Manufacturing Cybersecurity Checklist
Quarterly review of OT and IT cybersecurity controls for the plant — run by the IT/OT lead with the plant manager, quality, and EHS. Covers Purdue-model segmentation, plant-floor access, production data protection, incident response readiness, and physical controls on PLCs and...
OT Network Segmentation Review
-
Verify Purdue Model OT/IT segmentation
Walk the network diagram against the Purdue reference model — Level 4 (enterprise/ERP) through Level 0 (sensors/actuators). Confirm the DMZ between Level 3 (MES) and Level 3.5 enforces deny-by-default with explicit allow rules. Common gap: a Windchill or SolidWorks PDM server straddling Level 3 and Level 4 with no jump host.
-
Audit firewall rules between MES and SCADA
Pull the rule set on the OT firewall (Fortinet, Palo Alto, or Cisco ISA). Flag any-any rules, rules without a documented owner, and unused rules older than 12 months. Cross-reference against IEC 62443 zone-and-conduit definitions for the plant.
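The three flags in this step can be checked mechanically against an exported rule set. The Python below is an added example, not part of the original checklist; the CSV column names and the sample rules are constructed, so map them to whatever your firewall actually exports. A rule with no hit record is reported separately because its age cannot be judged from the export alone.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample: a vendor-neutral CSV export of OT firewall rules.
# Column names are assumptions; map them to your firewall's export format.
SAMPLE_RULES = """\
id,src,dst,service,action,owner,last_hit
10,MES-APP,SCADA-HIST,tcp/1433,allow,j.smith,2025-05-30
20,any,any,any,allow,,2025-06-01
30,ENG-WS,PLC-CELL3,tcp/44818,allow,,2023-11-02
40,MES-APP,SCADA-OPC,tcp/4840,allow,a.lee,
50,any,any,any,deny,ot-lead,2025-06-01
"""

ANY = {"any", "all", "*", "0.0.0.0/0"}
STALE_AFTER = timedelta(days=365)  # "unused rules older than 12 months"


def audit_rules(csv_text, today):
    """Return {rule_id: [findings]} for rules that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        issues = []
        is_allow = row["action"].lower() == "allow"
        # An any-any deny is the expected default-deny rule; only allows are flagged.
        if is_allow and all(row[f].lower() in ANY for f in ("src", "dst", "service")):
            issues.append("any-any allow")
        if not row["owner"]:
            issues.append("no documented owner")
        if is_allow:
            if not row["last_hit"]:
                issues.append("no hit recorded")
            elif today - date.fromisoformat(row["last_hit"]) > STALE_AFTER:
                issues.append("unused > 12 months")
        if issues:
            findings[row["id"]] = issues
    return findings


if __name__ == "__main__":
    for rule_id, issues in audit_rules(SAMPLE_RULES, date(2025, 6, 15)).items():
        print(rule_id, "; ".join(issues))
```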
-
Confirm patch status on HMIs and engineering workstations
Pull the WSUS or Ivanti report for HMIs (Wonderware, FactoryTalk View, Ignition) and engineering workstations running RSLogix, Studio 5000, TIA Portal, or Mastercam. OT patching follows vendor-approved baselines — never push enterprise patches to a control system without the vendor's compatibility matrix.
-
Test OT network IDS coverage
Confirm the passive monitoring tool (Claroty, Dragos, or Nozomi) sees traffic on every span port and that asset inventory matches the actual machine list. A drifted SPAN port that hasn't seen Modbus traffic in 30 days is a sign of a missed cell.
-
Validate PLC firmware against vendor advisories
Compare installed firmware on Allen-Bradley, Siemens, Mitsubishi, and Omron PLCs against the latest CISA ICS-CERT advisories and vendor PSIRTs. Document risk acceptance for any PLC that cannot be patched without a production stoppage.
-
Open remediation tickets for segmentation gaps
For each gap identified in the segmentation audit, open a ticket with the asset owner and a target close date. Tag tickets with the affected Purdue level and reference the IEC 62443 zone so the remediation maps to the formal architecture document.
Plant Floor Access Control
-
Review domain accounts for terminated production staff
Pull the HRIS termination report (UKG, ADP, or Paycom) for the past 90 days and reconcile against Active Directory and the MES user list. Common gotcha: a temp or contractor terminated through staffing-agency systems whose AD account never got disabled.
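The reconciliation in this step, including the staffing-agency gap, looks like this when scripted. The Python below is an added example, not part of the original checklist; all records and field names are constructed, and joining on an employee ID carried in both the AD export and the MES user list is an assumption about your environment.

```python
from datetime import date, timedelta

# Constructed sample data; field names are assumptions about your exports.
HRIS_TERMINATIONS = [
    {"employee_id": "E1001", "term_date": "2025-05-02"},
    {"employee_id": "E1044", "term_date": "2025-01-10"},  # outside the 90-day window
]
AGENCY_TERMINATIONS = [  # temps and contractors ended via the staffing agency
    {"employee_id": "C2207", "term_date": "2025-04-18"},
]
AD_ACCOUNTS = [
    {"sam": "druiz", "employee_id": "E1001", "enabled": False},
    {"sam": "sortiz", "employee_id": "C2207", "enabled": True},
    {"sam": "lpark", "employee_id": "E1044", "enabled": False},
]
MES_USERS = [  # MES logins are checked separately from AD
    {"login": "druiz", "employee_id": "E1001", "active": True},
    {"login": "sortiz", "employee_id": "C2207", "active": False},
]


def find_live_accounts(terminations, ad_accounts, mes_users, today, window_days=90):
    """Return sorted (employee_id, system, login) for accounts still active
    for anyone terminated within the review window."""
    cutoff = today - timedelta(days=window_days)
    termed = {t["employee_id"] for t in terminations
              if cutoff <= date.fromisoformat(t["term_date"]) <= today}
    hits = [(a["employee_id"], "AD", a["sam"])
            for a in ad_accounts if a["enabled"] and a["employee_id"] in termed]
    hits += [(u["employee_id"], "MES", u["login"])
             for u in mes_users if u["active"] and u["employee_id"] in termed]
    return sorted(hits)


if __name__ == "__main__":
    today = date(2025, 6, 15)
    # HRIS alone misses the contractor; merging the agency list surfaces it.
    print(find_live_accounts(HRIS_TERMINATIONS, AD_ACCOUNTS, MES_USERS, today))
    print(find_live_accounts(HRIS_TERMINATIONS + AGENCY_TERMINATIONS,
                             AD_ACCOUNTS, MES_USERS, today))
```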
-
Enforce MFA on vendor remote access
Every integrator and OEM remote-support session — Fanuc, Haas, Rockwell, machine builders dialing in for diagnostics — must come through a brokered jump host (BeyondTrust, CyberArk, or Claroty SRA) with MFA. No site-to-site VPN tunnels with shared service accounts.
-
Audit shared HMI operator station logins
Generic operator logins are common on the floor for shift practicality. Verify that each shared account is scoped to read-mostly HMI screens and that PLC program changes still require a named engineer login. Record the compensating control in the QMS.
-
Verify role-based access in the MES
Pull the role matrix from Plex, Epicor Kinetic, or Tulip. Confirm production operators cannot edit routers or BOMs, that quality cannot release a hold without a QE role, and that no user holds both buyer and AP-approver roles in the ERP.
-
Rotate engineering workstation passwords
Rotate local admin passwords on engineering workstations and CMM PCs through LAPS or a privileged-access vault. Hard-coded vendor default passwords on CMM controllers (Hexagon, Zeiss) are a recurring finding in third-party audits.
Production Data and IP Protection
-
Confirm encryption of CAD and PLM repositories
Verify at-rest encryption on the SolidWorks PDM, Windchill, or Teamcenter vault and TLS on the client connections. ITAR-controlled technical data requires US-person access controls and audit logging — confirm the export-control flag on each restricted project.
-
Verify backup integrity for MES and ERP databases
Check the last 30 days of backup logs for the MES and ERP. Verify offsite or immutable copies (Veeam hardened repo, Rubrik, or air-gapped tape) — ransomware playbooks routinely target the backup server first.
-
Review DLP rules for ITAR-controlled technical data
Confirm DLP rules (Microsoft Purview, Forcepoint, or Symantec) block egress of files tagged with ITAR or EAR classifications to personal email, USB, and unsanctioned cloud. Coordinate with the empowered official on any new classifications since last quarter.
-
Test restore of a PLC program backup
Pick one PLC at random and restore its program from backup to a test rack. A backup that has never been restored is not a backup. Document the restore time as a recovery KPI for the IR plan.
-
Confirm handling of supplier NDA data
Customer prints and supplier CMRT submissions often arrive under NDA. Verify storage location is access-controlled, retention matches the NDA term, and contractor laptops do not retain local copies after engagement end.
Incident Response Readiness
-
Review IR plan against IEC 62443 and NIST 800-82
Cross-walk the current IR plan against IEC 62443-2-1 and NIST SP 800-82 Rev 3. Confirm the plan distinguishes between IT-only events (email phishing) and OT-impacting events (PLC unavailable, line stopped) — they need different escalation paths and different recovery KPIs.
-
Run a ransomware tabletop exercise
Simulate ransomware on the MES with the plant manager, IT, OT, EHS, and quality in the room. Force the team to decide whether to keep the line running on paper travelers, when to call the cyber-insurance carrier, and how to reach customers if email is offline.
-
Update the IR playbook with tabletop findings
For each gap surfaced, assign an owner, a target close date, and a verification method. Re-issue the updated playbook to the IR distribution list and confirm acknowledgment.
-
Confirm IR roles across IT, OT, and EHS
An OT incident can become an EHS event fast — a stuck PLC on a press, a runaway batch, a leaking valve. Confirm the EHS manager is in the IR call tree and that the plant manager has authority to stop production without IT sign-off.
-
Validate the out-of-band communication plan
Test the alternate communication channel (Signal group, printed phone tree, or a Teams tenant on a separate identity provider) assuming corporate email and the primary VoIP are down. The contact list is only useful if it lives somewhere the attacker cannot reach.
-
Document lessons learned from prior incidents
Pull the past quarter's IR tickets — even minor ones (failed phishing click-throughs, single-host malware). Capture systemic findings in an A3 and assign each to a CAR with effectiveness verification, not just a retraining note.
Physical and Equipment Security
-
Audit physical access to MDF and control panels
Walk the MDF, IDFs, and main control panels with the maintenance lead. Locked doors, no propped-open conditions, and badge readers logging entry. Control panels with the key left in the lock are a chronic finding in the food and metals plants.
-
Verify USB lockdown on HMIs and laptops
Confirm USB mass-storage is blocked or whitelisted on HMIs, engineering workstations, and CMM PCs. Maintenance techs routinely need USB for vendor program loads — define an approved-device process rather than leaving the port open.
-
Check tamper seals on PLC enclosures
Walk every PLC enclosure on the floor. Verify tamper seals are intact, the keyswitch is in RUN (not REMOTE), and no unauthorized Ethernet or serial cables are spliced in. Any broken seal triggers a program comparison against the master backup.
-
Review visitor logging at plant entry
Pull the visitor log for the past quarter. Every visitor escorted, every contractor signed in, every vendor laptop scanned at the gate. ITAR or AS9100 sites have additional citizenship-attestation requirements at sign-in.
-
Confirm camera coverage of shipping and IT closets
Verify cameras cover shipping/receiving docks, the IT closet, and the engineering area. Confirm 90-day retention on the NVR and that the NVR itself sits on a segmented camera VLAN, not the production network.