Cyber readiness · Engineering & manufacturing
Cyber readiness for engineering and manufacturing.
Manufacturing has been the most-attacked industry in the world four years running. Here is why precision-engineering and M&E SMEs are targeted, the real cases, and the marks a prime contractor will ask you to hold.
Why manufacturing is the world’s most-attacked sector.
Engineering, precision manufacturing and M&E/built-environment firms sit at the intersection of everything attackers want: high-value intellectual property (designs, drawings, proprietary processes), tight production schedules that make ransomware extortion unusually effective, ageing OT/ICS equipment that cannot easily be patched, and long supplier chains with primes (MNCs, government agencies, larger contractors) that now push cybersecurity requirements down to every subcontractor. CSA's own data names manufacturing SMEs (not just large firms) as among the most-affected by ransomware in Singapore, and IBM X-Force has independently found manufacturing to be the single most-attacked industry worldwide for four years running, with Asia-Pacific manufacturing hit even harder than the global average. Buyers have noticed: primes and MNCs increasingly require a recognised cybersecurity mark before they will even shortlist a subcontractor, turning certification-readiness from a nice-to-have into a tender qualifier.
Government-linked and MNC primes are starting to cascade cybersecurity requirements down their supply chains. CSA has stated it is assessing whether organisations handling sensitive data should be required to hold a Cyber Essentials/Cyber Trust mark before they can bid for government contracts, and larger buyers already reference the national scheme directly in vendor requirements and RFP scoring criteria. For precision engineering and M&E firms that depend on a small number of large contracts (aerospace, semiconductor, defence-adjacent, or public-sector infrastructure work), failing to hold a recognised mark can mean automatic disqualification from a tender rather than a competitive disadvantage.
Real cases, not scare stories.
Every case below was publicly reported by a named source, and the Singapore ones by the regulator itself. Checked July 2026.
- Singapore 2022
Meiji Seika (Singapore) listed by LockBit 3.0 ransomware group
Meiji Seika (Singapore) Pte Ltd, a Singapore food/confectionery manufacturer, the first overseas operation of Japan's Meiji Co., Ltd.
In late August 2022 the LockBit 3.0 ransomware group listed Meiji Seika's Singapore subsidiary on its dark-web leak site, claiming to have stolen data (discovery/listing reported around 29-31 August 2022). Meiji publicly confirmed one of its Singapore subsidiaries had been infected with ransomware, reported the incident to Singapore authorities, and continued manufacturing and sales while investigating. Public reporting confirms the listing and the compromise; it does NOT quantify the data stolen or confirm what, if anything, was encrypted.
What it cost. A confirmed ransomware compromise of a Singapore food-manufacturing subsidiary by a major ransomware-as-a-service group. Useful as a named, publicly reported example that manufacturers in Singapore are on the target list of top-tier ransomware gangs. Do NOT claim the attack was specifically aimed at stealing intellectual property. No source ties this particular incident to IP theft; that framing was the researcher's addition and has been removed.
Why it matters to you. Singapore case: directly on-market.
Source: The Tech Outlook and Tellerreport (Sep 2022); RedPacket Security LockBit 3.0 victim listing (MEIJI.COM.SG); Breachsense breach record (discovery 31 Aug 2022). Meiji's own confirmation was reported in Japanese/SG press.
- Singapore 2022
CSA: retail and manufacturing SMEs were the most-affected ransomware victims in Singapore in 2022
Singapore SMEs in the manufacturing and retail sectors (sector-level; no company named)
CSA reported 132 ransomware cases to it in 2022 (down slightly from 137 in 2021). CSA stated the cases affected mostly SMEs from sectors such as manufacturing and retail, because these firms hold valuable data and intellectual property that criminals seek to monetise, and often lack dedicated resources to counter cyber threats. This is a first-party statement from Singapore's national cyber agency.
What it cost. The single most defensible Singapore-specific, SME-specific sector statistic for this page: CSA itself names manufacturing SMEs (not just large firms) as among the most-affected ransomware victims. IMPORTANT CORRECTION: this SME-manufacturing framing is accurate ONLY for the 2022 data. In the later Singapore Cyber Landscape 2024/2025 report, CSA named MNCs and listed firms (not SMEs) as the prime manufacturing targets, and found SMEs were disproportionately hit in professional services, not manufacturing. Any 'SMEs in manufacturing per CSA' claim must be anchored to 2022, not presented as a continuing 2024 finding.
Why it matters to you. Singapore national-agency first-party data: strongest sector claim on the page.
Source: Cyber Security Agency of Singapore, Singapore Cyber Landscape 2022 / CSA ransomware reporting, as reported by Frontier Enterprise and Computer Weekly (2023).
- Singapore 2024
Singapore commodities trading firm loses US$42.3 million to a business email compromise scam
An unnamed Singapore-based commodities trading firm (supply-chain-adjacent trader, not a manufacturer)
On 15 July 2024 the firm received an email appearing to come from a genuine supplier, sent from a near-identical spoofed domain, asking that a pending payment go to a new bank account in Timor-Leste. The firm wired US$42.3 million on 19 July and discovered the fraud on 23 July when the real supplier said it had not been paid. Singapore Police, via INTERPOL's I-GRIP stop-payment mechanism and cooperation with Timor-Leste authorities, intercepted the bulk of the funds; over US$40-41 million was recovered in total and seven suspects were arrested in Timor-Leste.
What it cost. One of the largest publicly confirmed BEC recoveries tied to a Singapore firm, confirmed by INTERPOL's own press release. Illustrates how attackers exploit supplier-payment workflows common to manufacturing and trading firms with overseas supply chains. Correctly and explicitly labelled as an adjacent trading case, NOT a manufacturer: keep that label on the page.
Why it matters to you. Singapore case (adjacent sector, clearly labelled).
Source: INTERPOL press release (interpol.int, Aug 2024); The Record by Recorded Future News; The Hacker News; Infosecurity Magazine (2024).
- International 2024 data, reported in the 2025 X-Force Threat Intelligence Index
IBM X-Force: manufacturing was the most-attacked industry worldwide for a fourth consecutive year (2024 data)
Global manufacturing sector; Asia-Pacific manufacturing specifically (IBM X-Force incident-response caseload)
In the 2025 edition of IBM's X-Force Threat Intelligence Index (covering 2024 data), manufacturing was the most-attacked industry worldwide for the fourth year running, at roughly 26% of incidents X-Force responded to globally. In the Asia-Pacific region, manufacturing was the top-targeted sector at 40% of incidents, ahead of finance and insurance (16%) and transportation (11%). IBM attributes manufacturers' exposure to their low tolerance for downtime and reliance on legacy/OT systems.
What it cost. Shows manufacturing-sector risk is a structural, multi-year global and regional trend, not a Singapore-only artefact, with APAC hit harder than the global average. Must be labelled clearly as a global/regional statistic from IBM's own IR caseload, NOT a Singapore figure. Note: IBM's newer 2026 edition (2025 data) updates this to a fifth consecutive year at 27.7%, so phrase the claim as 'as of the 2025 report / 2024 data' rather than an open-ended 'currently,' or simply cite the latest edition.
Why it matters to you. Global/regional context: label as such, not Singapore-specific.
Source: IBM X-Force Threat Intelligence Index, 2025 edition (2024 data), ibm.com; APAC 40/16/11 breakdown reported via Manila Standard (2025).
- International 2024 data, reported in the 2025 Verizon DBIR
Verizon DBIR: espionage-motivated breaches in manufacturing rose sharply (to 20%)
Global manufacturing sector (Verizon DBIR incident dataset)
Verizon's 2025 Data Breach Investigations Report found espionage-motivated breaches in the manufacturing sector jumped to about 20%, up from roughly 3% the prior year, a nearly sixfold rise. Verizon's own press release confirms an 'alarming rise in espionage-motivated attacks in the Manufacturing and Healthcare sectors.' The 20%/3% figures are reported consistently across coverage of the DBIR.
What it cost. A real, named, dated statistic supporting the IP/design-theft concern relevant to precision engineering and OEM/ODM firms that hold client drawings, specs and proprietary processes. Label as a global DBIR statistic. CAUTION: the accompanying '87% of manufacturing threat actors are financially motivated' sub-figure could not be independently confirmed to a quotable public line in this fact-check: treat it as needing a direct citation to the full DBIR before publishing, or drop it and keep only the 20%/3%/sixfold espionage figures.
Why it matters to you. Global context: label as such.
Source: Verizon 2025 Data Breach Investigations Report and Verizon press release (verizon.com/about/news, Apr 2025); trade-press coverage 2025.
Ransomware can encrypt your business data and demand payment for its return. Reliable, tested backups are the most effective safeguard.
Ransomware lock up all your files, then ask you pay to get them back. Pay also might not return. Got proper backup? You just restore and carry on. No drama.
What you actually need to protect.
- Engineering drawings, CAD files, and proprietary process/manufacturing specifications (the core IP an espionage-motivated attacker or a departing employee/competitor would want)
- Client and OEM confidential data: many precision engineering and M&E firms hold client-owned designs under strict confidentiality/NDA terms that flow down from the prime contractor
- OT/ICS and production-line systems (PLCs, SCADA, CNC controllers): often older equipment that cannot be patched like standard IT and is highly sensitive to any downtime
- Finance and payment workflows: invoice and supplier bank-detail approval processes are the direct target of business email compromise scams that redirect payments
- Email accounts of staff who handle supplier correspondence and payment approvals: the entry point for BEC
- Employee and HR personal data (NRIC, payroll, medical/insurance records) subject to the PDPA regardless of company size
- Backup and recovery systems for production and design-file servers, so a ransomware encryption event does not force a ransom decision
Where to start.
Start with Cyber Essentials: it targets exactly the baseline cyber-hygiene gaps (unpatched systems, weak access control, no tested backups, phishing/BEC exposure) that CSA's own data shows are hitting manufacturing SMEs hardest, and it now includes specific OT/IT-convergence guidance (expanded April 2025) that is directly relevant to any firm running production-line or CNC equipment. Firms that supply into aerospace, semiconductor, defence-adjacent, or larger MNC/government supply chains, where a prime contractor is likely to reference the national scheme in vendor due-diligence or RFP scoring, should plan to progress to Cyber Trust for the deeper, risk-tiered assessment, since Cyber Trust's OT guidance now explicitly covers scenarios like a vendor's infected laptop compromising the OT network. Firms that also handle sizeable volumes of customer or employee personal data (e.g. larger M&E contractors with extensive HR/payroll systems) should consider Data Protection Essentials alongside Cyber Essentials, since PDPA obligations apply regardless of certification status. ISO 27001 is worth flagging as a longer-term option for firms bidding into multinational or overseas supply chains that specifically ask for it, but it is a heavier lift and not the right first step for most SMEs in this sector.
Talk it through with a consultantThe rules that apply to you
- Personal Data Protection Act (PDPA): enforced by PDPC; applies to any employee, customer, or supplier personal data an engineering/manufacturing SME holds, regardless of size
- CSA Cyber Essentials mark: baseline cyber-hygiene certification for SMEs, expanded in April 2025 to cover cloud security, AI, and operational technology (OT)
- CSA Cyber Trust mark: advanced, risk-tiered certification for larger or more digitalised organisations, including OT-specific risk-scenario guidance
- IMDA Data Protection Trustmark (DPTM) / Data Protection Essentials (DPE): data-governance certification increasingly referenced in vendor and partner due-diligence
- CSA's stated consideration of mandating cybersecurity marks as a precondition for government contract bidding for organisations handling sensitive data (policy direction flagged by CSA, not yet a hard mandate as of this writing; should be phrased as 'CSA is assessing,' not as settled law)
Questions from engineering owners
We're a small precision engineering shop with under 20 staff. Are we really a ransomware target, or is that just large manufacturers?
CSA's own data says otherwise: of the ransomware incidents reported to CSA, the organisations most affected were specifically SMEs in the manufacturing and retail sectors, not just large MNCs. Attackers often prefer smaller firms precisely because they assume (often correctly) that cyber defences are weaker, while the operational cost of downtime is still high enough to make paying a ransom look like the cheaper option.
Our production equipment (CNC machines, PLCs) is old and can't run modern security software. What can we actually do?
This is a recognised, common problem: CSA's own Cyber Essentials and Cyber Trust guidance (expanded in 2025 specifically for OT) acknowledges that operational technology has longer investment cycles than IT and may not support things like strong password controls. The recommended approach is compensating controls: network segmentation to isolate OT from IT and the internet, strict physical access restrictions, and controls on any vendor laptop or USB device that connects to the OT network, rather than trying to force modern endpoint software onto legacy equipment.
We deal mostly with drawings and specs, not customer credit card data. Does data protection law even apply to us?
Yes. The PDPA applies to the personal data you hold about employees, job applicants, and any individual contacts at customers or suppliers (names, NRIC numbers, contact details, payroll and medical records for staff, etc.); it is not limited to consumer-facing businesses. Separately, your engineering drawings and process IP are not covered by the PDPA (they're not personal data) but they are exactly the kind of asset that espionage-motivated attackers target, per Verizon's 2025 Data Breach Investigations Report finding a sharp rise in espionage-driven manufacturing breaches.
A prime contractor / MNC customer is now asking if we have a cybersecurity certification before they'll renew our contract. What's the fastest credible option?
Cyber Essentials is designed to be the fast, credible baseline answer to exactly this kind of vendor due-diligence question: it's scoped for SMEs and covers the fundamentals a buyer is usually checking for (patching, access control, backups, phishing resilience). If your customer's own requirements reference the CSA national scheme specifically, or if you're supplying into a more regulated chain (aerospace, semiconductor, government-linked infrastructure), Cyber Trust is the more thorough answer and increasingly what larger buyers expect from suppliers with real cyber risk exposure.
Get audit-ready before a client asks.
A 30-minute chat, no obligation, and a straight answer on which mark your sector actually needs first.