Manufacturing IT and Cybersecurity on the Central Coast: OT/IT, CMMC, and Ransomware in 2026

Most of the manufacturers I work with on the Central Coast and into the South Bay did not set out to build an IT department. They bought a CNC machine, then a second, added an ERP because a customer needed real lead times, brought CAD in house, added a MES to track jobs, and a decade later they have a shop floor full of networked machines, an engineering team sitting on terabytes of irreplaceable models, and a part-time IT person who is really the controls tech on Thursdays. The parts ship. The network mostly holds. Nobody has looked at the whole thing as one system that an attacker sees as one target.

This post is the version of the conversation I have with a Salinas, Gilroy, or South Bay shop owner. The framing is six layers, and the backdrop is a hard fact: across multiple 2025 industry reports, manufacturing is the single most-targeted sector for ransomware, and has been for several years. That is not because manufacturers are careless. It is because a stopped line is the best leverage an extortionist can ask for, and shop-floor technology is genuinely harder to defend than an office full of laptops. The good news is that the highest-impact fixes are structural and do not require replacing a single machine.

Why manufacturing IT is different from generic SMB IT

An insurance office has people, laptops, and a printer. A 40-person machine shop has an office, an engineering team on CAD workstations, a shop floor of CNC mills and lathes with embedded controllers, an ERP and a MES, a CAD/PDM vault, inspection equipment, and often a customer base that includes aerospace, defense, medical, or ag-equipment primes with their own compliance requirements. The office has one regulator. The shop may answer to the DoD through CMMC, to the State Department through ITAR, to ISO 9001 auditors, and to a cyber-insurance underwriter who has read the ransomware statistics.

Concretely, manufacturing IT differs from generic small-business IT in five ways:

  • The shop floor is operational technology. Machine controllers, PLCs, and inspection gear are networked computers, often running old, unpatchable operating systems that the machine vendor will not let you touch.
  • Uptime is production. A network or server outage is not lost email; it is a stopped line, a missed ship date, and a contract penalty.
  • Your IP is the business. CAD models, programs, fixtures, and customer drawings are the crown jewels, and they walk out the door easily if access is not controlled.
  • Compliance flows down to you. CMMC, NIST 800-171, and ITAR reach small subcontractors through prime-contractor flow-down, whether or not you think of yourself as a defense shop.
  • Legacy and modern coexist. A 15-year-old controller and a brand-new five-axis sit on the same floor and frequently the same network, which is exactly the problem.

The six IT layers a Central Coast manufacturer needs

Layer 1: OT/IT segmentation and the shop-floor network

This is the layer that matters most and the one most shops have never addressed. Operational technology (the machine controllers, PLCs, and inspection systems) should live on a network that is segmented from the office and cannot reach the internet directly. On a flat network, an infected office laptop can reach a CNC controller, the ERP server, and the CAD vault on the same wire, and that is precisely how a ransomware click becomes a stopped line. The reference model here is NIST SP 800-82, the standard for industrial control system security, which is built around segmentation and compensating controls for systems you cannot harden directly.

In practice that means VLANs and firewall rules that separate the shop floor from the office, tightly controlled access for the vendor laptops that service the machines, and engineered, robust Wi-Fi for the handhelds and tablets that the floor actually depends on, because dead spots that kill a barcode scanner cost real throughput. The network design service page covers the shop-floor and segmentation work, and it is usually where we deliver both the biggest security win and the most visible daily improvement.

Layer 2: ERP, MES, and PLM uptime

The ERP schedules and costs the work, the MES tracks it on the floor, and the PLM or PDM system holds the definition of what you build. Whether you run Epicor, Global Shop, JobBOSS, Fishbowl, ProShop, or a Dynamics build, the IT concerns are the same: these systems have to be reachable from the floor and the office, integrated rather than siloed, patched and maintained on a real schedule, and independently backed up. A MES that only the office server can reach is a MES that stops the floor when that server hiccups. Most of the avoidable downtime we see in shops traces back to one of these systems running on an aging server nobody owns.

Layer 3: Engineering data and CAD file management

Your CAD and PDM vault (SolidWorks PDM, Autodesk Vault, or the equivalent) is simultaneously your most valuable asset and your least-protected one. Two problems recur. First, performance: large assemblies opened over a slow or misconfigured link turn a five-second file-open into a five-minute one, and that tax is paid by your highest-cost people all day. Second, protection: the vault is often terabytes of irreplaceable work, and its backup has frequently never been test-restored. We treat the vault as a first-class system: performance-tuned, access-controlled so engineers see only what they should, and backed up with restores that are actually verified. The engineering and architecture IT post goes deeper on CAD and large-file workflows.

Layer 4: CMMC 2.0 and NIST 800-171 readiness

If any of your work touches the defense supply chain, this layer is now a live deadline rather than a someday. We dig into the timeline below, but the structural point is that the Cybersecurity Maturity Model Certification requirements flow down from primes to subcontractors, and the IT work behind them (access control, MFA, encryption, logging, and a written security program aligned to NIST SP 800-171) is substantial. Shops that start when they see the clause in a contract are already behind. The vCIO service is where we map your environment to the controls and build a realistic remediation plan.

Layer 5: Cybersecurity for the shop floor

Given that manufacturing is the top ransomware target, the security stack is not optional. What we run for shops:

  • Segmentation first — the OT/IT separation from Layer 1 is itself the highest-value security control.
  • EDR on everything that can run it — office endpoints, engineering workstations, and servers. Legacy controllers that cannot get an agent are protected by isolation instead.
  • MFA on every account — Microsoft 365, ERP, MES, PLM, VPN, and the bank.
  • Monitored email security, because supplier-payment fraud and phishing are the common entry points.
  • Identity hardening and named accounts, with Conditional Access and no shared logins. See the identity hardening post.
  • 24/7 monitored detection and response, because the intrusion that becomes a stopped line happens off-hours by design.

The cybersecurity service page covers the engineering approach, and the 2026 ransomware post walks the attack chain that ends on your floor.

Layer 6: Backup and continuity

The systems that have to survive a bad day: the ERP and MES databases, the CAD/PDM vault, inspection and quality records, and email. Each needs independent, tested backup, with the CAD vault treated as the priority it is. The vendor backs up their platform for their own resilience, not for your bad import or your compromised admin. And continuity means PG&E: the Central Coast sits under the Public Safety Power Shutoff program, and a shop that loses power loses the network, the servers, the phones, and any machine mid-cycle. UPS on the server and network gear, a clean-shutdown plan, and generator capacity sized to the operation are the baseline. The PSPS continuity plan post and the backup and disaster recovery service page cover the playbook.

CMMC 2.0: the clock is already running

This deserves its own section because the timeline is real and recent, and a lot of small shops still believe CMMC is a future problem. It is not. The 48 CFR final rule that brings CMMC into defense contracts was published in September 2025, and the phased rollout began on November 10, 2025. Here is what matters for a Central Coast subcontractor:

  • Phase 1 (began November 10, 2025): Level 1 or Level 2 self-assessment requirements appear in many new DoD contracts. The DoD estimates this reaches a large majority of the defense industrial base.
  • Phase 2 (November 10, 2026): third-party Level 2 certification is required for contractors who handle Controlled Unclassified Information. A self-assessment is no longer enough at this tier.
  • Phase 3 (November 10, 2027): Level 3 assessments phase in for the most sensitive work.
  • Flow-down is mandatory. Primes must flow the appropriate level down to every subcontractor handling Federal Contract Information or CUI. If you make a part for a part for a weapons system, this reaches you.
  • Misrepresentation has teeth. Certification must be maintained for the life of the contract, and false claims about your status carry False Claims Act exposure.

The practical reading for a small shop: do not wait for the clause to surprise you. Find out now whether you handle FCI or CUI, get a gap assessment against NIST SP 800-171, and build the remediation into your budget over the next several quarters rather than in a panic when a renewal lands. The controls (MFA, encryption, access control, logging, and a written System Security Plan) are achievable for a small manufacturer with the right help, but they take time to implement and document properly.

The threats hitting Central Coast manufacturers right now

Production-halting ransomware

The headline threat. An attacker gets in through a phished credential or an exposed remote-access service, moves laterally across a flat network, and encrypts the servers that run the floor, timing it for a weekend so it is discovered Monday at startup. The leverage is your downtime. The defense is segmentation, EDR, monitored email, identity hardening, and 24/7 detection that catches the lateral movement first.

Legacy controller exposure

The unpatched Windows XP or 7 box driving a CNC or an inspection cell is a permanent soft target. You usually cannot patch or replace it without the machine vendor, and you should not have to: isolation on a segmented OT network with controlled access is the right control, and it lets a working machine keep working safely.

Supplier and customer payment fraud

Business email compromise aimed at your AP and AR. A spoofed or compromised email changes banking details on a supplier invoice, or redirects a customer's payment. Monitored email, MFA, and a verify-by-phone rule for any banking change shut it down.

IP theft on departure

A departing engineer with lingering VPN and vault access copies the project archive on the way out. Named accounts, same-day offboarding, and export monitoring are the controls. If you cannot confirm every former engineer's access is closed, that is where we would start.

Office and shop-floor IT baseline

  • Microsoft 365 Business Premium for office and engineering staff, with shop-floor and kiosk users on the appropriate lower-cost licensing. EDR, MDM, and identity hardening included. See the Microsoft 365 settings post.
  • Business-class internet with documented SLA and cellular failover, so the floor and the office do not go dark on a single fiber cut.
  • Segmented network with real firewalls separating office, OT, and guest, plus engineered shop-floor Wi-Fi.
  • Properly specced engineering workstations and a tuned CAD vault, not consumer PCs fighting large assemblies.
  • UPS on servers and network gear and a documented PSPS plan.
  • Tested backups of ERP, MES, and the CAD/PDM vault.

The full program lives on the managed IT services page, and the engineering and A/E IT page covers the CAD side in depth for shops with a heavy design function.

What we steer manufacturers away from

  • A flat network where the office and the machines share one segment. The single most common serious risk on a shop floor.
  • Legacy controllers exposed to the internet for "remote support." Isolate and broker that access instead.
  • A CAD vault backup nobody has test-restored. An untested backup of your most valuable asset is a guess.
  • Shared logins on the floor or in the office. No audit trail, no offboarding, a CMMC and insurance finding.
  • Treating CMMC as a future problem. The flow-down clock started in November 2025.
  • Approving supplier banking changes by email. Every change gets a phone call.
  • One overloaded server running ERP, the vault, and the domain with no redundancy and no monitoring.

A realistic budget for a Central Coast machine shop

Numbers for a representative 40-person shop, roughly 25 office and engineering users plus shop-floor and kiosk accounts, running an ERP, a MES, and a CAD/PDM vault. Monthly, all-in, excluding CMMC remediation, which is a separate project:

  • Microsoft 365 (Business Premium for office/engineering, lower tiers for floor): $700–$1,000
  • MDR / managed security: 25 core users × $25 = $625, plus OT monitoring
  • Managed IT (help desk, patching, backup, identity, server care): 25 users × $150–$200 = $3,750–$5,000
  • OT/shop-floor monitoring and segmentation management: $500–$1,500
  • Connectivity + failover: $400–$800
  • Managed firewalls and segmentation: $400–$800
  • Tested backup (ERP, MES, CAD vault, Microsoft 365): $400–$900

Total monthly IT spend lands roughly between $7,000 and $11,500 per month for a 40-person shop, before hardware and before CMMC remediation. The biggest mover is the per-user managed IT line. For comparison: industry reporting puts the median manufacturing ransomware breach around half a million dollars once downtime and recovery are counted, and a single missed aerospace or medical ship date can cost a contract. The IT budget is a fraction of one bad incident.

Where this fits

We support manufacturers across Salinas, Gilroy, Hollister, Watsonville, San Jose, and the rest of the Central Coast and South Bay.

FAQs about IT for manufacturers

We're a small shop, not a prime defense contractor. Does CMMC really apply to us?

If you handle Federal Contract Information or Controlled Unclassified Information anywhere in a defense supply chain, even as a third- or fourth-tier subcontractor making a bracket or a machined part, CMMC requirements flow down to you. The 48 CFR final rule that took effect in late 2025 makes that flow-down mandatory. Phase 1, which began November 10, 2025, brings Level 1 or Level 2 self-assessment requirements into many new contracts, and Phase 2, on November 10, 2026, brings third-party Level 2 certification for contractors who handle CUI. The honest answer for most Central Coast shops is: read your contracts and your customers' flow-down clauses now, because the smaller you are, the more likely you are to be caught flat-footed. Misrepresenting your status carries False Claims Act exposure, so this is not a box to guess at.

Our CNC machines run Windows XP or Windows 7. We can't patch or replace them. What do we do?

You isolate them. Legacy machine controllers that cannot be patched are the single most common serious risk we find on a shop floor, and the answer is not to replace a working machine, it is to put it on a segmented operational-technology network that cannot reach the internet or the office, with tightly controlled access for the one vendor laptop that needs it. NIST SP 800-82, the standard for industrial control system security, is built around exactly this: compensating controls and segmentation for systems you cannot harden directly. A flat network where an XP controller sits next to the accounting PC means one phishing click can reach the machine that makes your parts. Segmentation is the control that lets a 15-year-old controller keep running safely.
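The segmentation that Layer 1 and this answer describe can be checked rather than assumed. What follows is an added example, not code from this post or from the author's practice: it models a shop's network zones and firewall rules (all constructed, with hypothetical zone names such as ot, vendor_jump and mes, and a representative port list) and verifies the invariants that matter, with the flat network beside the segmented one. The checker simulates first-match rule evaluation with an implicit default deny.

```python
"""Added example: verify that a shop-floor firewall policy enforces OT/IT
segmentation. Zones, ports and rules are constructed for illustration and
are not a real shop's configuration.

Invariants checked:
  1. OT has no direct path to the internet.
  2. Office, guest and internet cannot initiate connections into OT.
  3. Vendor service access enters OT only through a broker (jump host).
  4. Guest reaches nothing but the internet.
"""
from __future__ import annotations
from dataclasses import dataclass

ANY = "*"

# Representative ports a flat network leaves open between zones (constructed
# list): SMB, RDP, VNC, Siemens S7, HTTP, HTTPS, DNS.
PROBE_PORTS = (445, 3389, 5900, 102, 80, 443, 53)


@dataclass(frozen=True)
class Rule:
    src: str          # zone name or ANY
    dst: str          # zone name or ANY
    port: int | str   # port number or ANY
    action: str       # "allow" or "deny"


def is_allowed(rules, src, dst, port):
    """First matching rule wins; no match means deny."""
    for r in rules:
        if r.src in (ANY, src) and r.dst in (ANY, dst) and r.port in (ANY, port):
            return r.action == "allow"
    return False


def check_segmentation(rules):
    """Return a list of invariant violations; an empty list means the policy passes."""
    findings = []
    for port in PROBE_PORTS:
        if is_allowed(rules, "ot", "internet", port):
            findings.append(f"ot -> internet allowed on {port}")
        for zone in ("office", "guest", "internet"):
            if is_allowed(rules, zone, "ot", port):
                findings.append(f"{zone} -> ot allowed on {port}")
        for zone in ("office", "engineering"):
            if is_allowed(rules, "guest", zone, port):
                findings.append(f"guest -> {zone} allowed on {port}")
    # A broker with no path is a policy that will be bypassed with a direct hole.
    if not is_allowed(rules, "vendor_jump", "ot", 3389):
        findings.append("vendor broker has no path into ot")
    return findings


# The "before": one flat segment, everything talks to everything.
FLAT_NETWORK = [Rule(ANY, ANY, ANY, "allow")]

# The "after": office, engineering, OT, MES, guest and a vendor jump host as
# separate zones. Rule order matters because evaluation is first-match.
SEGMENTED = [
    Rule("vendor_jump", "ot", 3389, "allow"),    # brokered vendor session to a controller
    Rule("ot", "mes", 8080, "allow"),            # controllers report to MES (hypothetical port)
    Rule(ANY, "ot", ANY, "deny"),                # nothing else initiates into OT
    Rule("ot", ANY, ANY, "deny"),                # OT initiates nothing else, internet included
    Rule("guest", "internet", ANY, "allow"),
    Rule("guest", ANY, ANY, "deny"),
    Rule("office", "internet", ANY, "allow"),
    Rule("engineering", "internet", ANY, "allow"),
    Rule("office", "engineering", 445, "allow"),  # office reads the vault share
    Rule("office", "mes", 8080, "allow"),
]

if __name__ == "__main__":
    for name, policy in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED)):
        found = check_segmentation(policy)
        print(f"{name}: {'PASS' if not found else str(len(found)) + ' findings'}")
        for line in found:
            print("  -", line)
```

The flat policy produces a finding for every probed port on every forbidden path, while the segmented policy passes. On a real floor the rule list comes from the firewall's export, and every intentional hole into OT (the MES connection, the vendor broker) is written as an explicit allow above the deny, so the checker doubles as documentation of exactly which exceptions were approved.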

Why is manufacturing the number-one ransomware target?

Because the economics favor the attacker. Manufacturing has been the most-targeted sector for ransomware for several years running across multiple industry reports, and the reasons are structural: downtime tolerance is near zero because a stopped line means missed customer ship dates and contract penalties, legacy operational technology is hard to patch, networks are often flat, and shops have historically under-invested in security relative to the value at risk. An attacker who can halt production knows you are under intense pressure to pay. The defense is the same stack that protects any high-value target, but applied with OT in mind: segmentation, EDR on everything that can run it, monitored email, identity hardening, and 24/7 detection that catches the intrusion before it reaches the floor.

Our ERP and MES are hosted by the vendor. Do we still need our own backup?

Yes. Hosted and SaaS vendors back up their platform for their own resilience, not for your accidental deletion, a bad data import, or a compromised admin account. If someone corrupts a bill of materials or an attacker deletes production records, the vendor restores the platform, not your specific data, and rarely on the timeline a stopped line demands. Independent backup of your ERP and MES exports, your Microsoft 365, and especially your CAD and PDM vault is a separate control. The CAD vault matters most: it is often terabytes of irreplaceable engineering work, and we routinely find shops whose vault backup has never once been test-restored.
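The test-restore that Layer 6 and this answer call for is a drill that can be scripted. The block below is an added example, not code from this post or from the author's practice: it captures a hash manifest of a vault at backup time, restores the backup to a scratch location, and compares the restore against the manifest, reporting missing, extra and silently corrupted files. The vault contents, file names and the copy-based "backup job" are constructed stand-ins; a real drill points the same verify step at the output of whatever backup tool the shop runs.

```python
"""Added example: a scripted test-restore drill for a CAD/PDM vault backup.
The sample vault and the copy-based backup/restore are constructed stand-ins
for a real vault and a real backup tool."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so multi-gigabyte assemblies do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map every file under root (relative path) to its SHA-256."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*") if p.is_file()}


def verify_restore(manifest, restored_root):
    """Compare a restore against the manifest captured when the backup was taken."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    mismatched = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    return {
        "ok": not (missing or extra or mismatched),
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
    }


def make_sample_vault(root):
    """Constructed stand-in for a vault: a few part/drawing/assembly files."""
    files = {
        "proj-100/bracket.sldprt": b"A" * 4096,
        "proj-100/bracket.slddrw": b"B" * 2048,
        "proj-200/fixture.sldasm": b"C" * 8192,
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def run_restore_drill(simulate_corruption=False):
    """Back up, restore to scratch, verify. Optionally truncate one restored file
    to show that a byte-level comparison catches what a file count would miss."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = Path(tmp) / "vault"
        backup = Path(tmp) / "backup"
        restore = Path(tmp) / "restore"
        make_sample_vault(vault)
        manifest = build_manifest(vault)   # captured alongside the backup job
        shutil.copytree(vault, backup)     # the backup job (stand-in)
        shutil.copytree(backup, restore)   # the restore to a scratch location
        if simulate_corruption:
            (restore / "proj-200" / "fixture.sldasm").write_bytes(b"C" * 4096)
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    print("clean restore:", run_restore_drill())
    print("corrupted restore:", run_restore_drill(simulate_corruption=True))
```

The manifest is the point: a backup log that says "3 files copied" cannot distinguish a good restore from a truncated one, and a drill that only checks that the restore job finished would pass the corrupted case above. Keep the manifest with the backup set and run the drill on a schedule, not once.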

An engineer left and still had VPN access to the PLM and CAD vault. How bad is that?

Bad, and common. Your CAD models, fixtures, programs, and customer drawings are the company's intellectual property, and a departing engineer with lingering VPN and vault access can copy the entire project archive on the way out. We have been called in after exactly this. The fix is named accounts, no shared logins, a documented same-day offboarding checklist that revokes VPN and PLM access the moment employment ends, and monitoring that flags a large vault export before it becomes a problem. If you cannot say with certainty that every former engineer's access is closed, that is the first assessment we would run.
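The offboarding check this answer and the "IP theft on departure" section describe comes down to reconciling two lists and watching one log. The block below is an added example, not code from this post or from the author's practice: it cross-references a departure roster against VPN and vault access exports, flags accounts that are not mapped to a named person (shared logins), and runs a sliding-window check over vault checkout events for bulk exports. The roster, account lists, audit events and the one-hour/1 GB thresholds are constructed sample values.

```python
"""Added example: reconcile departures against VPN and vault access, and flag
bulk vault exports. All rosters, account exports and audit events below are
constructed sample data."""
from collections import defaultdict
from datetime import date, datetime, timedelta

# Constructed HR roster: departure date, or None for current staff.
ROSTER = {
    "jdoe":   {"name": "J. Doe",   "left": date(2026, 1, 15)},
    "asmith": {"name": "A. Smith", "left": None},
    "rlee":   {"name": "R. Lee",   "left": date(2025, 11, 30)},
}

# Constructed exports from the VPN appliance and the PDM vault ACL.
VPN_ACCOUNTS = {"jdoe": "enabled", "asmith": "enabled", "rlee": "disabled"}
VAULT_ACL = {"jdoe": "read-write", "asmith": "read-write",
             "rlee": "read", "shopfloor1": "read"}

# Constructed vault audit log: (timestamp, user, action, bytes).
AUDIT = [
    (datetime(2026, 1, 14, 9, 0),  "jdoe",   "checkout", 40_000_000),
    (datetime(2026, 1, 14, 9, 5),  "jdoe",   "checkout", 900_000_000),
    (datetime(2026, 1, 14, 9, 30), "jdoe",   "checkout", 1_200_000_000),
    (datetime(2026, 1, 14, 10, 0), "asmith", "checkout", 30_000_000),
]

AS_OF = date(2026, 2, 1)  # date the review is run


def find_lingering_access(roster, vpn, acl, as_of):
    """Return (account, system, reason) for every access that should not exist."""
    findings = []
    for user, state in vpn.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "vpn", "account not mapped to a named person"))
        elif person["left"] and person["left"] <= as_of and state == "enabled":
            days = (as_of - person["left"]).days
            findings.append((user, "vpn", f"enabled {days} days after departure"))
    for user, perm in acl.items():
        person = roster.get(user)
        if person is None:
            findings.append((user, "vault", "account not mapped to a named person"))
        elif person["left"] and person["left"] <= as_of:
            findings.append((user, "vault", f"still holds {perm} after departure"))
    return findings


def flag_bulk_exports(events, window=timedelta(hours=1), threshold=1_000_000_000):
    """Per user, sum checkout bytes over a sliding window; report the peak total
    for anyone who crossed the threshold."""
    by_user = defaultdict(list)
    for ts, user, action, size in events:
        if action == "checkout":
            by_user[user].append((ts, size))
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        start, total = 0, 0
        for ts, size in evs:
            total += size
            while ts - evs[start][0] > window:   # drop events older than the window
                total -= evs[start][1]
                start += 1
            if total > threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


if __name__ == "__main__":
    for account, system, reason in find_lingering_access(ROSTER, VPN_ACCOUNTS, VAULT_ACL, AS_OF):
        print(f"{system:5} {account:12} {reason}")
    for user, peak in flag_bulk_exports(AUDIT).items():
        print(f"bulk export: {user} pulled {peak / 1e9:.2f} GB within one hour")
```

On the sample data the review flags a departed engineer whose VPN and vault access both survived, a second departure still holding read access, and a shared floor account nobody is accountable for; the export check catches the archive pull the day before the departure. Real inputs are the HR system's termination report and the access exports from the VPN and PDM consoles, and the reconciliation belongs on a recurring schedule, not only at the moment someone leaves.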

Is our shop-floor firewall enough cybersecurity for a manufacturer?

No. A firewall at the internet edge does nothing about the flat network behind it, where an infected office laptop can reach a CNC controller, the ERP server, and the CAD vault on the same wire. Modern manufacturing security is segmentation plus identity: an operational-technology network separated from the office, MFA on every account, EDR on every device that can run it, monitored email security, and 24/7 detection and response. The edge firewall is one control among many, and on a flat shop network it is the one that gives the most false comfort.

Want a written read on your shop's IT and OT?

30 minutes with a DoD-cleared engineer. We will walk through your shop-floor network, ERP/MES, CAD vault, CMMC exposure, and cybersecurity, and hand you back a written punch list of what to fix first, ordered by risk. No sales script, no obligation.

Book your free assessment

Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.
