I wouldn't recommend it.
I don't think subnetting can do what you want. In addition, many IO brands automatically take their subnet mask from the PLC, you might not even be able to make them different.
I've seen people do what you want with VLANs, where the PLC and IO and rest of the network are technically on different VLANs and the switches sort it all out. Unless the switches have special support for this kind of setup, however, it has bad side effects with broadcast traffic. It definitely isn't a best practice.
The best practice is to use routers (combined with firewalls if possible/appropriate) to separate systems.
My recommendation would be to have each PLC system on it's own (unique) /24 subnet (or smaller, if you think you can get away with it), and then set it up so that only the PLCs have gateway addresses defined to your router. That way they can talk to each other and your upper level systems, and of course to the IO on the local network, but the IO can't talk out. NAT can be set up to do this if needed (if the IP addresses of the systems all have to be identical for reasons beyond your control), but the best practice is to have each PLC system have unique IPs.
Alternately, you can have an extra Ethernet interface added for each PLC, and connect those to the upper level, if your PLC system supports that kind of expansion.