When the production line stops without warning – how industrial companies prepare for cyberattacks

Manufacturing systems are optimised for functionality. In an ideal situation, production lines run at full capacity around the clock, all year round. However, the geopolitical situation has changed the operating environment. The new ideal is security that ensures uninterrupted operations.

It is an ordinary day. Lights of the production line are flashing, sensors are reporting steady readings, and customer deliveries are progressing on schedule. Then, suddenly –systems go dark. The controls stop responding and the line comes to a halt. Alarms begin to sound. It becomes evident that this is not a run-of-the-mill power outage or simple equipment failure, but a malicious cyberattack.

In that moment, the entire company – production capacity, supply chains, reputation – hangs on a single question: how can the company present itself as trustworthy to key stakeholders in a situation where no one yet knows what has really happened?

Three types of cyber crises – and why the manufacturing industry is a particularly high-risk zone

The impact of cyber crises on a company’s operations varies. In simplified terms, their severity can be divided according to how they affect the company’s ability to operate.

1. SaaS and technology sector crises: when service disruption stops the business
   In online business, a cyber crisis is existential: if the online service stops or is destroyed, the entire business branch effectively ceases to exist. The consequences are direct, fast, and financially severe, but typically limited to the digital domain.
   
2. Organisations without critical ICT dependence: emphasised reputational and governance risks
   An attack on systems does not immediately stop core operations, but the reputational risk is significant. The experience may prove expensive quickly as customer inquiries, statements, investigations, and notices begin to mount. In a worst-case scenario, a cyber crisis can also significantly affect the business itself.
   
3. Manufacturing crises: two attack vectors – IT and OT
   In manufacturing, a cyber crisis can impact both IT systems (data, orders, documents, emails, servers) and operational technology systems, aka OT (production control, automation, sensors, production lines, SCADA, and PLCs).

If the attack extends to production equipment, the consequences are tangible: production stops, supply chains are delayed, and financial losses mount quickly. In addition, a cyberattack may target the systems embedded in the products being manufactured, such as remote machine control or fleet management solutions. Beyond digital effects, the crisis may cause physical disruptions that extend throughout the entire value chain.

Real-life examples of what a cyber crisis looks like in the everyday life of an industrial company

In industrial environments, IT and OT are interconnected through various dependencies. When one is attacked, there are usually disruptions in the operations of the other. If both environments are disrupted at the same time, production tends to grind to a halt quickly – sometimes within a matter of seconds.

Below are three anonymous real-life crisis scenarios:

1. An automation line stops in the middle of production
   A mid-sized industrial company notices that its production control system is not responding. The initial assumption is that a software update has failed. It is only after some time it’s discovered that the issue is ransomware spreading from control room workstations all the way to the line’s PLC controls. Robots freeze mid-motion, and there are no backup systems or in-house capabilities for manual operation. As a result, deliveries are delayed, transports are cancelled, customers push for more information, and system vendors start calling because their own environments are showing similar symptoms.
   
2. Deliberately manipulated false information spreads among customers before the company can tell the truth
   An attacker breaches the company’s communications systems and sends customers a notice stating that the factory has “suspended production due to a cybersecurity issue.” This is not true, but the damage has already been done. The company is thrown into panic mode: who should be informed first? How can the correct situational picture be established? Who will believe the truth as the false message reached people first?
   
3. A disruption in the process control system creates a safety risk
   In the test hall of an industrial facility, the system controlling the automation becomes unstable in the middle of a critical process. Sensors provide conflicting data, causing the system to interpret the situation incorrectly and trigger automatic safety shutdowns several times in succession. The technical root cause becomes clear later: the system has been meddled with. In the middle of the situation, however, the most important question is how to communicate about the incident to personnel and authorities in a way that prevents panic and preserves trust.

Simulations are the most powerful tool for crisis preparedness in manufacturing

Today, many organisations understand that crises cannot be managed with a slide deck that is opened only when the production line has stopped and the warning lights are flashing. Managing a crisis requires a clear preparedness model, but its execution must also be ingrained in muscle memory. Crisis management and crisis communications must be practiced, tested, and made into a natural part of everyday leadership.

H72 is a model developed by Netprofile for managing cyber crises. It works in all cyber crises regardless of industry, because its core is not the technical environment but how the organisation is lead through uncertainty. H72 helps organisations act quickly and consistently precisely when speed and clarity matter most – whether the disruption originates in IT, OT, or the interface between.

The H72 model includes three complementary components: 1) cyber crisis management auditing, 2) a cyber crisis management model, and 3) the H72 simulation. Far from being an added extra, the simulation is often the most important phase of securing preparedness – it is the point where the model transforms into true operational capability.

In manufacturing, the stakes in a cyber crisis are especially high because attackers have two critical routes in: IT and OT. An attack targeting either one is a serious and costly risk to business continuity. Simulations help model in concrete terms:

• how to communicate when facts are scarce
• how leadership makes decisions under pressure
• how production, logistics, and customer care are kept under control
• how the organisation remains unified even when everything around it is in turmoil

The simulation offers organisations a tactile experience of what a crisis truly feels like. It is an exercise that reveals surprising dependencies, quiet assumptions, and real risks – before they are tested in real life.

Is your production line prepared for crisis situations? It should be. Practice yields immediate improvements to resilience. Get in touch.