Freely available open-source code and reusable attack playbooks are accelerating threats to operational technology (OT) environments across manufacturing. Threat actors now leverage the same dual-use tools that engineers rely on to automate and innovate, compressing the window between vulnerability disclosure and active exploitation to days.
Background
The convergence of information technology and OT networks has transformed the manufacturing plant floor into a contested cyber-physical domain. Rapid IT-OT convergence, widespread IIoT deployments, and geopolitical tensions combine to expand attack surfaces and raise the potential for safety-critical disruptions, according to OT security analysts. With 75% of OT attacks starting as an IT breach, organizations must focus on securing the entire converged IT-OT network, according to Dragos research. The dual-use character of open-source tooling sits at the center of this problem: platforms originally developed for network diagnostics, protocol analysis, or automation scripting can be repurposed by threat actors with minimal modification to probe industrial control systems (ICS), manipulate SCADA setpoints, or exfiltrate process data.
Between 2024 and the first quarter of 2025, manufacturing saw a 71% surge in threat actor activity, with 29 distinct groups targeting the sector, according to Bitsight TRACE, which named manufacturing the most targeted industry in its 2025 State of the Underground report. The European Union Agency for Cybersecurity (ENISA) reinforced that picture: its 2025 Threat Landscape report, analyzing nearly 4,900 cybersecurity incidents, found that operational technology threats now represent 18.2% of all identified threat categories - a significant shift toward targeting industrial and critical systems.
The proliferation of open-source repositories has measurably lowered barriers to entry for adversaries. Cybercriminals increasingly exploit vulnerabilities in open-source package repositories, with the risk of tainted or malicious code entering enterprise environments growing, especially when due diligence is lacking, according to Bitsight. ENISA separately documented over 42,595 new vulnerabilities disclosed during a recent 12-month period, a 27% increase, with critical vulnerabilities weaponized within days of disclosure.
Details
Concrete incident data shows how unsophisticated methods, combined with accessible tools, succeed at scale. Industrial cybersecurity firm Claroty reviewed open-source intelligence on more than 200 attacks during 2025, tied to over 20 different threat actors, each of which led to the successful compromise of a cyber-physical system environment in one of 20 critical sectors. In 82% of the 2025 verified incidents studied by Claroty, attackers gained initial access by using VNC - a widely available remote-connectivity tool - rather than novel zero-day exploits. Two-thirds of those incidents led to HMI or SCADA systems being compromised.
Ransomware-as-a-Service (RaaS) operations have further commoditized the threat. Ransomware surged across the manufacturing sector in 2025, rising 56% year over year to 1,466 incidents and accounting for roughly half of all global attacks, according to Check Point Research, which attributed the spike to vulnerable legacy OT systems, complex supply chains, and the rapid scaling of affiliate-driven RaaS models. In 2025, supply chain attacks nearly doubled, rising from 154 incidents in 2024 to 297. Dragos separately tracked 119 ransomware groups targeting industrial organizations in 2025, up from 80 in 2024, and reported an average dwell time of 42 days for ransomware in OT environments - a figure it partly attributed to OT assets such as engineering workstations being misclassified as IT systems.
In June 2025, a hacktivist group calling itself Infrastructure Destruction Squad debuted VoltRuptor, an ICS-specific malware package offering multi-protocol support, persistence capabilities, and anti-forensics features, according to ENISA. The group successfully compromised an Italian smart building automation company on June 30, 2025, demonstrating that purpose-built, open-source-derived ICS attack tooling has moved from proof-of-concept to operational deployment.
On the software supply chain front, CISA released updated draft SBOM (Software Bill of Materials) minimum-element guidance in 2025, expanding required fields to include component hashes, license data, and build-time generation context - a direct response to the inadequacy of earlier checklist-based approaches. Research on open-source ecosystems indicates that only about 0.56% of popular GitHub repositories contain SBOMs created in accordance with formal security or compliance policies, according to a large-scale study of GitHub repositories, underscoring the gap between guidance and practice.
In Europe, 80% of manufacturers continue to operate critical OT systems with known vulnerabilities, making exploitation both feasible and repeatable, according to Check Point Research. Average ransom demands in European manufacturing reached $1.16 million in Q3 2025, more than double the previous year, according to Security MEA. IBM X-Force assessments of OT-relevant CVEs in H1 2025 found that 90% of the top-mentioned vulnerabilities had been actively exploited, and 70% had been exploited by advanced persistent threat groups.
Industry bodies and security researchers are urging facilities to treat SBOM management as an operational discipline rather than a compliance exercise. CISA's updated Cross-Sector Cybersecurity Performance Goals, released in December 2025, emphasize network segmentation, zero-trust principles, and lateral movement mitigation as core security objectives. For legacy OT environments where retrofitting modern authentication is impractical, security practitioners recommend identity-aware gateways, strict jump-host access, micro-segmentation, and protocol allow-lists as compensating controls. Automated software composition analysis to flag outdated or vulnerable open-source components at ingestion - rather than after deployment - is now considered a foundational step before any open-source library enters a production control network.
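The two controls described above - SBOM minimum elements such as component hashes, and automated software composition analysis that flags vulnerable or incomplete components at ingestion rather than after deployment - can be combined into a single admission gate. The following is an added illustration written for this article, not code from CISA, Claroty, or any project named here. It assumes a CycloneDX-style JSON SBOM (the `bomFormat`, `components`, `hashes` and `alg` keys are real CycloneDX fields); the component names, versions, hash values and the vulnerability feed are constructed, and the vulnerability identifiers are placeholders rather than real CVEs.

```python
import json
import re
from dataclasses import dataclass

# Hash algorithms accepted as satisfying the "component hash" minimum element
# (assumption for this example; choose per your own SBOM policy).
REQUIRED_HASH_ALGS = {"SHA-256", "SHA-512"}

# Constructed vulnerability feed. Names are hypothetical packages and the IDs
# are placeholders, not real CVE numbers.
VULN_FEED = [
    {"name": "acme-modbus-client", "fixed_in": "1.1.3", "id": "CVE-PLACEHOLDER-0001"},
    {"name": "acme-hmi-sdk", "fixed_in": "3.0.0", "id": "CVE-PLACEHOLDER-0002"},
]

# Constructed SBOM: one vulnerable component, one compliant component, and one
# component that carries no hash at all. Hash contents are dummy hex strings.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-modbus-client", "version": "1.1.2",
         "hashes": [{"alg": "SHA-256", "content": "0" * 64}]},
        {"type": "library", "name": "acme-hmi-sdk", "version": "3.6.0",
         "hashes": [{"alg": "SHA-256", "content": "1" * 64}]},
        {"type": "library", "name": "plc-helper", "version": "0.4.0"},
    ],
})


@dataclass
class Finding:
    component: str
    version: str
    reason: str


def parse_version(v: str) -> tuple:
    """Split a version like '1.1.2' or '2.0.0-rc1' into a comparable integer tuple."""
    parts = []
    for piece in re.split(r"[.\-]", v):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True if version a is strictly lower than version b (pads short tuples)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def check_component(comp: dict) -> list:
    """Apply the minimum-element and known-vulnerability checks to one component."""
    findings = []
    name, version = comp.get("name"), comp.get("version")
    if not name or not version:
        findings.append(Finding(name or "?", version or "?", "missing name or version"))
        return findings
    # Minimum-element check: the component must carry an acceptable content hash.
    algs = {h.get("alg") for h in comp.get("hashes", [])}
    if not algs & REQUIRED_HASH_ALGS:
        findings.append(Finding(name, version, "no SHA-256/SHA-512 hash recorded"))
    # Composition-analysis check: flag versions below the feed's fixed version.
    for vuln in VULN_FEED:
        if vuln["name"] == name and version_lt(version, vuln["fixed_in"]):
            findings.append(Finding(
                name, version,
                f"known vulnerable ({vuln['id']}), fixed in {vuln['fixed_in']}"))
    return findings


def gate_sbom(sbom_json: str) -> list:
    """Return every finding for the SBOM; an empty list means it may be admitted."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format")
    findings = []
    for comp in sbom.get("components", []):
        findings.extend(check_component(comp))
    return findings


def admit(sbom_json: str) -> bool:
    """Admission decision: only an SBOM with zero findings enters the control network."""
    return len(gate_sbom(sbom_json)) == 0


if __name__ == "__main__":
    for f in gate_sbom(SAMPLE_SBOM):
        print(f"REJECT {f.component} {f.version}: {f.reason}")
    print("admitted" if admit(SAMPLE_SBOM) else "blocked")
```

Run against the constructed SBOM, the gate blocks the artifact with two findings: the hypothetical `acme-modbus-client` is below the feed's fixed version, and `plc-helper` carries no hash, so its provenance cannot be verified. The point is that the decision is made at ingestion, on the SBOM's own fields, before any library reaches a production control network.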
Outlook
The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) is set to take full effect in May 2026 with 72-hour reporting windows, introducing a compliance dimension that will compel manufacturers to accelerate incident detection and escalation capabilities. Analysts expect adversaries to respond to tightening law-enforcement pressure by further decentralizing RaaS operations and shifting toward extortion-only tactics that threaten production disruption without encryption. Organizations deploying unified security solutions across IT and OT environments achieved a 93% reduction in cyber incidents, according to Fortinet research - a data point that underscores the business case for integrated, governance-driven security architectures over fragmented, tool-specific defenses.
