The factory floor is now on the internet

Manufacturers have spent a decade wiring up their plants for speed, visibility, and efficiency, only to discover that attackers followed the same cables. Cyber resilience is no longer about preventing every breach, but about containing damage and keeping production running when compromise becomes inevitable.

Manufacturing has always been quicker than most sectors to invest in new technology. Automation, industrial networking, cloud connectivity, and remote access have delivered undeniable gains in productivity and insight, but they have also reshaped the industry’s exposure to cyber risk. As Martin Riley, CTO at Bridewell, explains, this transformation has quietly collapsed the separation that once existed between enterprise IT and operational technology. “Manufacturing historically has been much more fast paced at investing and moving their technology forward,” he says. “One of the downsides is it has generally been much more closely coupled with enterprise systems, so as they move towards cloud, IoT and digitisation, they are increasing the attack surface.”

That expanding surface is no longer theoretical. Riley points out that connectivity has created new opportunities for cyber criminals to reach far deeper into industrial environments than was previously possible. “It’s fundamentally leaving opportunities for attackers to infiltrate organisations and hold them to ransom in one way or another,” he says. “Whether that’s traditional ransomware or disruption of processes and data, the leverage now sits much closer to operations.” The risk is not simply financial loss, but operational paralysis.

In some sectors, the threat goes further still. Riley notes that manufacturing tied to strategic supply chains is increasingly exposed to nation state activity, particularly where industrial capability intersects with energy, renewables, or advanced production. “There are areas where we’re seeing nation state activity aligned with government strategies,” he says. “Over the last five years, as countries have pivoted industrial priorities, we’ve seen espionage increase in those sectors.” For manufacturers, cyber risk is no longer just an IT issue. It is a strategic one.

When IT and OT stop being separate

Historically, cybersecurity conversations focused on enterprise systems because that was where most attacks began. Email compromise, exposed VPNs, and internet-facing services provided obvious entry points, while factory systems remained relatively isolated. Riley agrees that this was once the dominant pattern but argues that it no longer reflects reality. “If you go back three to five years, enterprise was the primary way in,” he says. “But as OT and IoT become more accessible, and as remote access for engineers and suppliers increases, that risk is now spread across both areas.”

This shift has profound implications for how manufacturers think about defence. The modern factory is not a closed system but an ecosystem of vendors, integrators, cloud platforms, analytics tools, and remote operators. Each connection is a productivity enabler, but also a potential pathway for attackers if it is not properly governed. Riley stresses that the issue is not that connectivity is wrong, but that it changes the assumptions security teams can rely on.

There is also a tendency for manufacturers to place too much trust in device-level security improvements. While PLC vendors and automation suppliers have strengthened authentication and access controls, the underlying industrial protocols remain largely unchanged. “Most ICS protocols still transmit in clear text,” Riley says. “Most of them have no encryption.” That reality limits how much protection individual devices can provide without broader architectural controls.

As a result, Riley argues that cybersecurity in manufacturing must be treated as a system design problem rather than a product selection exercise. “It’s fundamentally a when, not an if,” he says. “So, the question becomes how do we lessen the damage, how do we detect issues as early as possible, and how do we keep operations running.” That mindset marks a shift from prevention alone to resilience by design.

Why perimeter security is no longer enough

For years, perimeter defence was the default strategy. Secure the edge of the network and trust everything inside. Riley describes this as the castle-and-moat model, one that no longer holds up under modern operating conditions. “That wall has eroded,” he says. “We’ve removed many boundaries. Engineers need remote access, suppliers need access, cloud platforms need connectivity. Controlling everything at a single network boundary becomes far harder.”

The challenge is not simply who is allowed in, but what they can reach once access is granted. Riley emphasises that manufacturers often underestimate lateral movement within their environments. “Only giving access to what’s needed can be done at the perimeter,” he says. “But once something is inside, is onward access restricted, monitored, and controlled?” In many cases, the answer is no.

This is where segmentation and internal monitoring become critical. Systems sitting in DMZs or semi-trusted zones are often capable of running enterprise-grade security tooling, yet manufacturers are reluctant to deploy it for fear of disruption. Riley argues this caution is misplaced. “There’s no reason you can’t deploy additional tooling in those zones,” he says. “Many EDR tools are very good at anomaly detection, and in manufacturing there is a clear pattern of normal behaviour.”

That predictability is a strength manufacturers rarely exploit. Production systems behave consistently, which makes deviation easier to spot if the right visibility exists. Anomaly detection is therefore not a futuristic capability, but a practical way of identifying early-stage compromise. “It’s about spotting changes in variance,” Riley says. “Things that simply shouldn’t be happening.” In a sector where uptime is paramount, early detection often determines whether an incident becomes a disruption or a disaster.
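
An added illustration of the point above (not from the article or from Bridewell): because plant traffic is repetitive, a baseline of which hosts talk to which, and how often, makes a new talker, a silent flow, or a change in volume stand out. Host names, per-minute counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data: per-minute message counts keyed by
# (source, destination, port). Host names are hypothetical.
# 502/tcp is Modbus TCP, 44818/tcp is EtherNet/IP.
BASELINE = [
    {("hmi-01", "plc-07", 502): 60, ("historian", "plc-07", 44818): 12},
    {("hmi-01", "plc-07", 502): 61, ("historian", "plc-07", 44818): 12},
    {("hmi-01", "plc-07", 502): 59, ("historian", "plc-07", 44818): 11},
    {("hmi-01", "plc-07", 502): 60, ("historian", "plc-07", 44818): 12},
]
OBSERVED = {
    ("hmi-01", "plc-07", 502): 60,        # normal polling
    ("historian", "plc-07", 44818): 95,   # known pair, abnormal volume
    ("eng-laptop-3", "plc-07", 502): 4,   # talker never seen in the baseline
}

def build_baseline(windows):
    """Return {flow: (mean, stdev)}; a flow absent from a window counts as 0."""
    flows = {flow for window in windows for flow in window}
    series = defaultdict(list)
    for window in windows:
        for flow in flows:
            series[flow].append(window.get(flow, 0))
    return {flow: (mean(v), pstdev(v)) for flow, v in series.items()}

def detect(baseline, window, k=4.0, min_stdev=1.0):
    """Flag flows missing from the baseline and counts far from the usual rate."""
    alerts = []
    for flow in sorted(set(baseline) | set(window)):
        count = window.get(flow, 0)  # an expected flow that went silent counts as 0
        if flow not in baseline:
            alerts.append(("new-flow", flow, count))
            continue
        mu, sigma = baseline[flow]
        # Polling traffic has near-zero variance; floor sigma so that
        # one extra message per minute does not raise an alert.
        if abs(count - mu) > k * max(sigma, min_stdev):
            alerts.append(("rate-deviation", flow, count))
    return alerts

if __name__ == "__main__":
    for alert in detect(build_baseline(BASELINE), OBSERVED):
        print(alert)
```

The same baseline doubles as a record of what talks to what, which is the input an isolation decision needs during an incident.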

Cyber resilience means availability first

The industry has increasingly shifted its language from cybersecurity to cyber resilience, a change that Riley believes reflects operational reality more than marketing. “Resilience is about the ability to withstand and recover,” he says. “In manufacturing, the primary goal is availability. Everything else supports that.” From this perspective, cybersecurity is not an abstract risk management exercise, but a discipline focused on keeping production moving.

Recovery, however, is where many organisations fall short. Riley points to high-profile incidents where companies struggled not because they lacked security tools, but because they lacked understanding of their own environments. “Not knowing what talks to what, or what depends on what, becomes critical during an incident,” he says. “You need to know the minimum viable operation required to keep running. Without that clarity, isolation decisions are delayed or avoided, often worsening the impact.”

The problem compounds in large, distributed manufacturing estates where plants vary in age, technology, and connectivity. Asset visibility remains a foundational weakness. “I have not yet come across an organisation that fully understands its assets,” Riley says. “Knowing what you’ve got and what’s connected is extremely difficult in OT. Despite being one of the most basic controls, asset management is often deprioritised in favour of perimeter tools or response capabilities.”

Regulation adds another layer of complexity. As more organisations fall under critical infrastructure frameworks, cyber maturity becomes mandatory rather than optional. Riley sees regulation as a double-edged sword. “It drives improvement,” he says. “But it can also turn security into a compliance exercise rather than a business enabler.” The difference, he argues, comes down to leadership and culture rather than frameworks themselves.

AI changes both sides of the equation

Artificial intelligence is accelerating both attack and defence, but not always in the ways manufacturers expect. Riley is clear that many successful attacks still rely on human and process failure rather than technical sophistication. “The human is the flaw,” he says. “Processes fail before technology does. AI simply makes exploitation faster, more convincing, and harder to spot.”

Deepfakes, voice synthesis, and automated phishing have lowered the barrier for impersonation. “It takes minutes now to create convincing attacks,” Riley says. “Technology alone won’t stop that if processes are weak. Zero trust architectures help, but they cannot compensate for poor identity verification or rushed decision-making under pressure.”

On the defensive side, AI’s most effective role in OT remains anomaly detection rather than autonomous response. “Industrial processes rarely change,” Riley says. “That makes them ideal for identifying abnormal behaviour.” However, he issues a blunt warning: if attackers are interacting with control processes, they have likely been present for months. “If it’s reached that point, it’s been around far too long.”

That insight reframes investment priorities. Early detection higher up the stack, combined with strong segmentation and response planning, delivers far more value than attempting to automate reactions at the control layer. Generative AI can assist with investigation and context, but Riley is unequivocal about automation in OT. “You would never want AI taking actions in an operational environment,” he says. “The risk is simply too high.”

Building resilience without slowing the business

Riley’s advice to manufacturers is grounded in pragmatism rather than perfection. Manufacturing is already accustomed to continuous improvement, and cybersecurity should follow the same pattern. “Look at your key business initiatives,” he says. “Understand what is most valuable to them and ensure security is part of that conversation early. Cyber resilience should enable transformation, not sit in opposition to it.”

He also cautions against chasing absolute models such as full zero trust across IT and OT. “It’s extremely expensive and never ending,” he says. “It must be proportionate. Applying strong controls where they deliver the most impact, while maintaining operational flexibility, is more realistic and more effective.”

Ultimately, Riley returns to a simple but uncomfortable truth. The factory is now part of the internet, whether manufacturers like it or not. The question is no longer how to keep attackers out at all costs, but how to limit damage and keep production running when defences fail. For manufacturers that accept that reality and design accordingly, cyber resilience becomes not a constraint, but a competitive advantage.
