Manufacturing IT used to be a clear story: the corporate side ran Windows and email, the factory floor ran a separate world of PLCs and SCADA systems, and the two rarely talked. That world ended a decade ago. The factory floor sensors now report to cloud platforms, the ERP integrates with shop-floor data collection, and the IT and OT (operational technology) sides have to be managed as one network — with the same security posture, the same patching disciplines, and the same incident response plans.
This post is for the operations manager or owner of a Melbourne manufacturer (food processing, plastics, packaging, fabrication, automotive components, anything where production hardware sits on a network) thinking through what their IT and OT setup needs to look like in 2026.
What’s specifically different about manufacturing IT
Compared to a generic SME, manufacturing IT carries three structural challenges:
1. Long-lived industrial hardware. A welding cell, a conveyor controller, a CNC machine, a labelling line — these often have 10-20 year operational lifespans. The control system on the back of them might be Windows 7, Windows XP, or some embedded Linux that hasn’t seen a vendor update in five years. Replacing it costs tens or hundreds of thousands. Patching it isn’t always supported. The IT/OT security strategy has to account for unpatchable systems on the network.
2. Production downtime is more expensive than IT downtime. A 30-minute helpdesk delay for an office worker is annoying. A 30-minute conveyor outage at a food processor is hundreds of cartons of product written off, plus downstream missed truck departures. The risk-tolerance maths is different — and many MSPs without manufacturing experience underestimate this.
3. The OT side has its own vendors and protocols. Modbus, OPC-UA, EtherNet/IP, ProfiNet. Industrial automation vendors (Rockwell, Siemens, Schneider, Mitsubishi) speak languages your average MSP technician doesn’t. Coordinating security work between the IT MSP and the OT integrator is its own discipline.
The OT/IT convergence problem in practice
Most Melbourne manufacturers we work with are somewhere on this journey:
- Stage 1: The OT and IT networks are physically separate. Old, but still secure-ish. Most under-50-staff manufacturers are here.
- Stage 2: One or two OT systems are connected to the IT network “just for the SCADA dashboard” or “just for remote access during commissioning”. The connection is usually undocumented and the firewall rules permissive.
- Stage 3: OT and IT are deeply integrated. Production data flows to the ERP. SCADA dashboards on Power BI. Remote diagnostics from the equipment vendor. This is where most modern Melbourne manufacturers want to be — but the security implications are significant.
The risk is the half-finished journey. A factory that’s at “Stage 2 by accident” — connections made over years for various reasons, never documented, never reviewed, never security-tested — has the worst of both worlds.
The security baseline for a Melbourne manufacturer in 2026
The minimum standard, in our experience:
- Network segmentation. OT and IT on separate VLANs at minimum, with documented firewall rules between them. Each connection between the two has a documented business reason and an owner.
- Asset inventory. Every piece of hardware on every network — IT, OT, IoT — with vendor, model, firmware version, network address, and risk classification. Most manufacturers don’t have this and find out the hard way during an incident.
- Patch policy that handles unpatchable assets. The CNC controller on Windows 7 isn’t getting patched. The compensating controls (network isolation, application allowlisting on adjacent systems, monitoring) need to be explicit and reviewed.
- Endpoint detection and response on the IT side, plus dedicated OT monitoring (Claroty, Nozomi, Dragos, or equivalent OT-specific tooling) on the OT side
- Backup of every system that matters. The ERP. The SCADA configuration. The PLC programs. The recipe data. The quality control logs. Most manufacturers back up the ERP and assume the rest is “the vendor’s problem”.
- Incident response plan that names production-floor decision-makers. If ransomware hits at 4am Sunday, who decides whether to keep production running on offline backup or shut down?
The ransomware problem for manufacturers specifically
Manufacturers are disproportionately targeted by ransomware in 2026. Three reasons: the production downtime cost makes the business more likely to pay; the OT-side vulnerabilities are often unpatched; the supply chain pressure means insurance companies, customers, and auditors are all asking about cyber posture.
The ASD Essential Eight is genuinely hard for manufacturers because of the unpatchable OT systems. We typically aim for Essential Eight Maturity Level 2 on the IT side, with compensating controls documented for the OT systems that can’t reach Level 2 directly. See our managed security for how we structure this.
Backup and recovery considerations
For a manufacturer, recovery time objective (RTO) is usually constrained by production scheduling. “We need to be back up by Monday morning” isn’t aspirational — it’s the difference between meeting customer commitments and not. Backup and disaster recovery for a manufacturer needs to cover ERP, file shares, M365, SCADA configurations, PLC programs, and recipe data. Test restores need to include the OT-side artefacts, not just the office-side ones.
Our endpoint security service covers the IT-side endpoints; we partner with OT-specialised vendors for the production-floor monitoring side.
Should you hire internally or use an MSP?
Most Melbourne manufacturers under 200 staff use an MSP for IT and engage the OT integrator (the company that installed the line) for OT-specific work. The MSP needs to understand the OT/IT boundary and have an incident playbook that includes coordinating with the OT integrator on a 4am Sunday.
Our managed IT services Melbourne service includes manufacturing-specific configuration during onboarding — VLAN review, OT/IT boundary documentation, integration risk register.
What to do next
If your factory has connections between IT and OT that nobody can fully document, that’s the priority. A two-day discovery to map every cross-boundary connection, document the business reason, and rationalise the firewall rules will pay for itself the first time it stops a production-disrupting incident.
Book a factory-floor walk-through — we’ll spend a day on site, review the IT/OT boundary, and send a written gap report. No commitment to engage further.
