Most manufacturing facilities treat VLANs as security controls. They are not. VLANs are a routing convenience—a way to avoid broadcast storms and organize IP addressing. Separating devices into different VLANs creates a false sense of security that collapses the moment an attacker sits behind a managed switch with access to the VLAN management interface.
We have seen production networks breached by attackers who gained administrative access to a single switch, reconfigured VLAN memberships, and moved laterally across supposed security boundaries. VLANs require the switch itself to be trusted—an assumption that fails immediately under sophisticated attack.
The VLAN Weakness
VLAN separation works only if the devices enforcing VLAN boundaries are themselves hardened, monitored, and protected from unauthorized reconfiguration. In practice, most manufacturing facilities run dozens of network switches with local password access, SNMP community strings, and no centralized change control. Any technician with physical access, or any compromised workstation that can reach the switch, can reconfigure VLAN membership through the CLI or web interface.
More subtly, VLAN tagging can be stripped or spoofed on certain network interfaces, especially older industrial equipment. Devices that support native VLAN only (untagged frames) bypass tagging entirely if an attacker can manipulate the default VLAN. Double-tagging attacks and VLAN hopping techniques have worked in practice against industrial networks.
What You Need Beyond VLANs
- Routed Firewalls Between Zones: Deploy Layer 3 firewalls at zone boundaries, not just Layer 2 switches. Traffic between VLANs must traverse a firewall with explicit access control rules. This prevents drift and enforces policy regardless of VLAN configuration.
- Switch Port Security: Enable port security, DHCP snooping, and ARP inspection on managed switches. This prevents unauthorized devices from spoofing MAC addresses or joining VLANs. Document which ports are trusted for administrative access and audit changes monthly.
- Management Network Isolation: Run switch management, SNMP, and NETCONF traffic on a separate administrative network that is itself segmented from production networks. Never allow production devices to reach management interfaces directly.
- Network Access Control (NAC): Implement 802.1X port authentication or MAC-based access lists that enforce device identity before allowing VLAN membership. Combine this with asset tracking to detect rogue devices automatically.
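The port-level controls above, and the native-VLAN weakness described earlier, are things you can check for in a switch configuration rather than take on faith. The following audit script is an added example (not part of the original article or the practice's tooling); it parses a constructed IOS-style configuration and flags trunks left on the default native VLAN, access ports without port security or 802.1X, and access VLANs not covered by DHCP snooping and ARP inspection. The interface names and VLAN numbers are assumptions for the sample.

```python
import re

# Constructed IOS-style sample (not from a real device): snooping and ARP inspection cover
# VLAN 10 only, Gi1/0/2 lacks port security and 802.1X, and the uplink trunk keeps native VLAN 1.
SAMPLE_CONFIG = """\
ip dhcp snooping vlan 10
ip arp inspection vlan 10
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 dot1x pae authenticator
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
interface GigabitEthernet1/0/24
 switchport mode trunk
"""
def parse_interfaces(config):
    """Map each interface name to the stripped lines of its stanza."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command closes the stanza
    return blocks

def audit_config(config):
    """Return sorted findings; an empty list means every check passed."""
    def vlans(prefix):  # VLAN ids named on global lines such as '<prefix> vlan 10,20'
        return {v for m in re.finditer(rf"^{prefix} vlan (\S+)", config, re.M) for v in m.group(1).split(",")}
    findings = []
    snooped, inspected = vlans("ip dhcp snooping"), vlans("ip arp inspection")
    for name, lines in parse_interfaces(config).items():
        if "switchport mode trunk" in lines:  # native VLAN 1 on a trunk is what double-tagging needs
            if not any(l.startswith("switchport trunk native vlan") for l in lines):
                findings.append(f"{name}: trunk uses default native VLAN 1")
        elif "switchport mode access" in lines:
            vlan = next((l.split()[-1] for l in lines if l.startswith("switchport access vlan")), "1")
            if "switchport port-security" not in lines:
                findings.append(f"{name}: access port without port security")
            if not any(l.startswith("dot1x") for l in lines):
                findings.append(f"{name}: access port without 802.1X")
            if vlan not in snooped or vlan not in inspected:
                findings.append(f"{name}: VLAN {vlan} lacks DHCP snooping or ARP inspection")
    return sorted(findings)
```

Running `audit_config(SAMPLE_CONFIG)` reports four findings on the sample, all on Gi1/0/2 and the trunk; adding a `switchport trunk native vlan` line to the trunk clears the native-VLAN finding.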
The Reality of Layered Security
VLAN segmentation is useful for organization and reducing broadcast traffic, but it is a network convenience layer, not a security control layer. Security boundaries must be enforced by devices that cannot be bypassed or reconfigured by the systems they protect: firewalls, routers, and access control devices must sit at the trust boundary, not inside it.
Design VLANs for operational ease, then overlay firewalls and access control for security. If your entire segmentation strategy depends on VLAN configuration, you have routing isolation, not security segmentation. If you'd like to discuss network segmentation for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.