OT systems in particular have been in use in German production halls for a very long time. This makes them vulnerable to cyberattacks, even if they are kept operational through updates, backups and external checks. A new survey by Sophos shows that in almost half of all 211 companies surveyed, the critical systems have already been in use for five to ten years.
The control systems in German production halls are real long-distance runners. In just under half of all 211 companies surveyed (48.8%), the critical systems have already been in use for five to ten years. In companies with 250 to 999 employees, the figure is even slightly more than half. At 11.4% of those surveyed, the systems are even older: over ten years. Their mechanical reliability is a quality feature, but a growing problem from a cyber security perspective.
"Production systems are robustly built and often run reliably for decades. However, this longevity also harbours risks in times of growing cyber threats," explains Michael Veit, security expert at Sophos. "What was once designed as an isolated system is now often networked and therefore vulnerable to attack."
The smallest software changes can throw production out of balance
Most companies actively maintain their systems. 82.5% carry out regular updates to close vulnerabilities and keep the systems running. Only a vanishingly small proportion of 0.5% do without this completely.
However, this important routine is not without side effects: for more than three quarters of respondents, software or security updates have led to unplanned production downtime in the last three years. One in four companies (24.6%) even experienced multiple shutdowns, while a further 52.6% confirmed at least occasional interruptions. The reason: in production, many systems interlock with millimetre precision. Even small software changes can lead to interfaces no longer functioning smoothly, processes stalling or machines coming to a temporary standstill.
This highlights a central dilemma: measures to increase security can jeopardise availability.
The top strategies against cyberattacks and technical failures
Companies use various strategies to arm themselves against cyberattacks and technical failures. They most frequently resort to professional vulnerability analyses and penetration tests by external security experts - 54% use these services regularly. In second place are special backup strategies for production systems (51.2%). Unlike office IT, this is not just about data, but also about system configurations and machine parameters.
Targeted employee training follows in third place (46.4%); an important component, as many incidents are caused by human error, be it an insecure USB stick or a carelessly opened email attachment. In addition, 38.9% of companies rely on security centres (SOC/SIEM) that continuously monitor system activities and raise the alarm in the event of irregularities. 37% have segmented their networks so that critical production areas are separated from the rest of the company network. This prevents attackers from accessing production from the company network.
External support also plays an important role: 37.9% of companies are supported by specialised service providers in protecting their systems. Almost a third also regularly rehearse emergencies with emergency drills.
Modernisation of OT systems remains unavoidable
Many companies have now recognised a weak point that was often overlooked in the past: their partners in the supply chain. More than half of those surveyed (57.3%) have now formulated contractual cyber security requirements for suppliers, and a third have done so at least partially. 8.5% are planning corresponding agreements.
Almost two thirds (64.9%) of companies follow the principle of "contracts are good, controls are better". They regularly check the IT security of their suppliers, and a further 19.4% at least occasionally. However, 12.3% do not carry out such checks at all - thus opening the door to potential attackers.
"In the long term, there is no way around modernising the production landscape," emphasises Michael Veit. "It is crucial that companies are aware of the current technical status and consistently implement security routines. Those who plan ahead and modernise step by step can secure their production against modern threats in the long term without sacrificing the stability that defines German production quality."
Sophos recommends five measures for more cyber security in production:
- Regular updates: They close security gaps and are an essential building block, even if they can sometimes cause disruption.
- Establish a backup strategy: Regularly back up production data and machine parameters - preferably separately from the production network.
- Train employees: Many attacks start with people. Training sensitises employees to the most important sources of danger.
- Check the supply chain: Suppliers are part of your own security network. Contracts and regular checks create reliability.
- Interlink IT and production: Security can only be achieved together. Regular coordination helps to recognise risks at an early stage.
The survey was conducted in July and August 2025 by techconsult on behalf of Sophos. A total of 211 production companies in Germany were surveyed.