Part of the PROTECT Playbook

Industrial DMZ (iDMZ) Deployment: The Security Air-Lock

Requirement: This module details the deployment of a neutral zone, the iDMZ, that terminates every conduit between IT and OT so that no session crosses from one side to the other unbroken. It satisfies the defense-in-depth requirements of IACS UR E26.

1. The Architecture: Physical vs. Logical

To implement an iDMZ that passes a Class Survey, you must choose an architecture that ensures Zero Direct Routing: no route, and no physical path, exists from an IT or WAN interface to an OT interface except through the iDMZ. In maritime environments we typically use one of two designs. The Three-Legged Firewall (for smaller vessels) is a single firewall with a third interface dedicated to the iDMZ; it is cheaper and simpler, but a single misconfiguration or a compromise of that one firewall exposes both boundaries at once. Back-to-Back Firewalls (for complex offshore units) place the iDMZ between two firewalls, ideally from different vendors, so that the IT-facing and OT-facing boundaries are enforced independently and one bypass does not reach OT.

2. Technical Service Placement

By placing proxy services in the iDMZ, we ensure that OT assets (PLCs/HMIs) never talk to the internet or the IT network directly. They talk only to these local, authorized proxies, and the proxies in turn talk to the IT/WAN side on their behalf.

Service | iDMZ Role | Security Rationale
Identity (AD) | RODC (Read-Only Domain Controller) | Provides local authentication for ETOs when the main ship domain controller is unreachable. An RODC holds no writable copy of the directory and caches only the accounts it is explicitly permitted to, so compromise of the RODC does not expose every credential on the vessel.
Patching / AV | Distribution Point | The iDMZ server pulls updates from the WAN; OT assets pull updates only from the iDMZ server. No update traffic flows directly from the WAN into OT.
Jump Host | Hardened Bastion | The only device allowed to initiate RDP/SSH into the PLC network.

3. Implementation: Traffic Directional Logic

Success is defined by your Firewall Access Control Lists (ACLs). Use the following Directionality Matrix to configure your conduits; every row is a conduit the firewall permits, and the direction matters, because the listed source is the only side allowed to initiate the session:

Source Zone | Destination | Permitted Service | Rationale
IT / Crew | iDMZ Jump Host | HTTPS / RDP + MFA | Secure entry point for admins.
OT Assets | iDMZ Patch Server | SMB / HTTP (internal) | Pulling updates safely; OT initiates the pull, the iDMZ never pushes into OT.
iDMZ Jump Host | OT PLC Network | RDP / SSH (controlled sessions) | The single permitted path into Level 2, as described under Jump Host above.
IT / WAN | OT PLC Network | DENY ALL | No direct IT-to-OT conduit; mandatory for E26 compliance.

Finish the ACL with an explicit deny-and-log rule so that every flow not listed above is dropped and recorded. A hit on that rule is either a misconfiguration or an attempt to cross the air-lock, and either one is worth an alert.
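
The matrix above, expressed as a first-match rule base with an implicit deny, so that the ACL can be reasoned about and tested before it is typed into a firewall. This is an added example, not the playbook's own tooling or any vendor's configuration format; the zone prefixes, the Jump Host and Patch Server addresses, the rule names and the nftables rendering are all assumptions chosen for illustration. The probe list at the end generalises the ping check from the Advisor Tip in the checklist below to the OT protocol ports, so a rule base that blocks ICMP but leaks Modbus/TCP or OPC UA fails the check.

```python
"""Conduit policy evaluator for a three-legged iDMZ firewall (added example).

Zone prefixes, host addresses and rule names below are assumptions chosen for
illustration; substitute the vessel's own addressing plan.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed addressing plan (constructed for this example).
ZONES = {
    "IT":   [ip_network("10.10.0.0/16")],   # crew / business LAN, Bridge Office
    "IDMZ": [ip_network("10.35.0.0/24")],   # Level 3.5 iDMZ VLAN
    "OT":   [ip_network("10.20.0.0/16")],   # Level 2 PLC / HMI network
}
JUMP_HOST = "10.35.0.10"      # assumed bastion address
PATCH_SERVER = "10.35.0.20"   # assumed WSUS / AV distribution point


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # zone name or a single host address
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dports: frozenset   # empty means any port (used for icmp)


def zone_of(addr):
    """Classify an address into IT / IDMZ / OT, or None if it is in no zone."""
    a = ip_address(addr)
    for name, nets in ZONES.items():
        if any(a in n for n in nets):
            return name
    return None


def _matches(selector, addr):
    if selector in ZONES:
        return zone_of(addr) == selector
    return ip_address(addr) == ip_address(selector)


# First-match rule base, one entry per permitted conduit. Anything else falls
# through to the implicit deny, exactly like the DENY ALL row of the matrix.
RULES = [
    Rule("it-to-jumphost",   "IT",      JUMP_HOST,    "tcp",  frozenset({443, 3389})),
    Rule("ot-to-patch",      "OT",      PATCH_SERVER, "tcp",  frozenset({80, 445})),
    Rule("jumphost-to-ot",   JUMP_HOST, "OT",         "tcp",  frozenset({22, 3389})),
    Rule("jumphost-icmp-ot", JUMP_HOST, "OT",         "icmp", frozenset()),
]


def decide(src, dst, proto, dport=None):
    """Return (action, rule_name) for a new flow; unmatched flows are dropped."""
    for r in RULES:
        if r.proto != proto or not _matches(r.src, src) or not _matches(r.dst, dst):
            continue
        if r.dports and dport not in r.dports:
            continue
        return ("accept", r.name)
    return ("drop", "implicit-deny")


def _nft_addr(selector):
    if selector in ZONES:
        return "{ " + ", ".join(str(n) for n in ZONES[selector]) + " }"
    return selector


def as_nft(rule):
    """Render one Rule as an nftables forward-chain rule (rendering is an assumption)."""
    parts = [f"ip saddr {_nft_addr(rule.src)}", f"ip daddr {_nft_addr(rule.dst)}"]
    if rule.proto == "icmp":
        parts.append("ip protocol icmp")
    else:
        parts.append(f"{rule.proto} dport {{ {', '.join(str(p) for p in sorted(rule.dports))} }}")
    parts.append(f'ct state new accept comment "{rule.name}"')
    return " ".join(parts)


def ruleset():
    """Full forward-chain body: the explicit conduits, then a logged deny-all."""
    return [as_nft(r) for r in RULES] + ['log prefix "IDMZ-DENY " drop']


# The "ping test" generalised: ICMP proves little on its own, so probe the OT
# protocol ports too. Each entry: (src, dst, proto, dport, expected action).
PROBES = [
    ("10.10.5.5",  "10.20.1.10", "icmp", None, "drop"),    # Bridge Office -> PLC ping
    ("10.10.5.5",  "10.20.1.10", "tcp",  502,  "drop"),    # Bridge Office -> Modbus/TCP
    ("10.10.5.5",  "10.20.1.10", "tcp",  4840, "drop"),    # Bridge Office -> OPC UA
    ("10.10.5.5",  JUMP_HOST,    "tcp",  3389, "accept"),  # admin RDP to the bastion
    (JUMP_HOST,    "10.20.1.10", "icmp", None, "accept"),  # jump host ping to PLC
    (JUMP_HOST,    "10.20.1.10", "tcp",  3389, "accept"),  # jump host RDP into Level 2
    ("10.20.1.10", PATCH_SERVER, "tcp",  445,  "accept"),  # OT host pulling patches
    ("10.20.1.10", "10.10.5.5",  "tcp",  445,  "drop"),    # OT must never initiate into IT
    (PATCH_SERVER, "10.20.1.10", "tcp",  445,  "drop"),    # iDMZ pushing into OT is not a conduit
]


def verify_air_lock(probes=PROBES):
    """Return the probes whose outcome differs from expectation; an empty list is a pass."""
    failures = []
    for src, dst, proto, dport, expected in probes:
        action, rule = decide(src, dst, proto, dport)
        if action != expected:
            failures.append((src, dst, proto, dport, expected, action, rule))
    return failures


if __name__ == "__main__":
    print("\n".join(ruleset()))
    print("air-lock failures:", verify_air_lock())
```

Keeping the conduit list in one place and generating the firewall rules from it means the survey evidence (the matrix), the configuration and the acceptance test cannot drift apart: add a conduit to RULES and both the rendered ruleset and the probe results change with it.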

The Implementation Checklist

ETO Step-by-Step Deployment
Define the VLAN Interconnect

Create a “Level 3.5” iDMZ VLAN on the core switch (the Purdue level that sits between the site operations network at Level 3 and the enterprise network at Level 4). Ensure no physical cables bypass the firewall to connect IT to OT, and that no Layer 3 switch is configured to route between the IT and OT VLANs itself; a logical bypass defeats the air-lock just as surely as a stray patch cable.

Deploy the “Jump Host”

Install a hardened Windows/Linux server in the iDMZ. This is the only device allowed to bridge the gap via controlled RDP or SSH sessions.

Configure DPI Conduits

On the firewall, enable Deep Packet Inspection (DPI) for the OT protocols actually in use (Modbus/TCP, OPC UA). Block unauthorized “Write” commands from the iDMZ to Level 2: permit reads from iDMZ hosts, and permit writes only from the Jump Host, and only to the controllers an ETO is authorized to change. DPI can only classify what it can read: Modbus/TCP is plaintext, but an OPC UA session running with SecurityMode SignAndEncrypt is opaque to the firewall, which can then enforce only endpoint and port policy on that conduit.
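
The write-blocking conduit from the step above, as an added example rather than any firewall vendor's DPI engine: a Modbus/TCP filter that parses the MBAP header and function code of each request and applies an allow-list of reads from any iDMZ host and writes only from the Jump Host. The iDMZ prefix and Jump Host address are assumptions for illustration, and the sample frames are constructed, not captured traffic. It is written for plaintext Modbus/TCP; an encrypted OPC UA session could not be classified this way.

```python
"""Modbus/TCP function-code filter for the iDMZ -> Level 2 conduit (added example).

Not from the playbook or any firewall vendor. Parses the MBAP header and function
code of each request ADU and applies an allow-list: reads from any iDMZ host,
writes only from the jump host. Addresses are assumptions for illustration.
"""
import struct
from ipaddress import ip_address, ip_network

IDMZ_NET = ip_network("10.35.0.0/24")          # assumed Level 3.5 VLAN
WRITE_SOURCES = {ip_address("10.35.0.10")}     # assumed jump host: the only host allowed to write

# Public function codes from the Modbus Application Protocol Specification.
READ_CODES = {1, 2, 3, 4, 7, 17, 20, 24, 43}   # coils/registers, exception status, file record,
                                               # FIFO queue, encapsulated interface (43/14 dev. id)
WRITE_CODES = {5, 6, 15, 16, 21, 22, 23}       # single/multiple coils and registers, file record,
                                               # mask write, read/write multiple registers
WRITE_CODES.add(8)  # Diagnostics can restart the server's comms (sub-fn 1): treat as a write

MBAP = struct.Struct(">HHHB")   # transaction id, protocol id, length, unit id


def classify(fc):
    """Map a function code to "read", "write" or "unknown"."""
    if fc & 0x80:                 # exception bit only appears in responses, never requests
        return "unknown"
    if fc in READ_CODES:
        return "read"
    if fc in WRITE_CODES:
        return "write"
    return "unknown"              # reserved or vendor-specific: not on the allow-list


def parse_request(frame):
    """Return (unit_id, function_code, pdu_data); raise ValueError on a malformed ADU."""
    if len(frame) < MBAP.size + 1:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = MBAP.unpack_from(frame)
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # length counts unit id + PDU, so the whole ADU must be exactly 6 + length bytes.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} disagrees with frame size {len(frame)}")
    if length > 254:              # unit id + the 253-byte maximum PDU
        raise ValueError("PDU exceeds the Modbus maximum")
    return unit, frame[7], frame[8:]


def filter_request(src_ip, frame):
    """Decide ("accept" | "drop", reason) for one request ADU sent from src_ip."""
    try:
        unit, fc, _data = parse_request(frame)
    except ValueError as err:
        return ("drop", f"malformed: {err}")
    src = ip_address(src_ip)
    if src not in IDMZ_NET:
        return ("drop", f"source {src} is outside the iDMZ")
    kind = classify(fc)
    if kind == "read":
        return ("accept", f"read fc={fc} unit={unit}")
    if kind == "write" and src in WRITE_SOURCES:
        return ("accept", f"write fc={fc} unit={unit} from jump host")
    if kind == "write":
        return ("drop", f"unauthorized write fc={fc} unit={unit} from {src}")
    return ("drop", f"unknown function code {fc}")


def build_request(tid, unit, fc, data):
    """Assemble a request ADU (used here only to construct sample traffic)."""
    pdu = bytes([fc]) + data
    return MBAP.pack(tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample frames, not captured traffic.
READ_HOLDING = build_request(1, 1, 3, struct.pack(">HH", 0, 10))         # read 10 regs at 0
WRITE_SINGLE = build_request(2, 1, 6, struct.pack(">HH", 0x10, 0xFFFF))  # write register 16
TRUNCATED = WRITE_SINGLE[:-2]                                            # length field now lies

if __name__ == "__main__":
    for who, frame in [("10.35.0.20", READ_HOLDING), ("10.35.0.20", WRITE_SINGLE),
                       ("10.35.0.10", WRITE_SINGLE), ("10.35.0.10", TRUNCATED)]:
        print(who, filter_request(who, frame))
```

Two design choices matter for a survey. The filter drops anything it cannot parse or classify rather than passing it, so a malformed or reserved-code frame cannot slip through as “not a write”. And it checks the MBAP length against the bytes actually on the wire, because a frame whose length field disagrees with its size is exactly what a fuzzer or an evasion attempt produces and what a naive parser would misread.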

Advisor Tip: The “Ping” Test. To verify implementation, try to ping a PLC from the Bridge Office. It should fail. Then log into the Jump Host and ping. It should succeed. This confirms the air-lock is working for ICMP, but ICMP is only one protocol: repeat the test with a TCP connection to the ports the OT protocols actually use (502 for Modbus/TCP, 4840 for OPC UA) and to RDP (3389), because a firewall that blocks ping while leaving those ports open passes the ping test and still leaves OT exposed.
