TL;DR

  • Manufacturing is a top ransomware target — The Australian manufacturing sector faces frequent ransomware attacks due to high downtime costs and operational dependence on industrial systems. The ASD's Annual Cyber Threat Report 2024–2025 identifies manufacturing among the most targeted sectors.
  • OT/IT convergence creates new vulnerabilities — Industry 4.0, smart factories, and IoT-connected production lines have expanded the attack surface. Legacy industrial equipment with no built-in security is now networked, creating pathways for attackers to reach production systems.
  • The average data breach costs AUD $4.26 million — That figure comes from the IBM Cost of a Data Breach Report 2024, but manufacturing breaches often involve production downtime, lost orders, and equipment damage that multiply the cost.
  • Critical infrastructure obligations apply — Larger manufacturers may fall under the Security of Critical Infrastructure Act 2018 (SOCI Act) if they supply essential goods or services, bringing mandatory risk management and incident reporting requirements.

Why Manufacturing Businesses Are Cybersecurity Targets

Australian manufacturers contribute approximately AUD $120 billion annually to the economy and employ over 850,000 people across food and beverage processing, metal fabrication, machinery and equipment manufacturing, chemical production, and advanced manufacturing. This economic footprint, combined with increasingly connected production environments, makes manufacturing an attractive target for cybercriminals. The Australian Signals Directorate's Annual Cyber Threat Report 2024–2025 consistently ranks manufacturing among the top five most targeted sectors, with ransomware accounting for the majority of incidents.

Manufacturing presents a uniquely complex cybersecurity challenge because it spans two distinct technology environments: corporate IT networks (email, financial systems, ERP, employee data) and operational technology (OT) on the factory floor (PLCs, CNC machines, robotics, industrial IoT). These environments were historically isolated from each other — air-gapped for safety and reliability — but Industry 4.0 initiatives have driven integration: MES (Manufacturing Execution Systems) connecting ERP to production lines, remote monitoring and predictive maintenance, and cloud-based quality management systems. This IT-OT convergence improves operational efficiency but also creates pathways for attackers who compromise the corporate network to move laterally into production systems.

A cybersecurity incident in a manufacturing environment is not just a data breach — it is an operational disruption. Ransomware that encrypts ERP systems prevents order processing and shipping. Ransomware that reaches OT systems can shut down production lines, cause equipment damage by manipulating machine parameters, and create safety hazards. The 2021 JBS Foods ransomware attack — which disrupted meat processing operations in Australia and globally — demonstrated how a single incident can impact supply chains, production capacity, and food security. JBS paid an AUD $14 million ransom to restore operations, highlighting the difficult trade-off manufacturers face when production is at stake.


The Top 3 Cybersecurity Threats for Manufacturing

1. Ransomware Targeting Production Systems

Ransomware is the defining cyber threat for Australian manufacturers. Attackers understand that manufacturers have low tolerance for downtime — halted production means missed delivery deadlines, standing charges for idle equipment, lost perishable inventory in food processing, and contractual penalties. The ASD's 2024–2025 Threat Report documents multiple ransomware incidents affecting Australian manufacturers, with attackers specifically targeting industrial environments. Modern ransomware families like LockBit, BlackCat (ALPHV), and Conti have published materials specifically targeting manufacturing companies, and some variants include functionality to attack industrial control systems.

The IT-OT convergence means that a phishing email compromising a corporate laptop can become a pathway to OT systems. Once inside the production environment, attackers can encrypt PLC logic, disable safety interlocks, or manipulate machine parameters — potentially causing equipment damage or creating unsafe operating conditions. The Cyber Security Act 2024 introduces mandatory ransomware payment reporting from 30 May 2025 for entities with turnover above AUD $3 million — meaning that a manufacturer's decision to pay or not pay ransom must be reported to the ASD within 72 hours, adding regulatory complexity to an already difficult operational decision.

2. Supply Chain and Third-Party Software Vulnerabilities

Manufacturers rely heavily on specialised software and equipment vendors: ERP systems (SAP, Oracle, Pronto Xi, MYOB Advanced), MES platforms, SCADA/HMI software (Wonderware, Ignition, Citect), CAD/CAM systems, industrial IoT platforms, and machine builders' proprietary controllers. Each vendor represents a potential supply chain attack vector. The 2023 MOVEit Transfer vulnerability demonstrated how a single compromised file transfer software vendor could cascade across thousands of organisations, including Australian manufacturers through their IT service providers or software supply chains.

Legacy OT equipment presents particular challenges. Many CNC machines, injection moulding systems, and industrial controllers shipped with Windows 7 Embedded or XP Embedded — operating systems that are now end-of-life and unsupported. These systems often cannot be patched without affecting machine functionality, and they cannot be replaced without capital expenditure. They may have hardcoded passwords, exposed VNC or RDP services for remote maintenance by machine vendors, and no native security controls. When these systems are connected to the network for Industry 4.0 integration, they become high-risk entry points.

3. Intellectual Property Theft and Espionage

Australian manufacturers increasingly compete on innovation — advanced materials, proprietary manufacturing processes, specialised product designs, and automation know-how. This intellectual property is valuable to foreign competitors and state-sponsored actors seeking to accelerate their own industrial capabilities. The exfiltration of CAD files, process formulations, or production methodologies can cause long-term commercial harm. Insider threats — both malicious insiders and negligent employees — pose a significant risk. A departing engineer taking proprietary designs to a competitor, or a supplier inadvertently exposing sensitive specifications through unauthorised cloud storage, can erode competitive advantage.

For manufacturers in the defence supply chain, the risks are even higher. The Defence Export Controls regime regulates the transfer of defence and strategic goods technology, and cybersecurity failures that result in exfiltration of controlled technical data can trigger both regulatory penalties and national security implications. The Defence Industry Security Program (DISP) — see section below — imposes specific cybersecurity obligations on defence contractors.


Compliance Requirements for Manufacturing

Australian manufacturers face a layered compliance environment. The complexity scales with company size, industry sector, and customer base:

Security of Critical Infrastructure Act 2018 (SOCI Act)

Manufacturing assets may be captured as critical infrastructure under the SOCI Act if they produce or supply essential goods (food, beverages, medical supplies, chemicals, etc.) or if they are part of critical supply chains. The Act establishes a positive security obligation for operators to maintain and implement risk management programmes addressing cybersecurity hazards. Since the 2022 amendments, operators of "critical infrastructure assets of national significance" may be subject to enhanced obligations including government assistance directions and mandatory incident reporting. The ASD maintains a register of critical infrastructure assets, and manufacturers should confirm whether their facilities are captured.

Cyber Security Act 2024 (Cth)

Enacted in November 2024, the Cyber Security Act introduces mandatory ransomware payment reporting (effective 30 May 2025) for entities with annual turnover above AUD $3 million. Manufacturers in this bracket must report to the ASD within 72 hours of making or having made a ransom payment. The Act also enables the National Cyber Security Coordinator to request information and issue directions following significant cyber incidents.

Privacy Act 1988 (Cth) and Australian Privacy Principles (APPs)

Manufacturers that hold employee personal information, customer records, or supplier data must comply with the Privacy Act and APPs. The Notifiable Data Breach (NDB) scheme requires notification to the OAIC and affected individuals of eligible data breaches. The Privacy and Other Legislation Amendment Act 2024 (effective 11 December 2024) strengthened enforcement: civil penalties can now reach AUD $50 million for serious or repeated breaches. Note: the small business exemption ($3M turnover threshold) does not apply if the business handles sensitive personal information — which catches many manufacturers with health and safety records or employee medical information.

Work Health and Safety (WHS) Legislation

State and territory WHS laws impose a primary duty of care on manufacturers to ensure worker safety. A cybersecurity incident that causes equipment malfunction, uncontrolled machine operation, or loss of safety systems could breach WHS obligations. Safe Work Australia has issued guidance on cybersecurity as a WHS risk, and regulators increasingly expect cyber risk to be integrated into safety management systems — particularly where safety instrumented systems (SIS) are networked.

Defence Industry Security Program (DISP)

For manufacturers in the defence supply chain — even as sub-tier suppliers — DISP imposes specific cybersecurity requirements. DISP membership is mandatory for all defence industry participants, and the DISP Cyber Security Guidelines map closely to the ASD Essential Eight and ISO 27001. Defence primes are increasingly requiring DISP compliance or certification from their suppliers, creating a cascading compliance expectation through the supply chain.

ASD Essential Eight

While not legally mandated, the ASD's Essential Eight mitigation strategies are the de facto baseline for Australian government procurement and are increasingly expected by major customers and insurers. For manufacturers, the Essential Eight must be adapted for OT environments — requiring close coordination between IT security teams and plant engineers.


The lilMONSTER Security Checklist for Manufacturing

These controls address the unique risk profile of manufacturers where corporate IT and operational technology intersect:

  1. Network segmentation between IT and OT, with strict separation — Separate corporate networks from production systems. Use unidirectional gateways (data diodes) or DMZs for any necessary communication between ERP and MES/SCADA. Never allow direct internet access from PLC networks. Implement jump servers with MFA for remote machine vendor access.

  2. Inventory all OT assets and firmware versions — You cannot secure what you cannot see. Build a comprehensive register of all PLCs, HMIs, industrial PCs, CNC controllers, robotics systems, and industrial IoT devices. Track firmware versions, known vulnerabilities, patch feasibility, and end-of-life dates. Prioritise remediation for assets that are internet-exposed or safety-critical.

  3. Patch internet-facing systems within 48 hours — VPN concentrators, remote access gateways, and ERP servers with internet exposure are the highest-risk initial access vectors. Apply critical security patches within 24 hours; other patches within 48 hours. For OT assets that cannot be patched without production disruption, implement compensating controls (network segmentation, application allow-listing, restricted access).

  4. MFA for all remote access — including vendors and machine builders — Attackers frequently compromise legitimate remote access credentials. Require multi-factor authentication for VPN, RDP, SSH, and any vendor remote support platforms. Use hardware security keys or phishing-resistant MFA where possible. Rotating contractor and vendor credentials quarterly reduces exposure.

  5. Offline, immutable backups for IT and OT configurations — Back up both corporate data (ERP, CAD files, financial systems) and OT configurations (PLC logic, HMI projects, CNC parameters). Store at least one backup copy offline or in immutable storage that ransomware cannot reach. Test restoration quarterly — including restoration of PLC logic to test equipment. Many manufacturers discover their OT backups are incomplete only after a ransomware incident.

  6. Application allow-listing for OT and engineering workstations — Traditional antivirus is often ineffective on legacy OT systems. Implement application allow-listing (formerly called whitelisting) so that only pre-approved executables can run on HMIs, engineering workstations, and industrial PCs. This prevents unauthorised malware from executing even if initial access is achieved.

  7. Vendor and supply chain security review — Assess the cybersecurity posture of machine builders, OT integrators, and software vendors. Require security clauses in contracts specifying notification obligations, liability for breaches originating from vendor systems, and minimum security standards. Review the security of any cloud-based MES, quality management, or predictive maintenance platforms before deployment.

  8. Incident response plan with OT-specific playbooks — Standard incident response plans assume you can "isolate affected systems" — but in a manufacturing environment, shutting down a production line may not be operationally feasible. Document OT-specific procedures: manual fallback modes, safe machine shutdown sequences, and communication protocols with production managers. Conduct tabletop exercises annually involving both IT and operations teams.
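Checklist items 2 and 3 describe an OT asset register that tracks end-of-life dates, patch feasibility and exposure, and a patch SLA of 24 hours for critical fixes and 48 hours for the rest. The following is an added example, not lilMONSTER's code or a tool the page names, of what that register and SLA check look like in working Python. The asset entries, patch records, reference date and the scoring weights are constructed for illustration; the weights simply follow the page's stated priorities (internet-exposed and safety-critical first, then end-of-life and open findings).

```python
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

TODAY = date(2025, 9, 1)            # fixed reference date (constructed)
NOW = datetime(2025, 9, 1, 9, 0)    # fixed reference time (constructed)


@dataclass
class Asset:
    name: str
    kind: str                   # PLC, HMI, CNC, IPC, VPN gateway, ...
    os: str
    zone: str                   # IT, DMZ or OT
    internet_exposed: bool
    safety_critical: bool
    patchable: bool             # can be patched without production disruption
    eol: Optional[date] = None  # vendor end-of-support date, if known
    open_vulns: int = 0         # known, unremediated vulnerabilities


def is_end_of_life(asset: Asset, today: date = TODAY) -> bool:
    return asset.eol is not None and asset.eol <= today


def risk_score(asset: Asset, today: date = TODAY) -> int:
    """Higher scores are remediated first. Weights are an illustrative choice:
    internet exposure and safety criticality dominate, end-of-life status and
    open findings add to the score."""
    score = 0
    if asset.internet_exposed:
        score += 40
    if asset.safety_critical:
        score += 30
    if is_end_of_life(asset, today):
        score += 20
    score += 2 * min(asset.open_vulns, 5)
    return score


def remediation_plan(assets, today: date = TODAY) -> list:
    """Order assets by risk and attach the action item 3 calls for: patch
    where possible, compensating controls where patching is not feasible."""
    plan = []
    for asset in sorted(assets, key=lambda a: risk_score(a, today), reverse=True):
        if asset.patchable:
            action = "patch"
        else:
            action = "compensating controls: segment, allow-list, restrict access"
        plan.append((asset.name, risk_score(asset, today), action))
    return plan


def patch_deadline(released: datetime, severity: str) -> datetime:
    """Item 3: critical patches within 24 hours, all others within 48 hours."""
    return released + timedelta(hours=24 if severity == "critical" else 48)


def overdue_patches(patches, now: datetime = NOW) -> list:
    """patches: (asset, severity, released_at, applied_at or None).
    Returns patches applied after their deadline or still missing past it."""
    late = []
    for asset, severity, released, applied in patches:
        deadline = patch_deadline(released, severity)
        if applied is None and now > deadline:
            late.append((asset, severity, "not applied"))
        elif applied is not None and applied > deadline:
            late.append((asset, severity, "applied late"))
    return late


# Constructed register entries and patch records for the demonstration.
ASSETS = [
    Asset("cnc-01", "CNC", "Windows XP Embedded", "OT", False, True, False,
          eol=date(2014, 4, 8), open_vulns=3),
    Asset("vpn-gw", "VPN gateway", "vendor firmware", "IT", True, False, True,
          open_vulns=1),
    Asset("hmi-line2", "HMI", "Windows 10 IoT", "OT", False, False, True,
          eol=date(2027, 1, 12)),
    Asset("plc-press", "PLC", "vendor firmware", "OT", False, True, False),
]
PATCHES = [
    ("vpn-gw", "critical", datetime(2025, 8, 30, 9, 0), datetime(2025, 8, 31, 8, 0)),
    ("hmi-line2", "high", datetime(2025, 8, 28, 12, 0), None),
    ("vpn-gw", "critical", datetime(2025, 8, 29, 9, 0), datetime(2025, 8, 31, 8, 0)),
]

if __name__ == "__main__":
    for name, score, action in remediation_plan(ASSETS):
        print(f"{score:3d} {name:10s} {action}")
    for asset, severity, status in overdue_patches(PATCHES):
        print(f"SLA miss: {asset} ({severity}) {status}")
```

On the constructed data the end-of-life CNC controller ranks first and is routed to compensating controls because it cannot be patched, the internet-facing VPN gateway ranks second, and the SLA check flags one missing HMI patch and one critical gateway patch that landed a day late. A real register would be fed from a discovery tool or a maintained spreadsheet rather than literals, but the scoring and deadline logic stay the same.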

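Checklist item 5 warns that many manufacturers only discover their OT backups are incomplete after an incident. One cheap, repeatable check is to record a SHA-256 manifest when the backup is taken and verify every copy against it before relying on it. The script below is an added example, not lilMONSTER's code or any backup product's tooling; the file names and contents are constructed, and the scenario it runs through (a lost PLC project and a silently changed CNC parameter file) is simulated in a temporary directory so it runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large PLC/HMI project archives do not sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Record relative path -> SHA-256 for every file under the backup root.
    Keep the manifest on a different medium from the backup itself, so a
    corrupted or tampered copy cannot also rewrite its own manifest."""
    return {
        path.relative_to(backup_root).as_posix(): sha256_file(path)
        for path in sorted(backup_root.rglob("*"))
        if path.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare a backup copy against its manifest. All three lists empty
    means the copy is complete and unmodified."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Constructed scenario: take a manifest of a small OT backup set, verify
    the fresh copy, then simulate a copy that lost a PLC project file and
    had a CNC parameter file altered."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "plc").mkdir()
        (root / "plc" / "press_line1.prj").write_bytes(b"constructed PLC project")
        (root / "hmi_line2.proj").write_bytes(b"constructed HMI project")
        (root / "cnc_params.csv").write_text("axis,feed\nX,1200\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        (root / "plc" / "press_line1.prj").unlink()
        (root / "cnc_params.csv").write_text("axis,feed\nX,9999\n")
        broken = verify_backup(root, manifest)
    return clean, broken


if __name__ == "__main__":
    clean, broken = demo()
    print("fresh copy:", clean)
    print("damaged copy:", broken)
```

Run this against the offline or immutable copy as part of the quarterly restoration test the page recommends; a hash match proves the files are intact, while the restore to test equipment proves they are actually usable.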

How Much Does Cybersecurity Cost for a Manufacturing Business?

Cybersecurity investment scales with operational complexity, but a breach costs far more.

Spend                         What it covers
AUD $8,000–25,000/year        SME essentials: MFA, endpoint detection, network segmentation review, annual training, backup verification
AUD $25,000–100,000/year      Mid-tier: managed security monitoring (SIEM/SOC), vulnerability management, OT asset inventory, quarterly phishing simulations
AUD $100,000–400,000/year     Enterprise: dedicated OT security assessment, industrial firewall deployment, 24/7 SOC with OT expertise, DISP or SOCI Act compliance programme

Cost of a breach for a manufacturer:

  • Average Australian data breach: AUD $4.26 million (IBM, 2024)
  • Production downtime: $10,000–500,000 per day depending on facility size and product margins
  • Lost orders and contract penalties: potentially millions for just-in-time supply chains
  • Equipment damage from unsafe operation: potentially hundreds of thousands in repair costs
  • WHS regulatory action: fines up to $10 million for corporations under model WHS laws if a cyber incident causes worker injury

Cyber liability insurance for manufacturers typically costs AUD $5,000–30,000/year depending on revenue, industry sector, and security posture. Insurers increasingly require evidence of OT security controls — network segmentation, MFA, and tested backups — as conditions of coverage, particularly for manufacturers with significant OT footprints.


FAQ

A foundational cybersecurity programme for a small-to-medium Australian manufacturer typically starts at AUD $10,000–30,000 per year, covering network segmentation between IT and OT, multi-factor authentication for all remote access, endpoint protection, encrypted backups, and annual staff training. Managed security services (MSSP) with OT expertise typically run AUD $30,000–100,000/year depending on operational complexity. An OT-specific security assessment — covering PLCs, HMIs, and industrial networks — costs AUD $15,000–60,000 per engagement. For context, a single day of unplanned production downtime can cost AUD $10,000–500,000 in lost margin alone, before equipment damage, lost orders, and regulatory costs.

The greatest cybersecurity risk for Australian manufacturers is ransomware that bridges the IT-OT boundary — compromising corporate systems through phishing, then moving laterally into production control systems. A successful attack can shut down production lines, damage equipment, and manipulate safety-critical systems. The ASD's Annual Cyber Threat Report 2024–2025 identifies manufacturing as a high-priority target. Legacy OT systems with unpatchable vulnerabilities, combined with increasing IT-OT convergence for Industry 4.0 initiatives, create a vulnerable attack surface. The 2021 JBS Foods ransomware attack demonstrated the operational impact possible on Australian manufacturing.

ISO 27001 is not legally mandated for most manufacturers, but it is increasingly expected by major customers, particularly in defence, aerospace, medical devices, and automotive supply chains. For defence contractors, DISP compliance is mandatory and aligns closely with ISO 27001 and the ASD Essential Eight. Some manufacturers choose IEC 62443 — the international standard for industrial automation and control systems security — as a complement or alternative to ISO 27001. lilMONSTER can assess which framework or combination best fits your operational environment and customer requirements.

Annual penetration testing is recommended for manufacturers, with separate scopes for corporate IT and operational technology. IT penetration testing should be conducted annually and after major system changes. OT security assessments require specialised expertise: they typically involve vulnerability scanning of industrial devices, configuration review of PLCs and HMIs, and testing of network segmentation between IT and OT. OT assessments should be scheduled carefully to avoid disrupting production — many organisations schedule them during planned maintenance shutdowns. DISP and SOCI Act risk management programmes should include regular testing of cybersecurity controls.
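Testing the IT/OT segmentation described above (and in checklist item 1) does not have to wait for an annual assessment: firewall connection logs can be checked continuously against the zone policy. The script below is an added example, not lilMONSTER's code or any firewall vendor's format. The zone subnets, the jump host address, the key=value record layout and the sample log lines are all constructed; the policy it enforces is the page's own (IT reaches OT only via the DMZ, PLC networks never reach the internet, vendors land on the jump host only).

```python
import ipaddress
from typing import Optional

# Constructed zone map: corporate IT, an industrial DMZ between IT and the
# plant, and the PLC/HMI cell network. Anything else is treated as INTERNET.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.20.0.0/24")],
    "OT": [ipaddress.ip_network("192.168.100.0/24")],
}
JUMP_HOST = "10.20.0.5"  # constructed: MFA-protected jump server in the DMZ

# Zone pairs the segmentation policy permits for new connections.
ALLOWED = {
    ("IT", "IT"), ("DMZ", "DMZ"), ("OT", "OT"),
    ("IT", "DMZ"), ("DMZ", "IT"),    # ERP <-> MES via the DMZ
    ("DMZ", "OT"), ("OT", "DMZ"),    # MES/historian <-> SCADA and PLCs
    ("IT", "INTERNET"),              # corporate browsing, patch downloads
    ("INTERNET", "DMZ"),             # vendor remote access, jump host only
}


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or INTERNET if it is in none."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "INTERNET"


def parse_flow(line: str) -> dict:
    """Parse one constructed key=value connection record (not a vendor format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return {"src": fields["src"], "dst": fields["dst"],
            "dport": int(fields["dport"]), "proto": fields["proto"]}


def check_flow(flow: dict) -> Optional[str]:
    """Return the policy violation for a flow, or None if it is permitted."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == "OT" and dst == "INTERNET":
        return "PLC network reaching the internet"
    if src == "INTERNET" and dst == "DMZ" and flow["dst"] != JUMP_HOST:
        return "external access to a DMZ host other than the jump server"
    if (src, dst) not in ALLOWED:
        return f"{src}->{dst} is not permitted by the segmentation policy"
    return None


def find_violations(lines) -> list:
    """Run every record through the policy and collect the violations."""
    violations = []
    for line in lines:
        flow = parse_flow(line)
        reason = check_flow(flow)
        if reason is not None:
            violations.append((flow["src"], flow["dst"], flow["dport"], reason))
    return violations


# Constructed sample of new-connection records from a perimeter firewall.
SAMPLE_LOG = [
    "src=10.10.4.21 dst=10.20.0.10 dport=443 proto=tcp",       # ERP -> MES in DMZ
    "src=10.20.0.20 dst=192.168.100.12 dport=502 proto=tcp",   # historian polls PLC
    "src=192.168.100.12 dst=203.0.113.7 dport=443 proto=tcp",  # PLC -> internet
    "src=10.10.4.21 dst=192.168.100.30 dport=3389 proto=tcp",  # IT laptop -> HMI
    "src=198.51.100.9 dst=10.20.0.5 dport=22 proto=tcp",       # vendor -> jump host
    "src=198.51.100.9 dst=10.20.0.20 dport=5900 proto=tcp",    # vendor -> historian
]

if __name__ == "__main__":
    for src, dst, port, reason in find_violations(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port}: {reason}")
```

The check assumes the log records new connections only (reply traffic would otherwise show as INTERNET->IT). Three of the six constructed records violate the policy: a PLC talking to the internet, a corporate laptop opening RDP straight to an HMI, and a vendor reaching a DMZ historian without going through the jump host. Any of these in a real log is worth a ticket, whether it turns out to be a misconfigured rule or an actual intrusion path.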

If a manufacturer suffers a significant cyber incident, multiple obligations may be triggered: (1) Report to the ASD under SOCI Act if the facility is a critical infrastructure asset — reporting is mandatory for assets of national significance and may be mandatory for other assets. (2) Notify the OAIC under the Notifiable Data Breach scheme if personal information was accessed. (3) Report ransom payments to the ASD within 72 hours (for manufacturers with turnover >$3M, from 30 May 2025) under the Cyber Security Act 2024. (4) Notify WHS regulators if the incident created a safety risk or resulted in worker injury. (5) Engage with shareholders and ASX if the incident is material to listed entities. (6) Notify defence customers if controlled technical data was affected — DISP requirements may apply. Failure to report under SOCI Act can attract significant civil penalties.


References

[1] Australian Signals Directorate (ASD), "Annual Cyber Threat Report 2024–2025," Australian Government, 2025. [Online]. Available: https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025

[2] IBM Security, "Cost of a Data Breach Report 2024," IBM Corporation, Jul. 2024. [Online]. Available: https://www.ibm.com/reports/data-breach

[3] Australian Government, "Security of Critical Infrastructure Act 2018 (Cth)," Federal Register of Legislation, 2024. [Online]. Available: https://www.legislation.gov.au/

[4] Australian Government, "Cyber Security Act 2024 (Cth)," Federal Register of Legislation, Nov. 2024. [Online]. Available: https://www.legislation.gov.au/

[5] Department of Defence, "Defence Industry Security Program (DISP)," Australian Government, 2024. [Online]. Available: https://www.defence.gov.au/

[6] Safe Work Australia, "Cybersecurity and Work Health and Safety," Safe Work Australia, 2024. [Online]. Available: https://www.safeworkaustralia.gov.au/

[7] Australian Cyber Security Centre (ACSC), "Essential Eight Mitigation Strategies," Australian Government, 2024. [Online]. Available: https://www.cyber.gov.au/publications/essential-eight-mitigation-strategies

[8] Deloitte, "Manufacturing Industry 4.0: Cybersecurity Challenges," Deloitte Insights, 2024. [Online]. Available: https://www2.deloitte.com/

[9] Tenable, "2024 Threat Landscape Report: Operational Technology," Tenable, 2024. [Online]. Available: https://www.tenable.com/

[10] Australian Industry Group, "Cybersecurity for Manufacturers — A Practical Guide," Ai Group, 2024. [Online]. Available: https://www.aigroup.com.au/


Need help securing your Manufacturing business? Book a free consultation with lilMONSTER — Australia's no-BS cybersecurity team for SMBs.