Part of the Protect Playbook

Industrial DMZ (iDMZ) Deployment: Building the OT Security Air-Lock

Requirement: This module details the deployment of a “Neutral Zone” (iDMZ) in which every conduit between the IT and OT environments terminates, satisfying the IACS UR E26 requirements for defense-in-depth and prevention of unauthorized access.

2. The iDMZ: The Vessel’s Security Air-Lock

VLANs separate traffic only logically. The Industrial DMZ (iDMZ) adds the physical and logical “buffer” needed to stop an IT-borne infection (for example, ransomware arriving via the Crew Wi-Fi) from jumping directly into the Propulsion or Navigation subnets.

In a compliant IACS UR E26 architecture, no direct communication occurs between the Business/Admin Zone and the OT Zone. Every session must “break” and “restart” inside the iDMZ: a connection from IT terminates on an iDMZ host, and any onward traffic into OT is a new session originated by that iDMZ host. No IT host ever holds a TCP session with an OT device.

3. Technical Service Placement

A common mistake is letting supporting services (Antivirus updates, patching, NTP) reach OT devices directly from the internet. In a hardened deployment these services are proxied or relayed from the iDMZ, so the OT zone only ever talks to an iDMZ host.

| Service               | Deployment in iDMZ                  | Security Rationale                                                                                                                             |
|-----------------------|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------|
| Active Directory      | Read-Only Domain Controller (RODC)  | Authenticates OT users without placing a writable DC, and the full ship/shore credential store, within reach of the OT zone. Restrict the RODC’s Password Replication Policy to OT accounts only. |
| Antivirus / Patching  | WSUS / AV Update Proxy              | OT devices pull updates from the iDMZ host; only that host fetches upstream. OT never reaches the internet.                                     |
| Time (NTP)            | Dedicated NTP Relay                 | Keeps clocks synchronized across all OT zones so logs can be correlated during incident forensics.                                              |

4. Implementation Steps: Establishing the Conduit

  1. Physical/Logical Separation: Place the iDMZ on a physically separate switch or on a dedicated, isolated VLAN that is never carried on an 802.1Q trunk shared with the OT core.
  2. Dual-Homed Termination: Configure the firewall so that the IT-side VPN or remote-access session terminates on a host in the iDMZ. Any onward connection into OT is a new session originated from that iDMZ host, never a forwarded one.
  3. Session Inspection: Enable Deep Packet Inspection (DPI) on the conduit between the iDMZ and OT, with a default-deny policy, so that only sanctioned industrial protocols (e.g., Modbus/TCP, OPC UA) pass and, where the firewall supports it, only the operations the OT process needs (e.g., Modbus reads only).
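The service placement table and the three steps above reduce to one rule that is easy to state and easy to violate in a long firewall policy: every accepted flow that touches OT must have the iDMZ as its other endpoint, and only the sanctioned service ports may cross each conduit. The script below is an added example, not part of the playbook, that audits a zone-based rule list against that policy. The subnets, zone names, service ports and sample rules are constructed for illustration; adapt the zone map and sanctioned-service table to the vessel’s own addressing.

```python
"""Audit a zone-to-zone firewall policy against the iDMZ design rules.

Added example (not from the playbook). Zones, subnets and rules below are
constructed for illustration only; ports are the standard well-known ports
for each service.
"""
import ipaddress
from dataclasses import dataclass

# Constructed zone map (RFC 1918 addresses chosen for illustration).
ZONES = {
    "IT":   [ipaddress.ip_network("10.10.0.0/16")],   # business/admin, crew Wi-Fi
    "IDMZ": [ipaddress.ip_network("10.20.0.0/24")],   # RODC, WSUS/AV proxy, NTP relay
    "OT":   [ipaddress.ip_network("10.30.0.0/16")],   # propulsion, navigation subnets
}

# Sanctioned (protocol, port) pairs per conduit. Every OT-facing service
# terminates on an iDMZ host; there is deliberately no ("IT", "OT") entry.
SANCTIONED = {
    ("OT", "IDMZ"): {("udp", 123),                  # NTP relay
                     ("tcp", 8530),                 # WSUS / AV update proxy
                     ("tcp", 88), ("tcp", 389), ("tcp", 636)},  # RODC: Kerberos, LDAP, LDAPS
    ("IDMZ", "OT"): {("tcp", 4840),                 # OPC UA collector in the iDMZ
                     ("tcp", 502)},                 # Modbus/TCP (DPI limits function codes)
    ("IT", "IDMZ"): {("tcp", 443), ("tcp", 4840)},  # IT clients stop at the iDMZ
    ("IDMZ", "IT"): {("tcp", 443), ("udp", 123)},   # proxy/relay upstream fetches
}


@dataclass(frozen=True)
class Rule:
    src: str      # CIDR
    dst: str      # CIDR
    proto: str    # "tcp", "udp" or "any"
    port: int     # 0 means any
    action: str   # "accept" or "drop"


def zone_of(cidr):
    """Return the zone whose address space contains cidr, or UNKNOWN."""
    net = ipaddress.ip_network(cidr, strict=False)
    for name, nets in ZONES.items():
        if any(net.subnet_of(z) for z in nets):
            return name
    return "UNKNOWN"  # 0.0.0.0/0 or any address outside the defined zones


def check_rule(rule):
    """Return a finding string if the rule violates the iDMZ policy, else None."""
    if rule.action != "accept":
        return None
    s, d = zone_of(rule.src), zone_of(rule.dst)
    if s == d:
        return None  # intra-zone traffic is out of scope for the conduit audit
    if "UNKNOWN" in (s, d):
        if "OT" in (s, d):
            return "OT host talks to an address outside every defined zone (internet?)"
        return None  # IT or iDMZ egress is governed elsewhere
    if {s, d} == {"IT", "OT"}:
        return "direct IT<->OT flow bypasses the iDMZ"
    allowed = SANCTIONED.get((s, d))
    if allowed is None:
        return f"no conduit defined for {s}->{d}"
    if (rule.proto, rule.port) not in allowed:
        return f"{rule.proto}/{rule.port} is not a sanctioned service on the {s}->{d} conduit"
    return None


def audit(rules):
    """Return [(rule, finding)] for every accepted flow that breaks the policy."""
    return [(r, f) for r in rules if (f := check_rule(r)) is not None]


def has_default_drop(rules):
    """The policy must end in an explicit catch-all drop (default deny)."""
    last = rules[-1]
    return last.action == "drop" and last.src == "0.0.0.0/0" and last.dst == "0.0.0.0/0"


# Constructed sample policy: three good rules, three mistakes, then default deny.
SAMPLE_RULES = [
    Rule("10.30.0.0/16",   "10.20.0.10/32", "udp", 123,  "accept"),  # OT -> NTP relay
    Rule("10.30.0.0/16",   "10.20.0.20/32", "tcp", 8530, "accept"),  # OT -> WSUS proxy
    Rule("10.30.0.0/16",   "10.20.0.30/32", "tcp", 88,   "accept"),  # OT -> RODC Kerberos
    Rule("10.10.50.0/24",  "10.30.1.0/24",  "tcp", 502,  "accept"),  # crew Wi-Fi straight to PLCs
    Rule("10.30.0.0/16",   "0.0.0.0/0",     "udp", 123,  "accept"),  # OT pulling NTP from the internet
    Rule("10.20.0.40/32",  "10.30.1.0/24",  "tcp", 3389, "accept"),  # RDP into OT, not sanctioned
    Rule("0.0.0.0/0",      "0.0.0.0/0",     "any", 0,    "drop"),    # default deny
]

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULES):
        print(f"{rule.src} -> {rule.dst} {rule.proto}/{rule.port}: {finding}")
    print("default deny present:", has_default_drop(SAMPLE_RULES))
```

Run against the constructed policy, the audit reports exactly the three mistakes the module warns about: the Crew Wi-Fi rule that reaches OT without breaking in the iDMZ, the OT hosts fetching NTP from the internet instead of the iDMZ relay, and an unsanctioned protocol (RDP) on the iDMZ-to-OT conduit. Extending the checker to a real firewall means exporting its rule base into the `Rule` shape; the policy logic does not change.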


Ready to Secure the Physical Perimeter?

The iDMZ secures the digital conduit between IT and OT. The next module addresses the most common physical entry point for malware in maritime environments: removable media.

