Decoding OT Network Misconfigurations: Insights from Armexa's SMEs 

Industrial organizations rely on stable and secure Operational Technology (OT) networks to ensure safe, continuous operations. But the root cause of many disruptions to those networks isn’t always advanced cyberattacks—it’s basic network misconfigurations. 

In our recent Armexa webinar, Steve Stock (Head of Design & Implement) and Josh Ruff (Head of Run & Maintain) explored the misconfigurations they encounter most frequently during assessments, architecture reviews, and remediations. These issues often go unnoticed by traditional security audits, yet they directly impact network availability, operational efficiency, and incident response. 

Why These Issues Matter 

The misconfigurations discussed rarely show up in standard cyber risk assessments. Why? Because they typically result in availability incidents (outages, dropped traffic, routing problems) whose consequence is rated lower than the HSSE incidents that could follow a system compromise. Although such events are usually resolved within hours, or at most a day, they can still cause significant production downtime and operational instability. 

Assessing and remediating these recurring problems is often part of the reason clients bring in Armexa. 


Where the Impacts Show Up 

Nearly all of the issues Armexa’s team encounters relate to network availability, not traditional security breaches: 

  • Loss of visibility to control systems and devices 
  • Intermittent or complete loss of control over processes 
  • Communication instability across VLANs or switch segments 
  • Network outages due to loops or poor Spanning Tree Protocol (STP) convergence 
  • Unexpected downtime from misrouted or broadcast traffic 

 

VLAN Hopping: Myth vs. Reality 

Steve and Josh also addressed one of the more hyped network exploits: VLAN hopping—a technique used to bypass logical network segmentation. 

Variant 1: Double-Tagging (Unidirectional) 

In this scenario the attacker, sitting on an access port in the trunk's native VLAN (VLAN 1 by default), sends Ethernet frames carrying two 802.1Q tags: an outer tag for the native VLAN and an inner tag for the target VLAN. The first switch strips the outer tag as it forwards the frame untagged over the trunk, and the next switch reads the now-exposed inner tag and delivers the frame into the target VLAN. Replies are tagged with the target VLAN and never come back to the attacker's port, so the technique is unidirectional, less practical in OT environments, and often overblown as a risk. 
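To make the mechanics concrete, the following Python script (an added example, not code from the webinar or from Armexa) models the two-switch path with a few functions: an access port that pops a tag matching its own VLAN, a trunk that sends the native VLAN untagged, and a far-end trunk that reads the outer tag. The MAC addresses and frame contents are constructed, and the switch model is reduced to the tag handling the attack depends on. It shows that a double-tagged frame lands in the target VLAN only when the attacker's access VLAN is also the trunk's native VLAN, and that either moving the native VLAN to a dedicated unused one or pruning it from the trunk breaks the path.

```python
"""Simulate 802.1Q double-tagging across two switches joined by a trunk.

Added example, not code from the Armexa webinar. Switch behaviour is modelled
in a few lines (tag handling at access ingress, trunk egress and trunk ingress);
the frames and MAC addresses are constructed here, not captured from a network.
"""
import struct

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
ATTACKER_MAC = bytes.fromhex("02000000aa01")  # constructed, locally administered
VICTIM_MAC = bytes.fromhex("02000000bb02")    # constructed


def build_frame(dst, src, vlans, payload=b"constructed payload"):
    """Ethernet frame with zero or more 802.1Q tags, outermost tag first."""
    frame = dst + src
    for vid in vlans:
        frame += struct.pack("!HH", TPID_8021Q, vid & 0x0FFF)  # TPID + TCI (PCP/DEI = 0)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_tags(frame):
    """VLAN IDs carried in the frame's 802.1Q tags, outermost first."""
    vlans, off = [], 12
    while struct.unpack("!H", frame[off:off + 2])[0] == TPID_8021Q:
        vlans.append(struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF)
        off += 4
    return vlans


def access_ingress(frame, access_vlan):
    """Access port: an untagged frame belongs to access_vlan; a frame whose outer
    tag equals access_vlan is accepted with that one tag popped (the behaviour
    the attack relies on); any other tag is dropped. Returns (frame, vlan)."""
    vlans = parse_tags(frame)
    if not vlans:
        return frame, access_vlan
    if vlans[0] == access_vlan:
        return frame[:12] + frame[16:], access_vlan
    return None, None


def trunk_egress(frame, vlan, native_vlan, allowed):
    """Trunk egress: push a tag for the frame's VLAN, except the native VLAN,
    which goes out untagged, so a tag the host left inside becomes the outer tag."""
    if vlan not in allowed:
        return None
    if vlan == native_vlan:
        return frame
    return frame[:12] + struct.pack("!HH", TPID_8021Q, vlan) + frame[12:]


def trunk_ingress(frame, native_vlan, allowed):
    """Trunk ingress: the outer tag selects the VLAN; untagged means native."""
    vlans = parse_tags(frame)
    vid = vlans[0] if vlans else native_vlan
    return vid if vid in allowed else None


def double_tag_attack(attacker_vlan, target_vlan, native_vlan, allowed):
    """Attacker on an access port in attacker_vlan sends a frame tagged
    [attacker_vlan][target_vlan]. Return the VLAN the far switch delivers it
    into, or None if a switch drops it on the way."""
    crafted = build_frame(VICTIM_MAC, ATTACKER_MAC, [attacker_vlan, target_vlan])
    frame, vlan = access_ingress(crafted, attacker_vlan)
    if frame is None:
        return None
    on_wire = trunk_egress(frame, vlan, native_vlan, allowed)
    if on_wire is None:
        return None
    return trunk_ingress(on_wire, native_vlan, allowed)


if __name__ == "__main__":
    everything = set(range(1, 4095))
    # Defaults: VLAN 1 is both the attacker's access VLAN and the trunk native VLAN.
    print("default native VLAN 1    ->", double_tag_attack(1, 20, 1, everything))
    # Dedicated native VLAN 999 with no access ports in it: the outer tag is now 1.
    print("dedicated native VLAN    ->", double_tag_attack(1, 20, 999, everything))
    # VLAN 1 left native but pruned from the trunk: the frame never crosses it.
    print("VLAN 1 pruned from trunk ->", double_tag_attack(1, 20, 1, everything - {1}))
```

Run it directly to see the three cases printed. The same model also explains why the attack is one-way: the victim's reply is tagged with the target VLAN on the return trunk and is delivered into that VLAN on the first switch, never onto the attacker's access port.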

Variant 2: Switch Spoofing (Bidirectional & More Serious) 

The second method leverages the Dynamic Trunking Protocol (DTP), which is enabled by default on Cisco switches. A device plugged into an interface that still has the default configuration can negotiate a trunk with the switch and gain access to every VLAN carried on it. A related variation is leaving unused ports in trunk mode, administratively up, and allowing all or many VLANs: anything plugged into such a port immediately has access to every VLAN allowed on that trunk. 

This version is bidirectional, which makes it far more feasible in real-world scenarios, and it doesn't require specialized tools: a standard Windows NIC with the right configuration can do it. 

 

VLAN Sprawl 

Another issue Armexa frequently identifies is VLAN sprawl—where trunk ports are configured to allow all VLANs by default. This makes misrouting and accidental access much more likely, bloats spanning tree topologies, and increases network convergence times. 

Best practice: Only define necessary VLANs on a switch and prune unnecessary VLANs across each switch trunk. This limits attack surfaces, improves performance, and enforces segmentation. 

 

Industry Best Practices  

The webinar concluded with a set of best practices drawn from industry standards and Armexa's hands-on experience: 

For Access Ports (Unused or Default): 

  • Explicitly set unused ports to access mode. 
  • Disable DTP with switchport nonegotiate to prevent automatic trunk negotiation. 
  • Assign unused interfaces to an “UNUSED” VLAN. 
  • Administratively shut down all unused interfaces to prevent reactivation without deliberate action. 
  • Enable portfast on access ports. 
  • Don’t assign interfaces to the trunk native VLAN. 

For Trunk Ports (Unused or Default): 

  • Prune the UNUSED VLAN from all trunk ports, so devices placed in it cannot communicate beyond their own switch. 

For Spanning Tree: 

  • Set root bridge priorities to create predictable and efficient topologies 
  • Ensure that STP participation is correctly configured. 

VLANs: 

  • Remove unassigned VLANs from the VLAN database. 

Layered together, these settings ensure that even if one safeguard is bypassed (a port brought back up, a VLAN re-added to a trunk), the others still hold. 

For Trunk Ports: 

  • Prune all unnecessary VLANs—only permit what’s essential for that link. 
  • Use a dedicated, otherwise unused native VLAN for trunks (like the UNUSED VLAN for access ports), with no hosts in it and pruned from routing paths. 
  • Verify that portfast is disabled. 

For Spanning Tree Protocol (STP): 

  • Define root bridge priorities—primary, secondary, and tertiary. 
  • Prevent edge devices (HMIs, Red Lion gateways and similar) from participating in STP elections, for example by enabling BPDU guard on their access ports. 
  • Restrict VLAN propagation—don’t copy every VLAN to every switch, only what’s required locally. 
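The items above, together with the DTP and VLAN-sprawl points earlier, can be checked mechanically against a switch's running-config. The script below is an added example (not a tool from the webinar or from Armexa): it parses a constructed Cisco IOS-style config in which one port is left at defaults, one trunk allows everything, one unused port and one trunk are hardened, and one access port sits in VLAN 1. Interface names, VLAN 999 as the UNUSED VLAN and VLAN 998 as the dedicated trunk native VLAN are assumptions, and only the plain allowed-list form of the trunk command is parsed.

```python
"""Audit a Cisco IOS-style running-config for the misconfigurations discussed
above: DTP at its default, trunks allowing every VLAN, VLAN 1 as native, the
UNUSED VLAN carried on trunks, unused ports not shut down, portfast on a trunk,
access ports in a trunk's native VLAN. Added example, not a tool from the
Armexa webinar: the config is constructed, VLAN 999 (UNUSED) and 998 (trunk
native) are assumptions, and only the plain 'switchport trunk allowed vlan
<list>' form is parsed (not the add/remove/except/none variants)."""

SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 999
 switchport nonegotiate
 shutdown
!
interface GigabitEthernet1/0/3
 switchport mode trunk
 spanning-tree portfast
!
interface GigabitEthernet1/0/4
 switchport mode trunk
 switchport trunk native vlan 998
 switchport trunk allowed vlan 10,20,30-32
 switchport nonegotiate
!
interface GigabitEthernet1/0/5
 switchport mode access
 switchport access vlan 1
!
"""

def parse_interfaces(config):
    """Map each interface name to its indented config lines (stripped)."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = interfaces.setdefault(line[10:].strip(), [])
        elif current is not None and line.startswith(" "):
            current.append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return interfaces

def vlan_set(spec):
    """Expand an allowed-VLAN list such as '10,20,30-32' into a set of IDs."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def setting(lines, prefix, default=None):
    """Remainder of the first line beginning with prefix, else default."""
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):].strip()
    return default

def audit_interface(name, lines, unused_vlan):
    """Findings for one interface as (interface, message) tuples."""
    mode = setting(lines, "switchport mode ")
    checks = [(mode is None or mode.startswith("dynamic"),
               f"switchport mode {mode or 'not set'}: DTP can negotiate a trunk")]
    if mode == "access":
        vlan = int(setting(lines, "switchport access vlan ", "1"))
        checks += [
            (setting(lines, "switchport nonegotiate") is None, "access port without 'switchport nonegotiate'"),
            (vlan == unused_vlan and setting(lines, "shutdown") is None,
             f"port in UNUSED VLAN {unused_vlan} is not shut down"),
        ]
    if mode == "trunk":
        native = int(setting(lines, "switchport trunk native vlan ", "1"))
        spec = setting(lines, "switchport trunk allowed vlan ")
        allowed = vlan_set(spec) if spec else range(1, 4095)  # no list: every VLAN rides the trunk
        checks += [
            (spec is None, "trunk allows all VLANs (VLAN sprawl): set an explicit allowed list"),
            (native == 1, "native VLAN is 1: use a dedicated unused VLAN"),
            (native in allowed, f"native VLAN {native} is allowed on the trunk: prune it"),
            (unused_vlan in allowed, f"UNUSED VLAN {unused_vlan} is allowed on the trunk: prune it"),
            (setting(lines, "spanning-tree portfast") is not None, "portfast enabled on a trunk"),
            (setting(lines, "switchport nonegotiate") is None, "trunk without 'switchport nonegotiate'"),
        ]
    return [(name, msg) for bad, msg in checks if bad]

def audit(config, unused_vlan=999):
    """All per-interface findings, plus access ports placed in a trunk's native VLAN."""
    interfaces = parse_interfaces(config)
    natives = {int(setting(l, "switchport trunk native vlan ", "1"))
               for l in interfaces.values() if setting(l, "switchport mode ") == "trunk"}
    findings = []
    for name, lines in interfaces.items():
        findings += audit_interface(name, lines, unused_vlan)
        vlan = int(setting(lines, "switchport access vlan ", "1"))
        if setting(lines, "switchport mode ") == "access" and vlan in natives:
            findings.append((name, f"access port in VLAN {vlan}, which is a trunk native VLAN"))
    return findings
```

Calling audit(SAMPLE_CONFIG) returns nine findings, all on the default port (Gi1/0/1), the unpruned trunk (Gi1/0/3) and the VLAN 1 access port (Gi1/0/5); the two hardened interfaces produce none. On a real switch you would feed it the text of show running-config and set unused_vlan to the site's own convention.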

These simple but structured practices can reduce risk and significantly enhance network reliability. 

 

Learn More: Watch the Full Webinar 

This summary only scratches the surface. In the full webinar, Steve and Josh share real-world case studies and field-tested techniques—including scenarios where entire plants lost connectivity or redundant systems failed due to avoidable misconfigurations. 

Watch the full webinar recording for more examples, deeper explanations, and actionable guidance: https://armexa.com/blog/webinars/common-misconfigurations-threatening-industrial-networks/ 

Need a second set of eyes on your network?
Armexa’s team of OT experts can help you identify and resolve these hidden issues—before they become downtime events. 
