Metal Working Insider

Social-Media Intelligence Reshapes Threat Calculus for Industrial Plant Security

Threat actors mine social media to profile industrial plants; 2025 data show 82% of OT breaches used remote access tools and only 13% of firms have advanced controls.

Threat actors are systematically mining open-source and social-media platforms to build targeting profiles of manufacturing facilities, forcing industrial security leaders to overhaul physical and cyber defenses simultaneously. The convergence of IT and operational technology (OT) networks has eliminated the air-gap assumptions that once defined plant perimeter security, and recent incident data confirm that adversaries are exploiting the seam with increasing precision.

Background

IBM's X-Force Threat Intelligence Index ranked manufacturing as the top targeted industry for three consecutive years. The 2025 edition confirmed that manufacturing drew more cyberattacks than any other sector globally, surpassing finance, healthcare, and energy. The volume of disclosed weaknesses within industrial control systems has grown sharply: Cyble's Annual Threat Landscape Report counted 2,451 ICS vulnerability disclosures across 152 vendors in 2025, nearly double the 1,690 recorded across 103 vendors in 2024.

Geopolitical tensions have accelerated the threat. The ENISA Threat Landscape 2025 report, analyzing nearly 4,900 cybersecurity incidents, found that OT threats now represent 18.2% of all identified threat categories. Hacktivist activity driven by the Israel-Iran conflict engaged 74 threat groups, while India-Pakistan tensions generated 1.5 million intrusion attempts. State-aligned actors are no longer limiting themselves to espionage. According to Dragos's 9th Annual Year in Review, 2025 marked a clear escalation in industrial cyber activity, with specialized threat groups moving beyond reconnaissance to mapping control loops and understanding physical processes at a granular level.

Details

Social engineering has become the primary vector connecting open-source intelligence to plant-floor compromise. Attackers profile manufacturing employees through social media and corporate websites, then use that data to craft AI-assisted spear-phishing emails tailored to specific operators, according to security researchers. By early 2025, over 80% of social engineering attacks leveraged artificial intelligence, according to ENISA, a fundamental shift in attack methodology. Generative AI produces highly personalized phishing emails that reference specific equipment names or recent maintenance work, while voice deepfakes enable vishing calls impersonating managers.

One documented technique involves recruitment-themed social engineering. Dragos tracked the threat group Pyroxene using fake social media profiles to cultivate manufacturing targets before deploying tailored malware that established stealthy backdoors. Dragos assesses the group as overlapping with IRGC-aligned espionage activity that the U.S. government has sanctioned.

Remote access remains the most heavily exploited entry point. Claroty, reviewing open-source reporting on more than 200 attacks tied to over 20 threat actors in 2025, found that 82% of verified incidents used VNC to reach OT environments. Two-thirds of those incidents resulted in compromised HMI or SCADA systems, and 40% of all attacks targeted manufacturing, water or wastewater, or power generation facilities.
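The VNC figure is actionable because a VNC server announces how it will authenticate before any client credential is sent. The following is an added example written for this article, not code from Claroty or any vendor named above: it parses the RFB ProtocolVersion and SecurityTypes handshake (RFC 6143 for 3.8, plus the older 3.3 layout) from bytes a scanner would capture, and rates each host. The host names and the captured handshakes are constructed for the demonstration.

```python
"""Triage VNC (RFB) server handshakes collected from an OT network.

Added example for this article; not code from Claroty, Dragos or any vendor.
Handshake layout follows RFC 6143 (RFB 3.8) and the 3.3/3.7 drafts. The
host names and captured bytes below are constructed, not from a real incident.
"""
import re
import struct

# RFB security types: RFC 6143 section 7.1.2 plus commonly registered values
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",                 # server accepts a session with no authentication
    2: "VNC Authentication",   # DES challenge-response on an 8-character password
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
    20: "GTK-VNC SASL",
    30: "Apple Remote Desktop",
}

_VERSION_RE = re.compile(rb"^RFB (\d{3})\.(\d{3})\n$")


def _refused(major, minor, tail):
    """Server declined the connection: a u32 length and reason string follow."""
    reason_len = struct.unpack(">I", tail[:4])[0] if len(tail) >= 4 else 0
    reason = tail[4:4 + reason_len].decode("latin-1", "replace")
    return {"version": f"{major}.{minor}", "security_types": [],
            "risk": "refused", "reason": reason}


def assess_risk(sec_types) -> str:
    if 1 in sec_types:
        return "critical"   # "None" offered: anyone who can reach the port gets in
    if sec_types and all(t == 2 for t in sec_types):
        return "high"       # password-only DES challenge, no transport encryption
    if any(t in (18, 19) for t in sec_types):
        return "medium"     # TLS/VeNCrypt offered; still confirm it is enforced
    return "review"


def parse_rfb_server_hello(data: bytes) -> dict:
    """Parse the server's ProtocolVersion banner and security-type advertisement.

    `data` is everything the server sends before it expects the client's choice:
    the 12-byte banner followed by the security types.
    """
    if len(data) < 12:
        raise ValueError("short read: need 12-byte ProtocolVersion banner")
    m = _VERSION_RE.match(data[:12])
    if not m:
        raise ValueError("not an RFB banner: %r" % data[:12])
    major, minor = int(m.group(1)), int(m.group(2))
    body = data[12:]

    if (major, minor) == (3, 3):
        # RFB 3.3: the server dictates a single security type as a big-endian u32;
        # 0 means the connection failed and a reason string follows.
        if len(body) < 4:
            raise ValueError("short read: 3.3 security-type word")
        (sec_type,) = struct.unpack(">I", body[:4])
        if sec_type == 0:
            return _refused(major, minor, body[4:])
        sec_types = [sec_type]
    else:
        # RFB 3.7/3.8: u8 count, then that many u8 security types;
        # a count of 0 means the server refused and a reason string follows.
        if not body:
            raise ValueError("short read: security-type count")
        count = body[0]
        if count == 0:
            return _refused(major, minor, body[1:])
        if len(body) < 1 + count:
            raise ValueError(f"short read: {count} security types advertised")
        sec_types = list(body[1:1 + count])

    return {
        "version": f"{major}.{minor}",
        "security_types": [SECURITY_TYPES.get(t, f"unknown({t})") for t in sec_types],
        "risk": assess_risk(sec_types),
    }


# Constructed captures: what three OT hosts might send to a connecting client.
CAPTURED = {
    "hmi-press-line-1": b"RFB 003.008\n" + bytes([2, 1, 2]),       # offers None + VNC Auth
    "eng-workstation": b"RFB 003.008\n" + bytes([1, 19]),          # VeNCrypt only
    "legacy-scada-01": b"RFB 003.003\n" + struct.pack(">I", 2),    # 3.3, VNC Auth forced
}


def triage(captures: dict) -> dict:
    """Map each host to its parsed handshake and risk rating."""
    return {host: parse_rfb_server_hello(blob) for host, blob in captures.items()}


if __name__ == "__main__":
    for host, result in triage(CAPTURED).items():
        print(f"{host:18} RFB {result['version']}  {result['risk']:9} {result['security_types']}")
```

The same information is what Nmap's `vnc-info` script reports; the value of doing it from captured bytes is that it works on passive taps and packet captures, which OT teams often prefer over active scanning against controllers. The rating only reflects what the server advertises: a host that advertises VNC Authentication but still carries the HMI vendor's default password is just as exposed as one offering "None", so a "high" here is a prompt to verify credentials, not a clean bill.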

Inside the perimeter, insider risk compounds the external threat picture. Mandiant's M-Trends 2026 report found that insider threat accounted for 6% of all initial infection vectors across industries in 2025, rising to 14% in cloud environment compromises specifically. Malicious and negligent insider activity continues to drive a significant portion of OT cyber risk, with human error identified as the largest contributor to industrial incidents, a reality amplified by legacy equipment and growing digital interdependencies.

Defensive adoption lags considerably. The SANS Institute 2025 ICS/OT Cybersecurity survey found that only 13% of organizations have fully implemented advanced controls such as session recording or ICS/OT-aware access, even as unauthorized external access accounted for half of all reported incidents. Just 14% of respondents felt fully prepared for emerging threats, though organizations that involved frontline technicians in exercises were nearly 1.7 times more likely to report strong readiness.

Zero-trust architecture is emerging as the structural response. The Cloud Security Alliance notes that remote vendor access continues to be one of the leading causes of industrial breaches, and a mature zero-trust approach ties each session to an individual identity with time-bound, context-specific access to only the systems and ports required, directly countering the lateral movement risk exposed by shared VPN credentials. The U.S. Department of Defense formalized this direction in November 2025, publishing OT-specific zero-trust guidance comprising 105 activities and capability outcomes, including 84 classified as minimum target levels, across seven pillars: users, devices, applications and workloads, data, networks, automation, and visibility.
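The session model the CSA describes reduces to a default-deny check with four conditions: a named individual (never a shared account), a validity window, an explicit list of asset and port pairs, and a second factor. The following is an added example for this article, not code from the Cloud Security Alliance, the DoD guidance or any access broker; the Grant and Request fields, the identities, asset names, ports and work-order reference are all constructed to show how a shared VPN login and an attempted hop to a second host are refused while the scoped session is allowed.

```python
"""Default-deny evaluation of an OT remote-access session request.

Added example written for this article; not code from the Cloud Security
Alliance, the DoD OT zero-trust guidance or any product. Field names,
identities, assets, ports and the work-order reference are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed: accounts with no single person behind them; never allowed a session.
SHARED_ACCOUNTS = {"vendor-vpn", "ot-admin", "press-line-support"}


@dataclass(frozen=True)
class Grant:
    grantee: str          # one named person, not a vendor or team account
    not_before: datetime
    not_after: datetime
    targets: frozenset    # allowed (asset, tcp_port) pairs; anything else is denied
    change_ref: str       # work order the session is tied to, for the audit trail
    mfa_required: bool = True


@dataclass(frozen=True)
class Request:
    identity: str
    asset: str
    port: int
    at: datetime
    mfa_satisfied: bool


def evaluate(req: Request, grants) -> tuple:
    """Return (allowed, reason). Any path that is not an explicit match denies."""
    if req.identity in SHARED_ACCOUNTS:
        return False, "shared account: sessions must be bound to an individual"
    reasons = []
    for g in (g for g in grants if g.grantee == req.identity):
        if not (g.not_before <= req.at < g.not_after):
            reasons.append(f"{g.change_ref}: outside time window")
        elif (req.asset, req.port) not in g.targets:
            reasons.append(f"{g.change_ref}: {req.asset}:{req.port} not in scope")
        elif g.mfa_required and not req.mfa_satisfied:
            reasons.append(f"{g.change_ref}: MFA not satisfied")
        else:
            return True, f"allowed under {g.change_ref} until {g.not_after.isoformat()}"
    return False, "; ".join(reasons) or "no grant for identity"


def demo_results() -> dict:
    """Run constructed requests against one two-hour grant and return the verdicts."""
    start = datetime(2025, 11, 3, 14, 0, tzinfo=timezone.utc)
    grant = Grant(
        grantee="m.rivera@integrator.example",
        not_before=start,
        not_after=start + timedelta(hours=2),
        targets=frozenset({("hmi-press-line-1", 5900), ("plc-press-line-1", 502)}),
        change_ref="WO-48213",
    )
    who = "m.rivera@integrator.example"
    cases = {
        "in_scope": Request(who, "hmi-press-line-1", 5900, start + timedelta(minutes=20), True),
        "lateral_move": Request(who, "eng-workstation", 3389, start + timedelta(minutes=25), True),
        "expired": Request(who, "plc-press-line-1", 502, start + timedelta(hours=2, minutes=1), True),
        "no_mfa": Request(who, "plc-press-line-1", 502, start + timedelta(minutes=30), False),
        "shared_vpn": Request("vendor-vpn", "hmi-press-line-1", 5900, start + timedelta(minutes=20), True),
        "unknown": Request("a.nobody@integrator.example", "hmi-press-line-1", 5900,
                           start + timedelta(minutes=20), True),
    }
    return {name: evaluate(req, [grant]) for name, req in cases.items()}


if __name__ == "__main__":
    for name, (allowed, reason) in demo_results().items():
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{name:13} {verdict:5} {reason}")
```

The point of the lateral_move case is that the grant is keyed on asset and port, so a legitimate technician who has a live session to the HMI still cannot open RDP to an engineering workstation under the same grant; with a shared VPN account the tunnel itself is the authorization, and nothing in the path can make that distinction.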

On the regulatory front, the EU's NIS2 Directive, in force since October 2024, extends mandatory cybersecurity obligations to manufacturers of critical products, while NIST CSF 2.0, released in 2024, explicitly expands OT scope and adds a board-level governance function. The SANS survey found that 58% of respondents reported having at least one facility subject to mandatory cybersecurity compliance requirements, with 26% of that group reporting a possible violation from an audit or self-report.

Outlook

Convergence of regulation and guidance around zero trust, IEC 62443, and NIS2 is expected to accelerate capital allocation toward OT-specific identity and segmentation controls through 2026 and 2027. SANS data show that asset visibility, threat detection, and secure remote access lead both current deployments and planned investments for 2026-2027. Plant operators that fail to integrate social-media threat intelligence into their physical security protocols risk leaving a reconnaissance gap that adversaries are already exploiting.