For the fourth consecutive year, manufacturing is the most targeted industry for cyberattacks1manufacturing is the most targeted industry for cyberattacks, accounting for 26% of all documented incidents in 2025. That statistic alone commands attention. What makes the current threat environment categorically different is the speed and accessibility of the knowledge fueling it.
Automation scripts, CNC configuration frameworks, PLC programming tools, and robotics control interfaces-once the exclusive domain of specialized engineers-are increasingly discussed, shared, and demonstrated on public repositories, forums, and social media platforms. When that open-access technical knowledge intersects with a threat landscape where barrier-to-entry for targeted cyber-physical attacks has dropped significantly, the implications for facility security, intellectual property, and operational continuity are profound.
The Open-Source Diffusion Problem in Smart Manufacturing
Open-source software has driven genuine productivity gains across metalworking and fabrication. It underpins machine monitoring dashboards, automated inspection scripts, MES integrations, and increasingly, AI-assisted quality control systems. The appeal is well-documented: cost efficiency, community-supported development, and the flexibility to tailor solutions to specific production requirements.
But the same openness that enables innovation creates exposure. According to the 2025 Black Duck Open Source Security and Risk Analysis (OSSRA) report2According to the 2025 Black Duck Open Source Security and Risk Analysis (OSSRA) report, 97% of commercial codebases contain open-source components, and the average application includes 911 open-source components. Of those, 64% are transitive dependencies-secondary libraries that most organizations cannot locate or track without automated tooling.
In a manufacturing context, where a single software stack may interface with PLCs, SCADA systems, robotic arms, and enterprise ERP simultaneously, the dependency chain is not an abstraction. It is an operational attack surface.
The Tripwire analysis of open-source risk in industrial settings3The Tripwire analysis of open-source risk in industrial settings underscores how this plays out in practice: the Log4j vulnerability affected numerous industrial applications reliant on this widely used logging library, and the Ripple20 family of vulnerabilities-embedded in a networking stack used across energy, water, and manufacturing-provided attackers with entry points to seize control of industrial devices. Many of the impacted devices were mission-critical, making patching complex and disruptive.
The Viral Knowledge Problem
The risk compounds when technical knowledge about these tools-how they work, where they can be configured, and crucially, where they are vulnerable-circulates publicly on platforms with no governance over who consumes it.
Kaspersky's ICS CERT analysis4Kaspersky's ICS CERT analysis noted that the proliferation of open-source tools for industrial automation has materially reduced the industry-specific expertise required to carry out targeted cyber-physical attacks. Attackers now access publicly available documentation, configuration guides, and vulnerability disclosures that previously demanded deep domain knowledge.
AI amplifies this further. Research from the OpenSSF5Research from the OpenSSF identifies how large language models can rapidly analyze open-source code, identifying exploitable flaws that would previously have required sustained expert effort. The same AI tools generating efficiency gains on the engineering side are being weaponized to accelerate adversarial reconnaissance.
The Threat Landscape: By the Numbers
The scale of the problem in manufacturing is not speculative. Bitsight's 2025 State of the Underground report6Bitsight's 2025 State of the Underground report identified manufacturing as the most targeted industry for the third consecutive year, accounting for 22% of cyberattacks where sector attribution was possible. Between 2024 and Q1 2025, manufacturing saw a 71% surge in threat actor activity, with 29 distinct groups actively targeting the sector.
Check Point's Manufacturing Threat Landscape 2025 report7Check Point's Manufacturing Threat Landscape 2025 report documents the ransomware dimension: attacks against manufacturers rose 56% year-over-year, from 937 incidents in 2024 to 1,466 in 2025. Supply chain attacks nearly doubled over the same period. In Europe, 80% of manufacturers still operate critical OT systems with known vulnerabilities, making exploitation not only feasible but repeatable.
The financial stakes are concrete. According to Siemens data cited in industry reporting, unplanned manufacturing downtime accounts for roughly 11% of annual revenue for Fortune 500 companies6Bitsight's 2025 State of the Underground report-approximately $1.5 trillion worldwide.
Where Security Governance Falls Short
Three structural weaknesses consistently drive manufacturing cyber risk, and all three are exacerbated by ungoverned open-source proliferation.
1. Limited OT Visibility Deloitte and MAPI's Smart Factory research8Deloitte and MAPI's Smart Factory research found that while 90% of manufacturers surveyed reported capabilities to detect cyber events, very few had extended monitoring into OT environments. Fewer than half had performed cybersecurity assessments within the past six months. OT investment decisions are frequently made at the operations level, with limited coordination from corporate security teams.
2. Unmanaged Open-Source Dependency Chains The 2025 OSSRA report2According to the 2025 Black Duck Open Source Security and Risk Analysis (OSSRA) report found that 90% of audited applications contained open-source components more than 10 versions behind the current release, and 79% contained components with no development activity in the last 24 months. In a production environment, those outdated libraries are not theoretical risks-they are documented vulnerabilities awaiting an exploit.
3. Inadequate Employee Training for the Modern Threat Phishing and social engineering account for 23% of manufacturing incidents7Check Point's Manufacturing Threat Landscape 2025 report, and AI-generated lures are increasingly indistinguishable from legitimate communications. Training programs designed for generic phishing scenarios do not adequately prepare shop floor personnel, process engineers, or procurement managers for AI-assisted spear-phishing or deepfake-based social engineering targeting industrial credentials.
This connects directly to the viral knowledge issue. When open-source automation tool configurations are shared across public forums, they provide social engineers with the context needed to craft highly credible, role-specific attacks against targeted personnel.
Building a Security Governance Framework for Open-Source Use
The objective is not to restrict open-source adoption-that would be both impractical and counterproductive. Open-source tooling is embedded in modern smart manufacturing automation and will remain so. The imperative is governance.
As the Open Source Security Foundation has articulated5Research from the OpenSSF, mitigating these threats requires "proactive security practices, automated tools, and industry collaboration"-not the abandonment of open development. The following protocol framework reflects that balance.
Six-Step Security Protocol for Manufacturing Facilities
Step 1 - Establish a Complete OT/IT Asset Inventory Conduct a comprehensive audit of all network-connected assets-PLCs, SCADA systems, IIoT sensors, and edge devices. CISA and the UK NCSC's 2025 joint guidance identifies a definitive OT asset register as foundational to effective incident response.
Step 2 - Generate and Maintain Software Bills of Materials (SBOMs) Mandate SBOMs for all software deployed on the production network, including open-source libraries and third-party modules. An SBOM is the minimum viable instrument for understanding what runs on the shop floor and where exposure exists.
Step 3 - Segment IT and OT Networks Enforce strict network segmentation between enterprise IT and operational technology environments per frameworks such as NIST SP 800-82. Lateral movement between corporate and plant networks ranks among the most consequential attack vectors in smart factory environments-a single unsegmented IoT sensor can serve as a conduit into critical production systems.
Step 4 - Deploy Threat Detection Across Both IT and OT Layers Implement SIEM solutions alongside OT-specific intrusion detection tools capable of monitoring anomalous traffic patterns on both network tiers. Manufacturing systems follow predictable communication baselines; behavioral deviation is a primary early-warning indicator.
Step 5 - Institute Role-Specific Security Training Deliver targeted security awareness training for shop floor operators, engineers, and procurement managers-not just IT staff. Training must cover AI-assisted phishing, credential-harvesting scenarios relevant to industrial settings, and physical access control.
Step 6 - Formalize Open-Source Governance Policies Establish a formal approval and vetting process for any open-source tools or automation scripts introduced into the production environment. Integrate Software Composition Analysis (SCA) tooling into the deployment pipeline and assign ownership of ongoing component monitoring to a designated team.
The Dual-Use Reality of Open Knowledge
The tension at the center of this issue is genuine. The same open technical communities that have accelerated automation in high-mix metal fabrication are the ones that inadvertently lower the barrier for threat actors. That is not an argument for restricting knowledge sharing-it is an argument for building organizational structures to manage the accompanying risk.
Manufacturers that treat security governance as a compliance burden rather than an operational discipline are disproportionately exposed. Those that integrate SBOM management, OT-specific monitoring, and role-appropriate training into standard operating procedures build resilience that compounds over time.
The viral diffusion of technical knowledge about manufacturing tools is not reversing. The governance gap is the variable organizations can close.
FAQ
What is the difference between IT security and OT security in a manufacturing context? IT security addresses enterprise systems-ERP, MES, corporate networks. OT (Operational Technology) security addresses systems that directly control physical processes: PLCs, SCADA, DCS, and industrial IoT devices. In smart factories, IT and OT are increasingly converged, creating a broader attack surface that requires coordinated security strategies across both layers.
Why are open-source tools particularly risky in industrial environments? Open-source tools often carry transitive dependencies-secondary libraries not explicitly selected by the deploying team. When those components contain vulnerabilities, they may go undetected unless automated Software Composition Analysis tooling and SBOMs are in use. In industrial environments, the consequences of undetected vulnerabilities extend beyond data loss to operational disruption, equipment damage, or safety hazards.
What is a Software Bill of Materials (SBOM), and why does it matter for manufacturers? An SBOM is a structured inventory of all software components-including open-source libraries-embedded in an application or system. For manufacturers, SBOMs provide the visibility needed to assess exposure when a new vulnerability is disclosed. CISA has been a leading advocate for SBOM adoption as part of broader software supply chain security requirements.
How should manufacturers handle publicly shared automation scripts or configurations? Any open-source script or configuration pulled from public repositories should pass through a formal vetting process before deployment in the production environment. This includes SCA analysis to detect known vulnerabilities, a review of license terms, and evaluation of whether the source repository is actively maintained. Scripts from unverified sources should not be deployed directly to production systems.
What regulatory frameworks apply to industrial cybersecurity? Key frameworks include the NIST Cybersecurity Framework (CSF 2.0), NIST SP 800-82 for OT environments, IEC 62443 for industrial automation and control systems, and sector-specific guidance from CISA. The EU's NIS2 Directive also imposes cybersecurity obligations on manufacturers operating in or supplying to the European market.
