Industrial Data & IIoT · MAY 2026 · Updated JUNE 2026 · 11 min read

OT Cybersecurity for Australian Food Manufacturers: What the Standards Actually Require

Key points

1. Food sites have accumulated connectivity they did not plan for

Remote access for equipment vendors, historian connections to the corporate network, and ERP integrations have been added over time without a consistent security architecture, leaving paths into production that nobody documented.

2. FSANZ record integrity and recall exposure make security a food-safety issue

Batch traceability data, CIP validation logs and temperature records are generated by control systems. If those records are altered or unavailable, recall scope widens and audit positions weaken, which moves OT security out of engineering and into compliance.

3. ISA/IEC 62443 and NIST SP 800-82 give the framework, but most food sites start simpler

An accurate asset inventory and a verified OT/IT boundary are the right first steps. Full zone and conduit architecture, with target security levels, follows once the baseline is understood.

OT cybersecurity in Australian food manufacturing gets less attention than it deserves. The focus tends to land on IT systems, email, corporate networks and business applications, while the control systems running production lines, CIP circuits and cold chain equipment are left with whatever network arrangement was put in place when they were installed. That arrangement is often not what most people would consider secure. Metromotion Controls is a control systems integrator based in Mount Waverley that designs and commissions control systems for food and beverage manufacturers across Melbourne, Victoria and Australia, and this guide sets out the standards, the food-sector specifics and a worked example in the practitioner voice used on site.

This post is the food-sector companion to our general guide on OT network security for Australian manufacturing, which covers the segmentation architecture, the Purdue model and secure remote access in depth. Here the focus is narrower: what changes when the plant makes food, where the regulatory pressure comes from, and how the standards apply to records integrity, recall exposure and production continuity. It supports our OT networks service and the broader food and beverage automation work that connects plant data to business systems.

The risk is not theoretical. Food and beverage businesses worldwide have been forced to halt production by ransomware that reached or isolated OT systems. The impact extends past downtime. When a control system is compromised, the integrity of the food-safety records and traceability data that regulators and retailers rely on is also in question, which widens recall scope and weakens audit positions.

How food sites accumulated their current exposure

Most food manufacturing sites did not set out to build an insecure OT network. The exposure developed incrementally, one reasonable decision at a time:

  • Vendor remote access. Equipment OEMs requested remote access for commissioning and support. VPN connections were set up, sometimes permanently and sometimes without documentation. Many of those connections are still open, with credentials nobody can attribute to a person.
  • Historian and ERP integration. Production data was pulled through to corporate systems for reporting and scheduling. The connection that makes the data flow also creates a path between the corporate network and the OT environment.
  • Flat networks inherited from older installations. Control systems installed before modern connectivity was standard were often placed on flat networks. When connectivity was added later, separation between OT and IT was not always built in.
  • Recipe and label systems bridging both worlds. Recipe management, label printing and quality systems often need data from both IT and OT, so they end up dual-homed or trusted by both networks, which quietly removes the boundary.

The pattern is the same one described in the general OT network security guide: connectivity was added under time pressure and rarely reviewed afterwards. What is specific to food is what sits behind those paths, namely the systems that produce the records a recall depends on.

Why food manufacturing has specific OT security considerations

General OT security guidance applies in full. Food manufacturing then adds characteristics that change how the controls should be prioritised.

FSANZ record integrity. Food Standards Australia New Zealand sets the Food Standards Code, which requires food businesses to keep accurate records and to be able to trace product one step forward and one step back. Batch records, CIP validation logs and temperature records are all generated by control systems. If the control system is compromised, the integrity and availability of those records is in question, which is a regulatory and food-safety problem, not just an operational one. The data integrity concern is the same one that drives MES and SCADA integration in food plants: the records have to be trustworthy at the point they are captured.

Recall exposure. Traceability data exists so that a recall can be scoped tightly to the affected product. If that data is encrypted, altered or simply unavailable during an incident, the safe response is to widen the recall rather than narrow it, because you cannot prove which product is unaffected. A security incident that touches the traceability chain therefore multiplies the cost of any subsequent quality event.

Production continuity and cold chain. Food production is continuous or tightly scheduled, and in-process product spoils. When ransomware or a control-system failure halts a line, the cost goes beyond deferred output. In-process product can be destroyed, the cold chain can break, and delivery windows to retailers who penalise short supply can be missed. Availability is already the priority in OT, and in food the cost of losing it is higher and faster.

Hygiene-related network zones. Food plants are often divided into hygiene zones. Those zones sometimes correspond to network segments and sometimes do not. Understanding the relationship between physical hygiene zones and network architecture matters when defining the OT security model, because the natural process boundaries can become useful zone boundaries.

High OEM machine count. Food processing sites typically have many machines from different OEMs, each with its own connectivity requirements. Managing vendor access across that many machines, each potentially with a different remote-access mechanism, creates complexity that is hard to govern informally and easy to lose track of.

The standards that govern food-sector OT security

Three reference frameworks carry most of the weight, and they fit together rather than compete. The architecture is common to all OT; the food-sector emphasis is on protecting the assets that generate records and on keeping production available.

ISA/IEC 62443 is the international series for the security of industrial automation and control systems, developed by the ISA99 committee and the IEC. It defines the zones-and-conduits model and the SL 1 to SL 4 security levels, and it sets requirements across asset owners, integrators and product suppliers. The series is published through the IEC and described by ISA as the ISA/IEC 62443 series. It is the primary standard most Australian food sites should design to.

NIST SP 800-82 is the Guide to Operational Technology (OT) Security from the US National Institute of Standards and Technology. Revision 3 broadened its scope from industrial control systems to operational technology generally and aligns with the NIST Cybersecurity Framework. It covers risk management, network architecture, patching constraints and a large catalogue of controls tailored to OT, and it is freely downloadable, which makes it a practical companion to the paid IEC series.

The ACSC Essential Eight is the Australian baseline, covered in the Australian-context section below. It is the strategy set most Australian organisations are measured against, and it maps usefully onto the IT-like assets in a plant.

| Standard | What it provides | Food-sector relevance |
|---|---|---|
| ISA/IEC 62443 | Zones, conduits, security levels SL 1 to SL 4, role requirements | Primary OT security reference; frames how records-generating zones are protected |
| NIST SP 800-82 Rev 3 | Detailed OT control catalogue, risk-based guidance | Free, detailed companion; risk-based patching for validated CIP and process control |
| ACSC Essential Eight | Baseline mitigation strategies for IT-like assets | Australian baseline for HMIs, engineering stations and backups |
| FSANZ Food Standards Code | Records accuracy and traceability obligations | Why record integrity is a compliance issue as well as an engineering one |

The architectural detail of zones, conduits and the Purdue model is set out fully in the general OT network security guide. This post does not repeat it. What follows is how the model lands on a food plant.

What ISA/IEC 62443 means for a food plant

ISA/IEC 62443 is built around three ideas that translate directly to food manufacturing.

A zone is a grouping of assets that share a security requirement, such as the controllers and HMIs of one process area or the systems that hold batch and traceability records. A conduit is a controlled communication path between zones, such as the link from the SCADA gateway up to MES, or the historian feed to ERP. Each zone is assigned a target security level from SL 1 (protection against casual or coincidental misuse) to SL 4 (protection against a sophisticated, well-resourced and motivated attacker).

| Concept | What it means | Applied to a food site |
|---|---|---|
| Zone | A group of assets with similar security requirements | Process-area PLCs and HMIs; the records and historian zone; CIP control |
| Conduit | A controlled path between zones | Firewall-enforced link from SCADA gateway to MES; historian feed to ERP |
| Security level | A rating of how strong the controls at a boundary need to be | Higher target on the zone that holds traceability and batch records |

The practical effect is that every flow in and out of the control system has to be named and justified, including the historian-to-ERP feed that quality reporting depends on, and every OEM remote-access path. A flow that nobody can name is a flow that should not exist. For food sites, the zone that holds batch records, CIP validation logs and traceability data usually warrants a higher target security level than a general process area, because the consequence of tampering there is regulatory as well as operational. The discipline of PLC, SCADA and HMI engineering carries through here, because the same systems that run the process also capture the records.

A worked example: scoping a mid-sized dairy plant

The following figures are illustrative engineering values for a fictional mid-sized dairy plant, used to show how the model is applied. They are not measurements from any Metromotion Controls project or named client. Consider a site with a raw-milk intake area, a pasteurisation and process area, a CIP system shared across both, a packaging hall, a central historian feeding batch and traceability records, and a requirement to push production data to a corporate ERP and a cloud quality dashboard.

A typical zone-and-conduit design for that plant might look like this:

| Zone | Purdue level | Contents | Target SL |
|---|---|---|---|
| Intake and process | 1 to 2 | Process PLCs, HMIs, drives, instruments | SL 2 |
| CIP control | 1 to 2 | CIP PLC, valves, conductivity and temperature instruments | SL 3 |
| Packaging | 1 to 2 | Packaging PLCs, line HMIs, labellers | SL 2 |
| Records and supervisory | 3 | SCADA gateway, historian, batch and traceability records, engineering workstation | SL 3 |
| OT/IT DMZ | 3.5 | Reverse proxy, MQTT broker, historian replica, remote-access broker | SL 3 |
| Enterprise IT | 4 to 5 | ERP, quality dashboard, internet | Out of OT scope |

The conduits between those zones are then defined explicitly. For example, the SCADA gateway polls the process and CIP PLCs over the control protocol through a firewall rule that permits only the gateway host and only the required ports. The historian replicates to a copy in the demilitarised zone, and the MQTT broker there receives published data from the gateway, with sessions always originating in OT and terminating in the demilitarised zone, never the reverse. The ERP reads from the historian replica and the cloud dashboard subscribes to the broker, both pulling from the demilitarised zone, so no enterprise system addresses an OT asset directly. Vendor and engineering remote sessions terminate at the remote-access broker in the demilitarised zone behind multi-factor authentication, brokered onward to a specific asset only for the duration of an authorised session.

Two food-specific points stand out in this example. The CIP control zone is given a higher target level (SL 3) than a general process area because a CIP cycle that is altered or skipped is a direct food-safety hazard, and the same logic that governs CIP automation in hygienic processing applies to its security. The records and supervisory zone also sits at SL 3, because that is where batch genealogy and traceability data live, and that data is what a recall depends on. A typical first engagement on a brownfield dairy site would not build all of this at once; it would inventory the assets, verify the OT/IT boundary, and then raise the CIP and records zones first.
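The conduit rules described for the dairy plant can be checked mechanically against a flow inventory exported from the firewalls. The following is an added example, not code from Metromotion Controls or from any standard; the zone names follow the table above, while the host names, ports and sample flows are constructed for illustration.

```python
from dataclasses import dataclass

# Zone names follow the fictional dairy plant; host names and ports are constructed.
FIELD_ZONES = {"intake_process", "cip_control", "packaging"}   # Purdue 1 to 2
OT_ZONES = FIELD_ZONES | {"records_supervisory"}                # adds Purdue 3
DMZ = "ot_it_dmz"                                               # Purdue 3.5
ENTERPRISE = "enterprise_it"                                    # Purdue 4 to 5
GATEWAY = "scada-gateway"          # assumed name of the only host allowed to poll PLCs
BROKER = "remote-access-broker"    # assumed name of the DMZ remote-access broker


@dataclass(frozen=True)
class Flow:
    src_zone: str
    src_host: str
    dst_zone: str
    dst_host: str
    port: int
    purpose: str                  # empty means nobody could name the flow
    session_bound: bool = False   # True only for an authorised, time-limited session


def check_flow(f):
    """Return the conduit rules that a single flow breaks (empty list if none)."""
    findings = []
    if not f.purpose.strip():
        findings.append("unnamed flow")
    if f.src_zone == ENTERPRISE and f.dst_zone in OT_ZONES:
        findings.append("enterprise addresses OT directly")
    if f.src_zone in OT_ZONES and f.dst_zone == ENTERPRISE:
        findings.append("OT session does not terminate in the DMZ")
    if f.src_zone == DMZ and f.dst_zone in OT_ZONES:
        if f.src_host != BROKER:
            findings.append("session initiated from DMZ into OT")
        elif not f.session_bound:
            findings.append("standing remote-access path")
    if (f.dst_zone in FIELD_ZONES and f.src_zone in OT_ZONES
            and f.src_zone != f.dst_zone and f.src_host != GATEWAY):
        findings.append("PLC zone reached by a host other than the SCADA gateway")
    return findings


def audit(flows):
    """Return {index: findings} for every flow that breaks a conduit rule."""
    report = {}
    for i, f in enumerate(flows):
        findings = check_flow(f)
        if findings:
            report[i] = findings
    return report


# Constructed flow inventory: indices 0 to 3 and 6 match the design, the rest do not.
SAMPLE_FLOWS = [
    Flow("records_supervisory", GATEWAY, "cip_control", "cip-plc", 502, "SCADA polling of CIP PLC"),
    Flow("records_supervisory", "historian", DMZ, "historian-replica", 1433, "historian replication"),
    Flow("records_supervisory", GATEWAY, DMZ, "mqtt-broker", 8883, "publish production data"),
    Flow(ENTERPRISE, "erp", DMZ, "historian-replica", 1433, "ERP reads batch data from replica"),
    Flow(ENTERPRISE, "erp", "records_supervisory", "historian", 1433, "legacy ERP report"),
    Flow(DMZ, BROKER, "packaging", "labeller-plc", 443, "OEM support"),
    Flow(DMZ, BROKER, "cip_control", "cip-plc", 443, "authorised OEM session", True),
    Flow("packaging", "label-pc", "cip_control", "cip-plc", 502, ""),
    Flow(DMZ, "mqtt-broker", "records_supervisory", GATEWAY, 8883, "broker callback"),
]

if __name__ == "__main__":
    for index, findings in audit(SAMPLE_FLOWS).items():
        print(index, SAMPLE_FLOWS[index].src_host, "->", SAMPLE_FLOWS[index].dst_host, findings)
```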

How to decide where to start

Most food sites cannot do everything at once, so the question is which controls to apply first. A simple decision approach ranks each zone and conduit by consequence and exposure.

  • Consequence to food safety and traceability. Rate how much a compromise of the zone would affect product safety or the integrity of records. CIP control, the records and historian zone, and any system that authorises dispatch or prints labels rank highest. These earn the higher target security levels.
  • Consequence to production continuity. Rate how quickly a compromise would stop the line and spoil product. Continuous process areas and shared utilities rank above intermittent ones.
  • Exposure. Rate how reachable the zone is from less-trusted networks. Anything with a standing remote-access path, an internet route or a dual-homed bridge to IT ranks highest, regardless of its consequence rating, because exposure is what an attacker actually uses.

Where a zone scores high on both consequence and exposure, it is the first to harden. In practice that usually means the records zone and any conduit carrying remote vendor access, because those combine high consequence with the connectivity that makes them reachable. Low-consequence, low-exposure zones can wait. This same risk-based logic is what NIST SP 800-82 recommends for patch prioritisation: protect by exposure and consequence rather than trying to treat everything equally. For sites planning a wider modernisation, security scoping fits naturally into automation upgrade planning.

Protecting records integrity and production continuity

Two outcomes matter most in food: the records have to be trustworthy, and the line has to keep running. Several controls serve both.

Tamper-evidence and backup of records. Batch records, CIP validation logs and traceability data should be replicated to the demilitarised zone and backed up off the OT network on a schedule, with the backups tested by restore. A current, verified backup is what turns a ransomware incident into a recovery rather than a rebuild, and it is what lets quality demonstrate which records are intact. Backups of PLC programs, SCADA projects and recipes belong in the same regime, because recovering a CIP recipe or a process program is part of restoring production.

Segmentation around the records zone. Because the records zone carries the highest consequence, it benefits most from tight conduits. The historian feed to ERP should be initiated in one direction only, with OT pushing to the demilitarised zone and the ERP reading from a replica rather than reaching into OT. That keeps the corporate network, the most common entry point, away from the data that a recall depends on.

Managed remote access. Remote access is where the largest number of real sites fail, and on a multi-OEM food site the number of standing vendor paths is the recurring weak point. All remote access should route through a managed broker or jump host in the OT/IT demilitarised zone, behind multi-factor authentication, with each session authorised, time-limited, attributable to a named person and logged. Vendor access should be granted per session and revoked when the task is done, rather than left as a permanent VPN that nobody reviews. The detailed pattern is in the general OT network security guide; the food-specific point is that the OEM count makes disciplined brokering more valuable, not less.

Recovery planning tied to product. A recovery plan for a food plant should state how long the site can run, or must stop, if a given system is lost, and what happens to in-process product. That ties the security position to cold chain and spoilage, which is the language quality and operations teams use. Recovery planning is part of an ongoing support relationship rather than a one-off exercise.
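One way to make the backed-up records tamper-evident, so that a restore test can show which records are intact, is a sealed digest manifest written at capture time. This is an added example, not a method the page or any cited standard prescribes; the record fields, identifiers and key are constructed, and it assumes the manifest and its key are held off the OT network alongside the backups.

```python
import hashlib
import hmac
import json


def record_digest(record):
    """SHA-256 over a canonical JSON encoding, so key order cannot change the digest."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def _chain_tip(entries):
    """Fold all entries into one value; any edit, removal or reorder changes it."""
    tip = "0" * 64
    for e in entries:
        tip = hashlib.sha256((tip + e["record_id"] + e["digest"]).encode("utf-8")).hexdigest()
    return tip


def _seal(entries, key):
    return hmac.new(key, _chain_tip(entries).encode("utf-8"), hashlib.sha256).hexdigest()


def build_manifest(records, key):
    """Written when records are captured; stored with the off-network backup."""
    entries = [{"record_id": r["record_id"], "digest": record_digest(r)} for r in records]
    return {"entries": entries, "seal": _seal(entries, key)}


def verify_restore(restored, manifest, key):
    """Classify restored records as intact, altered, missing or unexpected."""
    result = {"manifest_ok": hmac.compare_digest(_seal(manifest["entries"], key), manifest["seal"]),
              "intact": [], "altered": [], "missing": [], "unexpected": []}
    if not result["manifest_ok"]:
        return result  # a manifest that fails its seal cannot vouch for any record
    by_id = {r["record_id"]: r for r in restored}
    for e in manifest["entries"]:
        rec = by_id.pop(e["record_id"], None)
        if rec is None:
            result["missing"].append(e["record_id"])
        elif hmac.compare_digest(record_digest(rec), e["digest"]):
            result["intact"].append(e["record_id"])
        else:
            result["altered"].append(e["record_id"])
    result["unexpected"] = sorted(by_id)
    return result


# Constructed sample data: a batch record, a pasteuriser record and a CIP validation log.
KEY = b"constructed-demo-key-not-for-production"
CAPTURED = [
    {"record_id": "BATCH-0001", "type": "batch", "product": "full cream milk", "litres": 18000},
    {"record_id": "PAST-0001", "type": "pasteuriser_temp", "batch": "BATCH-0001",
     "hold_temp_c": 72.4, "hold_s": 15},
    {"record_id": "CIP-0001", "type": "cip_validation", "circuit": "intake",
     "caustic_conductivity_ms": 48.2, "rinse_ok": True},
]


def demo():
    """Restore test where one record was dropped and one was edited after capture."""
    manifest = build_manifest(CAPTURED, KEY)
    restored = [dict(CAPTURED[0]), dict(CAPTURED[2], caustic_conductivity_ms=12.0)]
    return verify_restore(restored, manifest, KEY)


if __name__ == "__main__":
    print(demo())
```

Only the records reported as intact can be used to narrow a recall; altered and missing records fall on the side of widening it.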

The Australian context: ACSC, the Essential Eight and FSANZ

For Australian manufacturers, the Australian Cyber Security Centre at cyber.gov.au is the primary national source of guidance, and the Essential Eight is the baseline most organisations are measured against. The Essential Eight is a set of eight mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups.

The Essential Eight was written primarily for Windows-based IT, so applying it to a food plant needs judgement. Several strategies map directly:

  • Restrict administrative privileges and multi-factor authentication apply cleanly to engineering workstations, vendor remote access and SCADA administration.
  • Application control suits the Windows HMIs and engineering stations that run a stable, known set of programs.
  • Regular backups apply to PLC programs, SCADA projects, recipes and the batch and traceability records, which are exactly the artefacts a food site needs to recover after an incident.

The two patching strategies are where literal application breaks down, because forced operating-system and application patching can break a validated control system or a CIP recipe. For those, the risk-based OT patch approach in NIST SP 800-82 takes over: maintain an accurate asset inventory, prioritise by exposure and consequence, test before applying, patch in planned maintenance windows, and use tighter segmentation and monitoring as compensating controls where a device cannot be patched. The sound model is to treat the Essential Eight as the baseline for the IT-like assets in the plant, then layer the OT-specific controls from ISA/IEC 62443 and NIST SP 800-82 on top for the control system itself. The ACSC also publishes guidance aimed specifically at operational technology, which should be read alongside the Essential Eight rather than as a substitute.

On the food-safety side, Food Standards Australia New Zealand sets the records and traceability obligations that make data integrity a compliance matter. There is no FSANZ cyber control to certify against, but the requirement to keep accurate records and trace product is what connects a security incident to a recall. Keeping the OT security position consistent with these obligations is what moves the conversation from engineering into quality and management, where the budget for it usually sits.

Common mistakes and pitfalls

Most serious OT security gaps on food sites are architectural rather than a missing tool. The recurring ones are worth naming so they can be designed out:

  • Assumed segmentation. The OT and IT networks are believed to be separated, but a flat switch, a dual-homed historian or an undocumented cable bridges them. Verify segmentation at the switch and firewall level rather than trusting the network diagram.
  • No asset inventory. Without knowing what is on the network, neither patching nor segmentation can be prioritised, and unknown devices are the ones that get compromised. On a multi-OEM food site the OEM machines are often the gaps in the inventory.
  • Standing vendor remote access. OEM VPNs and engineering connections left open after the work is done are the most common entry path in real incidents, and food sites accumulate many of them.
  • Treating the records zone as just another process area. The zone that holds batch genealogy, CIP validation logs and traceability data carries regulatory consequence and warrants a higher target security level and its own backup regime.
  • Skipping backups of OT artefacts and recipes. A current, tested backup of every PLC program, SCADA project, recipe and the traceability data is what limits recall scope and turns an incident into a recovery.
  • Forcing IT endpoint agents onto control assets. An IT agent on a controller or a real-time HMI can add latency or instability to a control or CIP function. Match the control to the asset rather than applying the corporate policy literally.
  • Owning security as an engineering-only project. When quality and compliance are not involved, the records-integrity and recall angle is missed, and the funding case is harder to make.

A methodical first pass starts narrow. Build the asset inventory, including every OEM machine, then verify that OT and IT are genuinely separated at the switch and firewall level. Those two steps expose the most significant gaps without major capital, and they set up the segmentation and remote-access work that follows. This early scoping is the same approach used across our systems integration work where security is in scope.

Bringing it together

OT cybersecurity for food manufacturing is achievable without disrupting operations when the work is sequenced sensibly. The architecture is the common OT model: map the plant, draw ISA/IEC 62443 zones with target security levels, define every conduit explicitly, route all remote access through a controlled broker with multi-factor authentication, and patch on a risk basis with compensating controls where patching is not possible. What food adds is the priority order. Protect the zones that generate batch, CIP and traceability records, because those govern recall scope and FSANZ record obligations, and protect production continuity, because spoiled product and broken cold chain make downtime expensive and fast. The ACSC Essential Eight gives the baseline for the IT-like assets, and NIST SP 800-82 supplies the detailed OT control catalogue. The result is a network that supports modern reporting and integration while keeping the records and the control system reachable only through paths that are named, justified and monitored. If you can share your site layout, OEM machine mix and current network arrangement, Metromotion Controls can work through a segmentation and remote-access design that fits the plant.

References

The standards and figures referenced above are general industry and regulator sources, cited so the technical claims can be checked against the originals. The worked example uses illustrative engineering values and is not a Metromotion Controls measurement.

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Common questions

Is OT cybersecurity a regulatory requirement for Australian food manufacturers?

Food Standards Australia New Zealand does not mandate specific cybersecurity controls in the Food Standards Code. It does require that food businesses keep accurate records and be able to trace product one step forward and one step back, which depends on data that control systems generate. A compromised control system can undermine both the accuracy and the availability of that data, so OT security becomes a food-safety and compliance issue even though it is not named as a cyber control. Industry frameworks such as ISA/IEC 62443 are increasingly referenced in customer contracts, retailer audits and cyber insurance requirements, so the practical pressure to demonstrate a security position is real even where the regulation is indirect.

What makes food manufacturing OT environments particularly exposed?

Food sites typically run a mix of older control equipment, many machines from different OEMs each with its own connectivity, standing vendor remote-access arrangements, and increasing integration with corporate ERP and quality systems. Each of those connections is a potential entry point if it is not managed. Food plants also run continuous or tightly scheduled production where downtime spoils product and breaks cold chain, so ransomware that halts a line carries an immediate cost beyond the IT recovery. The combination of high connectivity, a large and varied asset base, and low tolerance for downtime is what raises the exposure relative to a simpler plant.

How does ISA/IEC 62443 apply to a food plant?

ISA/IEC 62443 defines a zone and conduit model for industrial control system security. Applied to a food plant, it groups assets that share a security requirement into zones, such as the controllers and HMIs of one process area, and treats every communication path between zones as a conduit with explicit controls. Each zone is given a target security level from SL 1 to SL 4. The value is that every flow into and out of the control system has to be named and justified, including the historian feed to ERP and every vendor remote-access path. Most food sites apply the framework pragmatically, drawing the zones onto the existing plant rather than rebuilding the network, and tightening the highest-risk conduits first.

How does ransomware affect a food plant differently from an office?

In an office, ransomware mainly costs data and recovery time. In a food plant it can stop production directly when it reaches OT, and even when it stays in IT it can halt the systems that authorise dispatch, print labels or hold batch records. Stopped production means spoiled in-process product, broken cold chain and missed delivery windows to retailers who penalise short supply. If batch or traceability records are encrypted or thrown into doubt, the safe response is often to widen recall scope rather than narrow it, because you cannot prove which product is unaffected. The downtime cost and the recall exposure together are why production continuity, not just data confidentiality, drives the security case in food manufacturing.

What is the difference between this and general OT network security?

The architecture is the same. Zones, conduits, a verified OT/IT boundary, managed remote access and risk-based patching apply to any plant, and our general guide on OT network security for Australian manufacturing covers the segmentation design in detail. What changes in food manufacturing is the consequence model. The assets you most need to protect are the ones that generate food-safety and traceability records, the downtime tolerance is lower because product spoils, and the compliance audience includes quality and FSANZ obligations rather than only engineering. This post layers those food-sector specifics onto the general model rather than repeating it.

How does the ACSC Essential Eight apply to a food manufacturing OT environment?

The Essential Eight, published by the Australian Cyber Security Centre, is a baseline of eight mitigation strategies written mainly for Windows-based IT. Several map cleanly onto a food plant: restricting administrative privileges, multi-factor authentication on remote and administrative access, application control on the Windows HMIs and engineering workstations, and regular backups of PLC programs, SCADA projects and recipe and configuration data. The two patching strategies have to be adapted rather than applied literally, because forcing operating-system or application patches can break a validated control system or a CIP recipe. The sound approach treats the Essential Eight as the baseline for the IT-like assets in the plant, then layers the OT-specific controls from ISA/IEC 62443 and NIST SP 800-82 on top for the control system itself.
