23 March 2026

When Manufacturing Stops: Why German Engineering Is Targeted by OT Attacks


119 ransomware groups are targeting industrial organizations in 2025 – an increase of 49 percent. In 81 percent of OT environments, segmentation towards IT is insufficient. German mechanical engineering is in the crosshairs and most companies don’t know it.

Key Takeaways

  • 49 percent more ransomware groups: Dragos tracked 119 ransomware groups targeting industrial organizations in 2025 – up from 80 the year before.
  • 81 percent without sufficient segmentation: in four out of five assessed OT environments, there is no clean separation between the IT and OT networks (Dragos OT Cybersecurity Report 2026).
  • More than two-thirds from manufacturing: manufacturing accounts for the majority of all OT ransomware victims worldwide.
  • 119 new vulnerabilities per day: the BSI’s 2025 situation report notes a 24 percent increase in newly discovered vulnerabilities per day.
  • 88 percent without external help: the VDMA Industrial Security 2025 study shows that almost nine out of ten industrial companies manage OT security purely in-house.

The new quality of the threat

Ransomware against industrial companies is not new. What is new is the precision with which attackers operate. The Dragos OT Cybersecurity Report 2026, published on February 17, 2026, documents a qualitative leap: attackers actively map how control systems work. They understand where commands originate, how they propagate through the plant and where physical effects can be triggered.

That is a fundamental difference to classic ransomware. Encrypting office PCs cripples email traffic. Manipulating a control system can bring production lines to a halt, sabotage quality processes and, in the worst case, cause physical damage to machines and personnel.

The numbers underline the scale: 119 different ransomware groups targeted industrial organizations in 2025 – a 49 percent increase over 2024. 3,300 organizations worldwide were affected. More than two-thirds of all victims come from manufacturing. For German mechanical engineering, seen globally as a technology leader, this is a direct threat.

Dragos OT Report 2026, key figures: 119 ransomware groups targeting industrial organizations; +49 % increase over 2024; 81 % of assessed environments without sufficient IT/OT segmentation.

Source: Dragos OT Cybersecurity Year in Review, February 2026

Why mechanical engineering is especially vulnerable

German mechanical engineering has a structural security problem. Production equipment is designed for longevity. A milling machine runs 15 to 20 years, and its control software often runs just as long. Updates are risky because they can interrupt production processes. Patches get postponed because no one wants to stop a running line for a software update.

The result: OT networks running on outdated operating systems, communicating with protocols that were never designed for the internet, maintained by IT departments trained for office IT. The VDMA Industrial Security 2025 study (together with Fraunhofer AISEC) quantifies the problem: 88 percent of surveyed industrial companies manage OT security purely in-house – without external specialists.

That sounds like self-reliance, but it is often overload. OT security requires a different skill set from IT security. A firewall administrator cannot automatically assess the security of a SCADA installation. The protocols are different (industrial protocols such as Modbus and OPC UA rather than the familiar office-IT stack), the priorities are different (availability before confidentiality), and the consequences of a mistake are different (a production outage instead of a data leak).

On top of that there is regulatory uncertainty. The VDMA study shows that 30 percent of surveyed SMEs are unsure whether they fall under the requirements of the CRA (Cyber Resilience Act) and NIS2. This uncertainty leads to passivity – and passivity is the most dangerous strategy in the current threat landscape.

“The threat landscape reached a new level of maturity in 2025. Attackers are mapping how control systems work – where commands originate, how they propagate and where physical effects can be triggered. Industrial organizations massively underestimate the reach of ransomware in OT environments because they still treat the topic as a pure IT problem.”
Robert M. Lee, CEO and co-founder of Dragos (OT Cybersecurity Report, February 2026), translated

Three new threat groups focused on OT

The Dragos report identifies three new threat groups that specifically attacked critical infrastructure for the first time in 2025. These groups differ from classic ransomware actors in their methodical approach: they move undetected through OT networks for weeks, map control loops and collect information about physical processes before they strike.

For German production companies, this is relevant because Germany is prominently represented in the geodata of exposed OT systems. The combination of connected Industrie 4.0 infrastructure, a high degree of automation and partly outdated security concepts makes Germany an attractive target for attackers looking to achieve physical effects.

Another finding from the Dragos report highlights the operational weakness: in 82 percent of the assessed organizations, there are no clear criteria for when an operational anomaly should trigger a cyber investigation. That means: even when an attack is running, affected companies may not recognize it – because no one has defined what counts as suspicious behavior in the production environment in the first place.

The BSI perspective: 119 new vulnerabilities per day

The Federal Office for Information Security confirms the threat landscape in its 2025 annual report. On average, 119 new vulnerabilities in IT systems were made public per day during the reporting period – up 24 percent over the previous year. The BSI explicitly names energy generation and vehicle production as high-risk areas.

BSI President Claudia Plattner sums up the situation in a single sentence: every institution or person reachable from the internet is, in principle, under threat. For production companies that are increasingly connecting their plants, this statement is not an abstract warning. It describes everyday operations.

According to the BSI, Russian actors are actively attacking the IT infrastructure of German companies, municipalities and private individuals. The geopolitical dimension increases the pressure on companies that previously assumed they were not interesting enough for state-motivated attackers. In broad-scale attacks, it is no longer just the large corporations that are hit.

The convergence of IT and OT as a security risk

Industrie 4.0 has merged the once hermetically separated worlds of IT and OT. Predictive maintenance needs production data in the cloud. AI-based quality control requires image streams from cameras on the line to the data center. Supply chain optimization links ERP systems with machine controls. Every one of these connections is a potential entry point.

The problem is not the connectivity itself – it delivers real productivity gains. The problem is how it is implemented. In many companies, the connections between IT and OT were created ad hoc: a VPN tunnel here, a file share there, a remote desktop connection for the external maintenance technician. Each of these connections was pragmatic on its own. Taken together, they form a network that no security architect would have designed.

Continental experienced in 2022 how quickly an IT attack can hit the entire value chain. Even though the production facilities were not directly affected, the incident showed how vulnerable connected industrial companies are. Since then, the topic has gained weight in boardrooms – but operational implementation lags behind the insight.

One particularly critical aspect: remote maintenance access. Many machine manufacturers offer remote maintenance over the internet. These accesses often run over proprietary protocols that are neither monitored by the IT team nor understood by the OT team. A compromised remote maintenance access gives an attacker direct access to control technology – past the entire security perimeter.

The solution is not isolation, but controlled opening. Zero Trust principles, which have become standard in the IT world, have to be applied to OT environments. Every connection is authenticated, every data flow inspected, every access logged. That requires investment in technology and know-how – but the alternative is an attack surface that grows with every new Industrie 4.0 initiative.

Five immediate measures for production companies

1. Enforce IT/OT segmentation: the production network must be physically or logically separated from the office network. A firewall between the segments is the minimum. Better: a demilitarized zone (DMZ) with controlled handover points for the data that has to flow between both worlds.

2. Establish anomaly detection: define what normal behavior in the production environment looks like. Every deviation – unexpected connections, unusual protocols, access at unusual times – has to trigger an investigation. Tools like Nozomi Networks, Claroty or Dragos Platform offer OT-specific anomaly detection.

3. Build an asset inventory: you can’t protect what you don’t know. Many companies don’t have a complete overview of all connected devices in their production. A current asset inventory with firmware versions, network connections and patch status is the foundation of any OT security strategy.

4. Develop an incident response plan for OT: the IT incident response plan does not apply to OT. When a production facility is attacked, different priorities apply: human safety first, then plant protection, then data backup. Every production company needs a separate OT incident response plan that is aligned with plant operations.

5. Create regulatory clarity: check whether the company falls under NIS2 or the Cyber Resilience Act. When in doubt, assume yes – the definition of affected sectors is deliberately broad. It is better to start compliance measures pre-emptively now than to retrofit later under time pressure.
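Measure 2 and the Dragos finding that most organizations lack criteria for when an anomaly triggers a cyber investigation can be made concrete in a few lines. The script below is an added example written for this article, not code from Dragos, Nozomi, Claroty or any other named product: it encodes a baseline of allowed talker pairs, protocols and maintenance windows for one production cell and reports every constructed flow record that deviates, with the reason that would open an investigation. All addresses, protocol names and the log format are assumptions.

```python
import re
from datetime import datetime

# Constructed baseline for one production cell (assumed addresses, not real site data):
# which source may talk to which destination over which protocol, and during which hours.
BASELINE = {
    # (src, dst, proto): (allowed start hour, allowed end hour), end exclusive
    ("10.20.1.10", "10.20.1.50", "modbus"): (0, 24),   # HMI -> PLC 1, around the clock
    ("10.20.1.10", "10.20.1.51", "opcua"): (0, 24),    # HMI -> PLC 2, around the clock
    ("10.20.1.200", "10.20.1.50", "rdp"): (8, 17),     # vendor jump host, business hours only
}
KNOWN_PROTOCOLS = {"modbus", "opcua", "rdp"}

# Assumed flow-record format: "<ISO timestamp> src=<ip> dst=<ip> proto=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)$")


def classify(line):
    """Return None if the flow matches the baseline, otherwise the reason
    that is the agreed trigger for a cyber investigation."""
    m = LINE_RE.match(line)
    if not m:
        return "unparseable record"
    hour = datetime.fromisoformat(m["ts"]).hour
    src, dst, proto = m["src"], m["dst"], m["proto"]
    if proto not in KNOWN_PROTOCOLS:
        return f"unusual protocol {proto} from {src} to {dst}"
    window = BASELINE.get((src, dst, proto))
    if window is None:
        return f"unexpected connection {src} -> {dst} ({proto})"
    start, end = window
    if not start <= hour < end:
        return f"access at unusual time {hour:02d}:00 from {src} ({proto})"
    return None


def triage(log_lines):
    """Map each deviating record to its reason; an empty dict means all normal."""
    findings = {}
    for ln in log_lines:
        reason = classify(ln)
        if reason:
            findings[ln] = reason
    return findings


SAMPLE_LOG = [  # constructed flow records for the cell above
    "2026-03-23T10:15:00 src=10.20.1.10 dst=10.20.1.50 proto=modbus",   # normal
    "2026-03-23T10:16:00 src=10.20.1.77 dst=10.20.1.50 proto=modbus",   # unknown talker
    "2026-03-23T03:02:00 src=10.20.1.200 dst=10.20.1.50 proto=rdp",     # outside window
    "2026-03-23T10:17:00 src=10.20.1.10 dst=10.20.1.50 proto=smb",      # office protocol
]

if __name__ == "__main__":
    for record, reason in triage(SAMPLE_LOG).items():
        print("INVESTIGATE:", reason)
```

The baseline itself is the output of measure 3: without a current asset inventory there is nothing to compare flows against.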

Conclusion

The threat landscape for German mechanical engineering is serious, but not hopeless. The measures are known, the tools available, the regulatory requirements defined. What is missing is execution. 81 percent without sufficient segmentation, 88 percent without external OT security expertise, 30 percent unsure about their own regulatory obligations – these are not technical problems. They are management decisions that are not being made.

The Dragos report 2026 shows: attackers have upgraded. They understand production facilities better than many of the companies that run them. Anyone who does not close this gap risks not just data loss, but production downtime. In German mechanical engineering, where delivery reliability and quality are the most important differentiators, a single successful OT attack can be an existential threat.

Frequently Asked Questions

What is the difference between IT security and OT security?

IT security protects data and business processes. The priority is confidentiality. OT security protects physical processes and equipment. The priority is availability. A ransomware attack on IT cripples email. An attack on OT can stop production lines or damage machines.

How do I know if my company falls under NIS2?

NIS2 covers companies in 18 defined sectors with at least 50 employees or 10 million euros in annual turnover. Mechanical engineering falls under “manufacturing” and thus into the scope. When in doubt, legal advice with NIS2 expertise should be engaged.

What does OT segmentation cost?

For a typical mid-market company with one to two production sites, costs range between 50,000 and 200,000 euros for hardware, implementation and initial configuration. Ongoing operating costs for monitoring and maintenance come on top. The alternative – a production outage through an OT attack – costs a multiple of that.

Can I cover OT security with my existing IT team?

Basic measures yes – asset inventory, network segmentation, patch management. For specialized tasks such as OT penetration testing, SCADA security assessments or incident response in production environments, most companies need external expertise. The VDMA study shows that 88 percent work internally – that does not mean it is optimal.

Which OT security tools are suitable for the Mittelstand?

For network monitoring: Nozomi Networks Guardian or Claroty CTD as passive monitoring solutions. For asset management: Langner OT-Base or SecurityBridge for SAP environments. For segmentation: industrial firewalls from Fortinet (FortiGate Rugged) or Palo Alto (PA-Series Rugged). The entry point should be network monitoring – it reveals the biggest risks without operational intervention.



Benedikt Langer

A magazine by Evernine Media GmbH