Podcast: Why is manufacturing such a huge target for cyberattacks?

Jen Szkatulski is lead cyber resilience adviser at cybersecurity training company Immersive Labs. She has previously served as an attacker, defender, and adviser at various organizations, including the National Security Agency and IBM. 

In February, Szkatulski led a workshop for cybersecurity in the manufacturing industry, covering topics such as supply chain risks, business ecosystems, financial impacts of attacks, and overall safety issues when preparing for such incidents.    

Szkatulski joined Smart Industry’s Sarah Mattalian on the podcast to expand on some her workshop materials, getting into specifics of how attacks occur on the supply chain side and ways companies can prepare for attacks, even gaming out an attack scenario.  

Below is a partial transcript of this Great Question podcast: 

Sarah Mattalian: Regarding supply chain attacks, can you kind of describe the technical details of how those occur? For example, how are attackers kind of getting access to manufacturing systems through supplier networks, for example.  

Jen Szkatulski: So again, getting access to credentials, there are a lot of credentials for sale on the dark web for manufacturing companies especially. And once an attacker has some information on how to get into a system, it doesn't matter if it's the ultimate goal target manufacturing company for that attacker. If they can get anywhere in that supply chain, if it's a downstream supplier, they can wreak havoc on an organization upstream. So vendors, suppliers, third party software providers can be a really rich environment for compromise across the whole supply chain. I want you to think of it this way as well.   

See also: Workshop confronts manufacturing execs with the big stakes that ride on proper cybersecurity protocols 

A supply chain attack doesn't have to be a device or stop a disruption in in a vendor. It can be software that you use in your organization that is widespread, so a library, some software that is used in your environment, a lot of other environments. If there's a vulnerability there, that is something that's in your system and you have to know where it is. Are you vulnerable? And you also have to understand that even if you're not vulnerable, your vendors might be vulnerable. And if you have connections to their systems, understanding how that might affect you can be really important. So the supplier network, that whole ecosystem essentially is so fragile at times. unless you're able to understand how you fit in that ecosystem and how to fortify it.  

SM: Got it, thanks for that answer. Now that we've kind of talked about all of the threats that manufacturers are facing, let's talk about what they can do to kind of mitigate the risks of these attacks. So I wanted to ask, what are some protocols that you recommend and what might be some challenges for companies when implementing them?  

JS: This is my favorite part because this is what I do for a living and I love being able to help organizations. It's one to say you should be very scared and worried, you know, everything is, everyone's trying to attack you, but that's not the case, especially if you are aware of how you can respond to that.    

Podcast: Easier-to-accomplish automation projects that bring real ROI 

So things that people can do, organizations can do is number one, shift their mindset from static plans to continuous readiness model. So preparing, I really love to focus on how to know where you are now, benchmark, where are you, if there's an attack today, What do you have in place to support you to respond to that? And then understanding where those challenges are and improve. What skills do you need to get from where you are now to a better place? Benchmark, know where you are, improve, and then really understand where you are after that improvement. Maybe you've done some exercising, maybe you've done some skill development on your teams.  

Know where you are after that and make that continuous. So it's not static. It's not, oh, we're done now. We have all the documentation in place. We're good. It's continuous. We know where we are now. We know how to get better. Now we know where we are, now we know how to get better. So it's shifting that mindset and along that process, You'll be updating your documentation. You'll be updating your technology, your people, your processes. That really is how it comes down to it.    

See also: Ransomware attacks set new records in 2025, hitting manufacturing the hardest 

If I can add one thing, because I think this is really important. A lot of organizations think that responding to cyber attacks or any cyber issues are for the cyber and IT teams. They are definitely involved in that. but it is the whole business that should be involved in that benchmark, prove / improve process. It is really a business-wide HR communications, the operators on the devices, the analysts, writing code, everyone in the organization, anyone receiving e-mail that needs to be aware of phishing emails, it's the whole of the business that really is responsible for that and that shift in mindset. 

See also: Industries need cyber insurance more than ever, but the rules are tightening   

SM: Got it. And so when companies are trying to kind of involve the whole of business, how do you recommend they navigate preparing for responses across all of these different teams? For example, are there ways to improve communication across company teams when they're crafting these protocols?  

Podcast: Why data collection is worth the time, effort and expense 

JS: Absolutely. My favorite way to do that is through exercising, tabletop exercises, crisis simulations, but not just at the incident response level. TTX is tabletop exercises at the incident team level, but also at the executive leadership team level, the C-suite level, the board level, incorporating them, really understanding that that response is going to incorporate all of those. Exercising is a great way to understand where your challenges are and where your strengths are. That is how you can make sure you have the right protocols, the right documentation in place, what needs to be updated, and who needs to be involved. Exercising is one of the best ways to eliminate that.