Skip to content
OT Cybersecurity for Australian Food Manufacturers: What the Standards Actually Require engineering guide from Metromotion Controls
Industrial Data & IIoT · MAY 2026 · Updated JUNE 2026 · 11 min read

OT Cybersecurity for Australian Food Manufacturers: What the Standards Actually Require

Key points

Key points
1

Food sites have accumulated connectivity they did not plan for

Vendor remote access, historian connections and ERP integrations were added over time without a consistent security architecture, leaving undocumented paths into production.

2

Record integrity and recall exposure make OT security a food-safety issue

Batch traceability, CIP validation logs and temperature records come from control systems. If those records are altered or unavailable, recall scope widens and audit positions weaken.

3

Start with the asset inventory and the OT/IT boundary

ISA/IEC 62443 and NIST SP 800-82 give the framework, but the first steps are an accurate asset inventory and a verified OT/IT boundary. Zones and target security levels follow once the baseline is understood.

OT security planning in food manufacturing tends to focus on IT systems, while the control systems running production lines, CIP circuits and cold chain equipment keep whatever network arrangement was put in place when they were installed. Metromotion Controls is a control systems integrator based in Mount Waverley that designs and commissions control systems for food and beverage manufacturers across Melbourne, Victoria and Australia, and this guide covers what changes when the plant makes food: where the regulatory pressure comes from, and how the standards apply to record integrity, recall exposure and production continuity.

This post is the food-sector companion to our guide on OT network security for Australian manufacturing, which covers the segmentation architecture, the Purdue model and secure remote access in depth. It supports our OT networks service and the broader food and beverage automation work.

The risk is not theoretical. Food and beverage businesses worldwide have been forced to halt production by ransomware that reached or isolated OT systems. When a control system is compromised, the integrity of the food-safety records and traceability data that regulators and retailers rely on is also in question, which widens recall scope and weakens audit positions.

How food sites accumulated their exposure

Most food manufacturing sites did not set out to build an insecure OT network; the exposure accumulated one reasonable decision at a time. OEM remote access was set up for commissioning, sometimes permanently and often without documentation, and many of those connections are still open with credentials nobody can attribute to a person. Historian and ERP integrations created paths between the corporate network and OT. Flat networks were inherited from older installations, and recipe, label and quality systems that need data from both sides ended up dual-homed and trusted by both, which quietly removes the boundary.

What is specific to food is what sits behind those paths: the systems that produce the records a recall depends on.

Why food manufacturing changes the priorities

FSANZ record integrity. Food Standards Australia New Zealand sets the Food Standards Code, which requires food businesses to keep accurate records and to trace product one step back and one step forward. Batch records, CIP validation logs and temperature records are generated by control systems, so a compromised control system puts those records in question. That is a regulatory problem, not just an operational one, and it is the same concern that drives MES and SCADA integration in food plants: records have to be trustworthy at the point they are captured.

Recall exposure. Traceability data exists so a recall can be scoped tightly. If that data is encrypted, altered or unavailable during an incident, the safe response is to widen the recall, because the business cannot prove which product is unaffected.

Production continuity and cold chain. Food production is continuous or tightly scheduled, and in-process product spoils. A halted line destroys work in progress, breaks the cold chain and misses delivery windows with retailers who penalise short supply. Availability is already the OT priority; in food the cost of losing it arrives faster.

Hygiene zones and OEM count. Hygiene zones sometimes correspond to network segments, and the natural process boundaries can become useful security zone boundaries. Food sites also run many machines from different OEMs, each with its own connectivity, which makes vendor access hard to govern informally.

The frameworks, applied to food

Three references carry most of the weight, and they fit together rather than compete. ISA/IEC 62443, published through the IEC and described by ISA, defines the zone-and-conduit model and the SL 1 to SL 4 security levels, and is the primary standard to design to. NIST SP 800-82 Rev 3, the Guide to Operational Technology (OT) Security, is the free, detailed control catalogue, including the risk-based patching approach that matters on validated plant. The ACSC Essential Eight is the Australian baseline for the IT-like assets, covered below.

The architectural detail, Purdue levels, conduit design and secure remote access, is set out in the OT network security guide and is not repeated here. The food-specific decision is where the higher protection belongs. A zone groups assets with a shared security requirement, a conduit is a controlled path between zones, and each zone gets a target security level from SL 1 (casual misuse) to SL 4 (well-resourced attacker). On a food plant, the zones holding batch and traceability records and the CIP control warrant higher targets than a general process area, because the consequence of tampering there is regulatory as well as operational. Every flow in and out of the control system has to be named and justified, including the historian-to-ERP feed and every OEM remote-access path. The discipline of PLC, SCADA and HMI engineering carries through here, because the systems that run the process also capture the records.

A worked example: scoping a mid-sized dairy plant

The values below are illustrative, for a fictional mid-sized dairy plant, not any Metromotion Controls project or named client. Consider a site with raw-milk intake, a pasteurisation and process area, a shared CIP system, a packaging hall, a central historian holding batch and traceability records, and a requirement to push production data to a corporate ERP and a cloud quality dashboard.

ZonePurdue levelContentsTarget SL
Intake and process1 to 2Process PLCs, HMIs, drives, instrumentsSL 2
CIP control1 to 2CIP PLC, valves, conductivity and temperature instrumentsSL 3
Packaging1 to 2Packaging PLCs, line HMIs, labellersSL 2
Records and supervisory3SCADA gateway, historian, batch and traceability records, engineering workstationSL 3
OT/IT DMZ3.5Reverse proxy, MQTT broker, historian replica, remote-access brokerSL 3
Enterprise IT4 to 5ERP, quality dashboard, internetOut of OT scope

The conduits follow the standard pattern: the SCADA gateway alone polls the PLCs through tight firewall rules, data leaves OT by replication into the demilitarised zone where the ERP and the dashboard read it, and all vendor and engineering sessions terminate at a brokered, multi-factor access point in the demilitarised zone rather than reaching an OT asset directly.

Two food-specific calls stand out. CIP control carries a higher target (SL 3) than a general process area because a CIP cycle that is altered or skipped is a direct food-safety hazard, the same logic that governs CIP automation in hygienic processing. The records and supervisory zone also sits at SL 3 because batch genealogy and traceability data live there, and that data is what a recall depends on. A first engagement on a brownfield dairy site would not build all of this at once; it would inventory the assets, verify the OT/IT boundary, then raise the CIP and records zones first.

Deciding where to start

Most food sites cannot do everything at once. Rank each zone and conduit by consequence and exposure:

  • Consequence to food safety and traceability. CIP control, the records and historian zone, and anything that authorises dispatch or prints labels rank highest.
  • Consequence to production continuity. Continuous process areas and shared utilities rank above intermittent ones, because a stop spoils product.
  • Exposure. Anything with a standing remote-access path, an internet route or a dual-homed bridge to IT ranks highest regardless of consequence, because exposure is what an attacker actually uses.

Zones that score high on both consequence and exposure come first. In practice that means the records zone and any conduit carrying vendor access. The same risk logic applies to patching under NIST SP 800-82: protect by exposure and consequence rather than treating everything equally. For sites planning wider modernisation, security scoping fits naturally into automation upgrade planning and the upgrade work itself.

Protecting records and keeping the line running

Two outcomes matter most in food: the records have to be trustworthy, and the line has to keep running. Four controls serve both.

Backup and tamper-evidence for records. Batch records, CIP validation logs and traceability data should replicate to the demilitarised zone and back up off the OT network, with restores tested. PLC programs, SCADA projects and recipes belong in the same regime, because recovering a CIP recipe is part of restoring production. A current, verified backup turns a ransomware incident into a recovery rather than a rebuild, and lets quality demonstrate which records are intact.

Tight conduits around the records zone. The historian feed should be OT pushing to the demilitarised zone, with the ERP reading a replica rather than reaching into OT. That keeps the corporate network, the most common entry point, away from the data a recall depends on.

Brokered vendor access. Every remote session should be brokered, authorised per session, time-limited, attributable to a named person and logged, then revoked when the task is done. The detailed pattern is in the network security guide; the food-specific point is volume. The more OEMs on site, the more valuable disciplined brokering becomes.

Recovery planning tied to product. State how long the site can run, or must stop, if a given system is lost, and what happens to in-process product. That ties the security position to cold chain and spoilage, the language quality and operations teams use, and it belongs in an ongoing support relationship rather than a one-off exercise.

The Australian context: Essential Eight and FSANZ

The Australian Cyber Security Centre is the primary national source of guidance, and the Essential Eight is the baseline most Australian organisations are measured against. It was written for Windows-based IT, so on a food plant it applies cleanly to the IT-like assets: multi-factor authentication and restricted administrative privileges on engineering workstations and vendor access, application control on HMIs, and regular backups of programs, recipes and records. The two patching strategies are where literal application breaks down, because forced patching can break a validated control system or a CIP recipe. There the risk-based approach in NIST SP 800-82 takes over, with segmentation and monitoring as compensating controls for what cannot be patched. The full Essential Eight mapping for plant networks is in the OT network security guide.

There is no FSANZ cyber control to certify against, but the obligation to keep accurate records and trace product is what connects a security incident to a recall. Framing OT security in those terms moves the conversation from engineering into quality and management, where the budget for it usually sits.

Common gaps on food sites

  • OEM machines missing from the asset inventory. Without a complete inventory, neither patching nor segmentation can be prioritised, and on a multi-OEM food site the OEM machines are usually the gaps.
  • Standing vendor remote access. OEM VPNs left open after the work is done are the most common entry path in real incidents, and food sites accumulate many of them.
  • The records zone treated as just another process area. Batch genealogy, CIP validation logs and traceability data carry regulatory consequence and warrant a higher target level and their own backup regime.
  • No backups of recipes and OT artefacts. A current, tested backup of every PLC program, SCADA project, recipe and the traceability data is what limits recall scope and shortens recovery.
  • Security owned by engineering alone. Without quality and compliance involved, the records and recall angle is missed and the funding case is weaker.

A methodical first pass starts narrow: build the asset inventory including every OEM machine, then verify that OT and IT are genuinely separated at the switch and firewall level. Those two steps expose the most significant gaps without major capital, and they are the same early scoping we apply across systems integration work where security is in scope.

Bringing it together

The architecture for a food plant is the common OT model: zones with target security levels, explicitly defined conduits, brokered remote access and risk-based patching. What food adds is the priority order. Protect the zones that generate batch, CIP and traceability records, because those govern recall scope and FSANZ obligations, and protect production continuity, because spoiled product and a broken cold chain make downtime expensive and fast. If you can share your site layout, OEM machine mix and current network arrangement, Metromotion Controls can work through a segmentation and remote-access design that fits the plant.

References

The standards referenced above are general industry and regulator sources, cited so the technical claims can be checked against the originals. The worked example uses illustrative engineering values and is not a Metromotion Controls measurement.

About the author

Tommy Kim writes for Metromotion Controls, a Melbourne control systems integrator delivering PLC, SCADA, controls integration and commissioning for food, beverage, dairy and FMCG manufacturers across Australia.

Share:LinkedInX
Next step

Planning work in Industrial Data & IIoT?

Map out scope, delivery approach and what to have ready before the first conversation. Answer a few questions and Metromotion Controls returns a tailored scoping brief on screen.