A Cyber Wakeup Call for Operational Technology

The cyber threat is everywhere. Criminal enterprises and foreign state actors aren’t just attacking IT systems to steal data or make ransomware demands. They’re directly going after operational technology (OT), including industrial control systems (ICS).

More than half (30 of 55) of cybersecurity incidents self-reported to the U.S. Securities and Exchange Commission by companies in 2024 were direct attacks on an OT target, according to the Honeywell 2025 Cyber Threat Report.

Assaults on OT can be more challenging to fend off than attacks on IT, said Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the U.S. Department of Defense. “OT is vulnerable to cyber threats just like IT is, but the problem is exacerbated by the nature of OT,” he said. “There is an expectation with IT that you’re going to update software or apply patches several times a year and replace things every three to four years. But OT devices are expected to last a decade or more, and upgrading them is difficult if it is possible at all.”

Tanji explained that while manufacturers expect their IT systems to have state-of-the-art cybersecurity measures when purchased, they have a different perspective about OT. “The market demands high-quality products that work reliably over long periods of time,” he said. “Manufacturers don’t ask for high-quality products that work reliably over long periods of time and are invulnerable to security issues.” This will have to change.

Here’s another aspect of OT that puts manufacturers in the danger zone: In the digital age, factory floors, supply chains, and distribution networks are interconnected. This multiplies their vulnerability because there are so many points of entry.

So, when an attack occurs, a targeted company may have to shut down operations across departments and functions to regain control of systems. This appears to be what happened recently when hackers in the United Kingdom attacked JLR, which manufactures Jaguar and Land Rover vehicles. The company suddenly had to pull the plug on assembly lines in the United Kingdom and elsewhere.

Government oversight programs for the defense industry such as Cybersecurity Maturity Model Certification (CMMC) 2.0 are putting companies on notice about their responsibilities. But in the end, Tanji said, organizations must prioritize investments in cybersecurity for their own protection or face the consequences.

“Manufacturing consists of a handful of large firms that can afford to invest in cybersecurity technology and personnel, and thousands of firms that cannot make such investments, don’t think the problems pertain to them, or are simply ignorant about all of this,” Tanji said. “We don’t have a plan for getting manufacturers from a compliant state to a secure one.”

We asked Tanji five questions about the threat landscape facing OT. (Answers have been edited for space.)

What are the three things all companies should be doing now to protect OT?

MT: First, every cybersecurity effort should start with an inventory of assets. This addresses the first principle of security: Know what you’re protecting.

Second, to the greatest extent you can, isolate and segment your OT networks so that threats cannot jump from IT to OT environments, and if they get in one part of the network they cannot get to any others.

And third, develop an OT-specific response plan. You can throw up all the defenses you like, but you’re not going to catch everything. So when things go sideways you don’t want to come up with solutions on the fly. Develop a plan on how to deal with the incident when you have time to think and are not under pressure.

Manufacturers are focused on artificial intelligence (AI). Is AI playing a role in the threat to ICS in OT environments?

MT: Cyber threat actors are primarily using generative AI, in the form of large language models (LLMs), to automate, scale, and accelerate all phases of the attack life cycle. By doing so they’re lowering the barrier to entry for less-skilled perpetrators and making the impact of hacks more significant.

AI can analyze vast amounts of publicly available data (LinkedIn, company websites, press releases) to craft highly effective spear-phishing emails. These AI models are being used to quickly parse through technical documentation, security advisories, and code bases to identify unpatched vulnerabilities in specific, common OT hardware like programmable logic controllers (PLCs) and human-machine interfaces (HMIs), as well as software. AI systems also are being developed that can automatically scan a compromised network, map its architecture, and determine the optimal path to reach a high-value target (like a critical production cell).

How about proactive responses from companies? Can AI help with vulnerability identification and reconnaissance mitigation?

MT: LLMs trained on large datasets of code, documentation, and vulnerability patterns are increasingly being integrated into application security testing processes. More to the point, AI defense systems can identify vulnerabilities and determine their severity based on an OT context. For example, a vulnerability in an old, isolated HMI that is essential for safety might be given a higher priority than a highly ranked vulnerability in a non-critical server.

AI-driven systems can also continuously scan and profile OT networks to identify every connected device, map their communication paths, and determine their business criticality. Again: You can’t protect what you can’t see, and AI makes this foundational step both comprehensive and continuous.

Once companies have done vulnerability assessments, what should the next steps be?

MT: AI/machine learning models trained on industrial protocols (e.g., Modbus, DNP3, etc.) can understand the content and context of commands, detecting subtle, targeted attacks, such as a PLC receiving a command to change a setpoint at an abnormal time or an engineering workstation communicating with a device it never has before.

By analyzing sensor data, historical data, and network traffic, AI can establish the normal physical behavior of a process (e.g., a motor’s typical vibration, temperature, and cycle time). If a cyberattack attempts to manipulate the physical process, AI can flag the physical anomaly as a security event, even if the network packet itself looks “valid.”
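As an added illustration of the two detection cases Tanji describes (a setpoint write at an abnormal time, and a workstation talking to a device it never has before), here is a small rule-based baseline detector over constructed Modbus/TCP-style flow records. It is example code written for this page, not MxD's or the article's, and it uses fixed rules rather than a trained model; the function-code set, the 08:00-17:00 engineering window and the addresses are assumptions.

```python
from datetime import datetime

# Modbus function codes that change PLC state (single/multiple coil and
# register writes); reads use codes 1-4. Assumed set for this example.
WRITE_FUNCTIONS = {5, 6, 15, 16}
# Assumption: setpoint writes are only expected during the engineering
# window, 08:00-17:00 local time. Anything outside it is flagged.
MAINT_WINDOW = (8, 17)

def parse(line):
    """Parse one constructed flow record: 'ISO-timestamp src dst func register'."""
    ts, src, dst, func, reg = line.split()
    return datetime.fromisoformat(ts), src, dst, int(func), int(reg)

def learn_baseline(lines):
    """Learning phase: record every (src, dst) pair seen during normal operation."""
    pairs = set()
    for line in lines:
        _, src, dst, _, _ = parse(line)
        pairs.add((src, dst))
    return pairs

def detect(baseline_pairs, lines):
    """Detection phase: alert on never-seen talker pairs and off-hours writes."""
    alerts = []
    for line in lines:
        ts, src, dst, func, reg = parse(line)
        if (src, dst) not in baseline_pairs:
            alerts.append(("new_pair", src, dst, ts.isoformat()))
        in_window = MAINT_WINDOW[0] <= ts.hour < MAINT_WINDOW[1]
        if func in WRITE_FUNCTIONS and not in_window:
            alerts.append(("offhours_write", src, dst, ts.isoformat()))
    return alerts

# Constructed sample traffic (not real captures): an engineering workstation
# (10.1.0.20) normally reads and writes PLC 10.1.0.50 during the day shift.
BASELINE = """2025-03-03T09:15:00 10.1.0.20 10.1.0.50 3 40001
2025-03-03T10:40:00 10.1.0.20 10.1.0.50 6 40010
2025-03-03T11:05:00 10.1.0.21 10.1.0.51 3 40001""".splitlines()

# Live traffic: one normal write, one 02:12 setpoint write from the known
# workstation, and an unknown host writing to a PLC it never talked to.
LIVE = """2025-03-10T09:30:00 10.1.0.20 10.1.0.50 6 40010
2025-03-10T02:12:00 10.1.0.20 10.1.0.50 6 40010
2025-03-10T02:13:00 10.1.0.99 10.1.0.51 16 40010""".splitlines()

if __name__ == "__main__":
    for alert in detect(learn_baseline(BASELINE), LIVE):
        print(*alert)
```

A real deployment would learn the baseline from weeks of passive capture and add per-register value ranges, but the two rules above already catch the packets that are protocol-valid yet operationally wrong.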

What other AI safeguards can companies adopt to protect operations?

MT: AI-powered SOAR (security orchestration, automation, and response) platforms can automate incident response for companies with limited cybersecurity staff. If AI detects a confirmed ransomware signature on an endpoint, it can automatically create an incident ticket, isolate the affected device from the network to prevent lateral movement, and notify the security team with a full investigative summary within seconds.

After an incident, AI can correlate data from disparate sources (firewall logs, process data, endpoint security, ICS server logs) to reconstruct the full sequence of an attack. This drastically cuts down the time required for human analysts to understand how the attack happened and where the threat actors got in, accelerating the recovery process.

Visit the MxD Virtual Training Center for information on cybersecurity workforce training resources.