Part of the PROTECT Playbook

Industrial DMZ (iDMZ) Deployment: The Security Air-Lock

Requirement: This module details the deployment of a “Neutral Zone” (iDMZ) to terminate conduits between IT and OT, satisfying IACS UR E26 defense-in-depth mandates.

1. The Architecture: Physical vs. Logical

To implement an iDMZ that passes a Class Survey, you must choose an architecture that ensures Zero Direct Routing: no routed path between IT and OT exists except through a service that terminates in the iDMZ. In maritime environments, we typically use the Three-Legged Firewall (one firewall with separate IT, iDMZ and OT interfaces, for smaller vessels) or Back-to-Back Firewalls (two firewalls with the iDMZ between them, for complex offshore units).

2. Technical Service Placement

By placing proxy services in the iDMZ, we ensure that OT assets (PLCs/HMIs) never “talk” to the internet directly. They only talk to these local authorized proxies.

| Service | iDMZ Role | Security Rationale |
| --- | --- | --- |
| Identity (AD) | RODC (Read-Only) | Allows local authentication for ETOs even if the main ship server is offline or compromised. |
| Patching/AV | Distribution Point | The iDMZ server pulls updates from WAN; OT assets pull updates only from the iDMZ server. |
| Jump Host | Hardened Bastion | The only device allowed to initiate RDP/SSH into the PLC network. |

3. Implementation: Traffic Directional Logic

Success is defined by your Firewall Access Control Lists (ACLs). Use the following “Directionality Matrix” to configure your conduits:

| Source Zone | Destination | Permitted Service | Rationale |
| --- | --- | --- | --- |
| IT / Crew | iDMZ Jump Host | HTTPS / RDP + MFA | Secure entry point for admins. |
| OT Assets | iDMZ Patch Server | SMB / HTTP (Internal) | Pulling updates safely. |
| IT / WAN | OT PLC Network | DENY ALL | Mandatory E26 compliance. |

4. Detailed Port Mapping Guide (IACS UR E26)

To meet IACS UR E26 requirements, network segmentation must be enforced through strictly defined conduits. Use these specific service definitions when configuring your Firewall rules to ensure a “Least Privilege” security posture across the vessel’s OT/IT boundary.

| Service Type | Ports / Protocols | Direction |
| --- | --- | --- |
| Remote Mgmt | TCP 3389 (RDP), TCP 22 (SSH) | IT → iDMZ Jump Host |
| Identity / AD | TCP/UDP 88, 389, 445 | OT → iDMZ RODC |
| Data Historian | TCP 44818, 502 | OT Level 2 → iDMZ Proxy |

Asset: iDMZ Firewall Policy Matrix (TAG-NET-XLS-04)

The downloadable template includes the following mandatory audit columns required for technical compliance validation:

  • Rule ID: Unique identifier (e.g., FW-IDMZ-001) for log cross-referencing.
  • Source Asset: Specific IP/Subnet initiating the connection.
  • Dest. Asset: The target iDMZ service IP.
  • Service/Port: The exact technical port (No “ANY” allowed).
  • Action: Permit / Deny / Inspect (DPI).
  • E26 Mapping: Regulatory clause satisfied by this rule.
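As an added illustration (not part of the playbook or the TAG-NET-XLS-04 template itself), the following Python audit reads rows laid out in the template's mandatory columns and checks them against the directionality matrix and port guide above: no "ANY" service, every permitted conduit has exactly one end in the iDMZ, and IT/WAN to OT is deny-only. The zone subnets and the sample rows are constructed assumptions, not vessel data.

```python
import csv, io, ipaddress, re
# Constructed vessel addressing for this example (assumed, not from the playbook).
ZONES = {"IT": "10.10.0.0/16", "iDMZ": "10.20.0.0/24", "OT": "10.30.0.0/24"}
SERVICE_RE = re.compile(r"^(TCP|UDP|TCP/UDP) \d{1,5}$")  # one protocol, one port

# Constructed rows in the TAG-NET-XLS-04 column layout; rows 003-005 are deliberately faulty.
SAMPLE_MATRIX = """Rule ID,Source Asset,Dest. Asset,Service/Port,Action,E26 Mapping
FW-IDMZ-001,10.10.0.0/16,10.20.0.10,TCP 3389,Permit,Remote access via jump host
FW-IDMZ-002,10.30.0.0/24,10.20.0.20,TCP 445,Permit,Patch distribution
FW-IDMZ-003,10.10.0.0/16,10.30.0.0/24,TCP 502,Permit,Legacy SCADA link
FW-IDMZ-004,10.30.0.0/24,10.20.0.20,ANY,Permit,
FW-IDMZ-005,any,10.30.0.0/24,TCP 502,Deny,Mandatory WAN->OT deny
"""

def zone_of(cidr: str) -> str:
    """Map an IP or subnet to its zone; anything outside the ship LANs is WAN."""
    net = ipaddress.ip_network(cidr, strict=False)  # raises ValueError on "any"
    for zone, subnet in ZONES.items():
        if net.subnet_of(ipaddress.ip_network(subnet)):
            return zone
    return "WAN"

def audit_rule(row: dict) -> list:
    """Return the findings for one matrix row; an empty list means it is compliant."""
    findings = []
    if not re.fullmatch(r"FW-IDMZ-\d{3}", row["Rule ID"]):
        findings.append("Rule ID does not follow FW-IDMZ-NNN")
    if not SERVICE_RE.match(row["Service/Port"]):
        findings.append("Service/Port must name one protocol and port (no ANY)")
    if row["Action"] not in {"Permit", "Deny", "Inspect"}:
        findings.append("Action must be Permit, Deny or Inspect")
    if not row["E26 Mapping"].strip():
        findings.append("E26 Mapping is empty")
    try:
        src, dst = zone_of(row["Source Asset"]), zone_of(row["Dest. Asset"])
    except ValueError:
        return findings + ["Source/Dest must be a specific IP or subnet"]
    if row["Action"] != "Deny":
        # Zero Direct Routing: a permitted conduit has exactly one end in the iDMZ.
        if (src == "iDMZ") == (dst == "iDMZ"):
            findings.append(f"{src} -> {dst} conduit does not terminate in the iDMZ")
        if src in ("IT", "WAN") and dst == "OT":
            findings.append("IT/WAN -> OT must be DENY ALL")
    return findings

def audit_matrix(csv_text: str) -> dict:
    """Audit every row; returns {rule id: findings} for the rows that fail."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Rule ID"]: f for r in rows if (f := audit_rule(r))}
```

Running audit_matrix(SAMPLE_MATRIX) reports rows 003 (direct IT to OT permit), 004 (ANY service, no E26 clause) and 005 (non-specific source) and passes the two conduits that terminate in the iDMZ.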
