OT/IT Cybersecurity | Ransomware Protection | IT Support for Manufacturers Salt Lake City
Introduction
The production floor goes quiet on Friday afternoon before a long weekend. The ERP is idle. Your IT staff is reduced or off entirely. SAP, your SCADA systems, and your network are running without active monitoring. This is the window ransomware operators have studied and optimized for. A 2025 Semperis study found that 52% of ransomware attacks occur on holidays or weekends — not because attackers take weekdays off, but because they specifically target periods when your defenses are at their lowest. For a manufacturer, this is not an abstract risk. Ransomware that encrypts your ERP during a holiday weekend means your production line cannot start Tuesday morning.
The 72-Hour Window Attackers Exploit
The Semperis research identified a 72-hour window — roughly Friday afternoon through Tuesday morning — during which 78% of organizations reduce their security staffing. That reduction creates a gap that ransomware operators specifically target.
The average time for ransomware to encrypt a network is measured in hours. An attack that begins Friday night and goes undetected until Tuesday morning has had more than 60 hours to propagate across your production systems, ERP, file servers, and backups. The longer it runs undetected, the more complete the encryption — and the more costly the recovery.
For a manufacturer, the cost calculation is immediate and concrete. Every hour of production downtime has a real dollar value. A two-day recovery means two days of lost output, delayed orders, and potential customer penalties. A two-week recovery — which is not uncommon in unplanned ransomware scenarios — can be existential for a mid-sized manufacturer.
What Ransomware Looks Like on the Production Floor
When ransomware hits a manufacturing operation, the impact is not limited to the IT environment:
- ERP systems — SAP, Epicor, Oracle, Dynamics 365 — become inaccessible. Production orders cannot be pulled. Scheduling halts.
- CAD files and engineering documentation may be encrypted or exfiltrated.
- Quality management system records become unavailable.
- If the attack reaches OT networks, SCADA systems and production equipment may be affected directly.
- Customer and supplier communication systems go down, compounding the operational disruption.
Ransomware groups that target manufacturers often conduct reconnaissance for weeks or months before deploying the payload — ensuring they've mapped the network, located the backups, and timed the attack for maximum impact.
Reactive vs. Proactive: The Model That Determines Your Recovery Time
Most manufacturers operate on a reactive IT model: systems run, something breaks, someone calls IT. That model has always had gaps — but with ransomware, the gap is catastrophic. By the time the on-call IT contact is reached at 9 AM on a holiday Monday, the encryption has been running for 36 hours.
A proactive model means your systems are monitored continuously — including Friday nights, holidays, and long weekends. Behavioral monitoring tools detect unusual activity: unexpected file encryption, lateral movement across network segments, unusual authentication attempts. When the system flags that behavior at 2 AM Saturday, an automated response or an on-call alert can contain the attack before it completes.
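To make the behavioral monitoring described above concrete, here is an added example (not code from the original page or from any monitoring vendor) of two sliding-window detectors run over a constructed event log: a burst of file renames that change the extension on one host, and one account authenticating to many distinct hosts in a short window. Alerts that fire off-hours are escalated, since that is exactly when nobody is watching. The log format, host and account names, thresholds and the events themselves are all assumptions made for illustration.

```python
"""Behavioral ransomware indicators over a constructed event log.

Added example, not code from the original page or from any vendor tool:
two sliding-window detectors of the kind a behavioral monitoring platform
runs continuously. The log format, field names, thresholds, host names and
the events themselves are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _make_sample_log():
    """Constructed log lines: '<ISO timestamp> <host> <user> <action> <detail>'."""
    lines = []
    friday = datetime(2025, 5, 23, 15, 10, 0)   # Friday afternoon before a long weekend
    saturday = datetime(2025, 5, 24, 2, 0, 0)   # Saturday 02:00, nobody watching
    # Benign: an engineer saves a handful of drawings, minutes apart.
    for i in range(5):
        t = friday + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} ENG-03 jdoe rename part{i}.tmp->part{i}.dwg")
    # Malicious: 120 files on the ERP file server renamed to .locked in 40 seconds.
    for i in range(120):
        t = saturday + timedelta(seconds=i // 3)
        lines.append(f"{t.isoformat()} FS-01 svc-erp rename order{i}.pdf->order{i}.pdf.locked")
    # Malicious: one account logs on to 12 different OT-side hosts in under two minutes.
    for i in range(12):
        t = saturday + timedelta(seconds=7 * i)
        lines.append(f"{t.isoformat()} WS-17 svc-backup logon target=HMI-{i:02d}")
    return lines


SAMPLE_LOG = _make_sample_log()


def parse_event(line):
    ts, host, user, action, detail = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "action": action, "detail": detail}


def is_off_hours(ts):
    """Weekend, or outside 06:00-18:00 on a weekday: staffing is lowest then."""
    return ts.weekday() >= 5 or not 6 <= ts.hour < 18


def sliding_window_bursts(items, window_seconds, threshold):
    """Generic burst detector. items: (ts, key, value) triples. For each key,
    fire once, the first time `threshold` distinct values fall inside a window
    of `window_seconds`. Returns {key: (first_alert_ts, values_in_window)}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, key, value in sorted(items, key=lambda x: x[0]):
        if key in alerts:
            continue
        dq = recent[key]
        dq.append((ts, value))
        while ts - dq[0][0] > timedelta(seconds=window_seconds):
            dq.popleft()
        if len({v for _, v in dq}) >= threshold:
            alerts[key] = (ts, len(dq))
    return alerts


def detect_mass_rename(events, window_seconds=60, threshold=50):
    """Per host: many renames that change the file extension in a short window
    (order.pdf -> order.pdf.locked is the classic encryption signature)."""
    items = []
    for e in events:
        if e["action"] != "rename":
            continue
        old, new = e["detail"].split("->", 1)
        if old.rsplit(".", 1)[-1] != new.rsplit(".", 1)[-1]:
            items.append((e["ts"], e["host"], new))
    return sliding_window_bursts(items, window_seconds, threshold)


def detect_lateral_movement(events, window_seconds=300, threshold=10):
    """Per account: logons to many distinct hosts in a short window."""
    items = [(e["ts"], e["user"], e["detail"].split("=", 1)[1])
             for e in events if e["action"] == "logon"]
    return sliding_window_bursts(items, window_seconds, threshold)


def run_detections(lines):
    """Returns alert dicts; anything fired off-hours is escalated to critical
    because no one is in the building to notice it otherwise."""
    events = [parse_event(line) for line in lines]
    alerts = []
    for rule, found in (("mass_rename", detect_mass_rename(events)),
                        ("lateral_movement", detect_lateral_movement(events))):
        for subject, (ts, count) in found.items():
            alerts.append({"rule": rule, "subject": subject, "ts": ts.isoformat(),
                           "count": count,
                           "severity": "critical" if is_off_hours(ts) else "high"})
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

Running it produces two critical alerts, one for FS-01 at the 50th rename and one for svc-backup at the 10th distinct host, while the engineer's handful of saves on ENG-03 never crosses the threshold. The thresholds are deliberately generous; in production they are tuned per host class, and the response to a critical alert (isolate the host, disable the account) is automated rather than waiting for a phone call.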
This is the core value proposition of managed IT for manufacturing: your production systems are protected 24/7, not just during business hours.
Specific Controls That Reduce Ransomware Risk in Manufacturing
Immutable, Tested Backups of Production Data
Backups of your ERP data, CAD files, and production documentation should be kept in immutable storage: write-once copies with a retention lock, so that ransomware cannot encrypt or delete them even when the attacker holds your backup administrator's credentials. Keep at least one copy offsite or in a separate cloud account that the production domain cannot reach with its own credentials, and test restores on a schedule to confirm that the data comes back intact and within your recovery time objective. A backup that has never been restored is a backup you cannot count on.
Network Segmentation Between IT and OT
One of the most effective controls for manufacturers is network segmentation that separates your IT environment (ERP, email, file servers) from your OT environment (SCADA, PLCs, production equipment). Segmentation limits the blast radius of a ransomware attack: if the IT network is compromised, a firewall between the zones keeps the attack from reaching production equipment, and vice versa. Two caveats apply. Segmentation only counts if the boundary denies everything by default and allows only the specific flows operations needs (the historian pushing data to a reporting database, an engineering jump host reaching the PLCs), because those exceptions are exactly the paths an attacker looks for. And the boundary is only as strong as its weakest bypass: a vendor remote-access tool, a dual-homed engineering workstation, or a wireless link that reaches both networks undoes the firewall.
Endpoint Detection and Response (EDR) on All Systems
Signature-based antivirus routinely misses new ransomware builds, and by the time a signature exists the encryption is done. EDR tools monitor system behavior instead, flagging and responding to mass file encryption, unusual process execution, and lateral movement in real time, and they can isolate an affected host from the network automatically. EDR should be deployed on every workstation and server. Most PLCs and legacy HMIs cannot run an agent, so cover the OT side with passive network monitoring at the IT/OT boundary rather than by installing software on the controllers.
Documented Incident Response Plan
Know before the attack happens: Who gets called? In what order? Who has authority to take systems offline to contain spread? Who handles customer and supplier communication? Who manages the SCADA systems if production equipment is affected? A documented incident response plan means your team executes a rehearsed procedure instead of improvising under pressure at 3 AM on a holiday.
Frequently Asked Questions
Q: Our production environment uses legacy SCADA systems that can't be easily updated. Does that increase our ransomware risk?
Yes, significantly. Legacy OT systems often cannot run modern security tools, cannot be patched regularly, and were not designed with network security in mind. Network segmentation is the most practical control for these environments — isolate the OT network from the IT network so that a ransomware compromise in one does not automatically propagate to the other. An IT provider with OT/IT convergence experience can help design appropriate segmentation.
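The segmentation recommended in the controls section and in this answer comes down to one rule: deny everything across the IT/OT boundary by default and allowlist the few flows operations actually needs. The following added example (not code from the original page or from any firewall vendor) models that policy and evaluates it over constructed flows, including the ones a ransomware operator on the IT side would try. It needs nothing installed on the legacy SCADA hosts, which is why it is the practical control for them. Zone address ranges, host addresses, ports and the sample flows are assumptions chosen for illustration.

```python
"""Deny-by-default IT/OT segmentation policy, evaluated over constructed flows.

Added example, not code from the original page or from any firewall vendor:
a small model of the allowlist a boundary firewall between the IT and OT
zones should enforce. Zone address ranges, hosts, ports and the sample flows
are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),       # ERP, email, file servers
    "OT": ipaddress.ip_network("192.168.100.0/24"),   # PLCs, HMIs, SCADA servers
}


@dataclass(frozen=True)
class Rule:
    src: str      # initiating host or CIDR
    dst: str
    proto: str
    port: int
    why: str      # every exception is documented and owned


# Explicit exceptions across the IT/OT boundary. Everything else is denied.
ALLOWLIST = [
    Rule("192.168.100.10/32", "10.10.5.20/32", "tcp", 1433,
         "historian pushes process data to the IT reporting DB (OT initiates)"),
    Rule("10.10.8.5/32", "192.168.100.0/24", "tcp", 502,
         "engineering jump host to PLCs, Modbus/TCP, MFA enforced on the jump host"),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src, dst, proto, port):
    """Returns (verdict, reason). Intra-zone traffic is not this firewall's job
    and is passed through; cross-zone traffic must match an allowlist entry."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "address outside any known zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone} traffic (segment further inside the zone)"
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in ALLOWLIST:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and port == r.port):
            return "allow", r.why
    return "deny", f"no allowlist entry for {src_zone}->{dst_zone} {proto}/{port}"


# Constructed flows: what an attacker on the IT side would try, what a
# compromised OT host would try, and what legitimate operations need.
SAMPLE_FLOWS = [
    ("10.10.20.33", "192.168.100.15", "tcp", 445),   # IT workstation -> PLC, SMB (attacker)
    ("10.10.20.33", "192.168.100.15", "tcp", 502),   # IT workstation -> PLC, Modbus (attacker)
    ("10.10.8.5", "192.168.100.15", "tcp", 502),     # engineering jump host -> PLC
    ("192.168.100.10", "10.10.5.20", "tcp", 1433),   # historian -> IT database
    ("192.168.100.15", "10.10.5.40", "tcp", 445),    # OT host -> IT file server (the "vice versa" case)
    ("10.10.5.40", "10.10.20.33", "tcp", 445),       # IT file server -> IT workstation, same zone
]


def evaluate_all(flows=SAMPLE_FLOWS):
    return [(f, *evaluate(*f)) for f in flows]


if __name__ == "__main__":
    for flow, verdict, why in evaluate_all():
        print(f"{verdict:5} {flow[0]:>16} -> {flow[1]:<16} {flow[2]}/{flow[3]:<5} {why}")
```

The rules are written by initiator: the historian opens the connection toward IT, the jump host opens it toward the PLCs, and a stateful firewall carries the replies without needing a reverse rule. Note what is absent: no rule lets an ordinary IT workstation reach an OT address on any port, and no OT host may open SMB toward the IT file servers, which is how an attack jumps in either direction.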
Q: We back up our ERP data nightly to a local server. Is that sufficient?
Local backup provides a foundation but has a critical weakness: ransomware operators routinely locate and destroy backups before deploying the payload. If your backup server sits on the same network as your ERP and is joined to the same domain, the credentials that let the attacker encrypt your file server also let them delete or encrypt the backups. Best practice is an offsite or cloud copy in immutable storage (write-once with a retention lock, so the ransomware cannot delete or overwrite backup files), held under separate credentials, combined with regular restore testing.
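Both the backup control above and this answer end on restore testing, so here is an added example (not code from the original page or from any backup product) of a restore drill: a SHA-256 manifest is written when the backup is taken and kept with the immutable copy, and the drill restores the set to a scratch location, re-hashes every file, compares against the manifest, and reports whether the restore finished inside the recovery time objective. It also runs the drill a second time after overwriting one backed-up file the way ransomware reaching a writable backup share would, to show the check catching it. Directory layout, file names, the RTO value and the sample ERP export files are assumptions created in a temporary directory.

```python
"""Backup restore drill with integrity verification and an RTO check.

Added example, not code from the original page or from any backup product.
Directory layout, file names, the RTO value and the sample ERP export files
are assumptions created in a temp directory.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST = "MANIFEST.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir):
    """Record a hash for every file in the backup set. Keep this manifest with
    the immutable copy so an attacker cannot rewrite both data and hashes."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            if name == MANIFEST:
                continue
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    with open(os.path.join(backup_dir, MANIFEST), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def restore_drill(backup_dir, restore_dir, rto_seconds):
    """Restore backup_dir into restore_dir and verify it. Returns a report dict;
    'ok' is True only when every file is present, unmodified, and the restore
    finished within rto_seconds."""
    start = time.monotonic()
    with open(os.path.join(backup_dir, MANIFEST)) as f:
        expected = json.load(f)
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    missing, corrupted = [], []
    for rel, digest in expected.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif sha256_file(path) != digest:
            corrupted.append(rel)
    elapsed = time.monotonic() - start
    return {"ok": not missing and not corrupted and elapsed <= rto_seconds,
            "files_checked": len(expected), "missing": missing,
            "corrupted": corrupted, "elapsed_seconds": round(elapsed, 3),
            "rto_seconds": rto_seconds}


def make_sample_backup(backup_dir):
    """Constructed stand-in for a nightly ERP export: a few small CSV files."""
    os.makedirs(os.path.join(backup_dir, "erp"), exist_ok=True)
    for i in range(3):
        with open(os.path.join(backup_dir, "erp", f"orders_{i}.csv"), "w") as f:
            f.write(f"order_id,qty\n{1000 + i},{5 * i}\n")
    return write_manifest(backup_dir)


def simulate_encryption(backup_dir, rel):
    """Overwrite one backed-up file, as ransomware reaching a writable backup
    share would. The drill must flag it."""
    with open(os.path.join(backup_dir, rel), "wb") as f:
        f.write(b"\x00ENCRYPTED\x00")


def demo():
    """Clean drill, then a drill against a backup that ransomware has touched."""
    work = tempfile.mkdtemp(prefix="restore-drill-")
    backup = os.path.join(work, "backup")
    make_sample_backup(backup)
    clean = restore_drill(backup, os.path.join(work, "restore1"), rto_seconds=60)
    simulate_encryption(backup, os.path.join("erp", "orders_1.csv"))
    tampered = restore_drill(backup, os.path.join(work, "restore2"), rto_seconds=60)
    shutil.rmtree(work, ignore_errors=True)
    return clean, tampered


if __name__ == "__main__":
    for report in demo():
        print(json.dumps(report, indent=2))
```

The first report comes back with ok set to true and three files checked; the second lists erp/orders_1.csv under corrupted and fails. In a real drill the copy step is the product's own restore job and the RTO is measured in hours, but the shape is the same: a restore that is not hashed against a manifest written at backup time only proves that something came back, not that it is the data you need.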
Q: How do we justify the cost of 24/7 monitoring to leadership?
Frame it as downtime insurance. Calculate your hourly production output value and multiply by a realistic recovery timeline for an unplanned ransomware event — typically 48 to 336 hours (2 to 14 days) for unprepared organizations. Compare that number to the annual cost of managed security monitoring. For most manufacturers, the math is straightforward. Uptime is non-negotiable, and 24/7 monitoring is the mechanism that protects it.
Don't Let a Long Weekend Become Your Worst Week of the Year
We work with Salt Lake City manufacturers to protect production systems and reduce operational downtime. If you want to assess your ransomware exposure, review your backup and recovery posture, or put 24/7 monitoring in place before the next holiday weekend, let's talk.