Food sites have accumulated connectivity they did not plan for
Vendor remote access, historian connections and ERP integrations were added over time without a consistent security architecture, leaving undocumented paths into production.

Vendor remote access, historian connections and ERP integrations were added over time without a consistent security architecture, leaving undocumented paths into production.
Batch traceability, CIP validation logs and temperature records come from control systems. If those records are altered or unavailable, recall scope widens and audit positions weaken.
ISA/IEC 62443 and NIST SP 800-82 give the framework, but the first steps are an accurate asset inventory and a verified OT/IT boundary. Zones and target security levels follow once the baseline is understood.
OT security planning in food manufacturing tends to focus on IT systems, while the control systems running production lines, CIP circuits and cold chain equipment keep whatever network arrangement was put in place when they were installed. Metromotion Controls is a control systems integrator based in Mount Waverley that designs and commissions control systems for food and beverage manufacturers across Melbourne, Victoria and Australia, and this guide covers what changes when the plant makes food: where the regulatory pressure comes from, and how the standards apply to record integrity, recall exposure and production continuity.
This post is the food-sector companion to our guide on OT network security for Australian manufacturing, which covers the segmentation architecture, the Purdue model and secure remote access in depth. It supports our OT networks service and the broader food and beverage automation work.
The risk is not theoretical. Food and beverage businesses worldwide have been forced to halt production by ransomware that reached or isolated OT systems. When a control system is compromised, the integrity of the food-safety records and traceability data that regulators and retailers rely on is also in question, which widens recall scope and weakens audit positions.
Most food manufacturing sites did not set out to build an insecure OT network; the exposure accumulated one reasonable decision at a time. OEM remote access was set up for commissioning, sometimes permanently and often without documentation, and many of those connections are still open with credentials nobody can attribute to a person. Historian and ERP integrations created paths between the corporate network and OT. Flat networks were inherited from older installations, and recipe, label and quality systems that need data from both sides ended up dual-homed and trusted by both, which quietly removes the boundary.
What is specific to food is what sits behind those paths: the systems that produce the records a recall depends on.
FSANZ record integrity. Food Standards Australia New Zealand sets the Food Standards Code, which requires food businesses to keep accurate records and to trace product one step back and one step forward. Batch records, CIP validation logs and temperature records are generated by control systems, so a compromised control system puts those records in question. That is a regulatory problem, not just an operational one, and it is the same concern that drives MES and SCADA integration in food plants: records have to be trustworthy at the point they are captured.
Recall exposure. Traceability data exists so a recall can be scoped tightly. If that data is encrypted, altered or unavailable during an incident, the safe response is to widen the recall, because the business cannot prove which product is unaffected.
Production continuity and cold chain. Food production is continuous or tightly scheduled, and in-process product spoils. A halted line destroys work in progress, breaks the cold chain and misses delivery windows with retailers who penalise short supply. Availability is already the OT priority; in food the cost of losing it arrives faster.
Hygiene zones and OEM count. Hygiene zones sometimes correspond to network segments, and the natural process boundaries can become useful security zone boundaries. Food sites also run many machines from different OEMs, each with its own connectivity, which makes vendor access hard to govern informally.
Three references carry most of the weight, and they fit together rather than compete. ISA/IEC 62443, published through the IEC and described by ISA, defines the zone-and-conduit model and the SL 1 to SL 4 security levels, and is the primary standard to design to. NIST SP 800-82 Rev 3, the Guide to Operational Technology (OT) Security, is the free, detailed control catalogue, including the risk-based patching approach that matters on validated plant. The ACSC Essential Eight is the Australian baseline for the IT-like assets, covered below.
The architectural detail, Purdue levels, conduit design and secure remote access, is set out in the OT network security guide and is not repeated here. The food-specific decision is where the higher protection belongs. A zone groups assets with a shared security requirement, a conduit is a controlled path between zones, and each zone gets a target security level from SL 1 (casual misuse) to SL 4 (well-resourced attacker). On a food plant, the zones holding batch and traceability records and the CIP control warrant higher targets than a general process area, because the consequence of tampering there is regulatory as well as operational. Every flow in and out of the control system has to be named and justified, including the historian-to-ERP feed and every OEM remote-access path. The discipline of PLC, SCADA and HMI engineering carries through here, because the systems that run the process also capture the records.
The values below are illustrative, for a fictional mid-sized dairy plant, not any Metromotion Controls project or named client. Consider a site with raw-milk intake, a pasteurisation and process area, a shared CIP system, a packaging hall, a central historian holding batch and traceability records, and a requirement to push production data to a corporate ERP and a cloud quality dashboard.
| Zone | Purdue level | Contents | Target SL |
|---|---|---|---|
| Intake and process | 1 to 2 | Process PLCs, HMIs, drives, instruments | SL 2 |
| CIP control | 1 to 2 | CIP PLC, valves, conductivity and temperature instruments | SL 3 |
| Packaging | 1 to 2 | Packaging PLCs, line HMIs, labellers | SL 2 |
| Records and supervisory | 3 | SCADA gateway, historian, batch and traceability records, engineering workstation | SL 3 |
| OT/IT DMZ | 3.5 | Reverse proxy, MQTT broker, historian replica, remote-access broker | SL 3 |
| Enterprise IT | 4 to 5 | ERP, quality dashboard, internet | Out of OT scope |
The conduits follow the standard pattern: the SCADA gateway alone polls the PLCs through tight firewall rules, data leaves OT by replication into the demilitarised zone where the ERP and the dashboard read it, and all vendor and engineering sessions terminate at a brokered, multi-factor access point in the demilitarised zone rather than reaching an OT asset directly.
Two food-specific calls stand out. CIP control carries a higher target (SL 3) than a general process area because a CIP cycle that is altered or skipped is a direct food-safety hazard, the same logic that governs CIP automation in hygienic processing. The records and supervisory zone also sits at SL 3 because batch genealogy and traceability data live there, and that data is what a recall depends on. A first engagement on a brownfield dairy site would not build all of this at once; it would inventory the assets, verify the OT/IT boundary, then raise the CIP and records zones first.
Most food sites cannot do everything at once. Rank each zone and conduit by consequence and exposure:
Zones that score high on both consequence and exposure come first. In practice that means the records zone and any conduit carrying vendor access. The same risk logic applies to patching under NIST SP 800-82: protect by exposure and consequence rather than treating everything equally. For sites planning wider modernisation, security scoping fits naturally into automation upgrade planning and the upgrade work itself.
Two outcomes matter most in food: the records have to be trustworthy, and the line has to keep running. Four controls serve both.
Backup and tamper-evidence for records. Batch records, CIP validation logs and traceability data should replicate to the demilitarised zone and back up off the OT network, with restores tested. PLC programs, SCADA projects and recipes belong in the same regime, because recovering a CIP recipe is part of restoring production. A current, verified backup turns a ransomware incident into a recovery rather than a rebuild, and lets quality demonstrate which records are intact.
Tight conduits around the records zone. The historian feed should be OT pushing to the demilitarised zone, with the ERP reading a replica rather than reaching into OT. That keeps the corporate network, the most common entry point, away from the data a recall depends on.
Brokered vendor access. Every remote session should be brokered, authorised per session, time-limited, attributable to a named person and logged, then revoked when the task is done. The detailed pattern is in the network security guide; the food-specific point is volume. The more OEMs on site, the more valuable disciplined brokering becomes.
Recovery planning tied to product. State how long the site can run, or must stop, if a given system is lost, and what happens to in-process product. That ties the security position to cold chain and spoilage, the language quality and operations teams use, and it belongs in an ongoing support relationship rather than a one-off exercise.
The Australian Cyber Security Centre is the primary national source of guidance, and the Essential Eight is the baseline most Australian organisations are measured against. It was written for Windows-based IT, so on a food plant it applies cleanly to the IT-like assets: multi-factor authentication and restricted administrative privileges on engineering workstations and vendor access, application control on HMIs, and regular backups of programs, recipes and records. The two patching strategies are where literal application breaks down, because forced patching can break a validated control system or a CIP recipe. There the risk-based approach in NIST SP 800-82 takes over, with segmentation and monitoring as compensating controls for what cannot be patched. The full Essential Eight mapping for plant networks is in the OT network security guide.
There is no FSANZ cyber control to certify against, but the obligation to keep accurate records and trace product is what connects a security incident to a recall. Framing OT security in those terms moves the conversation from engineering into quality and management, where the budget for it usually sits.
A methodical first pass starts narrow: build the asset inventory including every OEM machine, then verify that OT and IT are genuinely separated at the switch and firewall level. Those two steps expose the most significant gaps without major capital, and they are the same early scoping we apply across systems integration work where security is in scope.
The architecture for a food plant is the common OT model: zones with target security levels, explicitly defined conduits, brokered remote access and risk-based patching. What food adds is the priority order. Protect the zones that generate batch, CIP and traceability records, because those govern recall scope and FSANZ obligations, and protect production continuity, because spoiled product and a broken cold chain make downtime expensive and fast. If you can share your site layout, OEM machine mix and current network arrangement, Metromotion Controls can work through a segmentation and remote-access design that fits the plant.
The standards referenced above are general industry and regulator sources, cited so the technical claims can be checked against the originals. The worked example uses illustrative engineering values and is not a Metromotion Controls measurement.
Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.
OT network design, industrial Ethernet, secure remote access and SCADA server connectivity.
OEE, downtime, historian and production reporting systems built from reliable plant signals.
Engineering support for production faults, diagnostics, minor works and long-term controls reliability.
Automation, traceability, CIP, SCADA and production data for Australian food and beverage plants.

How CIP automation cuts trade waste and chemical cost with endpoint-driven phases, protects chemical tanks, verifies coverage and records audit evidence.
Key point
Endpoint-driven phases cut cost without weakening the clean
Published 9 May 2026

Guide to automation for Australian dairy plants: HTST pasteurisation and divert control, CIP, ISA-88 batch control, 3-A hygienic design and FSANZ traceability.
Key point
Pasteurisation control is a safety function, not a process convenience
Published 9 May 2026

When Ignition fits an Australian food and beverage site: Perspective vs Vision, architecture and redundancy, OT security, and buying Ignition locally.
Key point
Platform fit comes before platform capability
Published 9 May 2026
Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.