While everyone's counting ransomware victims and debating patch schedules, CISA quietly added manufacturing execution system vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog this week.
Specifically, DELMIA Apriso - one of the most deployed MES platforms in aerospace and automotive.
You may remember I wrote about this a few weeks ago, and was accused of speculation.
Anyway, this isn't another IT breach story. This is confirmation that adversaries have pivoted to the layer that actually controls physical production. The carefully maintained separation between IT and OT? It's been bridged - by design and by compromise.
The Layer Everyone Overlooks
Let me explain what MES/MOM systems actually do, because most executives fundamentally misunderstand their exposure. Your ERP says "make 10,000 widgets by Friday." Your PLCs control the actual machines - conveyor speeds, temperature setpoints, valve positions.
The MES sits between them, translating business orders into production sequences. It tells operators which job to run next, tracks inventory through the plant, manages quality data, coordinates material handling. Modern MES systems aren't just databases - they're the operational brain of your factory.
Here's the critical blind spot for most traditional security models: that MES has tentacles in both worlds. It pulls from ERP (IT network) and pushes to SCADA (OT network). It's dual-homed by design. Your carefully segmented networks? The MES was designed to bridge them - that's literally its job.
Most executives believe their OT is protected because their PLCs are segregated behind firewalls. What's often overlooked is that the MES has become the perfect pivot point - trusted by both networks, critical to operations, and exposed through multiple attack vectors that traditional IT/OT security models weren't designed to address.
The Pattern We Can't Ignore
Connect these dots:
- 701 manufacturing organizations hit by the Qilin ransomware group alone in 2025
- DELMIA Apriso vulnerabilities now under active exploitation
- Ribbon Communications operated with a Chinese APT inside their infrastructure for 9 months
- npm supply chain attacks specifically targeting developer workstations
- Swedish power grid operator infiltrated for months before discovery
They're not stealing credit card numbers. The evidence suggests they're mapping production dependencies. They're learning how supply chains interconnect. They're understanding which systems, when disrupted, cause maximum cascade failures.
That 9-month dwell time at Ribbon? That's not reconnaissance. That's infrastructure familiarization. When adversaries spend months inside infrastructure without taking immediate action, we must consider they're learning how targets operate normally so they know exactly how to break them when strategic objectives align.
Why MES Compromise Hits Different
When ransomware hits your IT network, you lose access to files. Annoying, expensive, but manageable. When ransomware hits your MES, you lose the ability to:
- Sequence production orders (which job runs on which line?)
- Track work-in-process inventory (where are the parts?)
- Coordinate with supply chain (what do we need when?)
- Manage quality records (is this batch good?)
- Generate work instructions (how do we build this?)
Real-world impact: Ford can't build F-150s, not because Ford itself gets hit, but because one aluminum supplier's MES gets locked and suddenly Ford has no idea which alloy batches meet specifications for door panels versus frame rails. The production line stops not from a direct attack, but from uncertainty.
The Scenario We Must Prepare For
Your incident response plan likely assumes you'll detect, contain, and recover. But consider this scenario: What if adversaries have been inside your MES for months, learning your production patterns, understanding your supply chain dependencies, and waiting for maximum impact?
The 9-month dwell time at Ribbon Communications proves this isn't a 48-hour smash-and-grab. The Swedish grid operator only discovered Everest because the attackers announced their presence. How many organizations are operating with similar compromise, unaware?
You can't afford to assume it hasn't already happened to you.
Your MES touches everything:
- It knows your supplier dependencies
- It contains your production recipes
- It manages your quality thresholds
- It coordinates your safety systems
- It schedules your maintenance windows
An adversary with months inside that system knows your operation better than your newest plant manager.
What Persistent MES Access Enables
Forget ransomware. Here's what persistent MES access gives sophisticated adversaries:
Production Manipulation - Change recipe parameters slightly. Produce 100,000 units with 5% less tensile strength. The PLCs execute perfectly. The defect won't show up until products fail in the field.
Supply Chain Cascades - Manipulate inventory data. Make the system think you have materials you don't. Orders release, production starts, then stops when materials don't exist. But you've already told suppliers to pause deliveries based on false inventory levels.
Quality Control Bypass - Modify acceptance criteria temporarily. Bad products pass inspection. Change it back. No audit trail shows the window when standards dropped. Recalled products months later, nobody knows why quality systems "failed."
Safety System Confusion - MES coordinates between safety instrumented systems and production control. Introduce latency. Create conflicting commands. Safety systems work perfectly in isolation but fail during complex operational scenarios.
Operating Under Assumption of Compromise
The prudent approach isn't asking "are we compromised?" but rather "how do we operate if we are?" Start validating:
Can production continue without MES? Not degraded. Absent. Can your operators run production with paper travelers? Do they know the sequences? Can they calculate material requirements manually?
Do operators remember how to operate? Your operators follow digital work instructions. If those screens go dark, can they build from memory? From paper prints? Do those prints even exist? Are they current?
Can you coordinate suppliers via phone? Your supply chain runs on EDI through your MES. If that stops, can you call suppliers? Do you have their phone numbers? Not their salesperson - their production scheduler. Can you transmit requirements, confirm deliveries, manage changes without any digital systems?
Have you tested MES isolation? Everyone tests backup power. Nobody tests running production with MES completely isolated. Not degraded - gone. Can your plant produce anything without it?
The Strategic Reality Check
The Department of Energy analysis I reviewed last month identified "Phase 1 intrusions detected in 70% of assessed infrastructure." That's not future tense. That's past tense. The intrusions already happened. We're discovering them now.
Your MES vendor's security updates? They're critical, but insufficient if attackers have achieved persistence. Modern adversaries don't need to exploit new vulnerabilities when they've already established themselves as legitimate users in your systems.
Every developer workstation with access to your MES represents an entry point. Every browser-based interface opens attack surface. Every integration with cloud services, remote support, or third-party analytics creates vulnerability. That digital transformation everyone celebrated? It transformed your air gap into Swiss cheese.
Your Next Move
The question isn't whether your manufacturing execution layer is compromised - it's whether you're prepared to operate under that assumption. The organizations that will maintain production aren't those with perfect security, but those with tested manual fallbacks.
Here's your action framework:
- Hunt, Don't Wait - Assume compromise. Hunt for persistence in your MES. Look for impossible logins, unusual data exports, modified recipes that were changed back.
- Test Manual Operations - This weekend, try building product without MES. You'll fail. Document why. Fix it. Test again.
- Create Physical Fallbacks - Print current recipes. Document tribal knowledge. Create paper-based production travelers. Yes, paper. Adversaries can't ransomware paper.
- Map True Dependencies - Not the architecture diagram. The actual dependencies. What breaks when MES stops? Be specific. "Building 3 Line 2 cannot determine aluminum alloy without MES query" specific.
- Establish Out-of-Band Coordination - Supplier phone trees. Customer notification procedures. Logistics coordination. All without email, EDI, or digital communication.
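One concrete hunt for the "modified recipes that were changed back" pattern above (and the temporary quality-limit change described under Quality Control Bypass): pair every edit of a recipe or acceptance parameter with a later edit that restores the original value. This is an added example, not code from the article or from any MES vendor; the audit-line format and the sample records are constructed, and `parse()` is where you would map your own MES change-history export.

```python
"""Flag 'change it, then change it back' edits to MES recipe/quality limits.

Added example, not code from the article or from any MES vendor. The audit
line format (timestamp user object field old_value new_value) is constructed;
map your MES's change-history export onto parse() before use.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a tensile-strength acceptance limit is loosened at 01:12
# and restored at 02:41 by a service account; the other edits are benign.
SAMPLE_LOG = """\
2025-11-03T01:12:04Z svc_integ SPEC-7731 min_tensile_mpa 310 295
2025-11-03T01:13:40Z j.doe     SPEC-7731 max_porosity_pct 1.5 1.5
2025-11-03T02:41:19Z svc_integ SPEC-7731 min_tensile_mpa 295 310
2025-11-04T09:05:00Z q.lee     SPEC-8102 min_tensile_mpa 400 410
"""

def parse(log):
    """Turn whitespace-separated audit lines into dicts with a real datetime."""
    records = []
    for line in log.splitlines():
        ts, user, obj, field, old, new = line.split()
        records.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        "user": user, "obj": obj, "field": field,
                        "old": old, "new": new})
    return records

def find_reverts(records, max_window=timedelta(hours=24)):
    """Pair each change away from value A with a later change back to A on the
    same object/field within max_window. Edits never reverted are ordinary work."""
    pending = defaultdict(list)  # (obj, field) -> edits awaiting a revert
    findings = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["old"] == rec["new"]:
            continue  # no-op save, not a real change
        key = (rec["obj"], rec["field"])
        for opened in pending[key]:
            if rec["new"] == opened["old"] and rec["ts"] - opened["ts"] <= max_window:
                findings.append({"obj": rec["obj"], "field": rec["field"],
                                 "users": sorted({opened["user"], rec["user"]}),
                                 "interim_value": opened["new"],
                                 "window_s": int((rec["ts"] - opened["ts"]).total_seconds())})
                pending[key].remove(opened)
                break
        else:
            pending[key].append(rec)
    return findings

if __name__ == "__main__":
    for f in find_reverts(parse(SAMPLE_LOG)):
        print(f"{f['obj']}.{f['field']} sat at {f['interim_value']} for "
              f"{f['window_s'] // 60} min (users: {', '.join(f['users'])})")
```

Every finding is a window during which product may have been accepted against a different standard, so the follow-up is to pull the lots produced between the two timestamps, not just to review the edits.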
The New Reality
In 2024, we debated IT/OT convergence strategies. In 2025, adversaries have made those debates irrelevant - they're operating across both domains while we're still discussing governance models.
Your MES is the bridge between business systems and physical production. That bridge is almost certainly being surveilled, if not already crossed. The activation window approaches.
Will you be the executive who prepared for this reality, or the one explaining why production stopped despite all your security investments?
The Swedish grid operator got lucky - their adversaries announced themselves. Ribbon Communications got lucky - they found the intrusion before damage.
But luck isn't a strategy. And CISA just confirmed the threat is active and immediate.
🌊
Author Bio
River Caudle is the founder of River Risk Partners, an industrial automation consulting firm focused on helping critical infrastructure organizations achieve Industrial Independence - operational control over their OT infrastructure. With over 20 years of experience in industrial automation and network engineering, River specializes in bridging the gap between operations reality and security requirements in high-consequence industries.