And manufacturers' unwillingness to publicise attacks is masking the size of the problem, it adds.
In 2005, car manufacturer Daimler Chrysler proved an exception to that rule and revealed that the Zotob worm had halted production at 13 US plants for almost an hour.
David Robinson, Norman UK country manager, said process control systems had traditionally been isolated and proprietary, but that was changing, with 42% of manufacturing systems having some form of external connection.
"Demand for real-time reporting and greater visibility has led to increased standardisation of technology frameworks and a greater number of connections to other IT systems internally and externally."
The problem, said Robinson, was that security within manufacturing companies' process control systems had not kept pace with these changes.
"These systems do not typically fall under the responsibility of company IT departments and consequently have little or no protection against malware threats, with operating system security patches not kept up to date."
Robinson said the US led the way in recognising the need to protect process control systems, but the UK's Centre for the Protection of National Infrastructure had published guidelines since it was formed last year.
The CPNI recommends a multi-layer approach to security rather than relying on any single supplier, security system, or malware detection technique.