Smart manufacturing systems are an attractive target for cyber attacks, because they embed valuable data andcritical equipment. Despite the market is driving towards integrated and interconnected factories, current smartmanufacturing systems are still designed under the assumption that they will stay isolated from the corporatenetwork and the outside world. This choice may result in an internal architecture with insufficient network andsystem compartmentalization. As a result, once an attacker has gained access, they have full control of the entireproduction plant because of the lack of network segmentation.With the goal of raising cybersecurity awareness, in this paper we describe a practical case study showing attackscenarios that we have validated on a real modular smart manufacturing system, and suggest practical securitycountermeasures. The testbed smart manufacturing system is part of the Industry 4.0 research laboratory hosted byPolitecnico di Milano, and comprises seven assembly stations, each with their programmable logic controllers andhuman-computer interfaces, as well as an industrial robotic arm that performs pick-and-place tasks.On this testbed we show two indirect attacks to gain initial access, even under the best-case scenario of a system notdirectly connected to any public network. We conclude by showing two post-exploitation scenarios that an adversarycan use to cause physical impact on the production, or keep persistent access to the plant.We are unaware of a similar security analysis performed within the premises of a research facility, following ascientific methodology, so we believe that this work can represent a good first step to inspire follow up research onthe many verticals that we touch.