Manufacturing SMEs: what you need to know about cyber risks

As cybercriminals become more sophisticated, the risks specific to manufacturing SMEs are growing. From legacy systems to the convergence of IT and OT, understanding the unique cyber challenges is crucial for protecting your business. In this article, I'll explore the specific cyber risks facing manufacturing SMEs and offer insights and recommendations to help you stay one step ahead of potential threats.

Imagine your production line grinding to a halt, not because of a mechanical fault, but because of a cyberattack. For manufacturing SMEs embracing Industry 4.0, this isn't a vague possibility. It's a growing risk.

My hands-on experience in manufacturing began on an engineering production line as a student, but my cybersecurity work, spanning research labs and complex organisations, has given me insight into the risks faced by digitally transforming industries. With Jaguar Land Rover hitting the headlines recently for all the wrong reasons, I felt inspired to do some research into what the specific risks are for manufacturing companies in 2025.

Why is the cyber risk to manufacturing on the rise?

"Industry 4.0" is the strategy aspired to or being adopted across the manufacturing sector and other types of industry. There are various definitions out there, but they all point to what is more generally referred to as digital transformation. In manufacturing, this is the adoption and integration of new Operational Technologies (OT) into production facilities and throughout operations. This includes sensors, controllers, robotics, cloud computing, data collection and analytics, AI, and machine learning. 

In a nutshell, it is all about linking the digital with the physical, as it has come to be known and it creates a whole new cyber "attack surface" for manufacturing. This is on top of the more general cyber risks businesses face. I summarised the most common business cyber risks in my article "Why SMEs are in the sights of cyber criminals (and what you can do)" and will not repeat them here.

Who's attacking you and why?

Most cyber-attacks are carried out for financial gain by criminal groups. Your information can be sold on the black market or stolen and returned to you only once a ransom has been paid. In the worst-case scenario, you could be facing both.

Another type of attack group is the hostile nation-state which aims to disrupt the legitimate business of its adversaries. In an era of heightened political tension, there could be attempts to disrupt your business, among many.

Vulnerabilities specific to manufacturing

Whatever your manufacturing business, even if you are a small manufacturing plant with limited but critical automation, there are four specific vulnerabilities you should be aware of in addition to the more general vulnerabilities applicable to business in general.

• Legacy OT systems

  Many SMEs use older machinery and control systems (like SCADA or PLCs) that lack modern security features. These systems often run unsupported operating systems, making them easy targets for attackers who scan for such vulnerabilities.

• Expanded attack surface

  The adoption of IoT, cloud platforms, AI, and robotics introduces a web of interconnected devices. Each new sensor or smart machine becomes a potential entry point.

• Convergence

  Merging traditional IT systems with OT environments blurs boundaries and increases complexity. This allows attackers who breach the business network, via phishing, for example, to access critical production systems.

• Third-party and supply chain risks

  You may have heard about government concerns with Huawei comms equipment a few years ago. Manufacturing equipment sourced from foreign vendors, especially in geopolitically sensitive contexts, may contain backdoors (a sneaky way of gaining access to systems) which could be used to impact production equipment. Also, some automation platforms include cloud-based monitoring or remote diagnostics features. If hosted or controlled from overseas, this can pose risks to operational control. As unlikely as it may sound, it is something to be aware of.

Five practical steps you can take

It goes without saying that you should aim to implement good security practices across your organisation. Use something like the NCSC's Cyber Essentials if you do not know where to start. There are other more comprehensive standards to follow if you have the expertise to do so. 

In relation to the vulnerabilities specific to manufacturing, there are some things to prioritise.

1. Segment your OT from your internet-connected business network if you can. This may not be possible if you are already adopting Industry 4.0 principles but risk is mitigated if you apply the other recommendations.
2. Create an inventory of OT and record the software status of each. Where available, ensure all software is in support and security updates have been applied, including where applicable the firmware used on production equipment.
3. Review your third-party suppliers and decide what degree of trust you can place in them. Untrusted suppliers should be avoided but that is not always possible, in which case the other recommendations become more important.
4. Do some resilience planning to ensure you are ready should the worst happen. This includes incident response plans to outline what immediate steps you would take should your systems be attacked. Keep it simple but these plans should form part of broader business continuity and disaster recovery plans.  
5. Provide cyber awareness training to staff in critical production support roles. These are the people who are most likely to stop incidents before they turn into disasters. NCSC has some resources you can use. 

Would you like help with any of this? CyberSolver offers advice, guidance solutions that are low-cost and focus on what really matters. Why not arrange a free 30-minute call to help you decide what to do next?