Manufacturing
Manufacturing networks mix enterprise IT, plant-floor OT, vendor-maintained systems, and production-line infrastructure. Learn how LightMesh IPAM supports plant network modelling, industrial DMZ documentation, vendor access governance, and incident attribution for manufacturing.
Manufacturing networks mix enterprise IT, plant-floor OT, vendor-maintained systems, robotics, building automation, quality systems, and production-line infrastructure. These environments use long-lived static IPv4 assignments, isolated production cells, industrial DMZs, remote vendor access, and undocumented legacy ranges.
IPAM for manufacturing helps teams describe, govern, and investigate industrial network zones without claiming to control production equipment. LightMesh provides a read-only source of truth for address space attribution, segmentation evidence, and change history across plant networks.
This guide covers manufacturing network environments, common operational challenges, and practical LightMesh modelling recommendations. For the underlying OT architecture, see OT Networks.
Why manufacturing networks matter
Production cannot stop for network renumbering. Manufacturing environments run 24/7 with tight change windows. A misconfigured IP address, an undocumented vendor access path, or an overlapping address range can disrupt production lines, delay maintenance, or create security blind spots. Unlike enterprise IT, where a helpdesk ticket can resolve an IP conflict in hours, a manufacturing IP conflict during a line change can cost thousands of dollars per minute in lost production.
Ransomware attacks on manufacturing have demonstrated that segmentation and attribution are operational concerns, not just compliance checkboxes. When a production line goes down, the first question is: what was affected, what is the blast radius, and what can be restored? That question requires a clear map of address space, ownership, and connectivity.
Industry 4.0 and IIoT are pushing connectivity into previously isolated plant networks. MES systems, quality monitoring, predictive maintenance sensors, and cloud-connected analytics add new address requirements to environments that were never designed for external connectivity.
Common network environment
flowchart TB
subgraph EnterpriseIT["Enterprise IT"]
ERP["ERP / SAP"]
Email["Email / Corporate"]
OfficeWiFi["Office Wi-Fi"]
VPN["VPN"]
end
subgraph IndustrialDMZ["Industrial DMZ"]
Jump["Jump Hosts"]
VendorAccess["Vendor Access"]
HistProxy["Historian Proxies"]
end
subgraph PlantFloor["Plant Floor"]
Cell1["Production Cell A - PLCs, HMIs, Robotics"]
Cell2["Production Cell B - PLCs, HMIs, Robotics"]
MES["MES / Historian / Engineering Workstations"]
Building["Building Automation - HVAC, Access, CCTV"]
end
EnterpriseIT -->|"Firewall"| IndustrialDMZ
IndustrialDMZ -->|"Firewall"| PlantFloor
The Industrial DMZ sits between enterprise IT and plant floor. It hosts jump hosts, vendor access points, and historian proxies. Plant floor networks are segmented into production cells, each with its own PLCs, HMIs, and robotics. Building automation (HVAC, access control, CCTV) may share infrastructure with production or operate on separate networks.
Common operational challenges
-
Mixed ownership. IT, controls engineering, operations, and vendors all maintain parts of the network. No single team has full visibility into address space allocation across all these groups.
-
Long-lived static assignments. PLCs and HMIs deployed a decade ago still use the IP addresses they were originally configured with. The engineer who made those assignments may have retired, and the documentation may be incomplete or missing.
-
Address conflicts during line changes. When a production line is reconfigured or expanded, new devices need addresses. If the existing address space is poorly documented, conflicts surface during commissioning, the worst possible time.
-
Vendor remote support paths undocumented. Integrators and equipment vendors maintain remote access for troubleshooting and maintenance. These paths are rarely recorded in network documentation.
-
Active scanning is unsafe for PLCs, HMIs, and robotics. Many production devices react unpredictably to network scanning. Port scans can trigger device reboots, alarm conditions, or process interruptions.
-
Post-acquisition plant integration. Acquired plants bring overlapping RFC1918 ranges. Merging address space across plants requires a clear view of what exists, what is in use, and what can be retired, without disrupting production.
-
ISA/IEC 62443 assessment pressure. ISA/IEC 62443 requires evidence of zone segmentation, asset inventory, and change governance. Spreadsheets do not satisfy assessors.
How LightMesh helps
Plant network source of truth
Model each plant as a separate Site with Zones for production cells, process areas, and the Industrial DMZ. Use custom attributes to capture plant-specific metadata:
| Custom Attribute | Purpose |
|---|---|
| Line Owner | Controls engineer responsible |
| Process Area | Assembly, Welding, Painting, Packaging |
| Safety Criticality | High, Medium, Low |
| Vendor | Primary integrator |
| Maintenance Window | Scheduled change periods |
| Source System | Where this data originated |
This model makes it possible to search by plant, filter by process area, or export all assets owned by a specific controls engineer.
Incident attribution for plant-floor networks
When the SOC calls about a suspicious IP from a manufacturing environment:
- Search the IP in LightMesh
- See the plant, cell, process area, device class, and vendor
- View the support group and controls engineer
- Check recent changes: who modified this subnet, when, and what changed
- Identify NAT mappings if the IP is translated
This workflow resolves IP → plant → cell → owner → recent changes without disrupting production.
Industrial DMZ planning and audit evidence
Document which subnets sit in the enterprise zone, which in the Industrial DMZ, and which on the plant floor. Use Zones to model the Purdue Model layers. This provides evidence for ISA/IEC 62443 assessments and demonstrates that segmentation exists between enterprise IT and production networks.
LightMesh does not enforce segmentation. That belongs to firewalls and NAC. LightMesh provides the documentation layer that supports those controls.
M&A and plant rationalization
When integrating an acquired plant:
- Import each plant as a separate Site
- Identify overlapping RFC1918 ranges across plants
- Plan a rationalization strategy: renumbering, NAT, or segmentation
- Track old and new ranges during phased cutovers
- Document rollback notes for each phase
This workflow is supported by Data Migration workflows.
Vendor access documentation
Use custom attributes on subnets or zones to document vendor remote access:
- Vendor name and contact
- Purpose of access (maintenance, troubleshooting, upgrade)
- NAT mapping (external IP → internal IP)
- Access window and expiry
- Support group responsible
Review quarterly. Expired vendor access should be archived.
SIEM enrichment via the LightMesh API
A SIEM can call the LightMesh GraphQL API to enrich log entries with network context. When a SIEM sees a source IP from the plant floor, it can query LightMesh for the site, zone, subnet, support group, vendor, and recent audit history for that IP.
Example enrichment flow:
- SIEM extracts source IP
10.0.1.42from a manufacturing alert. - SIEM queries LightMesh via the GraphQL API using a read-only API key.
- LightMesh returns site, zone, subnet, support group, vendor, and recent changes.
export LIGHTMESH_API_TOKEN="lmr_xxx"
curl -s -X POST https://your-tenant.lightmesh.com/graphql \
-H "Authorization: Bearer $LIGHTMESH_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"query": "query($address:String!){ ipAddress(address:$address){ address site{ name } zone{ name } subnet{ networkAddress } deviceClass vendor supportGroup{ name } auditHistory{ changedAt changedBy field oldValue newValue } natMappings{ source destination type } } }",
"variables": {"address":"10.0.1.42"}
}'
The response gives the SOC enough context to decide whether the IP is a known production device, a documented vendor access path, or something that needs escalation. This is read-only enrichment: the SIEM queries LightMesh; LightMesh does not write back to the SIEM or to production equipment.
For the complete GraphQL schema, see API Documentation.
Best practices
-
Model Purdue Model layers before importing data. Define your enterprise, Industrial DMZ, plant floor, and safety zones before importing subnets. A good model makes import faster and audit evidence easier to generate.
-
Import passively. Use DHCP Discovery Agent, nmap scan sync, or spreadsheet import to populate LightMesh. Do not run active scans against production devices.
-
Document every vendor access path. Record vendor name, contact, purpose, NAT mapping, and expiry as custom attributes. Review quarterly.
-
Use consistent custom attributes. Define a standard schema (plant, cell, process area, safety criticality, vendor, controls engineer, maintenance window) and apply it uniformly across all plants.
-
Separate overlapping plants by Site and Zone. If two plants use 10.0.0.0/24, model them in separate Sites with separate Zones. LightMesh tracks IP uniqueness within a Zone, but overlapping ranges across plants need clear separation.
-
Review before every line expansion. Before commissioning new production equipment, run planned-vs-live reconciliation. Check that the planned address space does not conflict with existing allocations.
-
Export audit evidence for ISA/IEC 62443. Use audit logging and roles and RBAC to generate evidence for ISA/IEC 62443 assessments, NIST SP 800-82, and CISA CPGs.
What LightMesh does not do
LightMesh is a read-only source of network intelligence for manufacturing environments. It does not:
-
Control PLCs, HMIs, robotics, SCADA systems, or production equipment. LightMesh does not push configuration into production equipment. Operational changes remain under your engineering controls and change windows.
-
Push network configuration. LightMesh does not configure routers, switches, or firewalls. It is a documentation and planning layer.
-
Guarantee ISA/IEC 62443 or NIST CSF compliance. LightMesh provides evidence and audit trails that support assessments. It does not certify compliance.
-
Replace your SIEM, CMDB, OT monitoring, MES, or historian. LightMesh complements these tools by providing IP attribution context for plant networks.
-
Safely discover every plant-floor asset. Active scanning against production devices can cause process interruptions. LightMesh supports passive discovery and manual import.
Related documentation
- OT Networks - underlying OT architecture and Purdue Model
- Network Architectures - section hub for all network architecture guides
- Industry Guides - section hub for all industry guides
- NAT - source and destination NAT documentation
- Audit Logging - change history and evidence
- Data Migration - network migration workflows
- Self-Hosted - on-premises deployment option
- Roles & RBAC - access control for sensitive plant data
- Getting Started - fundamentals of LightMesh IPAM
FAQ
How does LightMesh help manufacturing with incident attribution? LightMesh resolves IP → plant → cell → process area → device class → vendor → support group → recent changes. When the SOC detects suspicious traffic, they search the IP in LightMesh and get attribution in seconds instead of hours of phone calls to plant operators.
Can LightMesh control my PLCs or production equipment? No. LightMesh is a read-only source of network truth. It documents address space, provides attribution, and supports audit evidence. It does not push configuration into PLCs, HMIs, robotics, or any production equipment.
How do I model production lines in LightMesh? Model each plant as a separate Site. Within each plant, use Zones for production cells, process areas, and the Industrial DMZ. Use custom attributes for line owner, process area, safety criticality, vendor, and maintenance window.
Can LightMesh help with ISA/IEC 62443 assessments? Yes. LightMesh provides zone documentation, asset inventory evidence, and change history that support ISA/IEC 62443 assessments. It documents which subnets sit in which Purdue Model layers. LightMesh does not certify compliance. It provides evidence your assessors can use.
What about overlapping IP ranges across multiple plants? Model each plant as a separate Site. Identify overlaps using planned-vs-live reconciliation. Plan a rationalization strategy (renumbering, NAT, or segmentation) before merging into production zones. LightMesh Data Migration workflows support phased rationalization.
Can LightMesh scan my plant-floor network? LightMesh supports passive discovery: DHCP lease sync, nmap scan sync on safe protocols, and spreadsheet import. Active scanning against PLCs, HMIs, and robotics can cause process interruptions.
How does LightMesh handle vendor remote access documentation? Use custom attributes on subnets or zones: vendor name, contact, purpose, NAT mapping, access window, and expiry. Review quarterly and archive expired access. This documentation supports incident response and audit evidence.
References
- NIST SP 800-82 Rev. 3 - Guide to OT Security - Defines OT, ICS, SCADA scope. September 2023.
- ISA/IEC 62443 - Industrial Automation and Control Systems Security - Zone-and-conduit model for IACS cybersecurity.
- CISA Cross-Sector Cybersecurity Performance Goals (CPGs) 2.0 - Aligned to NIST CSF 2.0 with sector-specific goals.
- NIST Cybersecurity Framework (CSF) 2.0 - Risk management framework applicable to manufacturing environments.