The defense industrial base's cyber threat surface used to be cleanly separable. The information technology side — laptops, email, ERP, design files — was where most attacks landed. The operational technology side — programmable logic controllers, CNC machines, robotic cells — was largely air-gapped and largely ignored. That separation is gone. In 2025 and 2026, ransomware actors, state-affiliated APTs, and opportunistic criminal groups have all begun routinely pivoting from IT to OT, with consequences that no longer stop at the data exfiltration boundary. A 2026 incident at a Tier-2 turbine supplier in the southeast United States — disclosed in March via a CISA Joint Cybersecurity Advisory — halted shipments to two major engine primes for nearly three weeks and exposed how thin the OT defensive posture had become across the supplier base.
Cyber-physical convergence is no longer a futurist phrase. It is the operating condition of the defense industrial base, and the regulatory and operational responses are still catching up.
What Changed: From IT to OT
Three structural changes have driven the IT-to-OT pivot.
1. Industry 4.0 Connectivity
Manufacturers connected their PLCs, robotic cells, and shop-floor MES systems to corporate networks to enable predictive maintenance, real-time analytics, and remote troubleshooting. The business case is real. The security implications were under-managed. A Mandiant report in 2024 documented a 30% increase in OT-touching incidents in the defense industrial base alone (Mandiant M-Trends, 2024).
2. Vendor Remote Access
Most CNC, robotics, and PLC vendors offer remote access for diagnostics. These connections — VPNs, Teamviewer-like sessions, vendor-managed cellular gateways — represent persistent third-party access into OT environments. CISA has repeatedly highlighted vendor remote access as a top-five OT attack vector (CISA Industrial Control Systems, 2025).
3. The Tier-2/Tier-3 Investment Gap
Cybersecurity investment in the defense industrial base scales with revenue and contract size. Tier-1 primes have CISOs, SOCs, and OT-specific monitoring. Tier-2 and Tier-3 suppliers — often family-owned or PE-owned mid-market manufacturers — frequently have neither. The 2024 NDIA cyber readiness survey found that 41% of Tier-2/Tier-3 DIB suppliers did not have OT-specific cybersecurity controls in place (NDIA, 2024).
The March 2026 Turbine Supplier Incident
The CISA Joint Advisory issued in March 2026 — co-signed by the FBI and NSA — described an incident in which an APT actor exploited an internet-facing vendor remote access connection to pivot from a Tier-2 supplier's IT network into its OT environment. The attacker manipulated CNC controller setpoints, causing dimensional drift in machined parts that propagated through quality control until pattern-matched against acceptance data. Shipments were halted, the supplier recalled three months of production, and two engine primes incurred multi-week delivery delays (CISA Joint Advisory, 2026).
The incident is significant not because it was sophisticated — it was not — but because it illustrated how cheap and how disruptive an OT-touching attack on a single Tier-2 supplier can be.
Where CMMC 2.0 Helps and Where It Doesn't
CMMC 2.0, with Level 2 assessments now required across most CUI-handling DIB suppliers, has substantially raised the IT cybersecurity floor across the base. NIST SP 800-171 controls — the foundation of CMMC Level 2 — cover access control, configuration management, incident response, and protective measures that, when implemented, materially reduce attack surfaces (CMMC PMO, 2025).
CMMC 2.0 is not, however, an OT cybersecurity framework. Its controls assume an IT context: laptops, file servers, email. The OT-specific controls in NIST SP 800-82 — segmentation, dedicated industrial firewalls, OT-specific logging — are not part of CMMC Level 2. The result is a defense industrial base that is meaningfully harder to attack at the IT layer but still soft at the OT layer.
Segmentation Reality vs. Theory
Network segmentation is widely cited as the OT defense playbook. In practice, segmentation is harder than its proponents acknowledge. Legacy PLCs do not tolerate the latency of modern firewalls. Vendor remote access requires bidirectional paths through the segmentation boundary. Engineering workstations need to write code to PLCs and pull data into IT-side analytics. The 'industrial DMZ' architecture — described in ISA/IEC 62443 — provides a defensible target state, but reaching it is a multi-year, capital-intensive project that most mid-market manufacturers cannot finance from a single quarter's cash flow (NIST SP 800-82r3, 2023).
What DIB Suppliers Should Do Now
Inventory OT assets as ruthlessly as IT assets: you cannot defend what you cannot see. A surprising number of Tier-2 and Tier-3 manufacturers have no current OT asset inventory. Dragos, Claroty, and Nozomi all offer scoped baselines.
Disconnect or gate vendor remote access: vendor-managed cellular gateways and persistent VPNs are the single highest-value target for attackers. Move to just-in-time, monitored access only.
Adopt OT-specific monitoring: endpoint detection on a Windows engineering workstation does not detect a malicious PLC ladder logic edit. OT-specific monitoring is a different product category, not an EDR feature.
Pre-fund segmentation pragmatically: the ideal-state industrial DMZ is multi-year. Most suppliers can dramatically improve posture in 90 days with east-west firewalls between cell controllers and shop-floor LANs.
Treat CMMC 2.0 as a floor, not a ceiling: compliance with NIST 800-171 will reduce the IT attack surface meaningfully. It will not prevent the next OT-touching incident. Defense primes are increasingly contractually requiring OT-specific controls in Tier-2 flowdown.
Cyber Insurance and the Risk Transfer Problem
Cyber insurance has become a material operational consideration for defense suppliers. Premiums have risen sharply since 2022, with OT-touching coverage often carrying explicit exclusions for state-affiliated actors. Tier-2 and Tier-3 DIB suppliers are increasingly finding that the cyber insurance they relied on to underwrite ransomware and incident response no longer covers the threat scenarios they actually face. The Federal Insurance Office's 2024 report on cyber insurance gaps in critical infrastructure highlighted defense industrial base suppliers as a notable underwriting concern (U.S. Department of the Treasury, 2024).
The implication is that risk transfer through insurance — a standard part of any Tier-2 manufacturer's financial planning — is no longer fully available for the threats that matter most. Self-insurance, captive structures, and federally backstopped pools are all being explored, but none is yet a fully operational alternative.
Dual-Use OT and Supply Chain Provenance
A separate concern is the increasing dual-use nature of the OT supply chain itself. Programmable logic controllers from Siemens, Rockwell, ABB, and Schneider Electric serve both commercial manufacturing and critical defense supplier operations. Firmware updates that ship globally also ship to defense facilities. The compromise of an OT vendor — as occurred in the 2023 ABB ransomware incident — creates downstream exposure across customers regardless of sector.
CISA's Hardware Bill of Materials initiatives and the broader push for SBOM/HBOM transparency are beginning to address provenance, but adoption remains uneven. The Defense Industrial Base Cybersecurity Strategy published in 2024 explicitly called for HBOM transparency as a tier-down contractual requirement, but the pace of supplier adoption depends on how quickly primes flow that requirement down to Tier-2 and Tier-3 (Office of the DoD CIO, 2024).
The Ransomware-as-a-Service Industry
The 2025–2026 ransomware threat landscape is meaningfully different from the 2021 environment. Ransomware-as-a-Service operators have professionalized affiliate programs, developed industry-specific playbooks, and increasingly target Tier-2 manufacturing suppliers whose insurance posture and operational continuity demands generate predictable ransom payments. Recent FBI and CISA Joint Cybersecurity Advisories have documented multiple ransomware groups specifically targeting U.S. defense industrial base suppliers (FBI Internet Crime Complaint Center, 2025).
The economics of ransomware against mid-market manufacturers are favorable for the attackers. Production loss costs typically exceed ransom demands by a wide margin, creating predictable payment incentives. The defensive response — better backups, segmentation, incident response, and tabletop exercises — is well known but inconsistently implemented across the supplier base. CMMC 2.0 helps; it does not solve.
When Cyber Becomes Kinetic
The defense industrial base has reached the moment where a cyber incident at a single Tier-2 supplier can pause an engine line, slip a missile delivery, or compromise a flight-test schedule. The convergence of IT and OT is not a future risk. It is the operating condition of the present. The CMMC 2.0 baseline has done meaningful work to harden the IT surface. The next two years will be defined by whether the same industrial energy is brought to bear on the OT surface — by DCSA, by CISA, by the primes that flow contract requirements down, and most of all by the Tier-2 and Tier-3 suppliers whose CNC controllers and PLCs now sit on the front line of a contest that did not exist when the equipment was installed. The factory floor is now a cyber target. The defense of it has only just begun.


