In August 2025, attackers exploited a vulnerability in a third-party supplier's software, moved laterally into a major automotive manufacturer's core production systems, and deployed ransomware that halted manufacturing across three countries for five weeks. The UK Cyber Monitoring Centre would later call it the most economically damaging cyber incident in British history — an estimated £1.9 billion in damage, with more than 5,000 businesses in the supply chain affected.
It wasn't a sophisticated, novel attack. It was a third-party identity with more access than it should have had, moving laterally because nothing stopped it once it was inside.
Manufacturing has been the most ransomware-targeted sector for four consecutive years, with attacks rising sharply as factory floors connect to corporate networks and the cloud. The core problem is structural: OT and IoT systems run on fragmented identity frameworks, frequently relying on weak or default credentials, with no consistent way to authenticate a device or a vendor session the way modern IT environments can. State-aligned threat actors have explicitly shifted tactics toward identity abuse, remote connectivity, and trusted third-party relationships — the seams between IT and OT — rather than attacking control networks head-on.
Whiteswan already governs this exact risk for real manufacturing operations. Rockman Industries (Hero Group) eliminated VPN dependency with a secure, time-bound, approval-based access model, gaining complete visibility into vendor and internal activity through real-time monitoring and session recording — precisely the third-party access discipline that would have changed the outcome of the incident above. MG Contractors used Whiteswan's identity discovery to find and govern every existing identity on its endpoints, significantly reducing its attack surface through more granular access control.
Endpoint agents bring command-line and on-prem infrastructure under governance — including the legacy, "uptime first" systems industrial environments are reluctant to touch but can no longer leave ungoverned. Vendor and third-party sessions are time-bound and approval-based by default, replacing the standing VPN access that turns one compromised supplier into a multi-country production halt. Every privileged session is recorded and auditable, the same discipline that gave Rockman the visibility it needed. And as manufacturers bring AI agents into predictive maintenance, quality systems, or supply chain automation, the same engine governs those agents at the protocol level — before they become the next ungoverned identity an attacker finds first.
See how one engine governs every identity in your estate.
Contact →See how Whiteswan decides, in-line, at the moment of action.
See how it works →