OT/SCADA Security for Small Manufacturers: A Pragmatic Assessment Playbook

Why this matters now

Five numbers frame the problem. In 2025, manufacturing was the single most-targeted sector globally, with ransomware attacks against the sector up 61 percent year over year (Sophos State of Ransomware in Manufacturing and Production 2025). Dragos tracked 119 ransomware groups hitting more than 3,300 industrial organizations, nearly double the 2024 count. The average recovery cost for a manufacturing victim, excluding any ransom payment, was $1.3 million. The average operational disruption was 24 days before full restoration. Across European manufacturers, 80 percent operate critical OT systems with known unpatched vulnerabilities, and fewer than 10 percent of OT networks worldwide have meaningful monitoring in place.

The Sensata Technologies ransomware attack on April 6, 2025 is a concrete reference point. Sensata makes sensors and controls for the automotive, aerospace, and manufacturing sectors. Attackers held network access for more than a week (March 28 through April 6) before the encryption fired. The incident impacted shipping, receiving, manufacturing production, and support functions. Sensitive data was exfiltrated. Sensata is a $4 billion company with a dedicated security team. The attack still ran for nine days inside its network and disrupted production. A small manufacturer with no in-house security function will not detect faster and will not recover faster. They will recover slower.

The good news in the same dataset: 58 percent of manufacturers fully recover within one week, up from 44 percent the previous year, and organizations that maintained offline backups reduced recovery costs by 44 percent compared to those that paid the ransom. Recovery is possible. The practices that make it possible are mostly things a small manufacturer can put in place before an incident, not after.

What "small manufacturer" means here

We use the term to mean a 20-to-300-employee shop with on-premises production equipment, an IT person or two (often shared with general business IT), and no dedicated OT cybersecurity function. The shop floor typically runs PLCs from one or two vendors (Allen-Bradley, Siemens, Mitsubishi, Omron), HMIs from the same vendors or third parties, and a SCADA or MES layer that aggregates production data. There is usually a remote-access path for vendor support, a wireless network somewhere, and a recently-installed connection to a cloud analytics product because someone said it would help with OEE.

This profile covers most of the manufacturing victims in the 2025 incident dataset. It is also the profile that benefits most from a pragmatic assessment, because the gaps are consistent across shops and the fixes are mostly procedural rather than capital-intensive.

The threat surface, in concrete CVE terms

The threats facing this profile are not abstract. CISA published advisories in 2025 covering the exact PLC and HMI families small manufacturers run. A non-exhaustive sample, as a forcing function for the inventory step below:

Three observations. First, every one of these affects equipment a small manufacturer is likely running today. Second, none of these requires a nation-state attacker; an authenticated user on the engineering network is the typical precondition. Third, patches exist for all of them, and the shops we assess have applied none. The gap between disclosure and deployment is the attack window, and in 2025 it averaged months.

Two attack patterns documented in the 2025 OT incident data are worth naming explicitly. Living- off-the-Land techniques use legitimate engineering tools and vendor remote-access platforms to avoid detection while maintaining persistent access. Safety-system-disabling attacks place Safety Instrumented Systems in program mode to prevent trips during unsafe conditions, then threaten to trigger emergency shutdowns or leak proprietary process recipes as the extortion lever. Both patterns assume the attacker has already entered the OT network and is now operating inside it. The defensive question is not "how do we keep them out" so much as "how do we detect them once they are in, and how do we recover when they fire."

The assessment playbook

Five phases, sequenced. Each phase aligns to a section of NIST SP 800-82 Rev. 3 and the IEC 62443 Security Level 2 (SL-2) target most manufacturers should aim for. SL-2 means protection against intentional attacks with low resources. It is the realistic target for a small manufacturer; SL-3 and SL-4 are appropriate for high-consequence facilities and require capital investment most small shops cannot justify.

Phase 1: asset inventory and zone mapping (NIST 800-82 / IEC 62443-2-1)

Walk the floor with the operations lead. Document every device with an IP address or a serial connection: PLCs, HMIs, engineering workstations, SCADA servers, historians, network switches, wireless access points, cameras, and anything connected to the office network. For each, capture make, model, firmware version, network address, and the function it serves. Group devices into zones (production cell A, production cell B, engineering, business IT, vendor remote access) and map the conduits between zones. This is the IEC 62443 zone-and-conduit model. The output is a single diagram an operator can read in two minutes. Most small manufacturers have never produced this diagram, and producing it surfaces unauthorized connections every time.

Typical findings at this phase: an HMI with a vendor-default password and an unknown firmware revision, a wireless access point intended for visitor traffic that bridges to the production VLAN, an engineering workstation that has not been updated since 2019 because "it works," and a vendor remote-access tunnel that no one remembers authorizing.

Phase 2: vulnerability and patch posture review

For each device in the inventory, check published CISA advisories for the make and firmware version. CISA released hundreds of ICS advisories in 2025 covering the major OT vendors. Most small manufacturers are running at least one device with a high-severity advisory and no patch applied. Document the gap. For each gap, decide one of three things: patch (preferred where the vendor supports it without breaking certified configurations), compensating control (network isolation, monitoring), or accept-and-document (rare, only when the device is end-of-life and scheduled for replacement). The output is a one-page patch-status sheet per zone.

Phase 3: network segmentation and remote access review

Verify the conduits between zones from Phase 1 actually enforce what the diagram says. The Purdue Model is the textbook reference, but for a small shop the practical question is simpler: can a workstation in business IT directly reach a PLC on the shop floor? If yes, that is a finding. Can a vendor remote-access tunnel reach anything beyond the specific device the vendor services? If yes, that is a finding. Is the wireless network segregated from the production network at Layer 2 and Layer 3? If not, that is a finding.

The most common compensating control we recommend is a unidirectional gateway between the OT and IT networks for read-only data flows (production metrics to dashboards) and a deliberately slow, audited path for the rare write flows (recipe pushes, firmware updates). Capital cost is modest. Implementation difficulty is procedural rather than technical.

Phase 4: detection and response readiness

Determine what events are logged, where the logs go, who reads them, and what would trigger an alert. The Dragos 2026 dataset shows 30 percent of OT incidents were first noticed because someone observed "something seemed wrong" in operations rather than because of a security alert. That ratio is unacceptable. The minimum bar for a small manufacturer is: every PLC and HMI forwards syslog to a central collector, the collector has a dashboard and at least three alerting rules (failed-login burst, after-hours engineering-workstation activity, unexpected firmware-write commands), and someone is named as the on-call recipient.

For incident response, the playbook should specify: who has authority to take production offline, who notifies whom in what order, where the offline backups live and how to restore them, and what the manual-fallback procedure is for the most critical production line. The 24 percent of organizations that recovered within one week in the 2025 dataset had this written down. The rest discovered they did not, mid-incident, while production was idle.

Phase 5: governance and roadmap

Compile the findings from Phases 1 through 4 into a written roadmap with three time horizons: this quarter (highest-severity gaps with low-complexity fixes), this fiscal year (segmentation and detection investments), and this strategic window (vendor consolidation, end-of-life replacements, formal IEC 62443 SL-2 certification if pursued). Assign an owner to each item and a quarterly review cadence. The output is a four-to-six page document the operations lead can hand to ownership and to insurers.

For organizations bidding on federal manufacturing contracts, this phase also produces the artifact set required for Cybersecurity Maturity Model Certification (CMMC) Level 2, which is becoming the de facto floor for Department of Defense supply-chain awards. CMMC requirements have driven unprecedented demand for cyber-capable Service-Disabled Veteran-Owned Small Businesses since FY24, and the alignment between SL-2 and CMMC L2 substantially overlaps.

A worked example

Consider a 120-employee precision-machining shop in the Midwest, running 14 CNCs, 8 Allen-Bradley PLCs, a Wonderware SCADA layer, and a recently-added cloud OEE dashboard. The IT environment is Microsoft 365 with one IT generalist who also handles the office network.

A one-week assessment on this configuration would produce, in our experience, between 15 and 30 findings. The top six, ranked by typical severity:

1. The OEE dashboard cloud connector polls the Wonderware historian over a credential set with full SCADA-write permissions. The cloud vendor only needs read. Severity: critical. Fix: scope the credential to read-only on a defined view; estimated effort, half a day.
2. Two of the eight PLCs are on a firmware version with a published CISA advisory. One is a Rockwell Micro850 affected by CVE-2025-13823. Severity: high. Fix: schedule a patch window or apply a network-isolation compensating control; effort, one to two days plus production-coordination time.
3. The vendor remote-access tunnel for the SCADA system terminates inside the production VLAN with no jump-host. Severity: high. Fix: introduce a jump-host with logged session recording, scope the tunnel to only the SCADA server; effort, one week of network and procedural work.
4. The visitor wireless and the production wireless share a controller and a VLAN-trunk uplink. Severity: medium-to-high. Fix: separate physical SSIDs onto distinct VLANs with explicit allow-rules; effort, half a day.
5. No central log collection. PLC events live on the PLC; HMI events live on the HMI; nothing is forwarded. Severity: medium. Fix: deploy an open-source collector, write three alerting rules, name an on-call recipient; effort, two days plus an ongoing review cadence.
6. Backup procedure has never been tested with a full restore. Severity: medium until needed, then high. Fix: schedule a quarterly tabletop and an annual full-restore drill; effort, one day per quarter.

The total external-spend cost of fixing all six is in the low five figures over a quarter. The cost of the first incident if these are not fixed, against the 2025 industry average of $1.3 million in non-ransom recovery costs, is materially larger than that.

Five things you can do this month

Before any external assessment, five actions reduce the surface materially:

• Walk the floor with a notebook. Write down every device with a network connection or a USB port. If the list is longer than you remembered, that is the first finding.
• Change every default password on every PLC, HMI, and engineering workstation. Document the new ones in a password manager that the right people can access. The 2025 incident data shows default credentials remain among the top initial-access vectors.
• Verify your offline backups. Pick one file from a backup, restore it to a test location, confirm it works. If it does not, you do not have backups; you have hopes.
• List every remote-access path into the OT network. Vendor tunnels, contractor laptops, support TeamViewer sessions, RDP from the office. Decide which ones still need to exist. Disable the rest.
• Name an on-call recipient for OT alerts and write down the escalation path on a single page. When something fires at 3am, this page is what saves the production line.

These five actions take a week of distributed effort. They do not replace an assessment. They do close the most-common attack paths we see in shops that have never been reviewed.

When this assessment is worth buying

If your shop floor produces parts on a deadline, runs equipment that costs more than $50,000 per machine, accepts work for federal customers, or carries cyber insurance with OT coverage, the assessment is worth buying. The cost of a one-week engagement is materially less than the cost of the first incident. If the manufacturing operation is small enough that 24 days of downtime is survivable from cash reserves, the priority order may shift toward backup verification and remote-access cleanup first, then a formal assessment within the year.

Contact jon@virtuscybersecurity.com with a brief description of your facility and we can scope a remote-walkthrough or on-site engagement. As an SDVOSB, we are positioned for federal manufacturing supply-chain work specifically. For broader technology strategy or fractional-CTO advisory beyond the security scope, see sandhillscto.com.

References and further reading

• Sophos, "The State of Ransomware in Manufacturing and Production 2025."
• Dragos, "OT Cybersecurity Year in Review 2026."
• NIST SP 800-82 Rev. 3, "Guide to Operational Technology (OT) Security."
• IEC 62443 series, "Industrial Automation and Control Systems Security."
• CISA ICS Advisories: cisa.gov/news-events/ics-advisories (the canonical source for all CVEs cited above).
• Sensata Technologies incident notice, April 2025: sensata.com/incident-notice.
• CMMC v2 Level 2 requirements: dodcio.defense.gov/CMMC.