Manufacturing Incident Cost: OT Downtime, Ransomware, and the NotPetya Legacy in 2026
Manufacturing incident cost is the most under-reported of any industry because the dominant exposure is operational rather than data-related. The IBM CODB 2025 industrial-sector mean of $5.56M counts breach math; it does not count production-line downtime, supply-chain disruption, expedited freight, customer make-whole, or the long-tail capital cost of OT (operational technology) hardening. A serious OT-impacting ransomware incident at a mid-size manufacturer typically costs $20M-$200M when the full operational stack is included, and the cleanest public benchmarks (Norsk Hydro $80M, Clorox $356M sales impact, Maersk $200-$300M direct from NotPetya) make clear that the operational layer is the driver.
OT/IT Convergence: Why Manufacturing Is Different
Modern manufacturing runs on the convergence of information-technology systems (ERP, MES, supply-chain planning) and operational-technology systems (PLCs, SCADA, HMI, robotic controllers, batch-process management). The convergence has produced enormous productivity gains and a correspondingly enormous attack surface. A ransomware operator that lands in the IT estate can frequently traverse to the OT estate via flat networks, dual-homed engineering workstations, vendor remote-access channels, or shared credentials.
When ransomware reaches OT, the manufacturer faces a binary choice familiar to healthcare ransomware victims: pay the ransom and accept the residual risk, or shut production lines down for the duration of recovery. Recovery time for a manufacturer with no OT-specific backups, no tested OT recovery runbook, and shared IT/OT credentials is measured in weeks, not days. After its 2019 incident, Norsk Hydro published a transparent post-incident accounting: full recovery took months and cost approximately $80M.
The cost-of-segmentation arithmetic. An IEC 62443 zones-and-conduits architecture (the canonical OT segmentation reference) typically costs $500K-$5M to implement at a mid-size manufacturer and $200K-$1M annually to maintain. The expected loss-given-incident at the same manufacturer without segmentation is $20M-$200M with high incident probability (industry mean roughly 30% over a 5-year window). The expected-value math favours segmentation by a factor of 5-50x.
Per-Line, Per-Hour Downtime Cost by Manufacturing Type
Per-hour production downtime cost is the central operating metric for manufacturing incident planning. It varies by three orders of magnitude across sub-sectors and is the input to the loss-given-incident calculation. The figures below triangulate disclosed incident data, vendor benchmarking studies, and per-shift contribution-margin estimates from public 10-K filings.
| Manufacturing Type | Per-Hour Downtime Cost | Triangulation Notes |
|---|---|---|
| Auto OEM (finished vehicle assembly) | $1.3M-$2M per line | ~60 vehicles/hr at $30K-$45K contribution margin per vehicle |
| Semiconductor fab | $1M-$3M per fab | 300mm fab leading-edge node; downtime triggers WIP loss |
| Pharma batch (sterile injectable) | $200K-$1M per line | Batch loss + revalidation; aseptic line recovery is multi-day |
| Refinery (petroleum) | $500K-$2M per unit | Per CDU; throughput × crack spread loss |
| Discrete electronics assembly | $50K-$500K per line | Line throughput × unit margin; varies with product mix |
| CPG packaging | $30K-$300K per line | Volume × contribution margin per case |
| Steel mill (continuous casting) | $300K-$1.5M per caster | Restart cost dominates; cold-start can be $5M+ one-time |
| Food processing (meat) | $100K-$500K per plant | Per JBS 2021 disclosed shift-loss math |
Ranges based on public 10-K segment disclosures, IEA refining margins, and vendor downtime-cost benchmarking studies. Specific facility figures vary substantially.
The NotPetya Legacy
NotPetya in June 2017 remains the single most expensive cyber-incident in recorded history, and most of the disclosed cost landed on manufacturers, shippers, and pharmaceutical firms rather than tech or finance. The malware was attributed by the US, UK, and EU to Russian state actors targeting Ukraine; collateral damage to non-Ukrainian organisations was disproportionately industrial.
| Organisation | Disclosed Cost | Notes |
|---|---|---|
| Maersk (shipping) | $200-$300M direct | Plus $1.5B+ in subsequent IT replacement; full Active Directory rebuild from one surviving Ghana DC |
| Merck (pharma) | $1.4B+ resolved | Eight-year insurance dispute; ACE / Chubb lost the war-exclusion case on appeal |
| FedEx (TNT Express) | $300M+ | Disclosed in Q1 FY18 results; permanent loss of TNT package volume |
| Mondelez (CPG) | ~$100M direct | Settled 2022 with Zurich after multi-year war-exclusion litigation |
| Saint-Gobain (construction) | €250M+ Q1-Q2 sales impact | Q2 2017 sales drop of approximately €220M |
| Total worldwide (estimate) | $10B+ | Per White House Council of Economic Advisers and various reinsurer estimates |
The legal legacy is as important as the financial damage. The Merck v. ACE/Chubb case (resolved in 2022 in Merck's favour at the New Jersey Superior Court Appellate Division, settled before further appeal) and the Mondelez v. Zurich case (settled 2022) together established that the standard 'hostile or warlike action' exclusion in cyber insurance does not apply to NotPetya-style nation-state collateral damage. Insurers responded with explicit cyber-war exclusion language (Lloyd's mandated exclusions effective April 2023). Manufacturers buying cyber coverage in 2026 should expect explicit war-exclusion language and should negotiate carve-backs for collateral-damage scenarios.
The Critical-Infrastructure Benchmarks
Three 2021-2023 incidents reset baseline expectations on the cost and externality of OT-impacting cyber-attacks: Colonial Pipeline (May 2021), JBS USA (May 2021), and Clorox (August 2023). Each is publicly documented and serves as a cleaner-than-average benchmark.
| Incident | Year | Direct Cost | Operational Impact |
|---|---|---|---|
| Colonial Pipeline | May 2021 | $30M+ (incl $4.4M ransom) | 6-day shutdown; declared national emergency; fuel shortages US Southeast |
| JBS USA | May 2021 | $30-$50M+ (incl $11M ransom) | Multi-day production halt at major US beef plants |
| Clorox | August 2023 | $49M direct + $356M sales impact | Q1 FY24 net sales down 20%; multi-quarter recovery |
| Toyota (Kojima Industries) | Feb 2022 | undisclosed direct | 14 plants down 1 day; ~13,000 vehicles lost; supplier compromise |
| Norsk Hydro (LockerGoga) | Mar 2019 | $80M+ | Most transparent OT-incident disclosure on record; refused to pay ransom |
Sources: CISA incident summaries, public 10-K and 10-Q filings, official press statements.
Cyber Insurance Market for Manufacturers
Cyber insurance for manufacturers in 2026 is meaningfully harder to place than in 2020, particularly for organisations with significant OT exposure. Underwriters now require detailed OT-specific control attestations: network segmentation, no flat IT/OT networks, no shared credentials, MFA on all remote access including vendor access, tested recovery procedures with last-test date, and OT-aware EDR or specialised monitoring. Premium-per-million-of-coverage at mid-size manufacturers has roughly doubled since 2019, and per-event sublimits for ransomware are now standard rather than optional.
The Lloyd's-mandated war-exclusion language effective April 2023 has produced active negotiation around carve-backs. Manufacturers with potential collateral-damage exposure (those operating in conflict zones or with supply chains reaching into them, or with significant Eastern European exposure) are negotiating named-event carve-backs that cost 15-50% of base premium. The arithmetic is straightforward: the marginal premium is small relative to the catastrophic scenario.