BobLfoot

Using DHCP in the OT Space

6 posts in this topic

I've been working in Factory Industrial Operational Technology for 36 years now and realize that times and methods are changing, but I need to bounce something off the community and update my understanding of where the technology is at.

For OT systems I have traditionally used static IPv4 addressing, turning off IPv6.  Now, my ITSec Department is wanting us to migrate to DHCP so all systems have a current and accurate DNS entry and report into DNS.  This is to streamline the operation of their security tools.  But I know the headaches that happen when servers change IP address because you shut down a line for a week of maintenance and some other device grabs that IP.

I am proposing we use a Hybrid Approach with Static IP but Dynamic DNS from DHCP.

If you care to share, what are others doing?  Anyone know if there are any relevant standards to this question?


First, IPv6 doesn't have wide support among PLCs, so anything that is going to talk to a PLC needs to use IPv4.

Second, DHCP servers can be configured to hand out dynamic addresses in one range, but offer specific IP addresses to specific MAC IDs in a separate range.  With this approach, no laptop or guest system will clash with an IP address reserved for an OT device.  Many PLCs can use DNS names instead of IP addresses in their configurations, too. (All modern Rockwell stuff can do this.)

That said, I'd still set static IPs on critical systems.  There's no reason your IT department needs DHCP to have a complete DNS picture.  That's what zone files are for.

1 hour ago, pturmel said:

There's no reason your IT department needs DHCP to have a complete DNS picture.  That's what zone files are for.

So if they don't have a maintained zone file, we can make them one from our IP tracking spreadsheet?

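A worked example of the two ideas in this exchange, building a zone file from the inventory spreadsheet and pinning OT devices to fixed DHCP addresses outside the dynamic pool (added here for illustration; it is not code from any poster in this thread). It assumes a CSV inventory with hostname, ip and mac columns and an ISC dhcpd-style server; the inventory rows, zone name and pool range are constructed.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory standing in for the "IP tracking spreadsheet".
INVENTORY_CSV = """hostname,ip,mac
plc-line1,10.10.1.10,00:1D:9C:AA:BB:01
hmi-line1,10.10.1.11,00:1d:9c:aa:bb:02
hist-db,10.10.1.20,00:1d:9c:aa:bb:03
"""
# Constructed dynamic pool for laptops/guests; OT reservations must stay outside it.
POOL = (ipaddress.IPv4Address("10.10.1.100"), ipaddress.IPv4Address("10.10.1.199"))
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def parse_inventory(text, pool=POOL):
    """Validate rows: well-formed IPv4 and MAC, no duplicates, not inside the pool."""
    rows, seen_ip, seen_mac = [], set(), set()
    for r in csv.DictReader(io.StringIO(text)):
        host = r["hostname"].strip().lower()
        ip = ipaddress.IPv4Address(r["ip"].strip())  # raises on typos and on IPv6
        mac = r["mac"].strip().lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"{host}: malformed MAC {mac}")
        if ip in seen_ip or mac in seen_mac:
            raise ValueError(f"{host}: duplicate IP or MAC in inventory")
        if pool[0] <= ip <= pool[1]:
            raise ValueError(f"{host}: {ip} lies inside the dynamic pool")
        seen_ip.add(ip)
        seen_mac.add(mac)
        rows.append((host, ip, mac))
    return rows


def zone_records(rows, zone="ot.example.internal"):
    """Forward A and reverse PTR records for a hand-maintained zone file."""
    fwd = [f"{h}.{zone}. IN A {ip}" for h, ip, _ in rows]
    rev = [f"{ip.reverse_pointer}. IN PTR {h}.{zone}." for h, ip, _ in rows]
    return fwd, rev


def dhcp_reservations(rows):
    """ISC dhcpd host stanzas pinning each OT MAC to its fixed address."""
    return [f"host {h} {{ hardware ethernet {mac}; fixed-address {ip}; }}"
            for h, ip, mac in rows]


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_CSV)
    fwd, rev = zone_records(rows)
    print("\n".join(fwd + rev + dhcp_reservations(rows)))
```

A row with a duplicate address or one that falls inside the dynamic pool is rejected before it reaches DNS or the reservation list, which is the clash the thread is worried about.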

I.T. needs to stay out of controls.

6 hours ago, NevergoldMel said:

I.T. needs to stay out of controls.

IT can be your best friend or your worst enemy. Far better off working with them. 

Port mirroring from remote switches, remote access just to name a few. 


IT is usually your friend.  Until they move critical "IT" functions out of the production LAN.  Like a DHCP server that provides addresses in an OT LAN.  Or a database that machinery talks to on every cycle.  Such things need to physically reside on the OT LAN.  One of the criteria behind US-CERT's network partitioning and service placement guidance is that the OT world should keep running when a crisis requires it be isolated from the IT world (firewalls and DMZ shut down/cut off).

(If your facility is considered critical infrastructure in the United States, and therefore subject to Department of Homeland Security regulators, your IT may find itself in legal trouble if they don't follow US-CERT guidance.  It is good guidance for everyone, though.)

https://www.cisa.gov/

