The Big Game Hunters of Cybercrime

Eric O'Neill

You don’t need to look far to see the next industrial crisis brewing. It’s not on the factory floor, and it’s not a supply issue with raw materials or labor. It’s hidden in the lines of code running your production systems, the vendor portals you log into every morning, and the networks that tie your business to everyone else’s.

For years, state-sponsored spies from China, Russia, Iran, and North Korea have targeted Western critical infrastructure. They’ve mapped power grids, probed water systems, and slipped into government networks. They do it to gather intelligence and prepare for a future conflict that will not be fought with tanks and guns, but across the networks that are the arteries of society.

The criminals have watched and learned.

The same tradecraft that spies use to prepare for war has become the blueprint for criminal enterprise. Cybercriminals realized that critical infrastructure and supply chains are as vulnerable as they are lucrative. These are the new “big game hunters.” They stalk hospitals, cities, factories, and distributors. They don’t want your trade secrets; they want your money. And they’re willing to shut down your entire operation to get it.

Devastation in Dallas

In my book, “Spies, Lies, and Cybercrime,” I write about one of the most devastating ransomware attacks in recent memory—the Royal Ransomware assault on the City of Dallas.

It began like a ghost story. One morning in May 2023, 911 dispatchers in Dallas came to work, sat down at their computers, and found black screens with a single image: a white chess piece, the king. Beneath it, the word Royal. Then a note printed itself out on office printers across the city.

“Most likely what happened,” it read, “was that you decided to save some money on your security infrastructure.”

Royal had slipped into the city’s systems weeks earlier, probably through a stolen account purchased on the Dark Web. They moved like spies—quietly mapping networks, exfiltrating data, and planting malware. When they finally pulled the trigger, they locked down numerous digital systems Dallas relied on: 911, police, fire, utilities, even the public library.

For five weeks, Dallas struggled to recover. Over a terabyte of data was stolen, including sensitive information from tens of thousands of residents. The final bill to clean up the mess? More than $8.5 million.

Royal wasn’t a government operation. They weren’t spies working for a hostile power. They were criminals running a business built on infiltration, destruction, and extortion. If a city like Dallas can fall to a cybercrime syndicate, imagine what happens when the same tactics strike a manufacturing supply chain.

Why Target Foundries?

Factories, foundries, and logistics companies have quietly become some of the most tempting targets in cybercrime. Not because they hold massive stores of personal data, but because they sit at the heart of everything.

The supply chain is the backbone of industry, built from a web of interdependent systems, vendors, and digital connections. That web is efficient, but it’s also exposed. One compromised supplier can bring a dozen companies to their knees.

Think of a metal casting company that feeds parts to multiple automakers. One breach could halt production across multiple plants. When a ransomware gang locks up a key supplier, it doesn’t just freeze one company; the disruption ripples outward to everything downstream. Leverage, urgency, and pressure are how cybercriminals get paid.

Big game hunter cyberattacks are never random. Criminals perform reconnaissance to identify weak links in cybersecurity. This might be a smaller partner with weaker defenses but valuable connections. Criminals know that in a world where every machine, shipment, and transaction is digitally managed, a few lines of malicious code can do more damage than a truckload of bad steel.

Therefore, the question isn’t whether industrial companies will be targeted, but when, and how ready they’ll be when it happens.

“Spies, Lies, and Cybercrime” debuts my P.A.I.D. framework for cybersecurity—Preparation, Assess, Investigate and Decide. It’s a simple, human way to think about cybersecurity as a leadership discipline that is informed by robust technology, training, and spy hunting.

P.A.I.D.

Preparation is the most important part. And it starts long before an attack. The organizations that recover fastest from ransomware are the ones that already have a plan. They know who’s in charge when systems go down. They know how to isolate a network, who to call, and where to find clean backups.

Preparation also means knowing your data: what’s critical, where it lives, and who can access it. In the FBI, we called that compartmentalization or “need to know.” James Bond called it “for your eyes only.” Only those who truly need access get it. The fewer people who hold the keys, the fewer doors the attackers can pick.

Assess is next. Every company should routinely evaluate its digital posture. That means penetration testing, vulnerability scans, and regular reviews of access privileges. Assessing doesn’t stop at your own walls. Your suppliers, vendors, and partners are all potential attack paths. Ask questions. Demand proof of their cybersecurity hygiene. If you wouldn’t trust a supplier’s quality control with your product, don’t trust their security with your data.

Investigate means taking immediate action when you assess a threat. Build a culture that doesn’t ignore the small things: a strange login, a glitch in the system, a process that suddenly slows down. Most successful cyberattacks aren’t fast and furious; they’re quiet and methodical. In Dallas, Royal Ransomware spent almost a month inside city systems before triggering their attack. We investigators call that “dwell time.”

The best companies are the ones that shorten an attacker’s dwell time. That’s where extended detection and response (XDR) can be a savior. It’s an approach that uses machine learning and artificial intelligence to watch over every corner of your network, including endpoints, servers, firewalls, and email. It learns what normal looks like, so it can sound the alarm when something’s off.

Decide is the last step. When you detect an attack, you don’t have time for endless meetings. You decide with alacrity. Do you shut down systems? Isolate the network? Contact law enforcement? Notify partners? The biggest mistake most organizations make isn’t that they’re compromised, but that they hesitate.
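To make the Investigate step concrete, here is an added example (my own illustration for this article, not code from any XDR product or from the Dallas investigation) of the simplest form of “learning what normal looks like.” It builds a per-account baseline of login sources and hours of day from a quiet period, flags live logins that break that baseline (a strange login), and measures dwell time from the first flagged event to the moment the account is used to trigger encryption. The log format, account names, addresses, and the `mass_encrypt` action are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample logs (not real data). Each line: "<ISO timestamp> <user> <source address> <action>"
BASELINE_LOG = """\
2023-03-01T08:05:00 jdoe 10.20.1.15 login_ok
2023-03-01T08:10:00 asmith 10.20.1.22 login_ok
2023-03-02T08:02:00 jdoe 10.20.1.15 login_ok
2023-03-02T17:30:00 asmith 10.20.1.22 login_ok
2023-03-03T07:58:00 jdoe 10.20.1.15 login_ok
2023-03-03T09:15:00 asmith 10.20.1.22 login_ok
"""

LIVE_LOG = """\
2023-04-07T08:01:00 jdoe 10.20.1.15 login_ok
2023-04-07T02:47:00 asmith 203.0.113.9 login_ok
2023-04-07T02:49:00 asmith 203.0.113.9 login_ok
2023-04-12T03:10:00 asmith 203.0.113.9 login_ok
2023-05-03T01:30:00 asmith 203.0.113.9 mass_encrypt
"""

# Hypothetical action name standing in for "the ransomware was triggered"
IMPACT_ACTIONS = {"mass_encrypt"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    src: str
    action: str


def parse_log(text):
    """Turn the constructed log text into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, action = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, src, action))
    return events


def build_baseline(events):
    """Per account: the source addresses and hours of day seen during the quiet period."""
    baseline = defaultdict(lambda: {"sources": set(), "hours": set()})
    for e in events:
        baseline[e.user]["sources"].add(e.src)
        baseline[e.user]["hours"].add(e.ts.hour)
    return dict(baseline)


def _hour_is_usual(hour, usual_hours, slack=1):
    # An hour within `slack` hours of any baseline hour counts as normal (wrapping at midnight),
    # so an 07:58 habit does not raise an alarm for an 08:01 login.
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= slack for h in usual_hours)


def find_anomalies(baseline, events):
    """Return (event, reasons) for each live event that deviates from its account's baseline."""
    flagged = []
    for e in events:
        profile = baseline.get(e.user)
        reasons = []
        if profile is None:
            reasons.append("account never seen in baseline")
        else:
            if e.src not in profile["sources"]:
                reasons.append(f"new source {e.src}")
            if not _hour_is_usual(e.ts.hour, profile["hours"]):
                reasons.append(f"off-hours login at {e.ts:%H:%M}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def dwell_time(flagged, events):
    """Per account: time from the first flagged event to that account's first impact action."""
    first_alert = {}
    for e, _ in flagged:
        first_alert.setdefault(e.user, e.ts)
    result = {}
    for e in events:
        if e.action in IMPACT_ACTIONS and e.user in first_alert and e.user not in result:
            result[e.user] = e.ts - first_alert[e.user]
    return result


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    live = parse_log(LIVE_LOG)
    flagged = find_anomalies(baseline, live)
    for e, reasons in flagged:
        print(f"{e.ts:%Y-%m-%d %H:%M} {e.user:8} {e.action:13} <- {', '.join(reasons)}")
    for user, delta in dwell_time(flagged, live).items():
        print(f"{user}: {delta.days} days between first alert and impact")
```

The point of the example is the gap it exposes: the first off-hours login from an unfamiliar address appears weeks before the encryption event, which is exactly the dwell time a prepared team would use to act. A real XDR deployment models far more than source and hour, but the defender’s question is the same: was the alert there, and did anyone decide on it.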

Think Like a Spy Hunter

The truth is that cybersecurity isn’t a one-time investment. It’s a process that mirrors how spies operate and how we spy hunters think. You prepare for the terrain, assess the environment, investigate the movement, and decide to strike back without hesitation.

Industrial companies already understand risk in the physical world: safety protocols, redundancy, preventive maintenance. The same mindset applies digitally. You can’t bolt security onto a system after it’s built any more than you can weld a crack in a mold that’s already in use and expect it to hold. Security must be intrinsically designed into the infrastructure, updated constantly, and tested often.

That includes everything from strong firewalls and multi-factor authentication to segmenting critical systems from everyday networks. It means using cloud backups that are isolated from live systems, so ransomware can’t encrypt them. It means training employees until cybersecurity awareness becomes second nature, because the front line in this war isn’t your server; it’s the person clicking on an email.

When I worked undercover for the FBI, chasing one of the most damaging spies in American history, I learned that the most dangerous threat isn’t the one that kicks in the door. It’s the one that moves quietly, gains your trust, and blends into the background.

Cybercriminals operate the same way. They move through your systems disguised as you—using your passwords, your connections, your trusted relationships. They exploit the trust that keeps your supply chain running. That’s why defending against them requires the same mindset we used to catch spies: discipline, observation, patience, and a willingness to act when something doesn’t look right.

The Royal Ransomware attack on Dallas should be a warning to every industrial leader: If it can happen to a major city with hundreds of IT staff, it can happen to anyone. And if your company is part of a supply chain, you don’t just risk your own data, you risk the others that share space on your digital island.