In February, Bridgeall was proud to take centre stage at a CeeD event dedicated to cybersecurity in manufacturing, held at Heriot-Watt University’s striking Robotarium building. The full-room audience, drawn from manufacturing businesses across Scotland and beyond, included some of the country’s most recognisable names: Star Refrigeration, Chivas Brothers, and Edrington were among those represented, alongside many others with a shared interest in how the sector’s growing cyber threat is changing the way industrial organisations need to think about security.

A Fitting Venue for a Timely Topic

The Robotarium is Heriot-Watt’s flagship facility for robotics and autonomous systems research, and it provided a fittingly forward-looking backdrop for a discussion about the future of industrial cybersecurity. The convergence of traditional manufacturing with modern digital technology was not just our topic, it was visible everywhere in the building around us.

Manufacturing: The Most Targeted Sector

The presentation opened with a stark reality check: manufacturing is now the most targeted sector globally for cyber attacks, a position it has held for four consecutive years. To bring this home, we led with the September 2025 ransomware attack on Jaguar Land Rover, which caused a multi-day production shutdown across multiple UK plants and an estimated £1.9 billion in losses, widely described as the most economically damaging cyber event in UK history. Crucially, the attack did not target factory equipment directly; it entered through a compromised business application and spread from there.

This point proved central to the conversation throughout the session: in manufacturing, IT security and Operational Technology (OT) security are inseparable. Legacy equipment designed decades ago for reliability, not connectivity, is increasingly being linked to modern networks to enable real-time analytics, remote monitoring, and predictive maintenance. The efficiency gains are real,  but so are the risks.

Practical Guidance from NCSC, CISA and the CAF

A key theme of the presentation was that manufacturers do not have to navigate this alone, established frameworks exist to guide them. We walked through the eight principles published jointly by the NCSC, CISA, and FBI in January 2026 for combating cyber risks in OT environments, and explored the NCSC’s Cyber Assessment Framework (CAF) v4.0, which organises effective cybersecurity around four objectives:

  • Objective A – Know your Environment
  • Objective B – Protect Proportionately
  • Objective C – Detect Early
  • Objective D – Respond and Recover

Alongside the frameworks, we discussed the practical realities that make OT security genuinely hard: patching is difficult when production lines cannot tolerate downtime; standard vulnerability scanning tools can crash industrial devices; and there is a persistent skills gap between engineers who understand the machinery and IT professionals who understand cyber threats.

Compliance as Competitive Advantage

One message that clearly resonated with the audience was the commercial case for getting security right. Cyber Essentials, Cyber Essentials Plus, and ISO 27001 are no longer just ‘nice to have’  they are increasingly mandated in public sector tenders, expected across private sector supply chains, and actively rewarded by cyber insurers through reduced premiums. With NIS2 expanding its scope to include manufacturing, and the UK developing its own equivalent, the regulatory direction of travel is clear.

A Room Ready to Act

The energy in the room was tangible. Questions ranged from how to approach legacy equipment without disrupting production, through to how smaller manufacturers can make the business case for investment to their boards. The conversation continued long after the formal presentation ended, with delegates exchanging experiences and exploring next steps.

Events like this are exactly why Bridgeall engages with industry communities such as CeeD. Cybersecurity in manufacturing is not a problem that can be solved with a single product or a single conversation, but it can absolutely be managed with the right partner, the right framework, and a willingness to start.