Start Canyon
6 min read·2026-05-27

ERP Security and Backup for Singapore Manufacturers: What You Actually Need

Access control, audit trails, backup strategy, cloud versus on-premise security, PDPA compliance, and the customer security requirements that are increasingly non-negotiable in Singapore manufacturing supply chains.

A Singapore precision engineering company was approached by a new customer — an MNC requiring ISO 27001 certification evidence from all manufacturing suppliers. The company had good quality systems. It had no idea where its production data lived, who could access it, or whether it was backed up. It lost the customer.

ERP and manufacturing system security is not a topic most Singapore manufacturers spend time on — until a data loss, a ransomware incident, or a customer security audit forces the issue. The cost of addressing security reactively is almost always higher than addressing it proactively.

What Manufacturing ERP Security Covers

Access control. Who can see what data, and who can change what records. In a manufacturing system, this means a shopfloor operator can record job completions but cannot change pricing. A salesperson can see customer order history but cannot see cost data. Finance can see all financial records but cannot approve quality certificates. Role-based access control, implemented correctly, limits the damage that any single account compromise can cause.

Audit trail. Every change to a critical record — a production order, a purchase order, a price, an inventory adjustment — should be logged with who made the change, when, and what it changed from and to. Audit trails serve two purposes: they enable investigation when something goes wrong, and they deter deliberate manipulation because the trail exists.

Authentication. Weak passwords are the most common entry point for system compromise. Manufacturing systems should enforce strong password policies, support multi-factor authentication (MFA) for remote access, and have automatic session timeouts. For Singapore businesses, MFA is increasingly expected by enterprise customers as a baseline requirement.

Network security. If the manufacturing system is accessible over the internet (which cloud systems are by definition), it must be protected against unauthorised access. This includes ensuring that the vendor's infrastructure is properly secured, that the system uses HTTPS/TLS for all data in transit, and that administrative interfaces are not publicly exposed.

Data encryption. Sensitive data — customer information, pricing, proprietary specifications — should be encrypted at rest and in transit. For cloud systems, this means verifying that the cloud provider encrypts stored data. For on-premise systems, it means ensuring the database and file storage are encrypted.
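
The access control and audit trail items above can be seen working together in the following added example, which is not code from this article or from any ERP product. The `pricing_manager` role, the permission strings, and the sample SKU, users and prices are assumptions made up for the illustration.

```python
from datetime import datetime, timezone

# Constructed role map; "pricing_manager" is a hypothetical role added for the demo.
ROLE_PERMISSIONS = {
    "operator": {"job:complete"},
    "sales": {"order:read"},
    "finance": {"finance:read"},
    "pricing_manager": {"price:update"},
}

class AccessDenied(Exception):
    """Raised when a role lacks the permission for an action."""

class PriceBook:
    def __init__(self, prices):
        self.prices = dict(prices)
        self.audit_log = []  # append-only in this sketch

    def _audit(self, user, role, action, record, old, new, allowed):
        # Who, when, and what the value changed from and to.
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "who": user, "role": role, "action": action, "record": record,
            "from": old, "to": new, "allowed": allowed,
        })

    def update_price(self, user, role, sku, new_price):
        old = self.prices.get(sku)
        allowed = "price:update" in ROLE_PERMISSIONS.get(role, set())
        # Denied attempts are logged too, so the trail shows who tried what.
        self._audit(user, role, "price:update", sku, old, new_price, allowed)
        if not allowed:
            raise AccessDenied(f"{role} may not change prices")
        self.prices[sku] = new_price

    def history(self, sku):
        """Applied changes to one record, oldest first, for investigation."""
        return [(e["who"], e["from"], e["to"])
                for e in self.audit_log if e["record"] == sku and e["allowed"]]

def demo():
    book = PriceBook({"BRKT-100": 12.50})  # constructed sample SKU and price
    try:
        book.update_price("op_tan", "operator", "BRKT-100", 1.00)
    except AccessDenied:
        pass  # the operator is blocked, but the attempt stays in the log
    book.update_price("pm_lim", "pricing_manager", "BRKT-100", 13.75)
    return book

if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```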

Backup: The Most Overlooked Risk

Data loss is more common than breach for most Singapore manufacturers. The causes range from accidental deletion to hardware failure to ransomware encryption. The defence is a backup strategy that actually works.

A backup strategy that actually works has four components:

Frequency. How often is the data backed up? For a manufacturing system where dozens of transactions happen every hour, a daily backup means potentially losing a full day of production records. Continuous backup or hourly snapshots are appropriate for active production systems.

Offsite storage. A backup stored on the same server as the original data does not protect against hardware failure, fire, or ransomware (which typically encrypts all accessible storage including attached backup drives). Backups must be stored in a physically separate location — typically cloud storage — and for ransomware protection, should be immutable (cannot be modified or deleted by a compromised system).

Tested recovery. A backup that has never been tested is a backup that may not work. Recovery testing — actually restoring from backup to a test environment and verifying the data is complete and usable — should happen at least quarterly. Most Singapore manufacturers who have backups have never tested recovery.

Recovery time objective (RTO). How long does it take to get back to operational from a backup? If recovery takes three days and a customer needs goods delivered tomorrow, the backup is not fast enough to matter. The RTO should be defined in advance and the backup and recovery infrastructure sized to meet it.
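
The four components can be checked mechanically against a backup inventory and a log of restore tests. This is an added example, not code from the article. The record fields, finding codes, the 92-day reading of "quarterly", and the sample limits (one hour of acceptable data loss, eight-hour RTO) are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta

QUARTER = timedelta(days=92)  # assumption: "at least quarterly" read as 92 days

def assess(backups, restore_tests, now, max_data_loss, rto):
    """Check the four components; returns finding codes, empty if all pass."""
    findings = []
    # Offsite storage: only offsite, immutable copies survive ransomware or fire.
    safe = [b for b in backups if b["offsite"] and b["immutable"]]
    if not safe:
        findings.append("NO_OFFSITE_IMMUTABLE_COPY")
    # Frequency: the newest safe copy bounds how much work can be lost.
    elif now - max(b["taken"] for b in safe) > max_data_loss:
        findings.append("BACKUP_TOO_OLD")
    # Tested recovery: only restores that were verified count.
    verified = [t for t in restore_tests if t["verified"]]
    if not verified:
        findings.append("RECOVERY_NEVER_TESTED")
    else:
        last = max(verified, key=lambda t: t["date"])
        if now - last["date"] > QUARTER:
            findings.append("RESTORE_TEST_STALE")
        # RTO: compare the measured restore time, not the hoped-for one.
        if last["duration"] > rto:
            findings.append("RESTORE_SLOWER_THAN_RTO")
    return findings

NOW = datetime(2026, 5, 27, 9, 0)  # constructed sample data below
WEAK = dict(  # backup drive attached to the server, recovery never tried
    backups=[{"taken": NOW - timedelta(hours=2), "offsite": False, "immutable": False}],
    restore_tests=[],
)
GOOD_BUT_SLOW = dict(  # sound backups, but the last restore took three days
    backups=[{"taken": NOW - timedelta(minutes=40), "offsite": True, "immutable": True}],
    restore_tests=[{"date": NOW - timedelta(days=30), "verified": True,
                    "duration": timedelta(hours=72)}],
)

def demo():
    limits = dict(now=NOW, max_data_loss=timedelta(hours=1), rto=timedelta(hours=8))
    return assess(**WEAK, **limits), assess(**GOOD_BUT_SLOW, **limits)

if __name__ == "__main__":
    print(demo())
```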

Cloud vs On-Premise: Security Considerations

Many Singapore manufacturers assume that cloud systems are less secure than on-premise systems because "data is outside my building." The reality is more nuanced.

Cloud security advantages. Reputable cloud providers (AWS, Google Cloud, Azure) invest more in security infrastructure than most SMB manufacturers can justify independently. They have dedicated security teams, automatic patching, geographic redundancy, and compliance certifications (SOC 2, ISO 27001) that provide independent verification of their security posture. Cloud-hosted systems are typically more up-to-date and better maintained than on-premise systems where patching is done manually and intermittently.

On-premise security advantages. Data physically stays within the manufacturer's premises, which can satisfy certain regulatory requirements or customer contractual requirements. The manufacturer controls who has physical access to the hardware. There is no dependency on an internet connection for system access (though this is less relevant for web-based systems).

The real security risk in most Singapore manufacturers is not cloud versus on-premise — it is unpatched software, weak passwords, no MFA, and backups that either do not exist or have never been tested. These risks exist regardless of whether the system is cloud or on-premise.

PDPA Compliance for Manufacturing Businesses

Singapore manufacturers who store personal data — customer contacts, employee records, supplier contact information — are subject to the Personal Data Protection Act (PDPA). Manufacturing ERP systems typically hold this data as part of customer and supplier management.

PDPA requires that personal data be:

  • Collected only for legitimate purposes that the individual was notified of
  • Accurate and kept only as long as necessary
  • Protected against unauthorised access, collection, use, or disclosure
  • Available to individuals who request access to their own data

For most Singapore manufacturers, PDPA compliance for ERP data means: having a clear data retention policy, ensuring access to customer and supplier data is limited to staff who need it, securing the system against unauthorised access, and having a process to respond to data access or deletion requests.

Customer Security Requirements

An increasingly common trigger for manufacturing system security investment is customer requirements. MNC customers, particularly in aerospace, medical device, electronics, and defence supply chains, are implementing supply chain security programmes that include requirements for:

  • Information security policies and procedures
  • Evidence of regular backup and recovery testing
  • Access control documentation
  • Incident response procedures
  • Security certification (ISO 27001 or equivalent)

A manufacturer who cannot demonstrate basic security hygiene risks losing or failing to win customers in these sectors. The investment in security is increasingly a cost of doing business in regulated supply chains.

Practical Security Priorities for Singapore Manufacturers

If starting from zero, the highest-priority actions are:

1. Enable MFA for all system access, especially for cloud-based systems and remote access. This single control prevents the majority of account compromise attacks.

2. Implement role-based access control with the principle of least privilege — each user gets access to what they need for their role, nothing more.

3. Set up offsite, immutable backups with a defined frequency and a tested recovery process. Know your RTO.

4. Keep software patched and updated. Unpatched systems are the most common target for automated attacks. Cloud-hosted systems typically handle this automatically; on-premise systems require active patch management.

5. Maintain an audit trail for critical records — price changes, inventory adjustments, purchase order approvals.

These five controls address the majority of the risk for most Singapore manufacturing businesses without requiring significant investment in security tooling.

Start Canyon builds security into the systems we deliver — role-based access, audit trails, encrypted storage, and cloud hosting on platforms with appropriate certifications. If you are facing a customer security audit or building a new manufacturing system, the diagnostic includes a security posture review.

FAQ

What are the biggest ERP security risks for Singapore manufacturers?

The most common risks are weak or shared passwords without multi-factor authentication, backups that either do not exist or have never been tested for recovery, unpatched software with known vulnerabilities, and no role-based access control (meaning too many users can see or change too much). These are more common causes of data loss and system compromise than sophisticated attacks.

Is cloud ERP less secure than on-premise for Singapore manufacturers?

Not in practice. Reputable cloud providers (AWS, GCP, Azure) invest more in security infrastructure than most SMB manufacturers can justify independently. They have dedicated security teams, automatic patching, geographic redundancy, and compliance certifications. The real security gap in most Singapore manufacturers is not cloud versus on-premise — it is unpatched software, no MFA, and untested backups, which affect both deployment models equally.

What backup strategy should a Singapore manufacturer use for their ERP system?

At minimum: automated hourly or daily backups, stored offsite (cloud storage separate from the production environment), immutable (cannot be overwritten by ransomware), with a tested recovery process. The recovery test — actually restoring from backup to a test environment — should happen at least quarterly. Most manufacturers who have backups have never tested whether they actually work.

Does PDPA apply to manufacturing ERP systems in Singapore?

Yes. Manufacturing ERP systems typically contain personal data — customer contacts, employee records, supplier contacts. Under PDPA, this data must be protected against unauthorised access, retained only as long as necessary, and available to individuals who request access to their own data. At minimum this means access controls limiting who can see personal data, a data retention policy, and the ability to respond to data access requests.
