Live threats, compliance deadlines, and field notes from our audits — written for operators, not auditors.
Threat Intelligence
The vulnerabilities and active exploits our team is tracking this week, ranked by real-world impact on manufacturing environments.
An unauthenticated remote code execution flaw in a widely deployed endpoint management agent, already seen exploited against mid-sized manufacturers running unpatched agents on the shop floor.
An authentication bypass in a popular SSL-VPN appliance used by SMEs for remote plant access, allowing attackers to reach internal ERP and SCADA segments without valid credentials.
Hardcoded and weak default credentials on a common line of industrial PLCs still deployed across auto-component and engineering-goods plants, enabling unauthorized configuration changes.
A SQL injection vulnerability in a widely used third-party ERP add-on module, letting an attacker with network access dump vendor, payroll, and pricing data undetected.
Internet-facing CCTV recorders shipped with unchanged default logins continue to be scanned and compromised en masse, often used as a pivot point into the wider office network.
A commodity phishing kit impersonating logistics and customs-clearance invoices is circulating specifically against Indian export-oriented manufacturers this quarter.
Illustrative summary based on our current tracking — ask us for a tailored exposure check against your specific systems.
Compliance Calendar
Key dates for ISO 27001 certification cycles and DPDP Act compliance that manufacturing SMEs should be planning around.
The DPDP Act 2023's rules are being phased in, with graded compliance timelines for consent management, breach notification, and data fiduciary obligations. Manufacturers processing worker biometrics or customer data should not wait for the final deadline to start.
Every certified organization must pass a surveillance audit in each of the two years following initial certification, or risk suspension of the certificate. We recommend starting internal review 8–10 weeks before the scheduled date.
Full ISMS recertification is required every three years. Plants that treat this as a fresh certification — rather than a renewal — consistently pass with fewer nonconformities.
Annex A and clause 9.2 expect a documented internal audit program; most SMEs run this quarterly across rotating control domains rather than all at once before the external audit.
Once finalized rules take effect, significant personal data breaches will need to be reported to the Data Protection Board within a strict window — having an incident response plan ready in advance is not optional.
Dates reflect typical certification-cycle cadence and the current state of DPDP rulemaking; we'll confirm exact dates that apply to your certificate and data operations on a call.
This Week
What's happening in the wider security and compliance world, filtered for relevance to manufacturers.
Draft rules under India's DPDP Act continue to work through public consultation, with data fiduciaries expected to move on consent notices and grievance mechanisms well ahead of formal enforcement.
Policy WatchIndustry reporting continues to show manufacturing near the top of ransomware target lists, largely due to low tolerance for production downtime and inconsistent patching on legacy shop-floor systems.
Industry ReportOrganizations still certified against the 2013 version of ISO 27001 are past the transition deadline; certificates not upgraded to the 2022 revision are no longer valid for new business tenders requiring the standard.
Standards BodyA growing share of incidents affecting SMEs originate through a compromised vendor or logistics partner's portal rather than a direct attack, underscoring the need for vendor risk assessment as part of ISMS scope.
Threat ReportRecent advisories continue to flag targeted phishing — often disguised as invoices, shipping documents, or statutory notices — as the most common way attackers first get into Indian mid-market networks.
CERT-InCyber insurance underwriters are increasingly requiring evidence of basic controls — MFA, patch cadence, backup testing — before renewing or pricing policies, mirroring what an ISO 27001 audit already checks.
Insurance DeskCurated summary, refreshed periodically — not a live feed. Ask us on WhatsApp for the full source links behind any item.
Latest Articles
Tap any topic to read the full breakdown.
Resources
Select checklists and templates are available to clients as part of an active engagement. Reach out via the contact page for access.
Yes — we run tailored workshops on secure development practices, incident response tabletop exercises, and compliance awareness.
We refresh this section on a rolling basis based on what we're actually seeing in client engagements and public advisories. For a live, systemwide check against your exact software versions, ask us for a free security health check.
Our advisory desk answers scoped questions within one business day.