Manufacturing and OT Phishing Risks: A CISA-Aligned Program
The most expensive ransomware incidents on public record have been manufacturers and utilities. Three weeks of unplanned downtime at a discrete manufacturer wipes out a year of operating margin; a multi-day outage at a plant feeding a JIT supply chain ripples to customers in dollars and to the rest of the industry in headlines. Attackers know the math, and the entry vector is overwhelmingly the same: a phishing email landing in an office worker's inbox, a credential captured, a remote-access pivot and a ransomware payload that finds the IT/OT seam and exploits it.
This post is for the manufacturing CISO, the plant IT manager, the OT cybersecurity engineer, the utility CIP coordinator and the operations VP who has been told the next ransomware incident is a question of when. It walks through the threat model unique to industrial environments, how the regulatory and guidance frame applies, what works on a phishing program for a workforce split between knowledge workers and shop-floor staff and where the documentation needs to land.
The threat model unique to industrial environments
- Production downtime is leverage. Ransomware operators know a manufacturer cannot tolerate a multi-day outage. The willingness to pay shows up in the targeting effort.
- The IT/OT boundary is often weaker than the architecture diagram suggests. Engineering workstations dual-homed across networks, vendor remote access, jump servers with shared credentials, flat-network legacy plants - the phishing-to-OT path is shorter than most plant managers want to acknowledge.
- AP and vendor flows are high volume. A manufacturer pays hundreds of vendors a month with constantly changing payment instructions. Vendor invoice fraud (BEC) is a quiet, recurring loss source that rarely makes headlines but consistently shows up in fraud reports.
- Engineering staff are high-privilege phishing targets. Controls engineers, automation engineers and process engineers hold credentials that can reach historians, HMIs and engineering workstations. Lures impersonating PLC vendor update notices or maintenance contractor portals work.
- Workforce composition is uneven. Most plants have a small fraction of users with primary email accounts and a much larger fraction of shop-floor workers without one. The phishing program covers the first group; awareness for the second needs a different delivery mechanism.
The Verizon DBIR has called out manufacturing year after year as a heavily attacked sector. CISA's joint advisories with the FBI and NSA have specifically named ransomware crews active against critical-infrastructure manufacturers and the energy sector.
The regulatory and guidance frame
- NERC CIP-004 - for registered entities in the bulk electric system. Requires cybersecurity awareness for personnel with electronic or unescorted physical access to BES Cyber Systems, reinforced at least every 15 calendar months. Auditors look for evidence that the program is effective; phishing simulation is the standard evidence.
- TSA Pipeline / Rail / Aviation Security Directives - for operators in regulated transportation; require cybersecurity training and incident reporting.
- CISA Cross-Sector Cybersecurity Performance Goals (CPGs) - voluntary baseline that names workforce training and phishing-resistant practices among its goals.
- NIST Cybersecurity Framework 2.0 - the Awareness and Training (PR.AT) category under the Protect function; the de facto language of manufacturing customer audits.
- ISO/IEC 27001 and 27019 - required by many large manufacturing customers for vendor onboarding.
- Defense Industrial Base (DIB) - CMMC and DFARS 252.204-7012 - for primes and subs handling CUI; security awareness training is required.
- Cyber insurance - see our 2026 renewal post for the questionnaire that has become standard.
Manufacturers without federal regulatory pressure typically still face customer audits - automotive OEMs, aerospace primes and large retail customers all push security training requirements down the supply chain. The buyer audit is often more stringent than any regulator.
Templates that land in industrial environments
- Vendor invoice and payment-change lures - the AP-fraud bread-and-butter. Targets accounts payable.
- PLC vendor update notices - Siemens, Rockwell, Schneider, Emerson firmware-update lures. Targets controls and automation engineers.
- Remote-access password resets - VPN, Citrix, vendor portal credential prompts. Targets IT, engineering and remote-access users.
- ERP password expiration - SAP, Oracle, Infor, Plex prompts. Targets office workforce.
- Customer / OEM portal lures - Ariba, Coupa, customer-supplier portal credential prompts. Targets sales, customer service and AR.
- HR/payroll BEC during open enrollment - direct deposit changes targeting the office workforce.
- Logistics and freight - bill-of-lading, broker and 3PL lures targeting shipping and traffic.
- Safety and environmental - fake OSHA, EPA or audit-finding letters targeting EHS staff.
Mix difficulty: easy templates to baseline the broader office workforce, regular templates for the ongoing cadence, and hard scenarios aimed specifically at the engineering, IT admin and treasury cohorts. Multi-channel coverage - SMS smishing reaching mobile-device users on the floor, voice vishing impersonating a vendor field engineer - closes the gaps the email program leaves open.
Cohort design for plant environments
One blanket campaign for everyone produces unhelpful aggregate numbers. Segment:
- Office and corporate - finance, AP, AR, sales, customer service, HR. Email-based monthly cadence.
- Engineering - controls, automation, design, quality. Email-based monthly cadence plus quarterly hard-difficulty OT-relevant simulations.
- IT and OT operations - system administrators, ICS support, plant IT. Monthly plus quarterly remote-access / vendor-impersonation simulations.
- Plant management - plant managers, supervisors, production planning. Monthly.
- Executive and treasury - separate hard-difficulty whaling and BEC track.
- Shop-floor (no primary email) - classroom or kiosk-based awareness; SMS-based simulation if mobile self-service is in use.
Where auto-assigned training matters most
The single highest-leverage feature in a manufacturing phishing program is what happens between the moment a user clicks and the moment they are remediated. Manual follow-up does not scale across multiple plants and shifts. Auto-assigned just-in-time training the moment a user fails a simulation closes the loop, produces audit evidence and survives both customer audit and cyber-insurance review.
OT-specific awareness content
Generic phishing training does not cover the OT-specific behaviors engineers and operators need:
- Verify firmware-update notices through known vendor channels, not from email links
- Use jump servers and audited remote-access paths even under time pressure
- Treat USB media as untrusted; sanitize through a dedicated kiosk
- Report suspected phishing through the established channel before forwarding
- Coordinate with IT before responding to "emergency" vendor escalations
Mature programs deploy a modular training library that places OT-specific lessons alongside the generic SAT content.
Documentation that survives audit
- Campaign log: dates, target population, template category, difficulty
- Click and reporting rate trend over 24 months by cohort
- Training completion rate per campaign with median time-to-completion
- Coverage report: percentage of email-using headcount enrolled, with the rationale for how non-email cohorts are covered
- Multi-channel evidence: SMS or voice campaign reports
- Written security awareness policy approved by management
- Board / executive reporting cadence and sample report
- For NERC CIP entities: 15-month reinforcement evidence and BES-Cyber-System-access-personnel training records
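As an added example (not the vendor's platform code), the following script computes the per-cohort click, reporting and training-completion figures the audit packet above calls for, lists the open just-in-time training loop from the earlier section, and checks the 15-calendar-month CIP-004 reinforcement window. The campaign log rows, cohort names, user ids and the calendar-month reading of the 15-month rule are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date
# Constructed sample data (not real): one row per simulated email delivered.
# Columns: date, user, cohort, template, difficulty, clicked?, reported?, JIT training completed (None = open)
CAMPAIGN_LOG = [
    (date(2025, 1, 14), "ap01",  "office",      "vendor-invoice",      "easy",    True,  False, date(2025, 1, 15)),
    (date(2025, 1, 14), "ap02",  "office",      "vendor-invoice",      "easy",    False, True,  None),
    (date(2025, 1, 21), "eng01", "engineering", "plc-firmware-update", "hard",    True,  False, None),
    (date(2025, 1, 21), "eng02", "engineering", "plc-firmware-update", "hard",    False, True,  None),
    (date(2025, 2, 11), "ops01", "it-ot-ops",   "vpn-password-reset",  "regular", True,  False, date(2025, 2, 11)),
]
# Last awareness reinforcement per user with BES Cyber System access, and the audit date (constructed).
CIP_RECORDS = {"eng01": date(2024, 1, 14), "eng02": date(2023, 12, 20)}
AS_OF = date(2025, 4, 30)

def cohort_rates(log):
    """Per-cohort click rate, report rate and JIT-training completion rate for the audit packet."""
    stats = defaultdict(lambda: {"sent": 0, "clicked": 0, "reported": 0, "trained": 0})
    for _, _, cohort, _, _, clicked, reported, trained in log:
        s = stats[cohort]
        s["sent"] += 1
        s["clicked"] += clicked
        s["reported"] += reported
        s["trained"] += clicked and trained is not None  # only failures are owed JIT training
    return {
        cohort: {
            "click_rate": s["clicked"] / s["sent"],
            "report_rate": s["reported"] / s["sent"],
            "training_completion": s["trained"] / s["clicked"] if s["clicked"] else 1.0,
        }
        for cohort, s in stats.items()
    }

def pending_jit_training(log):
    """The open loop: users who failed a simulation and still have no completed training."""
    return sorted({u for _, u, _, _, _, clicked, _, trained in log if clicked and trained is None})

def calendar_months_between(earlier, later):
    """Calendar months between two dates, ignoring the day (Jan 2024 -> Apr 2025 = 15)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)

def cip_reinforcement_overdue(last_reinforced, as_of):
    """Users more than 15 calendar months past reinforcement (assumed reading: a Jan 2024 session is due again by end of Apr 2025)."""
    return sorted(u for u, last in last_reinforced.items() if calendar_months_between(last, as_of) > 15)

if __name__ == "__main__":
    for cohort, r in cohort_rates(CAMPAIGN_LOG).items():
        print(f"{cohort:12} click {r['click_rate']:.0%}  report {r['report_rate']:.0%}  trained {r['training_completion']:.0%}")
    print("open JIT training:", pending_jit_training(CAMPAIGN_LOG), "| CIP overdue:", cip_reinforcement_overdue(CIP_RECORDS, AS_OF))
```

Feeding the real campaign export into the same shape gives the 24-month trend by cohort once the rows are grouped by campaign date as well.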
Customer-driven program pressure
For most manufacturers, the strongest forcing function is the customer audit, not the federal regulator. Automotive OEMs require TISAX-aligned controls from suppliers. Aerospace primes flow CMMC and NIST 800-171 down their supply chain. Large retail customers run their own vendor security questionnaires that increasingly ask about phishing simulation by name. Pharma customers running clinical trials expect GxP-aware controls including awareness training.
The pattern across all of these is the same: the customer asks for documented evidence of a continuous awareness program with phishing simulation, click-rate trend and training completion data. A manufacturer that can produce the packet in a week passes the audit; one that has to assemble it loses time and sometimes loses contracts. This is the practical reason most manufacturers move to a continuous program: the cost of the program is small relative to the cost of failing a customer audit.
Mistakes specific to manufacturing
- Excluding plants because they're "operational, not corporate." Plant business offices are routine BEC targets and belong in the program.
- Excluding engineers because they're "technical." Vendor-impersonation lures aimed at engineers are the highest-leverage entry path to OT. They need targeted simulation, not exemption.
- Calling the awareness training "the program." Without measured behavior change via simulation, the LMS module is documentation theatre.
- One global cadence. AP and treasury need higher-frequency, higher-difficulty simulation than the rest of the office workforce.
Where Bait & Phish fits
Bait & Phish has been running phishing simulation and security awareness training programs for discrete manufacturers, process manufacturers, food & beverage producers, utilities, oil & gas operators and DIB primes and subs for more than 15 years. The platform supports the cadence, cohort segmentation and documentation industrial environments need: monthly multi-channel campaigns (email, SMS, voice), manufacturing-realistic template categories, auto-assigned just-in-time training, role-segmented reporting and one-click exports for customer audit, NERC CIP review and cyber-insurance renewal.
Start a free trial covering up to 25 users - typically the IT, engineering and AP cohorts - or talk to us about pricing for full plant or enterprise coverage. Plan structure is on the pricing page. For more on documentation flow into your insurance renewal, see what cyber insurers ask about phishing training.
This post is informational and does not constitute legal, regulatory or compliance advice. Specific obligations vary by sector, jurisdiction and customer requirements; consult counsel and your compliance team.
Related industry guides
- State and local government phishing training
- Law firm phishing simulation
- Healthcare phishing simulation
- Retail and e-commerce phishing simulation (PCI, gift-card BEC)
- K-12 and higher education phishing training
- MSP and MSSP phishing simulation (multi-tenant reseller)
- Financial services phishing awareness
- Energy and utility phishing simulation (NERC CIP, TSA)
- SaaS startup phishing simulation (SOC 2-ready in 30 days)