How much more proof do you need that cybersecurity should be essential to your plant?

If it seems Smart Industry is “flooding the zone” with cybersecurity content these days, there’s a reason: We feel the obligation to write that evidence keeps cropping up that 2026 might be worse than 2025 (which set records for ransomware) when it comes to the proliferation of data attacks against manufacturing. Ransomware especially is the top reason that plant IT and OT must, as Captain James T. Kirk would order, go to red alert and raise the shields.

Switch to “Law & Order” references. If we were prosecuting a case, colleague Sarah Mattalian is our attorney, providing evidence lately here, here, and here of the threat of manufacturing data theft.

Downloadable e-handbook: Cybersecurity

Automotive manufacturers, as Sarah wrote, are listening: A new study by ABB Robotics showed automakers see cybersecurity as their top concern (95% of them, to be exact, or close to all), even over tried-and-true preoccupations such as controlling costs and newer ones such as AI adoption and flexible manufacturing.

That seems like perhaps close to a first among a large sector of manufacturing. And the supplier network, vulnerable to cyberattack itself, is enormous among carmakers.

A workshop with ongoing lessons on cybersecurity in manufacturing

Sarah’s piece on a workshop for manufacturing executives put on by the Digital Manufacturing and Cybersecurity Institute, known as MxD, and training company Immersive Labs is noteworthy in that Smart Industry will feature Jen Szkatulski, Immersive’s lead cyber resilience adviser, on a follow-up episode of Great Question: A Manufacturing Podcast coming up next month. So, stay tuned for that.

I’ll step up, too, as lead prosecutor to offer another nugget, this one courtesy of Bitdefender, vendor of a cybersecurity software suite that shields devices from viruses, malware, phishing attacks and, yes, ransomware.

Crystal Ball 2026: AI-driven cyberattacks are coming. Here’s how to prepare now

In a March 24 release, the cybersoftware company said it found that the U.S. construction industry continues to come under ransomware assault in 2026, followed closely behind by manufacturing. Construction has suffered 82 known assaults already in 2026, compared to 80 on manufacturing. Other prominent targets this year are the technology (73 known ransomware attacks) and health care (72) industries, according to Bitdefender.

The interesting insight, too, from Bitdefender is it analyzed the activity of dozens of ransomware groups executing campaigns against U.S.-based organizations and found that 53 such groups claimed U.S.-based victims in January and February alone. (We don’t write a lot at Smart Industry about the “perps” themselves, just their data hacks, which can cause billions in losses at manufacturers and weeks of downtime costing in the millions.)

See also: AI is exposing a massive data problem in the supply chain

These top ransomware groups include (for what it's worth to our manufacturing IT and OT audience) Qilin, Akira, Clop, INC Ransom, Play, DragonForce, and Sinobi. These groups, Bitdefender notes, have attacked a range of U.S.-based small to midsize enterprises. Often, it's smaller companies that have more porous defenses against cyberattacks, so they are the most vulnerable.

Curious trend: Ransomware payouts declined to start 2026

“Despite victims in these industries consistently being targeted in past quarters, it’s important to note that collected ransom payments are declining,” Bitdefender also writes in its report. A note from our own coverage: MxD and Immersive Labs’ workshop gamed out scenarios where the last recourse for manufacturing attendees was paying out the ransom.

This trend of decreasing ransom payouts may be attributed to a combination of factors, Bitdefender advised. “There is increased pressure on organizations to follow the guidance needed to maintain their cyber insurance and adhere to the regulations governing operations in their specific industry,” according to their report.

See also: Industries need cyber insurance more than ever, but the rules are tightening

“Another factor could be an increase in awareness of best practices for incident response”—that was the whole point of the MxD and Immersive Labs workshop—"and reporting within private-sector communities. Advisory publications and other releases from leading U.S. authorities like CISA, the FBI, and the NSA have likely helped,” Bitdefender added.

As for what ransomware perpetrators are focusing on? Identity-first attacks, the cybersoftware company offered. The attackers are prioritizing credential theft over more active means of attack such as exploitation.

Here’s some in-the-weeds stuff: The threat actor can steal credentials using a method like collecting browser session tokens, Bitdefender noted, taking this route over brute forcing a system to gain entry helps the threat actor to evade prompt detection. Ensure that tokens such as cookies and OAuth keys on login pages are encrypted, Bitdefender advised, and secure them by linking them to approved, registered devices. This can create a barrier that deters threat actors.