery data, making it possible to reinstall their operating systems and restore other critical systems in minutes.

“While this doesn’t stop the initial breach, it dramatically reduces downtime and limits the operational and financial damage,” Dickson says.

Build OT Visibility Into SOC Workflows

Building OT visibility into SOC workflows is critical for defending manufacturing environments.

SOCs excel at monitoring standardized IT systems such as PCs, Microsoft Office and corporate networks, but struggle when faced with the thousands of highly specialized devices in industrial settings.

“Manufacturing is full of unique and bespoke tools,” Dickson says. “The SOC may be able to interpret connectivity or concerns, but the challenge is what they can do about it.”

In OT environments, availability often outranks confidentiality or integrity on the priority scale. Shutting down equipment can cause catastrophic damage, making immediate, informed responses essential.


While SOCs can integrate OT signals and flag anomalies, the investigation and remediation must be handled by teams with intimate knowledge of each device’s function and operational context.

“Integrating a signal into the SOC so they can be aware is a good idea,” Dickson explains. “But the OT environment is going to have to do the investigations, detections and any sort of remediation.”
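The split Dickson describes, where the SOC raises awareness but OT owns the response, can be built into the alerting logic itself. The following is an added example, not code from the article or any vendor: it scans a few constructed OT gateway log lines, flags writes from unknown hosts, firmware writes and setpoint changes outside a maintenance window, and routes every alert to the OT team with automated remediation disabled. The log format, host inventory and maintenance window are assumptions.

```python
"""Flag OT anomalies for SOC awareness while leaving remediation to OT.

Added example, not from the article. Log format, asset inventory and
rules are constructed for illustration; real OT gateways differ.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed inventory: hosts permitted to write to each PLC.
KNOWN_WRITERS = {
    "plc-line1": {"hmi-line1", "eng-ws-01"},
    "plc-line2": {"hmi-line2", "eng-ws-01"},
}
# Constructed maintenance window: hour of day, start inclusive, end exclusive.
MAINTENANCE_WINDOW = (2, 5)


@dataclass
class OTAlert:
    device: str
    reason: str
    raw: str
    route: str = "OT-team"        # SOC raises it; OT investigates
    auto_remediate: bool = False  # never stop equipment from the SOC


def parse_event(line: str) -> dict:
    """Parse 'key=value' telemetry, e.g. 'ts=03 dev=plc-line1 src=hmi-line1 op=write tag=speed'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = int(fields["ts"])
    return fields


def evaluate(line: str) -> Optional[OTAlert]:
    """Return an alert for suspicious write activity, None for benign events."""
    ev = parse_event(line)
    dev, src, op = ev["dev"], ev["src"], ev["op"]
    if op == "read":
        return None
    if src not in KNOWN_WRITERS.get(dev, set()):
        return OTAlert(dev, f"write from unknown host {src}", line)
    if op == "fw_write":
        return OTAlert(dev, "firmware write", line)
    if not MAINTENANCE_WINDOW[0] <= ev["ts"] < MAINTENANCE_WINDOW[1]:
        return OTAlert(dev, "setpoint write outside maintenance window", line)
    return None


def scan(lines: list) -> list:
    return [a for a in map(evaluate, lines) if a]


SAMPLE_LOG = [  # constructed telemetry lines
    "ts=03 dev=plc-line1 src=hmi-line1 op=write tag=speed val=1200",
    "ts=14 dev=plc-line1 src=hmi-line1 op=read tag=speed",
    "ts=14 dev=plc-line1 src=laptop-7f op=write tag=speed val=0",
    "ts=03 dev=plc-line2 src=eng-ws-01 op=fw_write tag=image",
    "ts=11 dev=plc-line2 src=hmi-line2 op=write tag=speed val=900",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.route}] {a.device}: {a.reason} (auto_remediate={a.auto_remediate})")
```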

Apply Machine Identity Management for Device Trust

Machine identity management can improve device trust in industrial environments, largely by enforcing the principle of least privilege.

This approach ensures that only individuals with a legitimate need (plant managers or equipment operators, for example) can access specific devices.

“By tightly controlling access, organizations can drastically reduce the potential for malicious activity or accidental changes,” Dickson explains.


The authentication process also confirms a user’s identity and authorization to define exactly what actions that user can perform.

For example, an operator might have permission to change a device’s operating speed, while a technician could be limited to viewing operational data.

“The more refined you get, the more secure you get,” Dickson says. This fine-grained permissioning makes it harder for bad actors to escalate privileges and gain control over critical equipment.

Machine identity management applies the same security philosophy as network microsegmentation, but instead of isolating systems through network architecture, it uses identity-based controls to create secure boundaries around device access.

“The fewer people that have permissions to access that equipment, the harder it is for bad actors to escalate privilege to get access to that device,” Dickson says.
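The operator-versus-technician split and the "fewer people with permissions" point above translate directly into a deny-by-default authorization check. This is an added example, not the article's or any product's code: roles map to allowed actions, each identity is scoped to specific devices, and a `blast_radius` helper shows how many identities could perform a given action on a device. Role names, identities and device names are constructed.

```python
"""Deny-by-default, per-device action authorization for OT equipment.

Added example, not from the article. Roles, identities and devices are
constructed; the principle is the one described: the fewer identities
that can act on a device, the less room there is for escalation.
"""
from dataclasses import dataclass

# Role -> actions it may perform. Anything not listed is denied.
ROLE_ACTIONS = {
    "operator":      {"read_status", "set_speed"},
    "technician":    {"read_status", "read_diagnostics"},
    "plant_manager": {"read_status", "read_diagnostics", "set_speed", "stop"},
}

# Identity -> (role, devices it is scoped to). Scoping limits blast radius.
IDENTITIES = {
    "alice": ("operator",      {"conveyor-1", "conveyor-2"}),
    "bob":   ("technician",    {"conveyor-1", "press-3"}),
    "carol": ("plant_manager", {"conveyor-1", "conveyor-2", "press-3"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(identity: str, device: str, action: str) -> Decision:
    """Return an allow/deny decision; every deny carries an audit reason."""
    entry = IDENTITIES.get(identity)
    if entry is None:
        return Decision(False, f"unknown identity {identity!r}")
    role, devices = entry
    if device not in devices:
        return Decision(False, f"{identity} is not scoped to {device}")
    if action not in ROLE_ACTIONS.get(role, set()):
        return Decision(False, f"role {role} may not {action}")
    return Decision(True, f"{identity} ({role}) may {action} on {device}")


def blast_radius(device: str, action: str) -> list:
    """Identities that could perform `action` on `device`; smaller is better."""
    return sorted(i for i in IDENTITIES if authorize(i, device, action).allowed)


if __name__ == "__main__":
    for who, dev, act in [("alice", "conveyor-1", "set_speed"),
                          ("bob", "conveyor-1", "set_speed"),
                          ("alice", "press-3", "set_speed"),
                          ("mallory", "press-3", "stop")]:
        print(who, dev, act, "->", authorize(who, dev, act))
    print("can stop press-3:", blast_radius("press-3", "stop"))
```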

