
Developing Logical IP and VLAN Infrastructure for OT Networks

  • Writer: Scott McNeil
  • Dec 18
  • 3 min read

Operational Technology (OT) networks require a highly disciplined approach to IP addressing and VLAN design to ensure robustness, security, and manageability. Unlike traditional IT networks, OT environments have unique operational, safety, and uptime requirements. This guide presents best practices for developing a logical IP and VLAN infrastructure—favoring approaches that minimize common vulnerabilities and operational risks.


Logical IP Addressing in OT Networks


Best Practices for IP Address Planning

Diagram showing multiple consumer smart home devices connected on a single flat network using the 192.168.1.0 subnet with a 255.255.255.0 subnet mask.

  • Avoid Common IP Ranges: Refrain from using the globally popular 192.168.1.x subnet, as this range is frequently used in IT and consumer devices. Utilizing less-common private IP blocks (e.g., 172.16.x.x – 172.31.x.x or non-default 10.x.x.x ranges) decreases the risk of conflicts and unintended overlaps.

  • Hierarchical and Predictable Addressing: Structure subnets based on physical areas, process zones, or functional groups. This structure eases troubleshooting and supports efficient security segmentation.

  • Static Assignments for Critical Assets: Assign static IPs to essential assets such as PLCs, HMIs, historians, and OT servers, ensuring consistency and reliability in communication.

  • Document Addressing Schemes: Maintain clear documentation of all assignments and reserved blocks to simplify management and audits.

  • Coordinate with IT: Regularly consult with IT personnel to prevent accidental overlaps between OT and enterprise networking spaces.


Recommended Private IP Range Usage

  Private Range      OT Network Use (Recommendation)
  10.0.0.0/8         Preferred for enterprise-wide OT zones
  172.16.0.0/12      Good for plant or site-level subnetting
  192.168.0.0/16     Avoid 192.168.1.x—use uncommon subnets
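The planning rules above (private space only, no 192.168.1.x, no overlap with enterprise blocks or between OT zones, static critical assets documented against their zone) can be checked mechanically before a scheme is rolled out. The script below is an added example written for this article, not the author's or GPA's own tooling; every subnet, asset name and address in it is a constructed sample, and the enterprise blocks stand in for whatever the IT team actually supplies.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CONSUMER_DEFAULT = ipaddress.ip_network("192.168.1.0/24")

# Constructed OT addressing plan: zone -> subnet. All values are assumed for this example.
OT_PLAN = {
    "site1-control-plc": "10.81.10.0/24",
    "site1-hmi":         "10.81.20.0/24",
    "site1-historian":   "10.81.30.0/24",
    "site1-ot-mgmt":     "10.81.250.0/24",
    "vendor-skid":       "172.16.40.0/24",
    "packaging-line":    "192.168.1.0/24",   # violates the guidance on purpose
    "remote-io":         "10.1.5.0/24",      # collides with an enterprise block on purpose
}

# Constructed enterprise subnets, standing in for the list obtained from IT.
IT_SUBNETS = ["10.0.0.0/16", "10.1.0.0/16", "172.16.0.0/20"]

# Constructed static assignments for critical assets: asset -> (address, documented zone).
STATIC_ASSETS = {
    "PLC-01":    ("10.81.10.11",  "site1-control-plc"),
    "PLC-02":    ("10.81.10.12",  "site1-control-plc"),
    "HMI-01":    ("10.81.20.21",  "site1-hmi"),
    "HIST-01":   ("10.81.30.5",   "site1-historian"),
    "ENG-WS-01": ("10.81.20.250", "site1-ot-mgmt"),  # documented zone does not match its address
}


def audit_plan(plan, it_subnets, assets):
    """Return a list of findings; an empty list means the plan passes every check."""
    findings = []
    nets = {zone: ipaddress.ip_network(cidr, strict=True) for zone, cidr in plan.items()}
    it_nets = [ipaddress.ip_network(cidr) for cidr in it_subnets]

    for zone, net in nets.items():
        # Every OT subnet must come from RFC 1918 private space.
        if not any(net.subnet_of(block) for block in RFC1918):
            findings.append(f"{zone}: {net} is not RFC 1918 private space")
        # The consumer default is avoided outright.
        if net.overlaps(CONSUMER_DEFAULT):
            findings.append(f"{zone}: {net} overlaps the consumer default {CONSUMER_DEFAULT}")
        # Coordination with IT: no overlap with enterprise blocks.
        for it in it_nets:
            if net.overlaps(it):
                findings.append(f"{zone}: {net} overlaps enterprise subnet {it}")

    # OT zones must not overlap one another either.
    zones = list(nets)
    for i, a in enumerate(zones):
        for b in zones[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(f"{a} and {b} overlap ({nets[a]} vs {nets[b]})")

    # Documented static assignments must sit inside the zone they are documented in.
    for asset, (ip, zone) in assets.items():
        addr = ipaddress.ip_address(ip)
        if zone not in nets:
            findings.append(f"{asset}: documented zone '{zone}' is not in the plan")
        elif addr not in nets[zone]:
            findings.append(f"{asset}: {ip} is outside its documented zone {zone} ({nets[zone]})")
    return findings


if __name__ == "__main__":
    for finding in audit_plan(OT_PLAN, IT_SUBNETS, STATIC_ASSETS):
        print("FINDING:", finding)
```

Run against the sample plan it reports three findings: the packaging line on 192.168.1.0/24, the remote I/O block colliding with an enterprise subnet, and an engineering workstation whose address does not match the zone it is documented in. Feeding it the real plan and the real IT list turns the "coordinate with IT" and "document addressing schemes" advice into a repeatable check that can run on every change request.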

Avoiding DHCP in OT Networks

Red prohibition symbol over the letters “DHCP,” indicating that DHCP is disabled or not permitted.

Dynamic Host Configuration Protocol (DHCP) is commonly used in IT networks to automatically assign IP addresses and manage network configurations for large numbers of devices. However, in Operational Technology (OT) environments, avoiding DHCP is considered a best practice due to the unique requirements of reliability, security, and deterministic behavior.


Reasons to Avoid DHCP in OT Environments

  • Predictability and Determinism: OT networks often support critical processes that depend on highly predictable communication. Static IP addressing ensures that devices always use the same IP, supporting reliable logging, monitoring, and troubleshooting.

  • Security Risks: DHCP introduces risk vectors such as unauthorized or rogue devices receiving IP addresses, which can enable unauthorized access, denial-of-service (DoS) attempts, or network scans within the OT environment. DHCP-based attacks (e.g., DHCP starvation, rogue DHCP servers) are well-documented concerns.

  • Troubleshooting and Asset Management: With static addressing, each device’s role and location are clearly associated with a specific IP. This simplifies maintenance and rapid fault isolation, facilitating faster response during incidents or plant changes.

  • Change Control: OT environments demand rigorous change management. Automated IP assignments via DHCP can lead to unexpected address changes, which complicates device whitelisting, firewall rules, and asset inventories.

  • Uptime and Stability: DHCP servers create single points of failure. Loss of DHCP service may leave new or rebooting devices unable to communicate, potentially disrupting operations.
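If OT segments are static-only, then any DHCP traffic on them is itself a finding: server-side messages point to a rogue or misconfigured DHCP server, and client-side messages point to a device that was never entered into the static plan. The detector below is an added example, not part of the article or of GPA's tooling; the key=value log format and every line in it are constructed for the example, and the set of static-only VLAN IDs is an assumption.

```python
import re
from collections import Counter

# Constructed sample of a key=value traffic log (a format invented for this example, not a vendor's).
SAMPLE_LOG = """\
2025-01-14T08:12:01Z vlan=1030 src_mac=00:1d:9c:aa:00:01 src_ip=10.81.10.11 proto=udp sport=2222 dport=2222 msg=ENIP
2025-01-14T08:12:03Z vlan=1030 src_mac=a4:5e:60:12:34:56 src_ip=0.0.0.0 proto=udp sport=68 dport=67 msg=DHCPDISCOVER
2025-01-14T08:12:03Z vlan=1030 src_mac=00:50:56:9a:bb:cc src_ip=10.81.10.254 proto=udp sport=67 dport=68 msg=DHCPOFFER
2025-01-14T08:12:04Z vlan=1030 src_mac=a4:5e:60:12:34:56 src_ip=0.0.0.0 proto=udp sport=68 dport=67 msg=DHCPREQUEST
2025-01-14T08:12:04Z vlan=1030 src_mac=00:50:56:9a:bb:cc src_ip=10.81.10.254 proto=udp sport=67 dport=68 msg=DHCPACK
2025-01-14T08:12:09Z vlan=1040 src_mac=3c:52:82:00:11:22 src_ip=10.81.40.10 proto=udp sport=68 dport=67 msg=DHCPINFORM
2025-01-14T08:12:10Z vlan=200 src_mac=00:50:56:01:02:03 src_ip=10.1.0.5 proto=udp sport=67 dport=68 msg=DHCPOFFER
"""

# Constructed: OT VLANs that are static-only, so no DHCP traffic at all is expected on them.
STATIC_ONLY_VLANS = {1030, 1040}

SERVER_MSGS = {"DHCPOFFER", "DHCPACK", "DHCPNAK"}
CLIENT_MSGS = {"DHCPDISCOVER", "DHCPREQUEST", "DHCPINFORM", "DHCPRELEASE", "DHCPDECLINE"}
KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split one log line into a dict of fields; the timestamp is the first token."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    fields["vlan"] = int(fields["vlan"])
    return fields


def detect_dhcp(log_text, static_vlans):
    """Return alerts as (severity, vlan, src_mac, message) for DHCP seen on static-only VLANs."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f["vlan"] not in static_vlans or f.get("proto") != "udp":
            continue
        msg = f.get("msg", "")
        # Server-side traffic (OFFER/ACK, or anything sourced from UDP 67) means a DHCP
        # server is answering on a segment that should have none: rogue or misconfigured.
        if msg in SERVER_MSGS or f.get("sport") == "67":
            alerts.append(("HIGH", f["vlan"], f["src_mac"],
                           f"{msg} from {f['src_ip']}: DHCP server active on static-only VLAN"))
        # Client-side traffic means a host is configured for DHCP: a device the static
        # plan does not account for, or one whose configuration drifted.
        elif msg in CLIENT_MSGS or f.get("sport") == "68":
            alerts.append(("MEDIUM", f["vlan"], f["src_mac"],
                           f"{msg}: host expecting DHCP on static-only VLAN"))
    return alerts


def summarize(alerts):
    """Count alerts by severity and list the distinct MACs acting as DHCP servers."""
    by_severity = Counter(sev for sev, _, _, _ in alerts)
    servers = sorted({mac for sev, _, mac, _ in alerts if sev == "HIGH"})
    return by_severity, servers


if __name__ == "__main__":
    found = detect_dhcp(SAMPLE_LOG, STATIC_ONLY_VLANS)
    for sev, vlan, mac, text in found:
        print(f"[{sev}] vlan {vlan} {mac}: {text}")
    print(summarize(found))
```

On the sample, the two server messages on VLAN 1030 come from one MAC and are rated HIGH, the three client messages are rated MEDIUM, and the offer on VLAN 200 is ignored because that VLAN is not in the static-only set. The same logic fits naturally into a monitoring pipeline that already sees per-VLAN traffic summaries, and the HIGH alerts map directly onto the rogue-DHCP-server concern named above.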


VLAN Segmentation Guidelines for OT


Principles of VLAN Design

  • Extended VLAN Ranges: Leverage extended VLAN IDs (1006–4094) for OT infrastructure rather than standard IT VLAN ranges (1–1005). This avoids collisions with typical IT VLAN deployments and improves segmentation.

  • Unique VLAN Assignment: Designate separate VLANs for key functional groups—such as control systems, management interfaces, and engineering workstations—to contain faults and improve access control.

  • Zone-Based Segregation: Implement network zones according to process safety boundaries, security levels, or compliance requirements, aligning with frameworks like ISA/IEC 62443.


Terminal screenshot listing VLAN IDs and names, showing active OT VLANs for management, servers, PLCs, drives, sensors, wireless, and primary and secondary DCS networks.
OT-focused VLAN segmentation using extended VLAN IDs to separate control systems, servers, PLCs, and DCS zones.

Implementation Best Practices

  VLAN ID Range    Use in OT Networks
  1                Avoid—universal default VLAN
  2–1005           Use only if no overlap with IT
  1006–4094        Preferred—extended range
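The VLAN rules in the table and in the design principles above (stay off VLAN 1, prefer the extended range, use the standard range only where IT does not, and keep each functional group on its own VLAN) can be audited from a simple membership inventory. This is an added example written for this article, not the author's or GPA's code; the VLAN IDs, device names, functional groups and the enterprise VLAN list are all constructed samples.

```python
# Constructed VLAN membership records: (vlan_id, device, functional group).
# Every ID, name and group below is assumed for this example.
OT_MEMBERS = [
    (1,    "vendor-laptop", "engineering"),  # parked on the default VLAN
    (100,  "HIST-01",       "servers"),      # standard range and also used by IT
    (300,  "AP-OT-01",      "wireless"),     # standard range, not used by IT
    (1010, "SW-OT-CORE",    "management"),
    (1010, "PLC-07",        "control"),      # a controller sharing the management VLAN
    (1020, "HIST-02",       "servers"),
    (1030, "PLC-01",        "control"),
    (1030, "PLC-02",        "control"),
    (1040, "ENG-WS-01",     "engineering"),
]

# Constructed list of VLAN IDs the enterprise already uses.
IT_VLANS = {100, 200}

STANDARD_RANGE = range(2, 1006)     # 2-1005
EXTENDED_RANGE = range(1006, 4095)  # 1006-4094


def audit_vlans(members, it_vlans):
    """Return (findings, warnings): findings break the guidance, warnings merely deserve a look."""
    findings, warnings = [], []
    groups_by_vlan = {}
    for vid, device, group in members:
        groups_by_vlan.setdefault(vid, {}).setdefault(group, []).append(device)

    for vid in sorted(groups_by_vlan):
        groups = groups_by_vlan[vid]
        devices = sorted(d for ds in groups.values() for d in ds)
        if vid == 1:
            findings.append(f"VLAN 1 (universal default) carries OT devices: {devices}")
        elif vid in STANDARD_RANGE:
            if vid in it_vlans:
                findings.append(f"VLAN {vid} is in the standard range and collides with an IT VLAN")
            else:
                warnings.append(f"VLAN {vid} is in the standard range; prefer an ID in 1006-4094")
        elif vid not in EXTENDED_RANGE:
            findings.append(f"VLAN {vid} is outside the valid 802.1Q range 1-4094")
        # One functional group per VLAN: management, control, engineering and so on stay apart.
        if len(groups) > 1:
            findings.append(f"VLAN {vid} mixes functional groups {sorted(groups)}; split them")
    return findings, warnings


if __name__ == "__main__":
    found, warned = audit_vlans(OT_MEMBERS, IT_VLANS)
    for text in found:
        print("FINDING:", text)
    for text in warned:
        print("WARNING:", text)
```

On the sample inventory the audit flags VLAN 1 in use, VLAN 100 colliding with IT, and VLAN 1010 carrying both a switch management interface and a PLC, while VLAN 300 only draws a warning because IT does not use it. Exporting the real membership table from the switches and re-running this after each change keeps the segmentation from drifting back toward the defaults.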


Key Recommendations

  • Favor extended VLAN ranges (1006–4094) over standard ranges to isolate OT from common IT VLANs.

  • Avoid using 192.168.1.x and VLAN 1 to reduce the risk of accidental overlap and exposure to attacks that assume these universal defaults.

  • Avoid using DHCP as it can disrupt predictability, introduce additional points of failure, and become a security risk.

  • Build IP schemes and VLAN assignments based on operational zones, with clear documentation.

  • Conduct regular audits to maintain infrastructure integrity.


The goal is to provide a structured approach to designing OT networks that are secure, robust, and adaptable, minimizing the risks associated with default address spaces and universal VLAN assignments. This methodology supports both operational efficiency and long-term security for industrial environments.

