Manufacturing Cybersecurity Checklist

OT Network Segmentation Review

    Walk the network diagram against the Purdue reference model, Level 4 (enterprise/ERP) down through Level 0 (sensors/actuators). Confirm the Level 3.5 DMZ between Level 3 (MES) and Level 4 enforces deny-by-default with explicit allow rules. Common gap: a Windchill or SolidWorks PDM server straddling Level 3 and Level 4 with no jump host.

    Pull the rule set on the OT firewall (Fortinet, Palo Alto, or Cisco ISA). Flag any-any rules, rules without a documented owner, and unused rules older than 12 months. Cross-reference against IEC 62443 zone-and-conduit definitions for the plant.
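One way to script the rule-set review above, added here as an example rather than any firewall vendor's tooling. It assumes the export has already been parsed into the fields shown and that the plant's approved conduits are available as a list; the rules, zone names and review date are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records; the field names are an assumption about what a
# rule export carries, not Fortinet's, Palo Alto's or Cisco's export schema.
@dataclass
class Rule:
    rule_id: str
    src_zone: str
    dst_zone: str
    service: str              # "any" or a named service such as "modbus-tcp"
    action: str               # "allow" or "deny"
    owner: str                # "" when the rule has no documented owner
    last_hit: Optional[date]  # None when the rule has never matched traffic

# Conduits the IEC 62443 zone model permits, as (source zone, destination zone).
# Constructed for this example; a real plant takes these from its architecture document.
APPROVED_CONDUITS = {
    ("L4_ENTERPRISE", "L3.5_DMZ"),
    ("L3.5_DMZ", "L3_MES"),
    ("L3_MES", "L2_CELL_A"),
}

def audit_rules(rules, as_of, stale_after_days=365):
    """Map rule_id -> findings for every allow rule that needs owner attention."""
    findings = {}
    for r in rules:
        if r.action != "allow":
            continue  # deny rules are not what this review is looking for
        issues = []
        if r.src_zone == "any" and r.dst_zone == "any" and r.service == "any":
            issues.append("any-any allow rule")
        elif (r.src_zone, r.dst_zone) not in APPROVED_CONDUITS:
            issues.append("path is not a defined conduit")
        if not r.owner.strip():
            issues.append("no documented owner")
        if r.last_hit is None or (as_of - r.last_hit).days > stale_after_days:
            issues.append(f"unused for more than {stale_after_days} days")
        if issues:
            findings[r.rule_id] = issues
    return findings

AS_OF = date(2024, 5, 15)  # constructed review date
SAMPLE_RULES = [
    Rule("R1", "L4_ENTERPRISE", "L3.5_DMZ", "https", "allow", "erp-team", date(2024, 5, 1)),
    Rule("R2", "any", "any", "any", "allow", "", date(2024, 5, 2)),
    Rule("R3", "L4_ENTERPRISE", "L2_CELL_A", "modbus-tcp", "allow", "integrator", date(2022, 1, 9)),
    Rule("R4", "L3_MES", "L2_CELL_A", "opc-ua", "allow", "ot-team", None),
]
```

Each finding maps back to a Purdue level and zone pair, so the output can be pasted straight into the remediation ticket described later in this section.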

    Pull the WSUS or Ivanti report for HMIs (Wonderware, FactoryTalk View, Ignition) and engineering workstations running RSLogix, Studio 5000, TIA Portal, or Mastercam. OT patching follows vendor-approved baselines — never push enterprise patches to a control system without the vendor's compatibility matrix.

    Confirm the passive monitoring tool (Claroty, Dragos, or Nozomi) sees traffic on every SPAN port and that asset inventory matches the actual machine list. A drifted SPAN port that hasn't seen Modbus traffic in 30 days is a sign of a missed cell.

    Compare installed firmware on Allen-Bradley, Siemens, Mitsubishi, and Omron PLCs against the latest CISA ICS-CERT advisories and vendor PSIRTs. Document risk acceptance for any PLC that cannot be patched without a production stoppage.

    For each gap identified in the segmentation audit, open a ticket with the asset owner and a target close date. Tag tickets with the affected Purdue level and reference the IEC 62443 zone so the remediation maps to the formal architecture document.

Plant Floor Access Control

    Pull the HRIS termination report (UKG, ADP, or Paycom) for the past 90 days and reconcile against Active Directory and the MES user list. Common gotcha: a temp or contractor terminated through staffing-agency systems whose AD account never got disabled.
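The reconciliation above as an added example, not code from any HRIS, AD or MES product. It assumes the three exports have been reduced to the fields shown; the termination report, directory accounts and MES users are constructed, including the staffing-agency temp that has no HRIS record at all.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample records; field names are an assumption about what the AD
# export and MES user list carry, not UKG/ADP/Paycom or any MES vendor's schema.
@dataclass
class AdAccount:
    sam: str
    employee_id: Optional[str]  # None when no HR record sits behind the account
    enabled: bool
    last_logon: Optional[date]

@dataclass
class MesUser:
    username: str
    employee_id: Optional[str]
    active: bool

def reconcile(terminated, ad_accounts, mes_users):
    """terminated: {employee_id: termination date} from the HRIS report.
    Returns {account name: [findings]} for the 90-day reconciliation."""
    findings = {}
    for a in ad_accounts:
        issues = []
        if a.employee_id in terminated:
            if a.enabled:
                issues.append("AD account still enabled after termination")
            if a.last_logon and a.last_logon > terminated[a.employee_id]:
                issues.append("AD logon after termination date")
        elif a.employee_id is None:
            issues.append("AD account has no HRIS record to reconcile against")
        if issues:
            findings[a.sam] = issues
    for m in mes_users:
        if m.active and m.employee_id in terminated:
            findings.setdefault(m.username, []).append("MES account active after termination")
        elif m.active and m.employee_id is None:
            findings.setdefault(m.username, []).append("MES account has no HRIS record")
    return findings
# Constructed 90-day termination report and directory/MES extracts.
TERMINATED = {"E100": date(2024, 4, 2), "E205": date(2024, 4, 20)}
AD = [
    AdAccount("jdoe", "E100", True, date(2024, 4, 9)),       # never disabled, used after term
    AdAccount("asmith", "E205", False, date(2024, 4, 15)),   # disabled on time
    AdAccount("tmp-welder3", None, True, date(2024, 5, 1)),  # agency temp, no HRIS record
    AdAccount("bwong", "E300", True, date(2024, 5, 10)),     # current employee
]
MES = [MesUser("jdoe", "E100", True), MesUser("asmith", "E205", False), MesUser("line2op", None, True)]
```

The logon-after-termination check is the one to escalate first: an enabled account is a process gap, but a logon after the termination date is a potential unauthorized access event.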

    Every integrator and OEM remote-support session — Fanuc, Haas, Rockwell, machine builders dialing in for diagnostics — must come through a brokered jump host (BeyondTrust, CyberArk, or Claroty SRA) with MFA. No site-to-site VPN tunnels with shared service accounts.

    Generic operator logins are common on the floor for shift practicality. Verify that each shared account is scoped to read-mostly HMI screens and that PLC program changes still require a named engineer login. Record the compensating control in the QMS.

    Pull the role matrix from Plex, Epicor Kinetic, or Tulip. Confirm production operators cannot edit routers or BOMs, that quality cannot release a hold without a QE role, and that no user holds both buyer and AP-approver roles in the ERP.
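The shared-account scoping check and the ERP role-matrix check above, combined into one added example that is not Plex, Epicor or Tulip code. Role names, users and the list of shared shift logins are constructed; the segregation-of-duties pairs are the ones the two checklist items call out.

```python
# Constructed role assignments (an assumption about shape, not Plex, Epicor
# Kinetic or Tulip's export format): user -> set of ERP/MES roles held.
ROLE_MATRIX = {
    "opr-shift1": {"hmi-view", "operator", "bom-edit"},
    "opr-shift2": {"hmi-view", "operator", "plc-program-change"},
    "qinsp-lee": {"quality-inspector", "hold-release"},
    "qe-patel": {"quality-engineer", "hold-release"},
    "buyer-kim": {"buyer", "ap-approver"},
    "ap-clerk": {"ap-approver"},
    "eng-ruiz": {"engineer", "plc-program-change"},
}
# Generic shift logins shared across operators; the checklist tolerates them
# only when scoped to read-mostly HMI roles.
SHARED_ACCOUNTS = {"opr-shift1", "opr-shift2"}
READ_MOSTLY_ROLES = {"hmi-view", "operator"}

# Role pairs one user must never hold together (segregation of duties).
FORBIDDEN_PAIRS = [
    ("buyer", "ap-approver", "buyer can approve their own invoices"),
    ("operator", "router-edit", "operator can edit routers"),
    ("operator", "bom-edit", "operator can edit BOMs"),
]
# Privileged role -> role that must gate it.
REQUIRES = [
    ("hold-release", "quality-engineer", "can release a hold without a QE role"),
    ("plc-program-change", "engineer", "PLC program change without a named engineer role"),
]

def role_violations(matrix, shared=SHARED_ACCOUNTS):
    """Map user -> list of findings; users with a clean role set are omitted."""
    out = {}
    for user, roles in matrix.items():
        issues = [msg for a, b, msg in FORBIDDEN_PAIRS if a in roles and b in roles]
        issues += [msg for priv, gate, msg in REQUIRES if priv in roles and gate not in roles]
        if user in shared:
            extra = sorted(roles - READ_MOSTLY_ROLES)
            if extra:
                issues.append("shared account holds write roles: " + ", ".join(extra))
        if issues:
            out[user] = issues
    return out
```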

    Rotate local admin passwords on engineering workstations and CMM PCs through LAPS or a privileged-access vault. Hard-coded vendor default passwords on CMM controllers (Hexagon, Zeiss) are a recurring finding in third-party audits.

Production Data and IP Protection

    Verify at-rest encryption on the SolidWorks PDM, Windchill, or Teamcenter vault and TLS on the client connections. ITAR-controlled technical data requires US-person access controls and audit logging — confirm the export-control flag on each restricted project.

    Check the last 30 days of backup logs for the MES and ERP. Verify offsite or immutable copies (Veeam hardened repo, Rubrik, or air-gapped tape) — ransomware playbooks routinely target the backup server first.

    Confirm DLP rules (Microsoft Purview, Forcepoint, or Symantec) block egress of files tagged with ITAR or EAR classifications to personal email, USB, and unsanctioned cloud. Coordinate with the empowered official on any new classifications since last quarter.

    Pick one PLC at random and restore its program from backup to a test rack. A backup that has never been restored is not a backup. Document the restore time as a recovery KPI for the IR plan.

    Customer prints and supplier CMRT submissions often arrive under NDA. Verify storage location is access-controlled, retention matches the NDA term, and contractor laptops do not retain local copies after engagement end.

Incident Response Readiness

    Cross-walk the current IR plan against IEC 62443-2-1 and NIST SP 800-82 Rev 3. Confirm the plan distinguishes between IT-only events (email phishing) and OT-impacting events (PLC unavailable, line stopped) — they need different escalation paths and different recovery KPIs.

    Simulate ransomware on the MES with the plant manager, IT, OT, EHS, and quality in the room. Force the team to decide whether to keep the line running on paper travelers, when to call the cyber-insurance carrier, and how to reach customers if email is offline.

    For each gap surfaced, assign an owner, a target close date, and a verification method. Re-issue the updated playbook to the IR distribution list and confirm acknowledgment.

    An OT incident can become an EHS event fast — a stuck PLC on a press, a runaway batch, a leaking valve. Confirm the EHS manager is in the IR call tree and that the plant manager has authority to stop production without IT sign-off.

    Test the alternate communication channel (Signal group, printed phone tree, or a Teams tenant on a separate identity provider) assuming corporate email and the primary VoIP are down. The contact list is only useful if it lives somewhere the attacker cannot reach.

    Pull the past quarter's IR tickets — even minor ones (failed phishing click-throughs, single-host malware). Capture systemic findings in an A3 and assign each to a CAR with effectiveness verification, not just a retraining note.

Physical and Equipment Security

    Walk the MDF, IDFs, and main control panels with the maintenance lead. Check for locked doors, no propped-open conditions, and badge readers logging entry. Control panels with the key left in the lock are a chronic finding in food and metals plants.

    Confirm USB mass-storage is blocked or whitelisted on HMIs, engineering workstations, and CMM PCs. Maintenance techs routinely need USB for vendor program loads — define an approved-device process rather than leaving the port open.

    Walk every PLC enclosure on the floor. Verify tamper seals are intact, the keyswitch is in RUN (not REMOTE), and no unauthorized Ethernet or serial cables are spliced in. Any broken seal triggers a program comparison against the master backup.

    Pull the visitor log for the past quarter. Every visitor escorted, every contractor signed in, every vendor laptop scanned at the gate. ITAR or AS9100 sites have additional citizenship-attestation requirements at sign-in.

    Verify cameras cover shipping/receiving docks, the IT closet, and the engineering area. Confirm 90-day retention on the NVR and that the NVR itself sits on a segmented camera VLAN, not the production network.