Industrial DMZ (iDMZ) Deployment: The Security Air-Lock
Requirement: This module details the deployment of a “Neutral Zone” (iDMZ) to terminate conduits between IT and OT, satisfying IACS UR E26 defense-in-depth mandates.
1. The Architecture: Physical vs. Logical
To implement an iDMZ that passes a Class Survey, you must choose an architecture that ensures Zero Direct Routing. In maritime environments, we typically use the Three-Legged Firewall (for smaller vessels) or Back-to-Back Firewalls (for complex offshore units).
2. Technical Service Placement
By placing proxy services in the iDMZ, we ensure that OT assets (PLCs/HMIs) never “talk” to the internet directly; they talk only to these local, authorized proxies.
| Service | iDMZ Role | Security Rationale |
|---|---|---|
| Identity (AD) | RODC (Read-Only) | Allows local authentication for ETOs even if the main ship server is offline or compromised. |
| Patching/AV | Distribution Point | The iDMZ server pulls updates from WAN; OT assets pull updates only from the iDMZ server. |
| Jump Host | Hardened Bastion | The only device allowed to initiate RDP/SSH into the PLC network. |
4. Implementation: Traffic Directional Logic
Success is defined by your Firewall Access Control Lists (ACLs). Use the following “Directionality Matrix” to configure your conduits:
| Source Zone | Destination | Permitted Service | Rationale |
|---|---|---|---|
| IT / Crew | iDMZ Jump Host | HTTPS / RDP + MFA | Secure entry point for admins. |
| OT Assets | iDMZ Patch Server | SMB / HTTP (Internal) | Pulling updates safely. |
| IT / WAN | OT PLC Network | DENY ALL | Mandatory E26 Compliance. |
The Implementation Checklist
ETO Step-by-Step Deployment
Define the VLAN Interconnect
Create a “Level 3.5” iDMZ VLAN on the core switch. Ensure no physical cables bypass the firewall to connect IT to OT.
Deploy the “Jump Host”
Install a hardened Windows/Linux server in the iDMZ. This is the only device allowed to bridge the gap via controlled RDP or SSH sessions.
Configure DPI Conduits
On the firewall, enable Deep Packet Inspection (DPI) for OT protocols (Modbus, OPC-UA). Block unauthorized “Write” commands from the iDMZ to Level 2.
Advisor Tip: The “Ping” Test. To verify implementation, try to ping a PLC from the Bridge Office. It should fail. Then, log into the Jump Host and ping. It should succeed. This confirms the air-lock is working.
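The Directionality Matrix, the DPI conduit rule and the Ping Test above, expressed as a small policy model so the expected verdicts can be checked before touching the firewall. This is an added example, not code from the original module; the zone names (IT, WAN, IDMZ_JUMP, IDMZ_PATCH, OT_L2), service labels and the sample flows are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional
# Modbus function codes that change PLC state (write coils/registers).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

@dataclass(frozen=True)
class Flow:
    src_zone: str                    # IT, WAN, IDMZ_JUMP, IDMZ_PATCH, OT_L2 (assumed names)
    dst_zone: str
    service: str                     # https, rdp, ssh, smb, http, modbus, icmp
    mfa: bool = False                # session carries a verified MFA assertion
    modbus_fc: Optional[int] = None  # Modbus function code seen by DPI, if any

# Conduits from the Directionality Matrix, in evaluation order:
# (source zone, destination zone, service, MFA required). Unmatched flows are denied.
CONDUITS = [
    ("IT", "IDMZ_JUMP", "https", True),        # admin entry point
    ("IT", "IDMZ_JUMP", "rdp", True),
    ("IDMZ_JUMP", "OT_L2", "rdp", False),      # bastion is the only path into Level 2
    ("IDMZ_JUMP", "OT_L2", "ssh", False),
    ("IDMZ_JUMP", "OT_L2", "icmp", False),
    ("IDMZ_JUMP", "OT_L2", "modbus", False),   # read-only; writes stopped by DPI below
    ("OT_L2", "IDMZ_PATCH", "smb", False),     # OT pulls updates from the iDMZ only
    ("OT_L2", "IDMZ_PATCH", "http", False),
    ("IDMZ_PATCH", "WAN", "https", False),     # patch server pulls from WAN
]

def evaluate(flow: Flow) -> str:
    """Return 'ALLOW' or 'DENY' (hard IT/WAN -> OT block, then conduits, then default deny)."""
    # E26 rule: IT or WAN never reaches the PLC network directly, whatever the service.
    if flow.src_zone in {"IT", "WAN"} and flow.dst_zone == "OT_L2":
        return "DENY"
    for src, dst, svc, need_mfa in CONDUITS:
        if (src, dst, svc) != (flow.src_zone, flow.dst_zone, flow.service):
            continue
        if need_mfa and not flow.mfa:
            return "DENY"
        # DPI conduit: block write function codes crossing from the iDMZ into Level 2.
        if svc == "modbus" and flow.modbus_fc in MODBUS_WRITE_FUNCTIONS:
            return "DENY"
        return "ALLOW"
    return "DENY"

def ping_test() -> dict:
    """The Advisor Tip as two flows: Bridge Office ping must fail, Jump Host ping must succeed."""
    return {
        "bridge_office_to_plc": evaluate(Flow("IT", "OT_L2", "icmp")),
        "jump_host_to_plc": evaluate(Flow("IDMZ_JUMP", "OT_L2", "icmp")),
    }
```

A ping exercises only ICMP, so repeat the same pair of checks for the RDP/SSH and Modbus services to confirm the conduit and DPI rules, not just the ICMP rule.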