De-militarized zones (DMZs) are semi-trusted zones placed between two networks of different trust levels, and they are a common electronic security perimeter good practice. The firewall segmenting IT from the Internet will often have one or more DMZs to limit direct communication between the Internet and the IT network. A web server, database application, remote access server, or other cyber asset that must be accessible from the Internet and also have access to IT systems and information is often placed in a DMZ.

IT, the corporate network, is considered an untrusted network by OT. Whenever practical, communication between OT and IT should be mediated through an OT DMZ.

Some common uses for an OT DMZ include:

  • Making historical data available to users on IT
  • Making Operator Station screen view available to users on IT
  • Passing updates (anti-virus, patches, firmware) from IT to OT
  • Passing scheduling, shipping, recipe, and other information needed by Operations from IT to OT
  • Secure remote access into OT

If you don't have an OT DMZ, establishing one will likely take more than a week. Design the OT DMZ this week and set up its implementation as a project. If you already have an OT DMZ, this week is the time to evaluate its security and sufficiency.

Ask and answer the following questions:

  1. Is there any direct OT to IT communication that should be mediated through an OT DMZ?

  2. Do I have the right number of OT DMZs? An additional DMZ might be warranted if the users, privileges, or protocols differ significantly for a DMZ use. For example, OT remote access is often on a different OT DMZ than access to historical data.

  3. Are the OT DMZs configured with a least privilege ruleset? You should have the answer to this from last week.
     • Are the source addresses in firewall rules in the more trusted zones? OT source to OT DMZ destination is desired rather than vice versa.
     • Are any of the protocols allowed from the OT DMZ to OT insecure or high risk? Insecure remote access protocols and control protocols are two examples that should raise a red flag.