Workshop confronts manufacturing execs with the big stakes that ride on proper cybersecurity protocols
What you'll learn:
- At a recent workshop, manufacturers gathered to discuss cyberattacks and participate in mock incident exercises.
- Stakeholders from several sectors discussed their concerns about how to establish protocols ahead of ransomware and other data breaches.
- The workshop covered business continuity, MITRE ATT&CK frameworks and OT fundamentals.
A recent cybersecurity workshop gave manufacturers from across several industries a forum to express real-world concerns about threats—especially ransomware—and to discuss how to gird themselves and their staffs and which protocols to put in place for when attacks do occur.
Hosted by the Digital Manufacturing and Cybersecurity Institute (MxD) in partnership with cybersecurity training company Immersive Labs, the forum gave the gathered manufacturing stakeholders a chance to discuss cyberattacks and run through mock cyber drills.
The Cybersecurity Incident Response Workshop, held Feb. 11-12 at MxD headquarters in Chicago and attended by Smart Industry's Sarah Mattalian, covered topics such as supply chain risks, business ecosystems, financial impacts of attacks, and overall safety issues when preparing for such incidents.
One fact overshadowed the proceedings in Chicago: Manufacturers were hit the hardest by ransomware attacks last year, with a 58% year-over-year increase in victims, according to one study.
The workshop, which included a series of crisis simulations and crisis management labs for attendees, was run by Jen Szkatulski, lead cyber resilience adviser at Immersive. Szkatulski presented attendees with crisis scenarios and explored how different personnel within their organizations would be impacted by attacks.
“In a real-world event, we are all first-responders,” she told attendees.
The labs that attendees completed, which were provided by Immersive, covered topics of business continuity, MITRE ATT&CK frameworks, and OT fundamentals. During and after the labs, group discussions took place where attendees—who included manufacturing CEOs and CFOs and other cybersecurity stakeholders—debated strategies they would use before, during, and after attacks.
For example, during a critical supplier shutdown exercise, attendees first took inventory of how long they could sustain operations with the given details of the hypothetical situation. They discussed the status of backup supplies that could be activated, coordination with other suppliers and legal teams, and whether alternate systems were already in place.
Mainly, attendees said they needed to know whom to involve during a security breach and critical supplier shutdown, and the proper trigger point to “assemble the Avengers” such as higher-ups, legal teams, and alternative suppliers.
The executives also expressed concerns about remote workers and susceptibility to attacks. They emphasized that they cannot check the security of individuals 24/7 and agreed that policies were needed for incident reporting within manufacturing organizations.
Have a plan in place, know who will respond and how
Attendees agreed that "resilience"—meaning an organization's ability to anticipate, withstand, recover from, and adapt to cyberattacks and data breaches—should be baked into proactive measures, and they came up with mock incident response plans in breakout teams.
One team at the workshop came up with three steps:
- Isolate impacted devices from the network.
- Review protocols and triggers prior to the incident.
- Work with teams such as legal, compliance, incident command, communications and executives.
Attendees also discussed when to involve executive leadership during a cyberattack. When working across teams within a company, they noted, getting people to understand the true impact of an incident is often difficult, and it's tricky to know whom to involve and when.
Szkatulski recommended that attendees “know what you need to know ahead of time,” scrutinize company mission statements, and focus on tying their organizations’ goals in those statements to incident response.
Other topics discussed at the workshop included putting plans in place for both physical security and business continuity.
For physical security, considerations included device and machine recovery; identifying which physical and mechanical processes are at risk in an attack; potential malicious employees; and the availability of third-party contractors.
For business continuity, they asked: Who has the plan? Is there a backup location ready? Is the response archived?
Most attendees stressed that they already have incident teams in place, but that they’re unsure when to involve other company personnel during an incident, particularly when intruders into their systems demand a ransom. Questions revolved around what factors should be considered during a response to a ransomware demand.
“If you’re in a crisis, it’s too late to plan,” Szkatulski said.
Workshop attendees also were presented with a quiz on what to do during a ransomware attack—and zero attendees chose the option to pay the ransom as the very first step in the process.
They agreed that several steps should be taken before considering paying any attacker: considering the level of classification of the data compromised, whether there were backups of the data, and how severe the consequences would be if the attacker made their organization’s data public, and negotiating with the threat actor through a “breach council.”
About the Author
Sarah Mattalian
Staff Writer
Sarah Mattalian is a Chicago-based journalist writing for Smart Industry and Automation World, two brands of Endeavor Business Media, covering industry trends and manufacturing technology. In 2025, she graduated with a master's degree in journalism from Northwestern University's Medill School of Journalism, specializing in health, environment and science reporting. She does freelance work as well, covering public health and the environment in Chicagoland and in the Midwest. Her work has appeared in Inside Climate News, Inside Washington Publishers, NBC4 in Washington, D.C., The Durango Herald and North Jersey Daily News. She has a translation certificate in Spanish.


