What manufacturers risk when they try to patch everything
What you’ll learn:
- The production floor looks nothing like the clean IT environments where traditional security advice originates.
- If you tried to patch everything as vulnerabilities were discovered, you’d spend all your time patching and none of your time producing.
- Patching everything is an impossible task, so manufacturers need to focus on understanding their acute, actual risk.
Manufacturers face an average of 6,000 IoT malware cyberattacks per week. It’s an alarming number, and the industry has overtaken finance and insurance as the sector most targeted by attackers. Conventional cybersecurity advice in response to this wave has been consistent: Patch your systems, update your software, close every vulnerability.
But attacks are accelerating, and attack vectors have multiplied with the ubiquity of manufacturers’ cyber assets, such as industrial internet of things (IIoT) and OT devices and equipment.
What they need now is a strategy that manages exposure across all their connected systems at scale, because the “patch-everything” approach has become increasingly impractical.
The reality on the production floor looks nothing like the clean IT environments where traditional security advice originates. Manufacturers are running decades-old SCADA systems, PLCs, and industrial control systems that cannot be patched without taking the line down.
Some of this equipment predates modern security concepts entirely and may crash if you so much as run an active security scan against it. When a plant runs on razor-thin margins and unplanned downtime cascades through the entire supply chain, telling a plant manager to “just patch everything” isn’t so much advice as it is fantasy.
Even with newer assets and connected sensors that can be patched, the math doesn’t work at the scale at which manufacturers now deploy these tools. There are thousands of assets, each with its own vulnerabilities; new CVEs are published constantly; and security and IT teams are stretched thin.
If you tried to patch everything as vulnerabilities were discovered, you’d spend all your time patching and none of your time producing. And you still wouldn’t be secure, because the next vulnerability would be published before you finished with the last batch.
Not all vulnerabilities are created equal
Threat actors aren’t trying to exploit every vulnerability in your environment. They’re going after the ones that give them the best return on effort, looking for easy entry points that lead to high-value targets.
These threat actors are smart about following patterns and trends, targeting specific types of cyber assets that reliably get them what they want (whether that’s ransomware payment, intellectual property, or operational disruption).
The recent Johnson Controls breach illustrates this perfectly. The attackers didn’t need to exploit every possible vulnerability in the company’s systems. They found a way in, moved laterally through the network, and extracted 27 terabytes of data.
The company faced $27 million in costs and resisted paying a $51 million ransom. All of that happened not because Johnson Controls failed to patch every single system, but because the attackers found a path through the defenses to something valuable.
The smarter approach is risk prioritization
Instead of the impossible task of patching everything, manufacturers need to focus on understanding their acute, actual risk. This starts with knowing what you have. You can’t protect what you can’t see, and most manufacturers still have limited visibility into all the heterogeneous cyber assets scattered across their operations.
A strategy of passive monitoring and comprehensive asset identification gives you that inventory without disrupting legacy equipment or production schedules.
Once you know what you have, you can then assess which systems and vulnerabilities pose the greatest risk. This isn’t guesswork, as attacker behavior usually follows predictable patterns. Certain systems, if compromised, give attackers pathways to your most critical operations, while others are dead ends.
Prioritizing based on real-world attacker behavior and potential business impact means you’re making strategic decisions about where to invest your limited security resources.
This risk assessment shouldn’t stop at your own four walls. Manufacturers need to evaluate exposure from third-party vendors and supply chain partners, since attackers increasingly use trusted business relationships as entry points.
A compromised supplier with access to your connected devices and systems can be just as dangerous as a vulnerability in your own infrastructure.
Network segmentation becomes critical in this model. If you cannot patch legacy OT systems without unacceptable downtime, you wall them off. You put tight access controls around industrial control systems and SCADA environments.
Even when an attacker compromises an endpoint, they won’t be able to move laterally to take over production systems. Micro-segmentation limits the blast radius of any successful attack.
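One way to turn this prioritization into a repeatable decision, as an added example that is not from the article or from Asimily: a small Python triage that scores each inventoried asset by network exposure, exploit activity, supplier access and business impact, then recommends patch, segment or monitor. The zone weights, the 1.5 threshold and the sample inventory are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    zone: str                  # network zone: "internet", "it", "dmz" or "ot"
    business_impact: int       # 1 (nuisance) .. 5 (line down or safety impact)
    patchable: bool            # False for legacy PLC/SCADA that cannot be taken offline
    cvss: float                # highest CVSS base score among its open vulnerabilities
    known_exploited: bool      # listed in an exploited-in-the-wild feed
    third_party_access: bool = False  # a supplier or vendor can reach this asset

# How reachable an attacker finds each zone. Hypothetical weights: segmented OT
# sits behind several controls, internet-facing assets behind none.
ZONE_EXPOSURE = {"internet": 1.0, "it": 0.8, "dmz": 0.6, "ot": 0.3}

def risk_score(a: Asset) -> float:
    """Likelihood (how attackers actually reach things) times business impact."""
    likelihood = (a.cvss / 10.0) * ZONE_EXPOSURE[a.zone]
    if a.known_exploited:       # attackers follow patterns: exploited CVEs first
        likelihood *= 1.5
    if a.third_party_access:    # trusted business relationships are entry points
        likelihood *= 1.25
    return likelihood * a.business_impact

def recommend(a: Asset, threshold: float = 1.5) -> str:
    """Decide where the limited security effort goes for one asset."""
    if risk_score(a) < threshold:
        return "monitor"        # accept and watch; not worth a production outage
    if a.patchable:
        return "patch"
    return "segment"            # wall it off with tight access controls instead

def triage(assets: list) -> list:
    """Rank assets by risk, highest first, with the recommended action."""
    ranked = sorted(assets, key=risk_score, reverse=True)
    return [(a.name, round(risk_score(a), 2), recommend(a)) for a in ranked]

# Constructed sample inventory (hypothetical names, zones and scores).
SAMPLE_INVENTORY = [
    Asset("badge-printer", "it", 1, True, 9.8, False),
    Asset("plc-line3", "ot", 5, False, 9.0, False, third_party_access=True),
    Asset("scada-historian", "dmz", 4, False, 7.5, True),
    Asset("eng-workstation", "it", 4, True, 9.8, True),
    Asset("vendor-vpn-gw", "internet", 3, True, 8.8, True, third_party_access=True),
]

if __name__ == "__main__":
    for name, score, action in triage(SAMPLE_INVENTORY):
        print(f"{name:16} {score:5.2f}  {action}")
```

Note that the badge printer carries the highest CVSS in the inventory yet lands at the bottom, while the unpatchable PLC crosses the threshold only because a supplier can reach it.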
When you establish a baseline of normal assets and network behavior, continuous monitoring can quickly flag unusual activities that signal a potential threat. Threats that slip through other defenses get caught by anomaly detection.
Prevention matters, but perfect prevention is impossible, which is why you need a solid incident response plan that accounts for both IT and OT systems and enables you to respond quickly when something goes wrong.
The right mindset for an imperfect world
Manufacturers need to let go of the idea that perfect security is achievable (or even desirable). The goal isn’t to eliminate every vulnerability, but to make your organization a harder target than the next manufacturer down the road.
When you prioritize the vulnerabilities that matter most, segment your networks to contain breaches, and monitor for the attacks you’re most likely to face, you are achieving practical security that works within the strict operational constraints of the industry.
Manufacturing has always excelled at optimizing processes and allocating resources efficiently. Cybersecurity should be no different. Those 6,000 attacks per week are only going to increase, and you can’t patch your way out of that problem.
But you can be strategic, realistic, and effective in how you defend your operations. Stop trying to patch everything so you can start protecting what matters most.
About the Author

Shankar Somasundaram
Shankar Somasundaram is CEO of Bay Area-based Asimily, a cyber asset and exposure management platform company. Previously, he worked on IoT analytics and security solutions at Symantec, where he helped lead that company’s enterprise IoT product management.
