CASE FILE // PC-2026-04
Status: Open


Filing 03.03.00 | Field 27 APR 2026 | Classification Public | Status Open

Phishing cost in manufacturing: vendor BEC, production downtime, and the OT pivot

Average breach cost $5.08M (IBM 2025). The cost profile is driven by vendor BEC wire-fraud across supplier-chain handoffs and by production-downtime cost when phishing-initiated ransomware reaches OT systems. Defence-industrial-base manufacturers carry an additional CMMC compliance layer.

Exhibit A

The manufacturing phishing risk profile


Manufacturing phishing breach cost sits at $5.08M average per IBM 2025, materially above the cross-sector mean of $4.88M. The drivers are different from healthcare or finance. Per-record cost is only $168 because manufacturing data per record carries lower regulatory liability than PHI or PCI. The total figure is driven instead by two structural factors: vendor BEC wire-fraud succeeds at scale because manufacturing supplier chains contain dozens to hundreds of vendor relationships per facility, and production-downtime cost dominates the disruption line whenever a phishing-initiated ransomware event reaches factory-floor systems.

The sector also faces an unusual operational-technology pivot risk that does not exist in services-sector phishing analysis. A successful phishing attack against a manufacturing IT environment can pivot into the OT environment that controls factory-floor equipment. The Norsk Hydro 2019 case (LockerGoga ransomware delivered via phishing, $70M+ damage primarily through aluminium-production disruption) and the Colonial Pipeline 2021 case (DarkSide ransomware, $4.4M ransom paid, downstream fuel-supply disruption across the US East Coast) are the canonical references. Both involved a phishing-initiated IT compromise that pivoted to OT impact. The OT-pivot cost line is the single largest variance between manufacturing breach modelling and services-sector breach modelling.[IBM 2025 manufacturing cohort + Norsk Hydro 2019 disclosure + Colonial Pipeline 2021 disclosure]

Exhibit B

Why vendor BEC dominates the manufacturing loss line


The single largest dollar-loss category in manufacturing phishing is vendor BEC: the variant of business email compromise where the attacker spoofs or compromises a known supplier mailbox and redirects an invoice payment. The category dominates manufacturing loss for three structural reasons.

First, the volume of legitimate vendor payments is high. A typical mid-market manufacturer processes hundreds of vendor invoices per month from dozens of distinct suppliers; a large manufacturer can process thousands of invoices monthly across hundreds of suppliers. The high baseline volume of legitimate vendor-payment transactions creates a high-noise environment where a single fraudulent invoice with redirected banking details is hard to spot. The accounts-payable team's job is to process invoices quickly, not to perform forensic verification on every one.

Second, the supplier relationships are frequently long-lived but loosely secured. A supplier mailbox compromise upstream of the manufacturer is invisible to the manufacturer's own security controls. The compromised supplier sends what appears to be a routine invoice from a known address; the manufacturer has no signal that the supplier's mailbox has been taken over. The attacker can sit inside the supplier's mailbox for weeks observing payment-cycle timing before triggering the fraudulent invoice.

Third, the wire-fraud recovery rate is unfavourable. By the time the manufacturer's accounts-payable team or the supplier discovers the fraud, the funds have typically already cleared and been moved through mule accounts. Manufacturing-sector wire-fraud recovery rates run approximately 25 to 35 percent gross, in line with the broader BEC recovery picture. The single highest-leverage control (see /by-attack/bec) is an out-of-band confirmation procedure on any banking-detail change, applied to every supplier regardless of payment size.[IBM 2025 + IC3 2024 vendor-BEC category + ACFE 2024 occupational-fraud report]

Exhibit C

The OT-pivot anatomy: from email click to production halt


The OT-pivot path is the manufacturing phishing risk that has no parallel in other sectors. The pattern works as follows. A phishing email lands in the IT environment, the recipient clicks, the attacker establishes initial access on the IT side. The attacker then enumerates the environment looking for paths from IT to OT, which in many manufacturing facilities are surprisingly direct because the historical air-gap between IT and OT has eroded as plant operators have integrated production systems with corporate ERP, MES, and analytics platforms.

Once the attacker has reached OT, the options are several. Ransomware deployment against OT systems takes production offline directly. Selective destruction of OT control logic (the TRITON / TRISIS pattern, 2017) targets safety-instrumented systems. Encryption of plant historian and recipe databases (the LockerGoga pattern at Norsk Hydro) makes resuming production technically possible but operationally difficult because the operators no longer know what recipe or batch was in progress. Each variant has produced 9-figure damage in published cases.

The defender remediation is structural: network segmentation between IT and OT, with strictly-controlled flows through identified gateway systems; OT-specific endpoint detection and response (Claroty, Dragos, Nozomi-class); and a clear incident-response playbook for OT-impact events that is distinct from the IT-incident playbook. Many mid-market and small manufacturers have not deployed these controls and remain exposed to direct pivot from a phishing click to a production halt within hours.[Dragos 2024 ICS year-in-review + CISA ICS advisories 2023-2025 + Norsk Hydro public disclosure]
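Added example, not part of the case file: a segmentation audit of the kind the remediation above implies, run over constructed flow records. Any flow that crosses directly between the IT and OT zones without terminating on the monitored gateway is reported; zone ranges, the gateway address and the sample flows are assumptions, not any real plant.

```python
"""Added example: auditing flow records for IT/OT traffic that bypasses the
monitored gateway. Zone ranges, gateway address and flow records are constructed."""
import ipaddress

IT_ZONE = ipaddress.ip_network("10.10.0.0/16")   # corporate IT (ERP, MES clients, email)
OT_ZONE = ipaddress.ip_network("10.20.0.0/16")   # factory floor (PLCs, HMIs, historian)
GATEWAY = ipaddress.ip_address("10.15.0.5")      # the only permitted IT/OT crossing point
# Well-known industrial-protocol ports, used only to label a finding.
OT_PROTOCOL_PORTS = {502: "modbus", 102: "s7comm", 44818: "ethernet/ip", 20000: "dnp3"}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    if addr == GATEWAY:
        return "gateway"
    if addr in IT_ZONE:
        return "it"
    if addr in OT_ZONE:
        return "ot"
    return "other"

def classify_flow(flow: dict) -> tuple:
    """flow = {'src': ip, 'dst': ip, 'dport': int}. Returns (verdict, detail).
    Any direct IT<->OT flow is a segmentation violation: traffic must terminate
    on the gateway. Unclassified sources reaching OT are also flagged."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    proto = OT_PROTOCOL_PORTS.get(flow["dport"], f"tcp/{flow['dport']}")
    if {src, dst} == {"it", "ot"}:
        return ("violation", f"{src}->{dst} {proto} bypasses gateway: {flow['src']} -> {flow['dst']}")
    if src == "other" and dst == "ot":
        return ("violation", f"unclassified host {flow['src']} reached OT over {proto}")
    return ("allowed", f"{src}->{dst} {proto}")

def audit(flows: list) -> list:
    """Return the detail string of every violating flow, in input order."""
    return [detail for verdict, detail in map(classify_flow, flows) if verdict == "violation"]

# Constructed flow records, in the shape a firewall or NetFlow export would give.
SAMPLE_FLOWS = [
    {"src": "10.10.4.21", "dst": "10.10.8.8", "dport": 443},       # IT workstation -> ERP
    {"src": "10.10.4.21", "dst": "10.20.1.7", "dport": 502},       # IT workstation -> PLC (bypass)
    {"src": "10.15.0.5", "dst": "10.20.1.7", "dport": 502},        # gateway -> PLC (permitted path)
    {"src": "10.10.6.3", "dst": "10.15.0.5", "dport": 443},        # IT client -> gateway
    {"src": "10.20.9.2", "dst": "10.10.8.8", "dport": 1433},       # OT historian -> IT DB (bypass)
    {"src": "192.168.77.3", "dst": "10.20.1.7", "dport": 44818},   # unknown host -> PLC
]

def demo() -> list:
    return audit(SAMPLE_FLOWS)   # three violations out of six flows
```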

Exhibit D

Cost-line build-up against the $5.08M figure


Cost line                            | Share of $5.08M | Dollar figure | Driver
Direct wire / vendor-invoice loss    | 27%             | $1.37M        | Vendor BEC dominant; see /by-attack/bec
Production-downtime cost             | 22%             | $1.12M        | OT-pivot or IT-driven plant shutdown
Incident response + forensics        | 14%             | $711K         | IT and OT IR engagements may run in parallel
Customer-disclosure + contract-loss  | 10%             | $508K         | Tier-1 customer disclosure requirements
Notification + monitoring            | 8%              | $406K         | Lower than services sectors
OT-system rebuild + recovery         | 7%              | $356K         | Where OT was impacted
Legal + class-action exposure        | 6%              | $305K         | Lower than services because per-record liability is lower
Insurance-premium increase           | 4%              | $203K         | Manufacturing cyber-insurance has hardened materially
Awareness + control rebuild          | 2%              | $102K         | One-time post-event

The production-downtime line is the largest variance from services-sector breach modelling. Per-hour downtime cost ranges widely from $5K (small mid-market manufacturer) to $8M (semiconductor fab) and the aggregate-during-event downtime cost can dominate the total event-cost line.[IBM 2025 manufacturing cohort + Dragos 2024 industry impact analysis]

Exhibit E

CMMC, ITAR, and the defence-industrial-base layer


For manufacturers in the US defence-industrial base, the regulatory layer adds Cybersecurity Maturity Model Certification (CMMC) and International Traffic in Arms Regulations (ITAR) compliance requirements on top of the general manufacturing baseline. CMMC 2.0, effective in late 2024 with rolling implementation through 2025-2027, requires Level 2 certification for most handlers of Controlled Unclassified Information (CUI). Level 2 maps to NIST SP 800-171 controls and includes mandatory phishing-defence elements: MFA across the workforce, security-awareness training, incident-response capability, and supply-chain risk management.

The CMMC certification process is itself a cost line. Third-party assessment for Level 2 runs approximately $50K to $250K depending on organisation size and existing maturity, with re-assessment every three years. Failure to certify by required dates results in contract ineligibility, which for many defence-industrial-base manufacturers represents existential business risk. The compliance investment is therefore not optional and the post-incident remediation cost includes the work to restore CMMC compliance posture after a phishing-initiated breach.

ITAR violations carry their own enforcement layer with civil penalties up to $1.2M per violation and criminal penalties for wilful violations. A phishing-initiated breach that exposes ITAR-controlled technical data triggers parallel notification and remediation obligations. Defence-industrial-base manufacturers therefore face a triple-stack regulatory exposure (general breach notification + CMMC + ITAR) that mid-market commercial manufacturers do not.[32 CFR Part 170 (CMMC) + 22 CFR Part 120-130 (ITAR) + DoD CMMC AB guidance 2024-2025]

Exhibit F

The control stack: vendor verification, OT segmentation, IR playbook


#1 Out-of-band confirmation on vendor banking-detail changes

~65% of vendor-BEC wire-loss
Cost: $0 tooling, policy work

Hard rule: any change to a supplier's payment bank account must be confirmed by a phone call to a previously-known number, not the number on the email. Applied to every supplier regardless of payment size. Cheapest, highest-leverage single control.

#2 IT-OT network segmentation with monitored gateway

~70% of OT-pivot risk
Cost: 6-18 months of network-engineering work

Strict segmentation between IT and OT environments, with all flows passing through monitored gateway systems. The single most-leveraged control against the OT-pivot ransomware pattern that drove the Norsk Hydro and Colonial Pipeline event costs.

#3 Phishing-resistant MFA across IT workforce

~90% of credential-pivot value
Cost: $50 per user one-time

FIDO2 hardware-key MFA across IT, finance, and engineering populations. Mandatory under CMMC Level 2. The control whose absence enabled the initial-access step in most published manufacturing ransomware cases.

#4 OT-specific endpoint detection-and-response

~50% of OT-impact event severity
Cost: $50K to $500K per facility

Claroty, Dragos, Nozomi-class OT detection deployed across factory-floor systems. Detects unusual OT-protocol traffic patterns characteristic of attacker reconnaissance and lateral movement inside the OT environment.

#5 IR playbook with OT-specific response

~40% of OT-impact recovery time
Cost: $50K to $250K one-time + annual exercise

OT-incident response is operationally distinct from IT-incident response: safety-system integrity must be confirmed before restart, plant-operator authority and IT-operator authority frequently differ, and regulatory notification timelines may run in parallel. A pre-built playbook compresses the recovery window.

#6 Supplier-portal with multi-party banking-change approval

~85% of vendor-banking-change BEC
Cost: $50K to $200K one-time

Banking-change requests are processed through a supplier portal that requires multi-party approval and out-of-band verification. Eliminates email-driven banking-change requests entirely for major vendors.
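Added example, not the case file's own procedure: controls #1 and #6 expressed as an accounts-payable check. An invoice whose bank details differ from the vendor master is held, regardless of amount, until a callback has been made to the number on file (never the number quoted in the email) and two approvers have signed off. Vendor ids, account strings and phone numbers are constructed sample data.

```python
"""Added example: evaluating a supplier invoice against the vendor master and
enforcing out-of-band confirmation plus multi-party approval of any banking-detail
change. All vendor ids, account strings and phone numbers are constructed."""
from dataclasses import dataclass, field

# Vendor master: bank details and contact number captured at onboarding.
# The number on file is the only number ever dialled for confirmation.
VENDOR_MASTER = {
    "V-1001": {"iban": "GB00ACME00000001", "phone_on_file": "+44 20 7946 0001"},
    "V-1002": {"iban": "DE00BORE00000002", "phone_on_file": "+49 30 1234 0002"},
}

@dataclass
class Invoice:
    vendor_id: str
    amount: float
    iban: str                   # bank details printed on the invoice
    callback_number: str        # contact number quoted in the email / invoice
    approvers: set = field(default_factory=set)   # staff who approved the change
    callback_done_to: str = ""  # number AP actually dialled to confirm

def evaluate_invoice(inv: Invoice, min_approvers: int = 2) -> dict:
    """Decide pay/hold. A changed account is held until confirmed out-of-band to
    the number on file and approved by min_approvers people, regardless of amount."""
    master = VENDOR_MASTER.get(inv.vendor_id)
    if master is None:
        return {"action": "hold", "blockers": ["unknown vendor id"], "notes": []}
    if inv.iban == master["iban"]:
        return {"action": "pay", "blockers": [], "notes": ["bank details match master"]}
    blockers = []
    notes = ["bank details differ from vendor master: treat as banking-change request"]
    if inv.callback_done_to != master["phone_on_file"]:
        blockers.append("no callback to the number on file")
    if inv.callback_number != master["phone_on_file"]:
        notes.append("contact number in the email differs from the number on file")
    if len(inv.approvers) < min_approvers:
        blockers.append(f"{min_approvers} approvers required, {len(inv.approvers)} recorded")
    return {"action": "hold" if blockers else "pay", "blockers": blockers, "notes": notes}

def demo() -> list:
    """Three constructed invoices: routine, suspect, and properly confirmed."""
    routine = Invoice("V-1001", 12500.0, "GB00ACME00000001", "+44 20 7946 0001")
    # Changed account, callback made only to the number in the email, one approver.
    suspect = Invoice("V-1001", 12500.0, "LT00MULE00000099", "+44 7700 900123",
                      approvers={"ap.clerk"}, callback_done_to="+44 7700 900123")
    # Changed account, callback to the number on file, two approvers.
    confirmed = Invoice("V-1002", 8400.0, "DE00BORE00000777", "+49 30 1234 0002",
                        approvers={"ap.clerk", "ap.manager"}, callback_done_to="+49 30 1234 0002")
    return [evaluate_invoice(i)["action"] for i in (routine, suspect, confirmed)]  # ['pay', 'hold', 'pay']
```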

Exhibit G

Frequently filed questions


What is the average phishing-related breach cost in manufacturing?

$5.08M average per IBM 2025. Driven by vendor BEC wire-fraud and production-downtime cost rather than per-record liability.

What is the OT-pivot risk?

The risk that a phishing-initiated IT compromise pivots into operational-technology systems controlling factory floor equipment. The Norsk Hydro 2019 and Colonial Pipeline 2021 cases are the canonical references.

What is the per-hour production-downtime cost?

$5K (small mid-market) to $8M (semiconductor fab). Automotive assembly $1-2M per hour. Pharmaceutical $500K-$1.5M per hour. Aggregate during-event downtime cost frequently dominates the total breach cost.

Does CMMC apply to my manufacturing operation?

If you handle Controlled Unclassified Information in a US Department of Defense context, yes. CMMC 2.0 Level 2 is required for most CUI handlers with rolling implementation through 2025-2027.

What is the dominant phishing loss vector?

Vendor BEC. Successful supplier-mailbox compromise enables fraudulent invoices with redirected banking details. The volume of legitimate vendor-payment transactions creates a high-noise environment where fraud is hard to spot.

How does the supplier-side compromise reach my AP team?

The attacker compromises the supplier's mailbox upstream of you, sits inside observing payment-cycle timing for weeks, then sends what appears to be a routine invoice from a known address but with redirected banking details. Your security controls have no visibility into the supplier's mailbox.

What is the single highest-leverage control?

An out-of-band confirmation procedure on every vendor banking-detail change, applied to every supplier regardless of payment size. Zero tooling cost, ~65% reduction in vendor-BEC wire-loss.

Updated 2026-04-27