Industrial DMZ (iDMZ) Deployment: Building the OT Security Air-Lock
Requirement: This module details the deployment of a “Neutral Zone” (iDMZ) to terminate conduits between IT and OT environments, satisfying IACS UR E26 requirements for defense-in-depth and unauthorized access prevention.
2. The iDMZ: The Vessel's Security Air-Lock
While VLANs separate traffic only logically, the Industrial DMZ (iDMZ) provides the physical and logical buffer needed to stop an IT-borne infection (for example, ransomware picked up on the crew Wi-Fi) from jumping directly into the propulsion or navigation subnets.
In a compliant IACS UR E26 architecture, no direct session ever traverses from the Business/Admin Zone to the OT Zone. Every connection must "break" and "restart" within the iDMZ: it terminates on a host in the iDMZ, and a new connection is initiated from the iDMZ side toward OT, so no single TCP session or protocol flow spans both zones.
3. Technical Service Placement
A common mistake is letting supporting services such as antivirus signature updates or NTP reach OT devices directly from the internet. In a hardened deployment these services are proxied in the iDMZ: an iDMZ host fetches updates or time from the upstream source, and OT devices pull only from that iDMZ host, so no OT device ever needs a route to the internet.
4. Implementation Steps: Establishing the Conduit
- Physical/Logical Separation: Place the iDMZ either on a physically separate switch or on a dedicated, isolated VLAN that is never carried on trunk links to the OT core switches.
- Dual-Homed Termination: Configure the firewall so that the IT-side VPN or remote connection terminates on a host in the iDMZ, never on an OT asset.
- Session Inspection: Enable Deep Packet Inspection (DPI) on the conduit between the iDMZ and OT so that only sanctioned industrial protocols (e.g., Modbus/TCP, OPC UA) pass, and only between the expected endpoints.
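The service placement in section 3 and the conduit rules above can be audited against the firewall rule table before the vessel sails. The following Python script is an added example, not code from this module or from IACS UR E26. It assumes a hypothetical addressing plan (IT 10.10.0.0/16, iDMZ 10.20.0.0/24, OT 10.30.0.0/16, anything else treated as Internet), a hypothetical rule format, and a sanctioned conduit allow-list of Modbus/TCP (tcp/502), OPC UA (tcp/4840) and relayed NTP (udp/123). It flags any allow rule that joins IT to OT directly, lets OT reach or be reached from the Internet, or carries an unsanctioned protocol across the iDMZ/OT conduit. It inspects the rule table, not live traffic, so it complements rather than replaces the DPI in the last step.

```python
"""Zone-policy audit for an IT / iDMZ / OT firewall rule table.

Added example for illustration; not code from the original module.
Zone CIDRs, the rule format and the sanctioned-protocol list are
assumptions. Replace them with the vessel's actual addressing plan.
"""
import ipaddress
from dataclasses import dataclass

# Hypothetical addressing plan. Any address outside these ranges is
# treated as untrusted Internet.
ZONES = {
    "IT":   [ipaddress.ip_network("10.10.0.0/16")],  # business LAN, crew Wi-Fi
    "IDMZ": [ipaddress.ip_network("10.20.0.0/24")],  # proxies, jump hosts, NTP/AV relays
    "OT":   [ipaddress.ip_network("10.30.0.0/16")],  # propulsion, navigation, cargo
}

# Protocols permitted across the iDMZ <-> OT conduit (assumption).
# Ports are the well-known ones for each protocol.
SANCTIONED_CONDUIT = {
    ("tcp", 502): "Modbus/TCP",
    ("tcp", 4840): "OPC UA",
    ("udp", 123): "NTP relayed from the iDMZ time server",
}


@dataclass(frozen=True)
class Rule:
    """One firewall rule; addresses are single hosts for simplicity."""
    name: str
    src: str
    dst: str
    proto: str
    port: int
    action: str = "allow"


def zone_of(addr: str) -> str:
    """Map an address to IT, IDMZ, OT or INTERNET by the first matching prefix."""
    ip = ipaddress.ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return "INTERNET"


def audit(rules):
    """Return (rule_name, finding) pairs for allow rules that break the
    iDMZ model. Deny rules are never a finding."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src, dst = zone_of(rule.src), zone_of(rule.dst)
        ends = {src, dst}
        key = (rule.proto.lower(), rule.port)
        if ends == {"IT", "OT"}:
            findings.append((rule.name,
                             f"{src}->{dst} flow bypasses the iDMZ; no direct IT/OT sessions"))
        elif "INTERNET" in ends and "OT" in ends:
            findings.append((rule.name,
                             f"{src}->{dst}: OT must not reach or be reached from the Internet; proxy in the iDMZ"))
        elif ends == {"IDMZ", "OT"} and key not in SANCTIONED_CONDUIT:
            findings.append((rule.name,
                             f"{src}->{dst} {rule.proto}/{rule.port} is not a sanctioned conduit protocol"))
    return findings


# Constructed sample rule table; 203.0.113.10 stands in for an upstream
# Internet time source (TEST-NET-3 documentation range).
SAMPLE_RULES = [
    Rule("crew-wifi-to-hmi",  "10.10.5.23", "10.30.1.10",   "tcp", 3389),        # IT -> OT: violation
    Rule("plc-ntp-internet",  "10.30.1.20", "203.0.113.10", "udp", 123),         # OT -> Internet: violation
    Rule("idmz-ntp-upstream", "10.20.0.5",  "203.0.113.10", "udp", 123),         # iDMZ fetches time: ok
    Rule("plc-ntp-idmz",      "10.30.1.20", "10.20.0.5",    "udp", 123),         # OT pulls time from iDMZ: ok
    Rule("scada-modbus",      "10.20.0.10", "10.30.1.20",   "tcp", 502),         # sanctioned conduit: ok
    Rule("idmz-ssh-to-plc",   "10.20.0.10", "10.30.1.20",   "tcp", 22),          # unsanctioned on conduit: violation
    Rule("deny-it-ot",        "10.10.0.1",  "10.30.0.1",    "any", 0, "deny"),   # explicit deny: never flagged
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Run against the constructed table, the audit reports three findings: the crew Wi-Fi to HMI rule (direct IT to OT), the PLC's NTP rule pointing at the Internet, and SSH from the iDMZ into a PLC, while the relayed NTP path (iDMZ fetches upstream, OT pulls from the iDMZ) and the Modbus/TCP conduit pass clean.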
