42 Days: How Long Ransomware Hides in Industrial Networks Before Detection
Dragos, one of the most respected firms in industrial cybersecurity, published a statistic that should be on the wall of every food plant IT and operations meeting: when ransomware hits an industrial environment, the average dwell time before detection is 42 days.
Forty-two days. Six weeks of attackers moving around in the network before anyone knows they’re there.
But organizations that actually know what’s on their production network and how it behaves contained incidents in an average of 5 days. That is not a small difference. That is the difference between a disruption you recover from in a week and one that makes the news, triggers an FDA inquiry, and costs you a major retail account.
The Gap Is Visibility, Not Technology
The organizations with 5-day containment times did not necessarily have more sophisticated tools. They had something more fundamental: they knew what was on their network and what normal looked like. That made abnormal detectable.
Most food and beverage operations I visit can tell you exactly what’s connected on the business side. Workstations, servers, printers — it’s all inventoried and monitored. But ask about the production network and things get less clear. They know the major systems — the ERP, the SCADA, the HMI workstations. But the full picture of what’s talking to what, when, and why? That’s usually a gap.
That gap is exactly where attackers spend their 42 days.
What OT Network Visibility Actually Looks Like
This is not about a fancy dashboard or a SOC with blinking lights. OT network visibility in practice means three things:
- Asset inventory: You know what every device on your production network is, who manages it, and what it’s supposed to be doing. Not just the servers and workstations — the PLCs, HMIs, sensors, cameras, and anything else that has an IP address.
- Baseline behavior: You understand what normal traffic on that network looks like. Which devices communicate with each other, on what schedule, using what protocols. This baseline is what makes anomalies visible.
- Alerting on change: When something deviates from that baseline — a new device appears, a PLC starts communicating with a server it never talked to before, an unusual volume of data leaves the network — someone gets a notification and investigates.
None of this is glamorous work. It’s documentation, network mapping, and process. But it’s the unglamorous work that turns 42-day dwell times into 5-day containments.
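Read as code, the three elements above collapse into one check over flow records: an inventory of known devices, a learned baseline of who talks to whom over which protocol, and alerts on anything outside it. The following is an added example, not code from the original post or from NBIT; the addresses, roles, protocols, baseline pairs, egress ceiling and sample flows are all constructed, and it assumes flows have already been summarised from a span port or flow collector into per-window records.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source IP
    dst: str        # destination IP
    proto: str      # application protocol as labelled by the collector
    bytes_out: int  # bytes sent src -> dst in this window


# Asset inventory (constructed): every production-network IP and its role.
INVENTORY = {
    "10.10.1.10": "plc-filler-line-1",
    "10.10.1.11": "plc-packaging",
    "10.10.1.20": "hmi-line-1",
    "10.10.1.30": "scada-server",
    "10.10.2.5": "historian",
}

# Baseline (constructed): (src, dst, proto) triples observed during a learning
# period, plus the largest per-window egress seen from any one host.
BASELINE_PAIRS = {
    ("10.10.1.20", "10.10.1.10", "modbus"),
    ("10.10.1.20", "10.10.1.11", "modbus"),
    ("10.10.1.30", "10.10.1.10", "modbus"),
    ("10.10.1.30", "10.10.1.11", "modbus"),
    ("10.10.2.5", "10.10.1.30", "opc-ua"),
}
EGRESS_BYTES_LIMIT = 5_000_000  # constructed ceiling for one window


def is_internal(ip: str) -> bool:
    """Production network is assumed to be 10.10.0.0/16 in this example."""
    return ip.startswith("10.10.")


def find_deviations(flows):
    """Return sorted, de-duplicated alerts: new device, new pair, high egress."""
    alerts = set()
    egress = defaultdict(int)
    for f in flows:
        for ip in (f.src, f.dst):
            if is_internal(ip) and ip not in INVENTORY:
                alerts.add(f"new-device {ip}")
        if is_internal(f.src) and is_internal(f.dst):
            if (f.src, f.dst, f.proto) not in BASELINE_PAIRS:
                alerts.add(f"new-pair {f.src}->{f.dst} {f.proto}")
        elif is_internal(f.src):
            egress[f.src] += f.bytes_out  # traffic leaving the plant network
    for src, total in egress.items():
        if total > EGRESS_BYTES_LIMIT:
            alerts.add(f"egress {src} {total}B")
    return sorted(alerts)


# One window of constructed flows: a normal HMI poll, a PLC reaching a server
# it never spoke to, an uninventoried host, and a large transfer off-network.
SAMPLE_FLOWS = [
    Flow("10.10.1.20", "10.10.1.10", "modbus", 12_000),
    Flow("10.10.1.10", "10.10.2.5", "http", 300_000),
    Flow("10.10.1.99", "10.10.1.30", "rdp", 50_000),
    Flow("10.10.1.30", "203.0.113.7", "https", 6_000_000),
]
```

Running `find_deviations(SAMPLE_FLOWS)` yields four alerts, one for each deviation listed in the bullets above; the normal HMI poll produces none.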
The Food & Beverage Exposure
Food and beverage manufacturers have a specific risk profile that makes OT network visibility especially important. The IT/OT boundary is often blurry — ERP systems talk to production systems, quality data flows from the line to business intelligence dashboards, and remote access for maintenance vendors connects directly to plant floor equipment. Each of those integrations is a potential entry point.
Food manufacturers are also increasingly attractive targets because of the production pressure they operate under. A ransomware actor who encrypts systems at a food plant on a Thursday afternoon before a major retailer delivery on Friday knows exactly what leverage they have.
The question worth asking honestly: if an attacker were moving through your production network right now, would your team see it? And if not, what would it take to change that answer?
NBIT helps food and beverage manufacturers build OT network visibility through proper segmentation, asset inventory, and monitoring. Schedule a discovery call to discuss your environment.
