Updated: May 26, 2026
In the first 24 hours of an OT ransomware attack, a manufacturing CISO should confirm the incident and convene a team that includes plant operations and safety, contain it by severing the IT/OT boundary, report to CERT-In within six hours, decide production line by line with operations, then scope the spread and begin staged recovery from clean backups.
Manufacturing has been the most-targeted industry for cyberattacks for four consecutive years, drawing 26% of all documented ransomware incidents. For a manufacturing CISO, the question is not whether an attack reaches the plant floor, but what happens in the hours after it does. The instinct is to run the IT incident plan. On operational technology, that instinct is wrong.
An IT breach costs data and time. An OT breach can stop production and, in the wrong circumstances, threaten safety. That difference shapes every decision in the first 24 hours.
Operational technology cannot be treated like a server estate. PLCs, HMIs and SCADA systems are often old, cannot run security agents, and cannot simply be isolated and rebooted while a line is running. Recovery is physical, not a restore from an image.
The attack path matters too. More than 70% of OT attacks reach the plant through the IT network, which makes the IT/OT boundary the first place to contain.
The response runs as a sequence, not a panic. The hardest moment is not technical. It is the production decision: whether to halt a line, run it in a degraded or manual mode, or keep it running while a zone is contained. That call belongs to operations and safety leaders, informed by security, which is why they must be in the room from the first hour.
| Time | Priority | Action |
|---|---|---|
| 0 to 1 hour | Confirm and convene | Verify the incident is real. Convene a team including plant operations and safety, not only IT |
| 1 to 3 hours | Contain | Sever the IT/OT boundary. Isolate affected cells and zones |
| Within 6 hours | Report | File the mandatory CERT-In report. Notify your cyber insurer |
| 3 to 8 hours | Decide production | With operations and safety, decide whether to run, run degraded, or halt each line |
| 8 to 24 hours | Scope and recover | Preserve evidence, map the spread, begin staged recovery from known-good backups |
Two points hold the sequence together. Report early: CERT-In requires organisations in India to report a cyber incident within six hours of noticing it. And preserve evidence before recovering: a wiped system cannot be investigated, and insurers will ask for that evidence.
Three mistakes turn a contained incident into a crisis.
Do not treat the plant like the office. Isolating OT without operations in the room can stop a line more abruptly, and less safely, than the ransomware would have.
Do not wipe and rebuild in haste. Evidence lost in the first hours cannot be recovered for investigators or insurers.
Do not decide on the ransom alone. Payment is a legal, financial and board matter, never an operational reflex.
The first 24 hours go well only when the work was done before them. Three preparations matter most. Segment the network so IT and OT are separated, and divide the plant into zones that can be isolated independently. Keep tested, offline backups of OT configurations and golden images. And write an OT-specific incident response plan, then rehearse it with operations and safety rather than as an IT tabletop. This is where most manufacturers are exposed: only 14% feel fully prepared for current OT threats, and only a quarter test their incident response plan. A plan first read during an attack is not a plan.
Ransomware on the plant floor is an operations event with a security cause. The manufacturers that come through it well are the ones that planned the first 24 hours before they needed them.
Proactive Data Systems helps manufacturers segment IT and OT, harden the plant floor and prepare OT incident response, and holds Cisco Preferred Partner status under the Cisco 360 Partner Program for Security.