Case Study
Essential Eight Implementation for a Manufacturing Company
How a 60-person Dandenong manufacturing company achieved Essential Eight Maturity Level Two in six months, winning a government contract and gaining a competitive differentiator.
Manufacturing
60 staff
Dandenong
The problem
The company required Essential Eight Maturity Level Two to qualify for a Victorian Government supply contract. They had no formal cybersecurity baseline, no prior Essential Eight assessment, a flat network architecture with no segmentation between IT and operational technology, administrative privileges on all accounts, and no documented security policies. Starting from Maturity Level Zero, they needed to reach Level Two within six months to meet the tender deadline.
Our solution
Prexiam delivered a six-month Essential Eight uplift programme from Maturity Level Zero to Level Two. The programme covered all eight strategies across both corporate IT and factory floor environments: network segmentation between IT and OT, MFA on all accounts, automated patch management with manufacturing-safe deployment schedules, application control on production systems, administrative privilege restriction, Microsoft Office macro hardening, user application hardening, and comprehensive backup with tested restores. Ongoing managed IT support ensured controls were maintained after implementation.
The outcome
The company achieved Essential Eight Maturity Level Two within the six-month target. They won the government supply contract, which represented a 25% increase in annual revenue. Essential Eight compliance has since become a competitive differentiator — the company now references their maturity level in tenders and client proposals, winning work that competitors without demonstrable security cannot access.
This case study represents a typical engagement scenario based on common challenges we address for Melbourne manufacturing businesses. Client details have been generalised to protect confidentiality.
What was the situation?
A precision manufacturing company in Dandenong with 60 staff operated across a corporate office and an adjacent factory floor. The business ran CNC machines, inventory management systems, and an ERP platform that coordinated production scheduling, purchasing, and dispatch.
The company had identified a Victorian Government supply contract that would increase annual revenue by 25%. The tender requirements specified that suppliers must demonstrate Essential Eight Maturity Level Two — a condition increasingly common in government procurement.
The company had no formal cybersecurity framework, no prior security assessment, and no dedicated IT security staff. Their technology environment had grown organically over fifteen years with minimal security oversight. They were starting from Maturity Level Zero with a six-month deadline to reach Level Two.
What did the baseline assessment reveal?
Our Essential Eight assessment confirmed Maturity Level Zero across all eight strategies, with significant gaps:
- Flat network — Corporate IT systems (email, accounting, HR) and operational technology (CNC controllers, inventory scanners, production scheduling) shared the same network segment. A compromised office workstation could reach factory floor systems directly.
- Universal admin rights — Every user account had local administrator privileges, meaning any compromised account could install software, modify system settings, and move laterally across the network.
- No patching process — Windows updates were deferred indefinitely on production-adjacent PCs to avoid disrupting manufacturing operations. Some machines were running builds over two years behind current patches.
- No MFA — Email, VPN, and the ERP system all used password-only authentication. Several staff reused the same password across multiple systems.
- No application control — Any executable could run on any machine, including PCs connected to CNC controllers.
- Unrestricted macros — Microsoft Office macros were enabled without restriction across all workstations.
- Backup gaps — The ERP database was backed up nightly, but no other systems had formal backup procedures. A full restore had never been tested.
Reaching Maturity Level Two from this starting point in six months was ambitious but achievable with a structured programme.
How did we deliver the six-month uplift programme?
Manufacturing environments require careful implementation to avoid disrupting production. We worked closely with the production manager to schedule changes around shift patterns and planned the programme in three phases:
Phase 1: Foundation (months one and two)
Network segmentation. We redesigned the network to separate corporate IT from operational technology. VLANs and firewall rules ensured corporate workstations could not directly reach factory floor systems. Only the ERP server maintained controlled connectivity to both zones through specific, monitored ports.
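One way to audit a firewall ruleset against the segmentation goal described above, as an added example that is not Prexiam's tooling or configuration. The address ranges, ERP host, approved ports and rules are all constructed assumptions.

```python
import ipaddress as ip

# Constructed addressing plan (assumption, not from the case study).
CORP = ip.ip_network("10.10.0.0/16")   # corporate IT VLANs
OT = ip.ip_network("10.20.0.0/16")     # factory floor VLANs
ERP = ip.ip_network("10.10.5.10/32")   # ERP server, the only permitted bridge
ERP_PORTS = {443, 1433}                # hypothetical approved ERP ports

def crosses(src, dst):
    """True if a rule's src/dst ranges can carry traffic between CORP and OT."""
    return (src.overlaps(CORP) and dst.overlaps(OT)) or \
           (src.overlaps(OT) and dst.overlaps(CORP))

def audit(rules):
    """Return a finding for every allow rule that bridges IT and OT
    without being pinned to the ERP server on an approved port."""
    findings = []
    for n, (action, src, dst, port) in enumerate(rules, 1):
        s, d = ip.ip_network(src), ip.ip_network(dst)
        if action != "allow" or not crosses(s, d):
            continue
        if ERP not in (s, d):
            findings.append((n, "IT/OT path that does not terminate on the ERP server"))
        elif port not in ERP_PORTS:
            findings.append((n, f"ERP bridge on unapproved port {port}"))
    return findings

# Constructed ruleset: (action, source, destination, destination port or "any").
RULES = [
    ("allow", "10.20.0.0/16", "10.10.5.10/32", 1433),   # OT clients -> ERP DB
    ("allow", "10.10.5.10/32", "10.20.1.0/24", 443),    # ERP -> CNC job API
    ("allow", "10.10.30.0/24", "10.20.1.0/24", 3389),   # office PCs -> CNC PCs (RDP)
    ("allow", "10.10.5.10/32", "10.20.0.0/16", "any"),  # ERP -> all OT, any port
    ("allow", "10.10.0.0/16", "10.10.5.10/32", 443),    # intra-corporate, ignored
    ("deny",  "0.0.0.0/0",    "0.0.0.0/0",     "any"),  # default deny
]

if __name__ == "__main__":
    for rule_no, reason in audit(RULES):
        print(f"rule {rule_no}: {reason}")
```

The audit is deliberately conservative: it flags any allow rule whose ranges could bridge the zones, even if an earlier deny would shadow it, so each finding is a prompt to review the rule rather than proof of a reachable path.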
Identity and access controls. MFA was deployed on Microsoft 365, VPN, and the ERP system. All user accounts had administrative privileges removed. Dedicated admin accounts were created for IT management tasks, each requiring MFA and used only when elevated access was needed. Privileged access was logged and reviewed monthly.
Backup and recovery. Backup procedures were established for the ERP database, file shares, email, and production system configurations. Backups were stored both locally and in Azure Blob Storage for disaster recovery. Full restore tests were completed successfully for all critical systems.
Phase 2: Hardening (months three and four)
Automated patch management. Corporate workstations received patches on standard ACSC-recommended timeframes. Production-adjacent PCs followed a staggered two-week cycle, tested on a non-critical machine before wider deployment. Third-party applications — browsers, PDF readers, Java — were included in the patching scope, addressing a gap that many organisations miss.
Application control. This is the most challenging Essential Eight strategy, particularly in manufacturing. We implemented application control on all workstations and the six PCs connected to CNC controllers. Only approved applications — manufacturing software, Windows system processes, and authorised business applications — could execute. New software required approval through a change management process.
Microsoft Office macro hardening. Macros from the internet were blocked. Internal macros used by the accounting and production teams were signed and whitelisted. Unsigned macros were blocked across all other workstations.
User application hardening. Browsers were configured to block Flash, Java, and web advertisements. Email clients were hardened to prevent automatic execution of content. These controls reduced the attack surface available through common user-facing applications.
Phase 3: Maturity and documentation (months five and six)
Maturity Level Two validation. We conducted a formal reassessment against the ACSC maturity model, confirming Level Two across all eight strategies. Gap findings from the initial assessment were verified as remediated. Evidence packages were compiled for each strategy.
Incident response plan. A comprehensive plan was documented covering scenarios specific to manufacturing: ransomware affecting production systems, ERP compromise, supply chain data breach, and IT-to-OT lateral movement. A tabletop exercise was conducted with the general manager, production manager, and office manager.
Ongoing management transition. With controls in place, we transitioned to ongoing managed IT support to maintain the maturity level. This included continuous patching, configuration drift monitoring, quarterly maturity reviews, and helpdesk support for the team.
What were the results?
The company met the government tender deadline and achieved their strategic objectives:
- Essential Eight Maturity Level Two achieved across all eight strategies within the six-month target
- Government contract won — The compliance evidence package was submitted with the tender and accepted. The contract represented a 25% increase in annual revenue.
- Competitive differentiator established — The company now references Essential Eight Maturity Level Two in all tenders and client proposals. They have won two additional contracts where competitors without demonstrable cybersecurity maturity were excluded.
- Production continuity maintained — The staggered implementation approach and manufacturing-aware scheduling caused zero unplanned production downtime across the entire six-month programme.
- Ongoing compliance secured — Managed IT support ensures patching, monitoring, and configuration management continue. Quarterly maturity reviews confirm the Level Two rating is maintained, not just achieved once and allowed to drift.