Security for Texas Manufacturers  •  CMMC L2 • ITAR • OT/ICS • IP Theft • Ransomware Defense

Manufacturing is the #1 attacked industry in America. Your shop floor is the entry point.

IBM X-Force has named manufacturing the most-attacked industry for four consecutive years. Brunswick Corp lost $85M in production costs from a single ransomware event. Texas auto-parts suppliers were hit by a coordinated ransomware wave disrupting just-in-time delivery to major OEMs. Your CAD files, supplier specs, and production data are worth more on the dark web than your next invoice. Most generalist MSPs can't even see your shop floor.

CMMC Level 2 flow-down: Active enforcement. Any DoD subcontract — at any tier — carrying DFARS 252.204-7012 must meet CMMC L2 requirements. Primes are now enforcing it as a contract condition. A breach notification with a low SPRS score can suspend your contract and trigger False Claims Act exposure. CoreRecon drives your SPRS posture and builds the SSP artifacts a C3PAO will demand.
Threat Reality — Texas Manufacturers

Three attack vectors.
One SOC team that understands your floor.

Ransomware operators and nation-state espionage groups target manufacturing for two reasons: operational disruption (production downtime = pressure to pay) and IP theft (design specs, process parameters, and supplier data have real buyer value). Texas manufacturing is a priority target because of the defense supply chain and the volume of proprietary production data.

Ransomware + Production Downtime — Brunswick Corp, 2024
Maritime + Recreational Vehicles — $85M in production losses
Brunswick Corp — parent of Mercury Marine and Sea Ray — confirmed $85M in production losses from a ransomware attack that forced plant shutdowns across their manufacturing facilities. The attack targeted OT systems to maximize production disruption and pressure payment. Every hour of downtime in a discrete-mfg line has a direct $/minute cost in labor, throughput, and perishable WIP — making manufacturers uniquely motivated to pay. CoreRecon's downtime-priority IR playbook maps your production cost-per-hour against response decisions so analysts escalate immediately.
IP Theft + Nation-State Espionage — Manufacturing Sector
CAD Files, BOMs, Process Specs — Worth More Than Ransomware
IBM X-Force data confirms the manufacturing sector's unique dual-threat profile: financially-motivated ransomware groups target production capability for extortion, while nation-state actors target proprietary manufacturing data for competitive advantage. CISA and FBI advisories have documented foreign adversaries linked to PRC, Russia, and Iran targeting TX aerospace and automotive supplier specs. ITAR-regulated technical data (controlled technical information / CTI) is the highest-value target for adversaries. Exfiltration followed by publication is the double-extortion pattern applied to IP.
OT/IT Convergence Attack — Shop Floor as Entry Point
Corporate Email → Shop Floor LAN → CNC Controllers
The typical attack path into manufacturing OT: a phishing email compromises a corporate workstation, lateral movement reaches the shop floor LAN (often flat or poorly segmented), and the attacker reaches CNC controllers, PLCs, or MES systems via the same network. Modbus, DNP3, EtherNet/IP, and OPC-UA are increasingly exposed in manufacturing environments — and most generalist MSPs don't know what those protocols are. CoreRecon's IT/OT segmentation review is the first step to breaking this path.
Manufacturing Compliance Landscape

Five frameworks.
One team to manage them all.

Texas manufacturers operating in the defense supply chain carry CMMC L2 obligations that flow down from primes — but even non-defense manufacturers face ITAR, state critical infrastructure requirements, and an increasingly aggressive ransomware regulatory environment. Here's the full landscape.

| Framework | Who's in Scope | Key Requirements | Penalty / Consequence | CoreRecon Coverage |
|---|---|---|---|---|
| CMMC Level 2 | Any organization holding a DoD contract with DFARS 252.204-7012; flows down through all subcontract tiers | 110+ security practices from NIST SP 800-171; SPRS score must reflect compliance; SSP (System Security Plan) artifacts required for C3PAO audit; POA&M management for gaps; annual self-assessment or third-party certification depending on contract level | Contract suspension pending remediation; False Claims Act exposure if SPRS score misrepresented; loss of prime/sub eligibility | Fortress: SPRS posture improvement, SSP artifact development, POA&M management, CMMC practice mapping, quarterly CMMC readiness reviews |
| NIST SP 800-171 | Required for CMMC L2; covers CUI (Controlled Unclassified Information) in non-federal systems | 110 controls covering access control, audit accountability, configuration management, identification and authentication, incident response, risk assessment, system and communications protection, and others; every control requires documented implementation evidence | Same as CMMC — the underlying standard; SPRS scoring reflects NIST 800-171 implementation | Fortress: Control gap assessment, implementation roadmap, evidence documentation, continuous monitoring for control drift |
| ITAR / EAR Export Controls | Manufacturers handling defense articles, services, or technical data on the USML or dual-use items on the CCL | DDTC registration, export licensing, access controls on technical data, foreign person access restrictions, ITAR compliance program documentation; EAR for dual-use items; TAA for some arrangements | Civil penalties up to $1M per violation; criminal liability for willful violations; loss of export privileges; debarment from defense contracts | Fortress: ITAR enclave architecture, CTI access controls, foreign national access restrictions, DDTC compliance documentation, U.S.-person-only SOC for ITAR environments |
| CISA ICS Advisory + Cross-Sector CPGs | All critical infrastructure operators including manufacturing; CISA ICS advisories apply to manufacturing OT environments | Reduce attack surface, MFA on remote access, network segmentation between IT and OT, incident reporting to CISA, asset inventory of OT devices; cross-sector CPGs cover manufacturing-specific OT exposure | Non-binding but creates expected standard of care; cited in post-incident enforcement; supply chain requirements from primes now reference CISA CPGs | Fortress: OT attack surface reduction, MFA enforcement on remote access, IT/OT segmentation, CISA advisory implementation tracking, ICS monitoring |
| TX HB 4 / SB 820 (Critical Infrastructure) | Texas manufacturers in critical infrastructure sectors; HB 4 expands cyber incident reporting requirements | TX breach notification law (SB 820) requires notification to TX AG within 48 hours of a breach affecting TX residents; HB 4 references state critical infrastructure protection obligations; ransomware payments to sanctioned entities may trigger additional state reporting | TX AG enforcement; civil liability for delayed notification; state contract implications for critical infrastructure contractors | Sentinel: Breach notification documentation, TX AG notification support, incident timeline preservation, ransomware payment legal review support |
OT/ICS Security for Manufacturing

Your shop floor is on the network.
Most MSPs can't see it.

Modern manufacturing runs on OT: PLCs, CNC controllers, industrial robots, MES systems, and SCADA historians connected to the corporate network. Generalist MSPs treat your shop floor like an office LAN. CoreRecon doesn't. We understand the Purdue Model, can tune SIEM for Modbus/DNP3/OPC-UA, and know the difference between a legitimate operator command and a setpoint manipulation attack.

🔌
Purdue Model + IT/OT Segmentation
The Purdue Model defines the five levels of manufacturing automation — from Level 0 (physical devices) through Level 5 (enterprise business planning). Most corporate IT sits at Levels 4–5; your shop floor sits at Levels 0–3. CoreRecon implements the IT/OT boundary at the Level 3.5 DMZ: monitored firewall rules, passive NTA sensors, and documented authorized communication channels between corporate IT and shop floor OT.
🔋
SIEM Tuning for Industrial Protocols
Generalist MSPs send Modbus and DNP3 traffic to their SIEM as noise. CoreRecon engineers understand the protocol layer: function codes, exception responses, and polling patterns. We build baselines of normal OT traffic and alert on anomalies — a setpoint write outside normal parameter ranges, an unauthorized remote HMI session, a CNC controller reaching out to an unexpected external IP. This is not commodity alert triage; it requires domain knowledge your current MSP doesn't have.
🛡
Downtime-Priority Incident Response
Every hour of production downtime in a discrete manufacturing line has a $/minute cost. In automotive supply, lines running just-in-time inventory can lose $50K–$200K per hour of unplanned downtime. CoreRecon's IR playbook for manufacturing anchors response decisions to your actual downtime cost — so analysts know immediately when an OT incident is climbing toward production-stop territory and needs escalation within minutes, not hours.
📢
Supply Chain Attack Tabletop Exercise
Most manufacturers have a Tier 1–3 supply chain that is an extension of their OT environment — suppliers with remote access to shared engineering platforms, shared BOM systems, and collaborative CAD environments. CoreRecon offers a supply chain attack tabletop exercise that walks your team through a scenario where a compromised supplier's credentials are used to access your engineering and production systems. It surfaces the gaps before an attacker does.
Why Generalist MSPs Fail Manufacturers

They monitor your office.
Your shop floor is dark.

Every manufacturer that has been breached through an OT pathway had an MSP that thought everything was fine. The gap isn't malicious — it's architectural. Generalist MSPs were built for office environments. Here are the specific failure modes.

🔎
They Can't Read Industrial Protocols
Modbus, DNP3, EtherNet/IP, and OPC-UA are the languages of your shop floor. Generalist MSPs log this traffic as noise and ignore it. When a threat actor uses Modbus function codes to issue a setpoint write command — they see nothing. CoreRecon's analysts are trained on industrial protocol analysis and can distinguish a legitimate command from an attacker's command.
🌎
They Don't Know the Purdue Model
The Purdue Model is the architectural framework for industrial automation segmentation. Level 4 (corporate business planning) and Level 3 (manufacturing operations management) are your IT. Levels 0–2 are your OT. Most MSPs put everything in one flat network or apply corporate IT security posture to a Level 2 cell area that has entirely different constraints. You can't run CrowdStrike on a CNC controller. CoreRecon understands the architectural constraints and works within them.
🚧
They Treat the Shop Floor LAN Like an Office
Office security is: keep bad things out, patch your endpoints. Shop floor security is: keep bad things from moving between PLCs, protect operator workstations that run proprietary software you can't patch, and monitor for anomalies in control system communication patterns that have nothing to do with malware signatures. The threat model is completely different. CoreRecon maps it correctly.
💥
They Have No Downtime Cost Model
When a generalist MSP's SOC gets an alert about an OT system, they put it in a queue. They don't know that every minute of production stoppage at a mid-size manufacturer costs $5K–$50K+. They don't know the difference between a Level 2 PLC communication and a Level 0 actuator command. They triage it as low-priority IT noise. CoreRecon's IR playbook for manufacturing has your downtime cost model loaded and escalating thresholds calibrated to it.
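The Modbus checks described above under "SIEM Tuning for Industrial Protocols" and "They Can't Read Industrial Protocols", as an added example (not CoreRecon's code): a passive check that parses Modbus/TCP frames and flags writes from non-allowlisted sources, setpoint writes outside a baselined range, and exception responses. The IP addresses, unit ID, register address, and range are constructed assumptions.

```python
import struct

# Function codes that change controller state (coil and register writes).
WRITE_CODES = {0x05, 0x06, 0x0F, 0x10}

# Assumed baseline (constructed values, not from any real site).
AUTHORIZED_WRITERS = {"10.20.3.15"}           # hypothetical HMI address
SETPOINT_RANGES = {(1, 40): (500, 1500)}      # (unit id, zero-based register) -> (min, max)

def adu(txn, unit, pdu):
    """Build a Modbus/TCP frame; used only to construct sample input."""
    return struct.pack(">HHHB", txn, 0, len(pdu) + 1, unit) + pdu

def parse_adu(frame):
    """Return (unit id, function code, data) after validating the MBAP header."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _txn, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("protocol id or length field inconsistent")
    return unit, frame[7], frame[8:]

def register_writes(func, data):
    """Return [(address, value), ...] for register write requests."""
    if func == 0x06:                           # Write Single Register
        if len(data) != 4:
            raise ValueError("bad Write Single Register body")
        return [struct.unpack(">HH", data)]
    if func == 0x10:                           # Write Multiple Registers
        if len(data) < 5:
            raise ValueError("bad Write Multiple Registers body")
        start, qty, nbytes = struct.unpack(">HHB", data[:5])
        if nbytes != 2 * qty or len(data) != 5 + nbytes:
            raise ValueError("byte count does not match quantity")
        values = struct.unpack(f">{qty}H", data[5:])
        return [(start + i, v) for i, v in enumerate(values)]
    return []                                  # coil writes carry no setpoint value

def inspect(src_ip, frame, is_request):
    """Return a list of (rule, detail) alerts for one observed frame."""
    try:
        unit, func, data = parse_adu(frame)
        if not is_request:
            # A response with the high bit set reports an exception code.
            if func & 0x80 and data:
                return [("exception-response",
                         f"unit {unit} func 0x{func & 0x7F:02x} code {data[0]}")]
            return []
        if func not in WRITE_CODES:
            return []                          # reads and polling are baseline traffic
        alerts = []
        if src_ip not in AUTHORIZED_WRITERS:
            alerts.append(("unauthorized-writer", f"{src_ip} func 0x{func:02x}"))
        for addr, value in register_writes(func, data):
            bounds = SETPOINT_RANGES.get((unit, addr))
            if bounds and not bounds[0] <= value <= bounds[1]:
                alerts.append(("setpoint-out-of-range",
                               f"unit {unit} reg {addr} value {value}"))
        return alerts
    except (ValueError, struct.error) as exc:
        return [("malformed-frame", str(exc))]

if __name__ == "__main__":
    # Constructed sample: a corporate workstation writing 9000 to register 40.
    sample = adu(2, 1, struct.pack(">BHH", 0x06, 40, 9000))
    for rule, detail in inspect("10.10.8.77", sample, True):
        print(rule, detail)
```

A write request and its echo response share the same layout, so the sensor has to supply the direction (`is_request`) from the TCP session it observed.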
The CoreRecon Technical Approach

IT/OT segmentation review.
OT-aware monitoring.
Production-safe IR.

CoreRecon's approach for manufacturers starts with understanding your production environment — not just your IT perimeter. We map the IT/OT boundary, identify every exposure point between your corporate network and your shop floor, and build a monitored architecture that protects without disrupting production.

🔍
IT/OT Segmentation Review (Day 1)
CoreRecon starts with an external attack surface scan + OT discovery: we identify every internet-exposed OT device, every remote access path into your shop floor (VNC, RDP, TeamViewer to HMIs or PLCs), and map your Purdue Model architecture against your actual network topology. Typical finding for a mid-size manufacturer: 3–6 exposed OT interfaces operators don't know about.
🔐
Claroty / Dragos-Compatible Monitoring Posture
CoreRecon's monitoring architecture is compatible with Claroty xDome and Dragos Platform integrations — and works standalone if you're not running those platforms. We use passive NTA at the IT/OT boundary to monitor Modbus, DNP3, EtherNet/IP, and OPC-UA traffic. If you already have Claroty or Dragos, we integrate with your existing investment. If you don't, we build the equivalent coverage with best-in-class open architecture sensors.
💥
30-Min SLA on OT Incidents
When a threat actor reaches your shop floor LAN, you don't have hours to wait for a SOC analyst to triage. CoreRecon's 30-minute SLA applies to OT incidents — anomalous setpoint commands, unauthorized HMI access, unexpected device-to-device communication. Our analysts understand industrial protocols and can escalate to your OT team with the right context in 30 minutes or less. Fortress and Command tiers include this SLA as standard.
📈
Downtime-Cost-Calibrated IR Playbook
CoreRecon builds a production-specific IR playbook that includes your downtime $/hour model for each manufacturing line or facility. The playbook maps response decisions against production cost thresholds, so analysts know when an incident is approaching a production-stop scenario and requires immediate escalation. This is qualitatively different from a standard IR playbook and requires OT-domain expertise to build.
Documented Incidents — Manufacturing Sector

Documented incidents.
The gaps a monitored SOC would close.

These are real documented incidents — not CoreRecon client data, which we keep confidential. They're the incidents that define the threat landscape for Texas manufacturers.

Brunswick Corp — 2024
Ransomware + $85M production loss — Maritime / Recreational Vehicles
Brunswick Corp — parent of Mercury Marine, Sea Ray boats, and other recreational and commercial marine brands — suffered a ransomware attack that forced production shutdowns across multiple manufacturing facilities. The company confirmed $85M in production losses in the subsequent earnings report. The attack targeted OT to maximize production disruption and create payment pressure. Post-incident, Brunswick disclosed the attacker had accessed manufacturing systems — not just IT. The incident illustrates that production shutdown costs from OT-targeted ransomware can reach eight figures. A downtime-cost-calibrated IR playbook would have escalated the OT alert immediately, before production impact compounded.
Auto-Parts Supply Chain — TX, 2024
Ransomware wave against TX auto-parts suppliers — just-in-time disruption
A coordinated ransomware wave targeted Texas auto-parts suppliers in 2024 — organizations in the supply chain for major OEMs. The attacks disrupted just-in-time delivery schedules, causing cascading production slowdowns at assembly plants. Multiple incidents were confirmed in the Dallas-Fort Worth and Austin metro areas. The attack vector: the same IT-side compromise path (phishing → corporate network → shop floor) that attackers use to reach manufacturing OT. CoreRecon's IT/OT segmentation and lateral movement detection would break this path before the shop floor was reached.
IP Exfiltration — Nation-State (Manufacturing)
Foreign adversaries targeting TX aerospace + automotive supplier specs
CISA and FBI advisories have documented multiple instances of foreign adversaries — linked to PRC, Russia, and Iran — targeting manufacturing companies for IP theft. The pattern: spearphishing to gain initial access, lateral movement to reach engineering systems, and exfiltration of CAD files, BOMs, tooling specifications, and process parameters. For manufacturers in aerospace, automotive, and defense supply chains, this data has direct intelligence value. ITAR-regulated technical data (CTI) is the highest-risk target category. CoreRecon's ITAR enclave architecture and CTI access controls address this threat profile specifically.
Ongoing Work
Building CoreRecon's first documented manufacturing case study
We are currently documenting our first CoreRecon manufacturing client case study — working with the client to get permission to publish under NDA. Until then, contact us for direct references from defense contractor and automotive supply chain verticals. We've had multiple manufacturing clients with confirmed OT-adjacent incidents that our SOC detected and contained before production impact. We're happy to walk through what that looked like.
Pricing for Texas Manufacturers

Shop-floor-aware SOC.
Month-to-month. CMMC-ready.

CoreRecon's manufacturing tiers cover your staff IT endpoints, OT network monitoring, and CMMC Level 2 compliance posture. Fortress is our recommended tier for manufacturers in the defense supply chain — the combination of CMMC-mapped compliance reporting, ITAR enclave capability, and dedicated OT-aware analysts addresses the full stack of needs in a single engagement. No minimums. No 3-year contracts.

| Tier | Price / Endpoint / Month | What's Included | Best For |
|---|---|---|---|
| Sentinel | $89 | 24/7 SOC monitoring on IT/staff endpoints, external attack surface scan (OT discovery included), MFA enforcement on all remote access paths, lateral movement detection, TX SB 820 / HB 4 notification support, monthly executive report, IT/OT boundary awareness baseline, IR letter for cyber insurance | Small-to-mid manufacturers (<50 endpoints); non-defense supply chain; general OT/IP exposure without CMMC or ITAR obligations; first layer of IT/OT boundary hardening |
| Fortress | $109 | All Sentinel + OT/SCADA passive monitoring (NTA sensors at IT/OT boundary), CMMC L2 practice mapping and SPRS posture improvement, NIST SP 800-171 evidence documentation, SSP artifact support for C3PAO readiness, ITAR enclave architecture and CTI access controls, IT/OT segmentation review, 30-min SLA on OT incidents, supply chain attack tabletop exercise (annual) | Recommended for defense supply chain and CMMC-pursuing manufacturers. Mid-size manufacturers (50–200 endpoints); CMMC L2 flow-down obligations; ITAR-regulated environments; any manufacturer with high-value IP that needs IT/OT boundary monitoring and CMMC compliance artifacts |
| Command | $129 | All Fortress + advanced OT threat hunting (Modbus/DNP3/EtherNet/IP protocol anomaly detection), continuous ICS monitoring with Claroty/Dragos-compatible sensor architecture, annual OT penetration test, nation-state IP theft hunt packages, CMMC RP consultation for C3PAO audit, multi-facility OT monitoring, dedicated analyst team | Large manufacturers (200+ endpoints); multi-site operations with multiple OT environments; post-incident environments requiring remediation documentation; organizations with active CMMC C3PAO audit in progress; ITAR-regulated environments with DDTC registration |
* OT/SCADA monitoring pricing depends on the number of facilities, SCADA nodes, and PLC/controller count. An OT network assessment (scope, sensor placement, Purdue Model architecture review) is included in the free posture assessment. Pricing above is per IT/staff endpoint; OT monitoring is quoted based on facility count and asset inventory. CMMC L2 compliance artifacts (SSP, POA&M) are included at Fortress tier. ITAR enclave configuration is available at Fortress and Command tier.
The CoreRecon Track Record

Texas manufacturers.
Real threats. OT-aware monitoring.

4 yrs
Manufacturing #1 attacked sector
$85M
Single mfg ransomware production loss
30min
OT incident response SLA
$0
Cost to start (free assessment)

CoreRecon is an SDVOSB-certified MSSP headquartered in Texas. We understand the CMMC flow-down obligations, the ITAR regulatory environment, and the OT architecture of modern manufacturing facilities. Our analysts know the difference between a Modbus function code write and an anomalous setpoint command — and they know when to escalate a shop floor alert before it becomes a production-stop incident. We don't route manufacturing IP through offshore systems. U.S.-person-only SOC coverage, 24/7.

Active Breach? 24/7 Emergency Response
SCADA compromised? Setpoints changed? We respond in 30 minutes.
No retainer required. CMMC incident documentation included. OT-aware response team. ITAR-aware containment.
📞 (800) 955-2596 Or submit emergency intake form →
Free Security Assessment — $2,500 Value

Find out how exposed your shop floor is before an attacker does.

CoreRecon's manufacturing assessment maps your IT and OT attack surface, identifies every internet-exposed PLC, HMI, and remote access path into your shop floor, documents your CMMC L2 gaps (if applicable), and delivers a prioritized remediation plan. The OT external scan alone typically finds 3–6 exposures operators weren't aware of. No credit card. No commitment.

Request your free assessment →

Delivered within 14 days  •  OT/ICS attack surface scan included  •  CMMC gap review included

Free Interactive Tool
What Would a Ransomware Attack on Your Manufacturing Operation Actually Cost?
Model downtime costs, ITAR notification obligations, CMMC incident reporting, and supply chain disruption expenses. Pre-filled for manufacturing. Takes 30 seconds.
Free Tabletop Exercise
Supply Chain Attack Scenario — Is Your OT Environment the Weak Link?
Walk through a scenario where a compromised supplier's credentials give an attacker access to your engineering and production systems. Identify the gaps before an attacker finds them. Takes 90 minutes.
Related Industries
CMMC Supply Chain
Defense Contractors
If your manufacturing operation feeds the defense supply chain, CMMC L2 flow-down is mandatory. CoreRecon's CMMC L2 vertical shares tools and frameworks with the manufacturing vertical.
OT/ICS Security
Oil & Gas Operators
Same OT/ICS monitoring expertise, TSA pipeline directive requirements, and passive NTA sensors. OT security without operational disruption is the shared challenge.