Manufacturing IT Security Checklist

Network Architecture

• IT and OT networks physically or logically separated
• Demilitarized zone (DMZ) between IT and OT
• PLCs and SCADA systems on isolated network
• Guest WiFi completely separate from production
• No direct internet access from OT network
• VLANs properly configured and documented

OT/ICS Security

• Asset inventory of all OT devices maintained
• Default credentials changed on all PLCs/HMIs
• PLC programming ports disabled when not in use
• Firmware updates applied during maintenance windows
• USB ports disabled on production systems
• OT-specific endpoint protection deployed (where possible)
• Industrial firewall protecting critical systems

ERP/MES Integration Security

• ERP system on separate network segment
• Database connections encrypted
• API access controlled and logged
• Integration points documented and secured
• Vendor remote access controlled (not 24/7)

Access Control & Identity

• Multi-factor authentication on all accounts
• Separate admin accounts for IT staff
• Role-based access to ERP/production systems
• Terminated employee access disabled immediately
• Contractor access time-limited and logged

Backup & Disaster Recovery

• Production system backups (PLC programs, configs)
• ERP database backed up with tested restores
• CAD/CAM files and engineering data protected
• Backup systems isolated (immutable copies)
• Recovery procedures documented and tested
• Manual production procedures documented for IT outage

• Vendor security assessments performed
• Third-party access policies documented
• EDI/supply chain integrations secured
• Vendor remote access controlled and monitored
• Software supply chain risks assessed

• Production continuity plan (manual operations)
• Communication plan for supply chain partners
• OT-aware incident response procedures
• Safety systems isolated from attack surface
• Insurance covers OT/production downtime