Cybersecurity Checklist for Small Manufacturers & Machine Shops

Manufacturers get attacked for two reasons: downtime pays (ransomware against production schedules) and access sells (you're a supply-chain stepping stone into bigger customers). If you supply defense primes, CMMC compliance now decides whether you can even bid. This checklist covers the shop-floor reality.

The threats that actually hit small manufacturers

Production-halting ransomware

When the ERP, scheduling, or CAD server is encrypted, machines idle and delivery penalties accrue; attackers price ransoms against your downtime cost.

Supply-chain pivot attacks

Attackers compromise small suppliers to reach their customers — making your security posture part of your customers' risk reviews.

Unsegmented OT/shop-floor machines

CNC controllers and HMIs often run end-of-life Windows, and PLC firmware rarely gets patched while a line is in production; on a flat network they're permanent footholds.

How many of these boxes can you actually check?

Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.

Get Your Free Security Grade

The checklist

1. Segment shop-floor machines from the office network

an afternoon

Un-patchable CNC/PLC controllers are a given; reachable ones are a choice. Segmentation contains the legacy problem.

2. Back up ERP, CAD/CAM, and job files daily with an offline copy

an afternoon

Ransom pricing is downtime pricing — an offline backup collapses both.

3. Turn on MFA for email, ERP, and remote access

quick win

Exposed remote access (VPN, RDP, vendor support tools) with stolen or reused credentials is the most common way into a shop, and remote support is now routine.

4. Replace shared operator logins with individual accounts

an afternoon

Shared logins mean no accountability and no clean offboarding — both matter more as shops digitize.

5. Inventory every device with an IP address, including the old ones

an afternoon

You can't segment or monitor what you haven't listed; shop floors always have forgotten endpoints.
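Items 1 and 5 come down to the same question: what is actually on the wire, and is each thing on the VLAN the network plan says it should be? The following script is an added example, not code from this page or from CyberGrade, that answers it from a DHCP lease dump and the shop's asset list. The lease text, the asset CSV, the MAC addresses, hostnames and the two subnet ranges are all constructed for the example; swap in your own DHCP or switch ARP export and your real subnets.

```python
"""Reconcile what is on the network with the asset list, and flag shop-floor
gear that answers from the office subnet.

Inputs are constructed for this example: a lease snapshot in a simple
"mac ip hostname" layout and a hand-kept asset CSV with the zone each
device belongs in. Zone names and subnets are assumptions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Assumed network plan: office users on one VLAN, CNC/PLC/HMI on another.
ZONES = {
    "office": ipaddress.ip_network("10.10.0.0/24"),
    "ot": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed DHCP/ARP snapshot: "mac ip hostname" ("-" when no name was offered).
LEASES = """\
a4:5e:60:11:22:33 10.10.0.21 front-office-pc
00:50:56:aa:bb:cc 10.10.0.40 erp-server
00:1b:21:44:55:66 10.10.0.77 haas-vf2-cnc
00:80:f4:77:88:99 10.20.0.15 fanuc-lathe-3
b8:27:eb:01:02:03 10.10.0.150 -
00:0c:29:de:ad:01 10.20.0.20 plc-line1
"""

# Constructed asset list as the shop keeps it: mac, name, zone it belongs in.
ASSETS = """\
mac,name,zone
a4:5e:60:11:22:33,front-office-pc,office
00:50:56:aa:bb:cc,erp-server,office
00:1b:21:44:55:66,haas-vf2-cnc,ot
00:80:f4:77:88:99,fanuc-lathe-3,ot
00:0c:29:de:ad:01,plc-line1,ot
"""


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    kind: str  # "unknown_device" or "wrong_zone"
    detail: str


def zone_of(ip: str) -> str:
    """Map an address to the zone whose subnet contains it, or 'unzoned'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unzoned"


def parse_leases(text: str) -> list[tuple[str, str, str]]:
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            host = parts[2] if len(parts) > 2 else "-"
            rows.append((parts[0].lower(), parts[1], host))
    return rows


def parse_assets(text: str) -> dict[str, dict[str, str]]:
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def audit(leases_text: str, assets_text: str) -> list[Finding]:
    """One finding per device that is not inventoried or is on the wrong VLAN."""
    assets = parse_assets(assets_text)
    findings = []
    for mac, ip, host in parse_leases(leases_text):
        seen_zone = zone_of(ip)
        asset = assets.get(mac)
        if asset is None:
            findings.append(Finding(mac, ip, "unknown_device",
                                    f"host={host} seen in zone={seen_zone}; not in asset list"))
        elif asset["zone"] != seen_zone:
            findings.append(Finding(mac, ip, "wrong_zone",
                                    f"{asset['name']} belongs in {asset['zone']} but answers from {seen_zone}"))
    return findings


if __name__ == "__main__":
    for f in audit(LEASES, ASSETS):
        print(f"{f.kind:15} {f.mac} {f.ip}  {f.detail}")
```

A `wrong_zone` finding is the "reachable by choice" case from item 1 (here the Haas control sitting on the office VLAN); an `unknown_device` is the forgotten endpoint from item 5. Run it on a schedule and diff against last week's output: the list changing is the signal. It checks addressing only, not reachability, so confirm the boundary firewall actually blocks office-to-OT traffic separately.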

6. Vet and restrict vendor remote-access (machine OEMs, IT support)

ongoing

OEM remote maintenance accounts are standing backdoors unless they're time-limited and logged.
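For item 6, the check worth automating is whether a vendor account logged in when nobody had approved a window for it. The script below is an added example, not the page's or any OEM's tooling; the log format, account names, source addresses and ticket numbers are constructed. It assumes your remote-access gateway can export one line per login with a timestamp, account and source address, and that the approved windows come from your ticketing system.

```python
"""Flag vendor remote-access logins that fall outside an approved, ticketed
maintenance window, or that belong to an account with no window at all.

Grant table and log lines are constructed for this example; the gateway is
assumed to log timestamps in UTC.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Grant:
    """An approved, ticketed remote-access window for one vendor account."""
    account: str
    ticket: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Alert:
    when: datetime
    account: str
    src: str
    reason: str


def ts(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and treat it as UTC (assumption)."""
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed grant table: what the ticketing system approved.
GRANTS = [
    Grant("haas-support", "T-1042", ts("2024-03-12T13:00:00"), ts("2024-03-12T17:00:00")),
    Grant("msp-helpdesk", "T-1050", ts("2024-03-13T08:00:00"), ts("2024-03-13T12:00:00")),
]

# Constructed gateway log, one line per event: "<timestamp> <account> <source ip> <event>".
LOG = """\
2024-03-12T14:05:11 haas-support 203.0.113.7 login_ok
2024-03-12T22:41:03 haas-support 203.0.113.7 login_ok
2024-03-13T09:10:00 msp-helpdesk 198.51.100.22 login_ok
2024-03-13T09:12:30 msp-helpdesk 198.51.100.22 login_fail
2024-03-14T03:00:45 fanuc-remote 192.0.2.9 login_ok
"""


def audit_logins(log_text: str, grants: list[Grant]) -> list[Alert]:
    """Return an alert for every successful login with no covering approved window."""
    by_account: dict[str, list[Grant]] = {}
    for g in grants:
        by_account.setdefault(g.account, []).append(g)

    alerts: list[Alert] = []
    for line in log_text.splitlines():
        stamp, account, src, event = line.split()
        if event != "login_ok":
            continue  # only sessions that actually opened matter here
        when = ts(stamp)
        windows = by_account.get(account, [])
        if not windows:
            alerts.append(Alert(when, account, src,
                                "no approved window on file: standing access"))
        elif not any(g.start <= when <= g.end for g in windows):
            tickets = ", ".join(g.ticket for g in windows)
            alerts.append(Alert(when, account, src,
                                f"login outside approved window(s) {tickets}"))
    return alerts


if __name__ == "__main__":
    for a in audit_logins(LOG, GRANTS):
        print(f"{a.when.isoformat()} {a.account:14} {a.src:15} {a.reason}")
```

Detection is the fallback, not the control: the account should be disabled outside its window (enabled when the ticket opens, disabled when it closes) so that an out-of-window login fails rather than merely alerts. This script then catches the cases where that process slipped, and the "standing access" alerts are the list of accounts to put on a ticket in the first place.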

7. If you touch defense work: gap-assess against CMMC Level 1/2

ongoing

CMMC requirements are being phased into DoD contracts, and primes are pushing them down to every sub on the drawing.

8. Drill the 'ERP is down' scenario once a year

an afternoon

Knowing how to run the floor on paper for two days converts a catastrophe into an inconvenience.

Frequently asked questions

Why would attackers target a 20-person machine shop?

Downtime and access. Your ransom price is set by your delivery penalties, and your VPN credentials are a stepping stone into every larger customer that trusts your emails and attachments. Small manufacturers are attacked because of who they supply, not despite their size.

What is CMMC and does it apply to me?

The Cybersecurity Maturity Model Certification is the DoD's supplier security standard. If defense work touches your shop, even as a tier-3 sub machining one part, primes will increasingly require it: Level 1 (basic safeguarding of Federal Contract Information, an annual self-assessment against 15 practices) or Level 2 (the 110 controls of NIST SP 800-171, for shops that handle controlled unclassified information, assessed either by self-assessment or by a third-party assessor depending on the contract). Bidding eligibility, not fines, is the enforcement.

Our machines run Windows XP. What can we possibly do?

Segment, don't upgrade. Legacy controllers are normal in manufacturing; the fix is putting them on their own VLAN or physical network with no internet access and no inbound path from office systems, allowing only the specific connections the floor needs (typically the DNC or CAM file-transfer server on the ports it actually uses), and logging what crosses that boundary. Perfect patching isn't achievable; containment is.
