IT Support for Manufacturing Companies
Most IT providers treat your shop floor like an office. They're not the same. Get matched with an MSP that understands ERP systems, OT/IT network segmentation, CMMC compliance, and what production downtime actually costs.
Why Manufacturing IT Is Different
Manufacturers run two separate technology environments. Most IT providers only understand one of them.
OT/IT Convergence
PLCs, SCADA systems, and CNC machines run on operational technology networks that can't tolerate standard IT patching cycles. One wrong update can halt a production line.
ERP as the Nervous System
Your ERP connects purchasing, production scheduling, inventory, and shipping. If it goes down, everything stops. Your IT provider needs to understand its dependencies deeply.
CMMC for Defense Suppliers
If you're a DoD contractor or subcontractor handling CUI, CMMC Level 2 certification is now a contract requirement — not optional. Most general IT firms can't guide you through it.
Uptime Is Revenue
A mid-size manufacturer losing $50K/hour during downtime needs a different IT strategy than a professional services firm. Redundancy, tested failover, and rapid response are non-negotiable.
Supply Chain Cyber Risk
Manufacturers are increasingly targeted through supplier portals, EDI connections, and vendor VPN access. Your IT provider needs a supplier access policy — not just a firewall.
Regulatory Patchwork
Depending on your sector: ITAR (defense), FDA 21 CFR Part 11 (medical devices), NIST 800-171 (CUI), ISO 27001 (enterprise customers). Each has specific IT requirements your MSP needs to know.
Common Manufacturing ERPs — What Your IT Provider Needs to Know
The wrong MSP will treat your ERP like any other application. The right one will understand its dependencies before touching anything.
| ERP System | Typical Users | Infrastructure Requirements | Key IT Considerations |
|---|---|---|---|
| SAP S/4HANA | Mid-market to enterprise, 200+ employees | HANA in-memory DB, high-RAM servers or SAP-certified cloud | SAP Basis admin required; patching must align with SAP maintenance windows; RISE or GROW hosted options shift some IT burden to SAP |
| Epicor Kinetic | Discrete, jobshop, make-to-order (50–500 employees) | SQL Server, on-prem or Epicor cloud | Epicor upgrades break customizations; SQL maintenance plans critical; cloud migration path increasingly common |
| Infor CloudSuite Industrial | Industrial manufacturing, mixed-mode | Multi-tenant SaaS or on-prem | Integration with Infor ION middleware; API connections to shop floor; Mongoose framework customizations |
| SYSPRO | Smaller manufacturers, distribution (20–200 employees) | SQL Server, Windows Server | On-prem common; SYSPRO Cloud ERP available; SQL backups and version compatibility require attention |
| JobBOSS² | Job shops, fabricators (10–100 employees) | SQL Server (cloud or on-prem) | Simple infrastructure; key risk is SQL backup failure; often integrated with CAD/CAM and nesting software |
| Microsoft Dynamics 365 | Growing manufacturers needing ERP + CRM | Azure SaaS — minimal on-prem infrastructure | Microsoft 365 integration makes IT management simpler; Power Platform customizations can create shadow IT risk |
| Oracle NetSuite | Multi-location, fast-growing manufacturers | Cloud SaaS — no on-prem servers | IT focus shifts to integrations (EDI, 3PL, WMS), SSO, and user access management rather than infrastructure |
OT/IT Network Segmentation: The Purdue Model Explained
Your shop floor network should be physically or logically separated from your business network. Here's the architecture your MSP should know.
Level 4–5 — Business Network
Email, ERP, file servers, Microsoft 365, HR systems. Standard IT patching and security policies apply here.
Level 3 — Manufacturing Operations
MES (Manufacturing Execution System), production scheduling, batch management. Bridges IT and shop floor.
Level 2 — Supervisory Control
SCADA, HMI systems, historian servers. Long change cycles — software may be years old and can't be patched like business systems.
Level 1 — Control Systems
PLCs, DCS controllers, motion controllers. These run the actual machines. Changes require engineering involvement, not just IT approval.
Level 0 — Physical Process
Sensors, actuators, drives, robots, CNC machines. Physical layer — IT has no direct role but network connectivity affects safety.
What to ask your IT provider: "Can you describe how you'd segment our OT and IT networks? What firewall platform would you use between the DMZ and Level 3? How do you handle engineering workstations that need access to both networks?" If they say they treat it like a regular office network, find another provider.
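One way to check the segmentation described above against observed traffic, as an added example that is not from this page or any provider. It assumes a constructed addressing plan, models the DMZ as Purdue Level 3.5, and assumes a policy in which business hosts reach OT only through the DMZ and the DMZ reaches Level 3 only; it also flags engineering workstations with interfaces on both sides.

```python
import ipaddress

# Constructed zone map (assumed addressing): subnet -> Purdue level; 3.5 is the DMZ.
ZONES = {
    "10.40.0.0/16": 4.0,  # business network: email, ERP, file servers
    "10.35.0.0/24": 3.5,  # DMZ between business and manufacturing operations
    "10.30.0.0/24": 3.0,  # MES, production scheduling
    "10.20.0.0/24": 2.0,  # SCADA, HMI, historian
    "10.10.0.0/24": 1.0,  # PLCs and controllers
}
NETS = [(ipaddress.ip_network(n), lvl) for n, lvl in ZONES.items()]

def level_of(ip):
    """Return the Purdue level of an address, or None if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in NETS if addr in net), None)

def audit_flow(src, dst):
    """Classify one observed flow against the assumed segmentation policy."""
    s, d = level_of(src), level_of(dst)
    if s is None or d is None:
        return "unzoned"          # asset missing from the zone inventory
    lo, hi = min(s, d), max(s, d)
    if hi >= 4 and lo <= 3:
        return "it-ot-bypass"     # business host talks to OT without the DMZ
    if hi == 3.5 and lo < 3:
        return "dmz-too-deep"     # DMZ should reach Level 3 only
    return "ok"

def dual_homed(interfaces):
    """Hosts with one interface on the business side and one at Level 3 or below."""
    def spans(ips):
        lv = [l for l in map(level_of, ips) if l is not None]
        return bool(lv) and max(lv) >= 4 and min(lv) <= 3
    return sorted(h for h, ips in interfaces.items() if spans(ips))

# Constructed sample data: flow records and an engineering-workstation inventory.
FLOWS = [
    ("10.40.1.20", "10.35.0.5"),   # ERP server -> DMZ broker
    ("10.35.0.5", "10.30.0.10"),   # DMZ broker -> MES
    ("10.40.7.33", "10.20.0.8"),   # office PC -> HMI
    ("10.35.0.5", "10.10.0.2"),    # DMZ broker -> PLC
    ("10.30.0.10", "10.20.0.9"),   # MES -> historian
]
HOSTS = {"eng-ws-01": ["10.40.9.4", "10.20.0.50"], "hmi-02": ["10.20.0.8"]}

if __name__ == "__main__":
    print([audit_flow(s, d) for s, d in FLOWS], dual_homed(HOSTS))
```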
CMMC Compliance for Defense Manufacturers (DoD Required)
If your company touches the defense supply chain and handles CUI, your IT provider is part of your compliance posture — whether they know it or not.
| CMMC Level | Who Needs It | Control Requirements | IT Provider Role |
|---|---|---|---|
| Level 1 — Foundational | All DoD contractors handling FCI (Federal Contract Information) | 17 practices from FAR 52.204-21 — basic cyber hygiene | Annual self-assessment; MSP helps implement and document basic controls |
| Level 2 — Advanced | Contractors handling CUI — most primes and subcontractors | 110 practices aligned to NIST SP 800-171 | Third-party C3PAO assessment required every 3 years; MSP must understand System Security Plan (SSP) and Plan of Action & Milestones (POA&M) |
| Level 3 — Expert | Critical programs, highest CUI sensitivity | 110+ practices from NIST SP 800-172 | DIBCAC (government) assessment; very small subset of contractors; MSP needs deep federal compliance experience |
The CUI Scoping Problem
The hardest part of CMMC isn't implementing controls — it's correctly scoping which systems touch CUI. Your MSP needs to help you identify your CUI boundary: which endpoints, servers, cloud services, and communication channels handle controlled data. Everything in scope must meet the control requirements. Everything out of scope must be demonstrably isolated. Most manufacturers underestimate their CUI footprint.
Questions to Ask a Manufacturing MSP
Use these to separate providers who've done this from providers who think they can figure it out on your dime.
On OT/IT Security
- Have you performed an OT network assessment before?
- What industrial firewalls have you deployed? (Fortinet FortiGate, Cisco IE series, Claroty, Dragos)
- How do you handle engineering workstations with OT access?
- How do you monitor OT network traffic without disrupting operations?
On ERP Support
- Which ERPs have you managed in production environments?
- How do you coordinate SQL maintenance with our ERP vendor?
- What's your process for ERP version upgrades?
- Have you performed an ERP DR test with a manufacturer before?
On CMMC / Compliance
- Have you helped a manufacturer achieve CMMC Level 2?
- Can you help us build our System Security Plan (SSP)?
- How do you handle CUI scoping across cloud and on-prem systems?
- Are you a Registered Practitioner Organization (RPO)?
Red Flags in Manufacturing IT Proposals
Watch for these in any proposal or discovery call with an IT provider.
- No mention of OT — If they don't ask about your shop floor, they've never worked with a manufacturer.
- Standard patching SLAs applied to everything — OT devices have different (often vendor-controlled) patching requirements. A patch-everything approach will break production systems.
- No ERP-specific experience — Generic "we support SQL Server" is not the same as understanding ERP failover, upgrade sequencing, and backup verification.
- CMMC treated as a checkbox — CMMC is a continuous compliance program, not a one-time audit. Be skeptical of any provider who says they can get you certified in 30 days.
- Backup without tested recovery — Backups don't matter if they've never been tested against your ERP. Ask specifically: "When did you last restore this ERP in a test environment?"
- No mention of vendor access controls — Supplier VPNs and EDI connections are a major attack surface. If your MSP isn't asking about third-party access, that's a gap.
Get Matched With a Manufacturing IT Provider
Tell us about your operation. We'll match you with MSPs who have documented manufacturing experience — not generalists who'll learn on your production line.