Utilities & Energy

Electric, gas, and water utilities operate OT/SCADA networks across generation, transmission, substations, and control centres. Learn how LightMesh IPAM supports safe network intelligence, incident attribution, and segmentation evidence for regulated utility infrastructure.

Utilities run networks where IP mistakes become operational incidents. A bad allocation, duplicate address, stale NAT rule, or undocumented HMI affects control-room visibility, remote substation access, field operations, and incident response. This is OT network intelligence, not generic IPAM.

LightMesh provides a read-only source of network truth for utilities: who owns each IP, which zone it belongs to, what changed recently, and how planned state compares to live state. It does not push changes into control networks. It is a planning surface, audit record, and attribution layer, not a control plane.

This guide covers utility network environments, common operational challenges, and practical LightMesh modelling recommendations. For the underlying OT architecture, see OT Networks.

Why utility networks matter

Utilities are critical infrastructure under increasing regulatory and cybersecurity scrutiny. NERC CIP, DOE C2M2, ISA/IEC 62443, and CISA CPGs all require evidence of asset inventory, segmentation, and change governance. Auditors do not accept spreadsheets.

Structural pressures compound the challenge. IT/OT convergence is increasing connectivity between enterprise and control networks. Substation automation is adding IP-connected devices to field networks. Distributed energy resources (DER), including solar, wind, and battery storage, are introducing new address requirements at the grid edge. Vendor access is proliferating as equipment becomes more complex. And the experienced workforce that designed these networks is retiring.

The result is a growing, increasingly complex address space that must be documented, auditable, and safe to change. Utilities need a trusted view of address space that spans control centres, substations, generation plants, DER sites, and field regions.

Common network environment

flowchart TB
  subgraph ControlCentres["Control Centres"]
    Primary["Primary Control Centre - SCADA Master, Historian"]
    Backup["Backup Control Centre - DR"]
  end
  subgraph FieldNetworks["Field Networks"]
    Sub["Substations - PLCs, RTUs, IEDs, Relays"]
    Gen["Generation Plants - Turbines, Control Systems"]
    DER["DER - Solar, Wind, Battery Storage"]
  end
  subgraph OTDMZ["OT DMZ"]
    Jump["Jump Hosts"]
    Vendor["Vendor Access"]
    Eng["Engineering Workstations"]
  end
  ControlCentres -->|"Industrial Protocol"| FieldNetworks
  OTDMZ -->|"Firewall"| ControlCentres
  Vendor -->|"VPN / Cellular"| OTDMZ

Control centres run SCADA masters and historians that aggregate data from all field sites. Field networks include substations (PLCs, RTUs, IEDs, protective relays), generation plants (turbines, control systems), and DER sites (solar inverters, wind controllers, battery storage). The OT DMZ hosts jump hosts, vendor access points, and engineering workstations.

Common operational challenges

  • Control centre to substation visibility. Many utilities manage substation address space in spreadsheets maintained by a single engineer. When that engineer is unavailable (vacation, illness, retirement), the knowledge is unavailable.

  • SCADA incident attribution. When the SOC detects suspicious traffic on a SCADA IP, they need to know which substation, which zone, which device, who owns it, and what changed. Without a central source of truth, this requires multiple tools and phone calls.

  • IT/OT segmentation evidence. Auditors require evidence that enterprise and control networks are segmented. Utilities need to show which subnets sit in which zones and how address space is partitioned.

  • Vendor remote access governance. Equipment vendors maintain remote access for maintenance and troubleshooting. These paths have long lifecycles and limited patch windows. Documentation is often incomplete.

  • Overlapping RFC1918 across sites. Substations and generation plants may use the same private address ranges. When sites connect via VPN or during incident response, overlapping ranges create attribution ambiguity.

  • Change-control constraints. Utility changes happen during formal change windows with engineering review. Planning must be precise because there is no opportunity for quick rollback if an address conflict surfaces during cutover.

  • Renewable integration. DER adds new address requirements at the grid edge. Solar farms, wind installations, and battery storage facilities need address space that is planned, documented, and integrated into the existing OT network.

How LightMesh helps

OT network source of truth

Model control centres, substations, generation plants, DER sites, and OT DMZs as separate Zones. Use custom attributes to capture utility-specific metadata:

Custom Attribute Purpose
Asset Class PLC, RTU, IED, Relay, HMI, Gateway
Site Substation A, Generation Plant 3
Process Area Generation, Transmission, Distribution
Voltage Class High Voltage, Medium Voltage, Low Voltage
Safety Criticality High, Medium, Low
Vendor Equipment manufacturer
Maintenance Owner Support group or individual
Change Window Scheduled maintenance periods

This model makes it possible to search by site, filter by voltage class, or export all assets owned by a specific vendor.

SCADA incident attribution

When the SOC calls about a suspicious IP:

  1. Search the IP in LightMesh
  2. See the site, subnet, zone, asset class, and owner
  3. View the support group and maintenance owner
  4. Check recent changes: who modified this subnet, when, and what changed
  5. Identify NAT mappings if the IP is translated

This workflow resolves IP → site → zone → asset class → owner → recent changes in seconds.

IT/OT segmentation evidence

LightMesh documents which zones exist, which subnets belong to each zone, and how address space is partitioned across control centres, substations, generation plants, and the OT DMZ. This provides evidence for NERC CIP, C2M2, ISA/IEC 62443, and CISA CPG assessments.

LightMesh does not enforce segmentation. That belongs to firewalls, NAC, and network access control. LightMesh provides the documentation layer that supports those controls.

Change-control-safe address planning

Before any change window, review:

  • Planned subnet allocations vs. actual allocations
  • Overlap detection across sites and zones
  • Stale reservations that can be released
  • Address space reserved for equipment that was never deployed

Use reservations to hold address space during engineering review. When the change window opens, the addresses are ready. When it closes, the audit trail is complete.

Substation and plant network modernization

For network refreshes, PLC upgrades, or SCADA migrations:

  1. Model the target state in LightMesh before the change window
  2. Compare planned vs. live state
  3. Track old and new ranges during phased cutovers
  4. Document NAT exceptions for temporary connectivity
  5. Record rollback notes for each phase

This workflow is supported by Data Migration workflows.

Vendor access documentation

Use custom attributes on subnets or zones to document vendor remote access:

  • Vendor name and contact
  • Purpose of access (maintenance, troubleshooting, upgrade)
  • NAT mapping (external IP → internal IP)
  • Access window and expiry
  • Support group responsible

Review quarterly. Expired vendor access should be archived.

Best practices

  1. Model the full OT hierarchy before importing data. Define control centres, substations, generation plants, DER sites, and OT DMZs. Create Sites and Zones before importing subnets.

  2. Import passively. Use DHCP Discovery Agent, nmap scan sync, or spreadsheet import to populate LightMesh. Do not run active scans against SCADA, PLCs, RTUs, IEDs, or protective relays.

  3. Document every vendor access path. Record vendor name, contact, purpose, NAT mapping, and expiry. Review quarterly. Expired access should be archived.

  4. Use voltage and process-area attributes for fast filtering. Voltage class and process area are high-value filters during incident response. Apply them consistently.

  5. Separate overlapping sites by Site and Zone. If two substations use 10.0.0.0/24, model them in separate Sites with separate Zones. LightMesh tracks IP uniqueness within a Zone, but overlapping ranges across sites need clear separation.

  6. Link NAT mappings to IP assignments. Use NAT records to document vendor access translations and substation connectivity. During incident response, search the translated IP to find the original source.

  7. Export audit evidence on demand. Use audit logging and roles and RBAC to generate evidence for NERC CIP, C2M2, ISA/IEC 62443, or internal audit assessments.

  8. Plan DER integration early. Reserve address space for solar, wind, and battery storage before connecting them to the grid. DER sites often have different connectivity requirements than traditional generation.

What LightMesh does not do

LightMesh is a read-only source of network intelligence for utility environments. It does not:

  • Control PLCs, RTUs, IEDs, protective relays, SCADA masters, or safety systems. LightMesh does not push configuration into utility control equipment. Operational changes remain under your engineering controls, change windows, and downstream tooling.

  • Push network configuration. LightMesh does not configure routers, switches, or firewalls. It is a documentation and planning layer.

  • Guarantee NERC CIP, C2M2, or ISA/IEC 62443 compliance. LightMesh provides evidence and audit trails that support these frameworks. It does not certify compliance; that requires your security and compliance teams.

  • Replace your SIEM, CMDB, OT monitoring, SCADA, or historian. LightMesh complements these tools by providing IP attribution context for utility networks.

  • Safely discover every OT asset. Active scanning against SCADA, PLCs, and IEDs can cause process interruptions or protective relay operations. LightMesh supports passive discovery and manual import.

Operational changes remain under your engineering controls, change windows, and downstream tooling. LightMesh is the planning surface, audit record, and attribution layer, not the control plane.

FAQ

How does LightMesh help utilities with SCADA incident attribution? LightMesh resolves IP → site → subnet → zone → asset class → owner → support group → recent changes → NAT mappings. When the SOC detects suspicious traffic, they search the IP in LightMesh and get attribution in seconds instead of hours of phone calls to substation operators.

Can LightMesh control my SCADA or substation equipment? No. LightMesh is a read-only source of network truth. It documents address space, provides attribution, and supports audit evidence. It does not push configuration into PLCs, RTUs, IEDs, protective relays, SCADA masters, or any utility control equipment.

Can LightMesh help with NERC CIP compliance? LightMesh provides audit trails, asset inventory evidence, and segmentation documentation that support NERC CIP assessments. It documents which subnets sit in which zones and tracks change history. LightMesh does not certify NERC CIP compliance. It provides evidence your compliance teams can use.

How do I model substations in LightMesh? Model each substation as a separate Site with Zones for network segmentation. Use custom attributes for asset class (PLC, RTU, IED, relay), site name, voltage class, safety criticality, vendor, and maintenance owner. Import subnets via DHCP discovery, nmap scan, or spreadsheet.

What about distributed energy resources (DER)? DER, including solar farms, wind installations, and battery storage, need address space planned and documented before connection. Model DER sites as separate Sites. Reserve address space early, before the interconnection date. Track DER address assignments alongside traditional generation.

Can LightMesh scan my OT network? LightMesh supports passive discovery: DHCP lease sync, nmap scan sync on safe protocols, and spreadsheet import. Active scanning against SCADA, PLCs, RTUs, and IEDs can cause process interruptions or protective relay operations.

How does LightMesh support IT/OT segmentation evidence? LightMesh documents which zones exist and how address space is partitioned across control centres, substations, generation plants, DER sites, and the OT DMZ. This provides the documentation layer that supports segmentation controls (firewalls, NAC) and satisfies auditor requirements.

References