Cybersecurity Checklist for Small Manufacturers & Machine Shops
Manufacturers get attacked for two reasons: downtime pays (ransomware against production schedules) and access sells (you're a supply-chain stepping stone into bigger customers). If you supply defense primes, CMMC compliance now decides whether you can even bid. This checklist covers the shop-floor reality.
The threats that actually hit small manufacturers
Production-halting ransomware
When the ERP, scheduling, or CAD server is encrypted, machines idle and delivery penalties accrue — attackers price ransoms against your downtime cost.
Supply-chain pivot attacks
Attackers compromise small suppliers to reach their customers — making your security posture part of your customers' risk reviews.
Unsegmented OT/shop-floor machines
CNC controllers and PLCs running ancient Windows can't be patched; on a flat network they're permanent footholds.
How many of these boxes can you actually check?
Find out in 3 minutes. CyberGrade grades your security posture A+ through F and shows your top risks — free, no email required to start.
Get Your Free Security Grade
The checklist
1. Segment shop-floor machines from the office network
Effort: an afternoon. Un-patchable CNC/PLC controllers are a given; reachable ones are a choice. Segmentation contains the legacy problem.
2. Back up ERP, CAD/CAM, and job files daily with an offline copy
Effort: an afternoon. Ransom pricing is downtime pricing — an offline backup collapses both.
3. Turn on MFA for email, ERP, and remote access
Effort: quick win. Remote-access credentials are the top manufacturing entry point, especially since remote support became normal.
4. Replace shared operator logins with individual accounts
Effort: an afternoon. Shared logins mean no accountability and no clean offboarding — both matter more as shops digitize.
5. Inventory every device with an IP address, including the old ones
Effort: an afternoon. You can't segment or monitor what you haven't listed; shop floors always have forgotten endpoints.
6. Vet and restrict vendor remote access (machine OEMs, IT support)
Effort: ongoing. OEM remote maintenance accounts are standing backdoors unless they're time-limited and logged.
7. If you touch defense work: gap-assess against CMMC Level 1/2
Effort: ongoing. DoD contracts now flow through CMMC certification; primes are pushing requirements to every sub on the drawing.
8. Drill the 'ERP is down' scenario once a year
Effort: an afternoon. Knowing how to run the floor on paper for two days converts a catastrophe into an inconvenience.
Frequently asked questions
Why would attackers target a 20-person machine shop?
Downtime and access. Your ransom price is set by your delivery penalties, and your VPN credentials are a stepping stone into every larger customer that trusts your emails and attachments. Small manufacturers are attacked because of who they supply, not despite their size.
What is CMMC and does it apply to me?
The Cybersecurity Maturity Model Certification is the DoD's supplier security standard. If defense work touches your shop — even as a tier-3 sub machining one part — primes will increasingly require certification at Level 1 (basic) or Level 2 (for controlled unclassified information). Bidding eligibility, not fines, is the enforcement.
Our machines run Windows XP. What can we possibly do?
Segment, don't upgrade. Legacy controllers are normal in manufacturing; the fix is isolating them on their own network with no internet access and no path to office systems, then monitoring the boundary. Perfect patching isn't achievable; containment is.
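Checklist items 1 and 6 and this answer describe one boundary policy: controllers talk only to each other, nothing on the shop floor reaches the office or the internet, and the only way in is a named jump host or an OEM account on a fixed port inside an agreed window. The following is an added example, not code from the original page or from CyberGrade, that audits constructed boundary-firewall log lines against such a policy; every address, port, log format and maintenance window in it is an assumption for the example.

```python
import ipaddress
from datetime import datetime, time
# Constructed policy for a hypothetical shop; addresses, ports and window are assumptions, not page values.
OT_NET = ipaddress.ip_network("10.50.0.0/24")      # isolated shop-floor VLAN (CNC/PLC controllers)
OFFICE_NET = ipaddress.ip_network("10.10.0.0/24")  # office network
JUMP_HOST = ipaddress.ip_address("10.10.0.5")      # the only office host allowed into OT
VENDOR_ALLOWED = {("10.50.0.21", 3389)}            # OEM maintenance: this controller, this port...
VENDOR_WINDOW = (time(8, 0), time(12, 0))          # ...and only inside the agreed window

def parse_line(line):
    """Constructed log format: '<iso-ts> src=A dst=B dport=N action=ACCEPT|DROP'."""
    ts, *fields = line.split()
    f = dict(part.split("=", 1) for part in fields)
    return (datetime.fromisoformat(ts), ipaddress.ip_address(f["src"]),
            ipaddress.ip_address(f["dst"]), int(f["dport"]), f["action"])

def classify(ts, src, dst, dport):
    """Return a violation label, or None if the flow conforms to the segmentation policy."""
    if src in OT_NET and dst not in OT_NET:  # legacy controllers may only talk to each other
        return "ot-to-office" if dst in OFFICE_NET else "ot-egress"
    if dst in OT_NET and src not in OT_NET:  # something outside reaching into the OT segment
        if src == JUMP_HOST:
            return None
        if (str(dst), dport) in VENDOR_ALLOWED:
            in_window = VENDOR_WINDOW[0] <= ts.time() <= VENDOR_WINDOW[1]
            return None if in_window else "vendor-outside-window"
        return "unexpected-ingress-to-ot"
    return None

def audit(lines):
    """Return (label, src, dst, dport) for every ACCEPTed flow that violates the policy."""
    findings = []
    for line in lines:
        ts, src, dst, dport, action = parse_line(line)
        if action != "ACCEPT":  # a DROP means the boundary already did its job
            continue
        label = classify(ts, src, dst, dport)
        if label:
            findings.append((label, str(src), str(dst), dport))
    return findings
# Constructed sample log lines (timestamps, addresses and ports invented for the example).
SAMPLE_LOG = [
    "2024-03-04T09:15:00 src=10.50.0.21 dst=10.50.0.30 dport=502 action=ACCEPT",     # Modbus between controllers
    "2024-03-04T09:16:00 src=10.50.0.21 dst=10.10.0.40 dport=445 action=ACCEPT",     # controller to office share
    "2024-03-04T09:17:00 src=10.50.0.22 dst=203.0.113.9 dport=443 action=ACCEPT",    # controller calling out
    "2024-03-04T09:18:00 src=10.50.0.22 dst=203.0.113.9 dport=443 action=DROP",      # same attempt, blocked
    "2024-03-04T10:00:00 src=198.51.100.7 dst=10.50.0.21 dport=3389 action=ACCEPT",  # OEM inside window
    "2024-03-04T22:30:00 src=198.51.100.7 dst=10.50.0.21 dport=3389 action=ACCEPT",  # OEM outside window
    "2024-03-04T10:05:00 src=10.10.0.5 dst=10.50.0.21 dport=22 action=ACCEPT",       # jump host, permitted
    "2024-03-04T10:06:00 src=10.10.0.77 dst=10.50.0.21 dport=22 action=ACCEPT",      # ordinary office PC into OT
]
```

Running audit(SAMPLE_LOG) flags the office share access, the outbound call, the out-of-window OEM session and the stray office PC, while the controller-to-controller traffic, the blocked attempt, the in-window OEM session and the jump host pass.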