ZTNA and iDMZ—The Gold Standard for OT Remote Access
In the maritime world, enabling remote access to critical Operational Technology (OT) networks is essential for maintenance and diagnostics. However, directly exposing these sensitive systems to the internet or the broader IT network is an unacceptable risk.
This is why the combination of a dedicated Industrial Demilitarized Zone (iDMZ) and Zero Trust Network Access (ZTNA) is not just a recommendation, but the modern, gold-standard architecture for achieving secure and controlled remote access to a vessel’s OT network.
The Challenge: Moving Beyond Legacy Security
Traditional methods for remote access, such as generic VPNs or shared Jump Servers, suffer from key flaws:
- VPNs: Grant full, Layer 3 network access, allowing a remote user to see and scan the entire OT subnet once connected.
- Jump Hosts: Require constant patching and maintenance of a full operating system (OS), creating a large, persistent attack surface directly adjacent to the OT network.
The core solution is to implement Zero Trust, where access is granted to the application itself, not the entire network segment.
ZTNA also provides a single remote access path that covers systems from every OT vendor, so access control and management are centralized. It is flexible enough to be deployed on top of, or alongside, existing vendor-specific remote access tools in order to strengthen their security posture.
The Solution: ZTNA Deployed in the Dedicated iDMZ
An iDMZ is a highly controlled, isolated network segment strategically placed between the IT (Corporate/Admin) network and the OT (Operational/Control) network. It acts as a neutral buffer zone and, critically, serves as the secure environment for the ZTNA Gateway or Broker.

How ZTNA in the iDMZ Secures Your OT Network:
- Identity-Based Access: Access is granted only after verifying the user’s identity (via MFA) and the device’s security posture (e.g., up-to-date antivirus, corporate-owned).
- Application-Level Control (Micro-Segmentation): ZTNA replaces network access with application access. The user can only connect to the specific HMI software or PLC interface they are authorized for, never seeing the underlying IP addresses or network topology.
- No Inbound Ports: The ZTNA architecture typically uses a secure, outbound-initiated connection from the on-vessel ZTNA gateway (in the iDMZ) to a cloud broker, eliminating the need to expose inbound ports on the vessel’s firewall.
- Two-Layer Firewall Enforcement: The iDMZ maintains the required defense-in-depth:
  - Firewall 1 (IT-DMZ): Protects the ZTNA Gateway from the IT network.
  - Firewall 2 (DMZ-OT): Controls the application traffic initiated by the ZTNA Gateway into the OT Zone.
Practical Implementation: The ZTNA Gateway Architecture
Instead of a full OS server, the iDMZ hosts a hardened ZTNA Gateway appliance (physical or virtual).
1. ZTNA Connection Flow
- Remote Connection: The remote engineer uses a ZTNA client to request access.
- Authentication: The request goes to the secure cloud/shore-based ZTNA Broker for identity verification (MFA and posture checks).
- Secure Tunnel: The Broker authenticates the user, and the ZTNA Gateway appliance in the iDMZ establishes a secure, encrypted, outbound-initiated tunnel.
- Application Access: The engineer is granted access directly to the specific OT application (e.g., VNC on PLC-1) without ever being placed on the OT network segment itself.
2. Firewall and Policy Configuration
The firewall policies are cleaner and based on application flow:
| Component | Source Zone | Destination Zone | Service/Port | Action | Rationale |
|---|---|---|---|---|---|
| Gateway Uplink | iDMZ | WAN/Uplink | HTTPS (Specific Broker IP) | PERMIT | Allows the ZTNA Gateway to initiate the secure connection to the cloud broker. |
| OT Access Tunnel | iDMZ | OT | Specific Application Port | PERMIT | Allows the ZTNA Gateway to proxy traffic to the required OT device (e.g., Modbus/502). |
| Default Deny | iDMZ | OT | ANY (Except ZTNA Traffic) | DENY | Blocks all other unmediated traffic into the OT Zone. |
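The policy table above, expressed as a first-match rule evaluator so the intended behaviour can be checked against sample flows. This is an added example, not code from the page or from any ZTNA vendor; the zone prefixes, the gateway, broker and PLC-1 addresses, and the PLC-1/Modbus 502 pairing are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not taken from the page).
ZONES = {
    "IT":   ip_network("10.10.0.0/16"),     # corporate/admin network
    "iDMZ": ip_network("10.20.0.0/24"),     # industrial DMZ hosting the gateway
    "OT":   ip_network("192.168.50.0/24"),  # control network
}
ZTNA_GATEWAY = ip_address("10.20.0.5")     # hardened gateway appliance in the iDMZ
BROKER_IP    = ip_address("203.0.113.10")  # cloud/shore-based ZTNA broker
PLC1         = ip_address("192.168.50.21") # OT device reached via Modbus/502
# Only these (device, port) pairs are proxied into the OT zone.
ALLOWED_OT_APPS = {(PLC1, 502)}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination TCP port


def zone_of(ip: str) -> str:
    """Map an address to IT / iDMZ / OT; anything else is treated as WAN."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


def idmz_policy(flow: Flow) -> str:
    """First-match evaluation of the three table rows.

    Only the ZTNA gateway may originate cross-zone flows: outbound HTTPS to
    the specific broker, and approved application ports into OT. Everything
    else (IT hosts reaching OT directly, inbound WAN connections, unapproved
    ports) falls through to the Default Deny row."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    dst_zone = zone_of(flow.dst)
    # Row 1, Gateway Uplink: iDMZ -> WAN, HTTPS to the broker IP only.
    if src == ZTNA_GATEWAY and dst_zone == "WAN" and dst == BROKER_IP and flow.dport == 443:
        return "PERMIT"
    # Row 2, OT Access Tunnel: gateway -> OT on a specific application port only.
    if src == ZTNA_GATEWAY and dst_zone == "OT" and (dst, flow.dport) in ALLOWED_OT_APPS:
        return "PERMIT"
    # Row 3, Default Deny.
    return "DENY"
```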
The Advantages of ZTNA 2.0 in the iDMZ
By integrating ZTNA 2.0 into the iDMZ, you gain the following security controls for your fleet:
- Continuous Trust Verification: Access is not granted once; the ZTNA system continuously verifies the user and device throughout the session.
- Minimal Attack Surface: The ZTNA Gateway is purpose-built, reducing patching needs and overall exposure compared to a general-purpose server.
- Granular Control: Policies are enforced based on identity and application, making it simple and safe to manage multi-vendor access to disparate OT systems.
Implementing the iDMZ with a modern ZTNA solution is the most effective way to enable the remote access that maintenance and diagnostics require while preserving the security and integrity of a vessel’s critical operational systems.