Articles, assessments, events, vulnerability notices, and legislative updates for manufacturers. From STACK's team and the organizations we follow closely.
STACK is a Michigan company. We're based in Livonia, and the manufacturers we work with are our neighbors. Michigan's manufacturing sector is one of the most consequential in the country, and it's increasingly in the crosshairs of cybercriminals who understand that a production halt is more painful than a data leak.
Sponsoring the MMA Operations Conference isn't a marketing exercise for us. It's an extension of the work we already do. We show up where Michigan manufacturers are because that's where the conversations about operational resilience, compliance pressure, and emerging threats actually happen. We want to be part of those conversations before a problem arrives, not after.
STACK brings national-scale expertise in managed security and compliance to a Michigan market that deserves the same level of protection as any enterprise. This resource hub is part of that commitment.
Updated quarterly. This section reflects current threat intelligence from the FBI's Internet Crime Complaint Center (IC3), IBM X-Force, Verizon DBIR, Bitsight, and Dragos.
Manufacturing accounted for 27.7% of all cyberattacks observed by IBM X-Force in 2025, more than any other industry. Ransomware accounts for 47% of manufacturing breaches. The average total cost runs between $1.8 million and $5 million per incident.
IT and OT are converging, and that expands the attack surface. Dragos reported that 70% of ICS environments already had external connections from OEMs, IT networks, or the internet to OT, and a joint April 2026 advisory warned that Iran-affiliated actors were targeting internet-facing Rockwell Automation/Allen-Bradley PLCs across U.S. critical infrastructure. Poor segmentation makes the production floor far more reachable once OT systems are exposed to enterprise or internet-connected networks.
Business Email Compromise cost U.S. organizations over $3 billion in 2025. Attackers compromise vendor email accounts, intercept payment instructions, and redirect wire transfers. The FBI also reported more than 22,000 AI-enabled scam complaints and about $893 million in losses, showing how generative AI is amplifying phishing, invoice fraud, and BEC at scale.
STACK's gap analysis evaluates your current controls against the frameworks that matter for manufacturers, including NIST 800-171, CMMC, and your contractual obligations. You get a clear report and a practical remediation plan.
Cybersecurity requirements aren't just coming from inside the industry. Legislation, regulation, and contractual obligations are stacking up.
The regulatory environment around cybersecurity is moving faster than most manufacturers' compliance programs. CMMC is the most visible requirement for DoD contractors, but it isn't the only one. State privacy laws, federal incident reporting obligations, SEC disclosure rules, and prime contractor flow-down requirements are all creating new demands on manufacturers across the country.
The challenge isn't that any one requirement is unmanageable. It's that the requirements are multiplying simultaneously, often with overlapping but not identical scopes.
The legislative calendar reflects the most significant current and upcoming requirements. This section is updated as new rules are finalized.
CMMC moves cybersecurity from self-attestation to third-party verification. If you're in the DoD supply chain and haven't started your gap analysis, the clock is running.
Public companies must report material cybersecurity incidents on Form 8-K within four business days. The SEC launched its Cyber and Emerging Technologies Unit (CETU) in February 2025 to enforce compliance.
DoD contractors and their supply chains are required to certify cybersecurity controls. Level 2 requires all 110 NIST SP 800-171 controls and third-party assessment for most contracts involving CUI.
New CCPA regulations took effect January 1, 2026, adding cybersecurity audit requirements and expanded risk assessments. Manufacturers operating across multiple states need to map which laws apply.
CIRCIA will require covered entities to report significant cyber incidents within 72 hours and ransomware payments within 24 hours. The CISA final rulemaking is expected May 2026. Build the workflow now.
Many large primes are including cybersecurity requirements directly in subcontract agreements. These requirements arrive through contracts, not rulemaking, which means they can appear with less warning.
Articles, assessments, legislation updates, tech tips, events, and funding opportunities from STACK and the organizations we follow closely.
Explore how rapidly evolving AI and cybersecurity regulations across the U.S. and EU are increasing accountability for businesses.
Automation Alley's foreword to the Integr8 2026 playbook, examining how AI is reshaping design and production across the manufacturing sector.
Annual Verizon Data Breach Investigations Report. Breaks down data breaches by method, industry, and size, providing valuable insight into the manufacturing threat landscape.
The FBI's annual cybercrime report. In 2025, reported losses surpassed $20 billion nationally. Michigan reported $381 million in losses.
A complete reference of CMMC terms and definitions as defined by the Cyber AB for defense contractors.
The Manufacturing Extension Partnership's self-assessment tool designed for small and mid-sized manufacturers benchmarking their security posture.
CISA's framework for protecting operational technology and industrial control systems in manufacturing environments.
Led by the University of Michigan, the MDRC offers up to $75K in cost-share funds for technical assistance for Michigan manufacturers entering the DoD energy storage and battery supply chain.
A defense manufacturer achieves CMMC compliance by addressing security gaps and modernizing its IT environment. The transformation strengthens cybersecurity while supporting long-term growth and operational stability.
A growing patchwork of state- and federal-level requirements affects how manufacturers collect and handle employee and customer data.
Michigan's statewide cybersecurity strategy names advanced manufacturing and mobility as one of five priority domains.
Michigan businesses hit by ransomware, phishing, BEC, or network intrusions should contact MC3 at mc3@michigan.gov or 877-MI-CYBER. After hours: 517-241-8000.
Competitive funding from Michigan Works! to train, develop, and retain employees. Eligible training includes Industry 4.0, lean, cybersecurity awareness, and more.
Up to $100,000 in matching funds from the GEM initiative for Michigan manufacturers in mobility and transportation sectors. Requires fewer than 500 employees and 10%+ mobility revenue.
Up to $75K in cost-share technical assistance for Michigan manufacturers entering the DoD energy storage and battery supply chain.
A federally funded, reimbursable pass-through grant program aimed at improving cybersecurity posture for state and local government organizations in Michigan.
Unauthorized physical access is a cybersecurity issue. Learn how tailgating exposes your facility and your network, and what you can do about it.
Routers, firewalls, and VPN gateways past their manufacturer support date are actively exploited. A February 2026 joint advisory from CISA, FBI, and the UK's NCSC urges immediate action.
The Michigan Manufacturers Association's annual conference for operational leaders. April 23 at The Lansing Center. STACK is a top-tier sponsor.
Do you know if your company is secure against cyber threats? Do you have the right security policies, tools, and practices in place to protect your data, reputation, and productivity? If you're not sure, it's time for a cybersecurity risk assessment (CSRA). STACK Cybersecurity's CSRA will meticulously identify and evaluate vulnerabilities and risks within your IT environment. We'll assess your network, systems, applications, and devices, and provide you with a detailed report and action plan to improve your security posture. Don't wait until it's too late.