When IT Goes Down, the Line Stops: An IT Guide for Manufacturing SMEs

Manufacturing is the most-attacked sector in the world. Not a one-off record either: according to IBM X-Force threat reports, producers have held the top spot for several years in a row, and roughly a quarter of all incidents land on this sector. The reason is straightforward. When a line stops, every minute is money, so the odds of paying a ransom are high — and attackers know it.

Türkiye is no different. Data from Kaspersky’s ICS CERT team consistently ranks the country among the top regions for attacks on industrial control systems. Yet most mid-sized producers in organized industrial zones (OSB) shrug it off with “we’re small, who’d bother with us?” and prepare for nothing. For automated scanners trawling the internet for open ports, there is no small or large. If you have a door open to the outside, you’re already a target.

In manufacturing, “IT” isn’t just the office PC

A production business runs two separate worlds, and many owners think they’re the same thing.

  • The IT side: ERP, e-invoicing, accounting, email, file server, the CAD/technical drawing archive.
  • The OT side: PLCs on the line, SCADA screens, CNC machines, barcode and labeling systems.

When both sit on the same network — which, in the field, is usually the case — a malicious email attachment opened in the office can walk all the way to a controller on the line. That’s exactly what happened at one industrial-estate member in 2024: all data encrypted, line down, ransom demanded.

Here’s the heart of it: your most valuable asset is often not the machine itself but the information those machines produce. Mold designs, production recipes, customer orders, price lists. If that information leaks, it lands in a competitor’s hands; if it’s encrypted, you can’t produce.

What does an hour of downtime actually cost?

Nothing kills the “it won’t happen to us” mindset faster than pricing out a stoppage line by line. A fixed number is impossible — every line differs — but you can work out your own figure from these items:

| Cost item | What it means |
| --- | --- |
| Lost production | Units not made this shift × profit per unit |
| Idle labor | Wages for staff still on the clock while the line is down |
| Late delivery | Penalty clauses, canceled orders from contracted buyers |
| Recovery and ransom | Data recovery, forensics, a possible ransom payment |
| Reputation and supply chain | A major customer dropping you from their supplier list |

When most mid-sized producers run this math, they find a single day of downtime costs more than a year’s security budget. Prevention is always cheap; cleanup is always expensive.

The three entry routes that hit manufacturers most

Attacks tend to come through the same few doors. Knowing which ones lets you spend money in the right place.

  1. Internet-facing applications. Per IBM X-Force, about a third of breaches at manufacturers start with an unpatched flaw in an exposed service (remote desktop/RDP, a VPN appliance, a web admin panel). An open RDP is a warehouse with the door left ajar.
  2. Stolen passwords. A phishing email dressed as a fake invoice or shipping notice harvests an employee’s password — then on to the mailbox, and from the mailbox to the whole network.
  3. Aging OT. If the PC driving a machine still runs Windows 7 or XP, it gets no updates. The owner says “it works, don’t touch it”; that’s precisely what the attacker is counting on.

Where to start — a no-hype priority order

For a workshop on a tight budget, order the list by impact, not by price:

  1. Separate OT from IT. Splitting the production network from the office network, logically (VLAN) or physically, is the cheapest and most effective move you can make. Keep a fire in the office from spreading to the line.
  2. Backup plus a restore test. The 3-2-1 rule: three copies, two media types, one off-site and immutable. What matters isn’t that a backup exists, but that you can restore from it — test it monthly.
  3. Multi-factor authentication (MFA). On email and remote access first. It makes a stolen password useless on its own.
  4. Close remote access or put it behind VPN + MFA. RDP exposed straight to the internet is the single most common first mistake.
  5. Patching. Even if you can’t keep up with everything, keep internet-facing services current.
  6. Monitoring. The line runs 24/7, but if nobody watches the IT side, you usually learn about an attack from the ransom note. EDR or managed monitoring (MDR) closes that gap.

None of these six takes long enough to justify “let’s finish this other project first.” The first three are a few days’ work in most businesses.

Frequently Asked Questions

Is separating the OT and IT networks really necessary?

Yes. On a single flat network, nothing stops malware that infects an office PC from reaching the production line. In most cases the split can be done by defining VLANs on existing managed switches, with no new hardware.
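
Once the VLANs are defined, the split is only real if the traffic agrees with it. The following added example (not part of the original post) audits exported flow records against a segmentation policy and also flags RDP reachable from outside; the subnets, the allowlist entry and the flow records are hypothetical, constructed values.

```python
import ipaddress

# Assumed addressing plan (hypothetical): one office VLAN, one production VLAN.
IT_NET = ipaddress.ip_network("10.10.0.0/24")
OT_NET = ipaddress.ip_network("10.20.0.0/24")

# Flows allowed to cross from IT into OT: (source host, destination host, port).
# Hypothetical: the ERP server may read from one SCADA historian over HTTPS.
ALLOWED_IT_TO_OT = {("10.10.0.5", "10.20.0.10", 443)}

# Constructed flow records, as exported from a firewall or switch: src,dst,dport
SAMPLE_FLOWS = """\
10.10.0.5,10.20.0.10,443
10.10.0.23,10.20.0.31,502
10.10.0.23,10.10.0.5,445
203.0.113.50,10.10.0.8,3389
10.20.0.31,10.20.0.10,502
"""


def zone(addr: str) -> str:
    """Classify an address as IT, OT or EXTERNAL under the assumed plan."""
    ip = ipaddress.ip_address(addr)
    if ip in IT_NET:
        return "IT"
    if ip in OT_NET:
        return "OT"
    return "EXTERNAL"


def audit_flows(text: str) -> list[tuple[str, str]]:
    """Return (finding, flow line) for every flow that breaks the policy."""
    findings = []
    for line in text.strip().splitlines():
        src, dst, port = line.split(",")
        port = int(port)
        src_zone, dst_zone = zone(src), zone(dst)
        if src_zone == "EXTERNAL" and dst_zone != "EXTERNAL" and port == 3389:
            findings.append(("internet-exposed RDP", line))
        elif src_zone == "EXTERNAL" and dst_zone == "OT":
            findings.append(("external host reaching OT", line))
        elif (src_zone == "IT" and dst_zone == "OT"
              and (src, dst, port) not in ALLOWED_IT_TO_OT):
            findings.append(("IT host reaching OT outside allowlist", line))
    return findings


if __name__ == "__main__":
    for finding, flow in audit_flows(SAMPLE_FLOWS):
        print(f"{finding}: {flow}")
```

In the sample, the office PC talking to a controller on port 502 (Modbus TCP) is the kind of flow a flat network permits silently and a segmented one should block.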

Would a small workshop really be a target?

Yes — because most attacks aren’t aimed at “you.” They scan the internet for exposed vulnerabilities and hit whatever turns up. To an automated scanner, an 8-person workshop and an 800-person factory look the same. And smaller firms, being less defended, are the easier bite.

Is backup alone enough?

Backup is essential but not sufficient on its own. Modern ransomware steals your data first, then encrypts it (double extortion). Even if you restore from backup, your stolen mold design or customer list is already out there. So backup, access control, and monitoring need to be planned together.

Parking IT on the “we’ll look at it if we ever need to” shelf, on the manufacturing side, means leaving a working line to chance. If you’d like to review your line’s real risks together, get in touch — we’ll draw up a plant-specific, no-hype priority plan.

Sources

  • IBM X-Force Threat Intelligence Index — manufacturing as the most-targeted sector and internet-facing application vulnerabilities
  • Kaspersky ICS CERT — attack trends against industrial control systems in Türkiye