DMZ cyber security

DMZ (Demilitarized Zone) cyber security between IT systems and the Internet differs from DMZ cyber security between OT (Operational Technology) systems and IT systems. A DMZ in IT refers to a network segment that sits between a protected internal network and the Internet. Such a DMZ is designed to provide a secure, isolated environment for hosting Internet-exposed resources such as web servers, databases, or their supporting servers.

A DMZ in the context of OT systems is a network segment that sits between an IT network and the OT network hosting industrial automation systems, safety systems, and monitoring and control devices such as programmable logic controllers (PLCs), sensors, and actuators. While the IT DMZ cyber security model and approach are well established, they are not necessarily an effective security measure when applied to OT networks.

The best practice for IT DMZ implementation is to deploy two firewalls: one between the Internet and the DMZ, and the other between the DMZ and the internal IT network. This reduces the risk that the compromise of a single firewall, web server or other Internet-exposed system can propagate easily into the protected IT network. However, misconfigurations and software vulnerabilities can still lead to breaches in IT DMZs. Effective IT DMZ cyber security requires a well-coordinated effort from an experienced team.

The same two-firewall practice used for IT DMZs can be extended to OT systems, with one firewall placed between OT and the DMZ, and another between the DMZ and IT. However, when the worst-case consequences of a compromise of the OT network are unacceptable safety or critical infrastructure reliability breaches, defense-in-depth principles recommend using unidirectional gateways to protect at least one side of the IT/OT DMZ and to replicate OT systems to the IT network. For example, historians such as AVEVA PI (formerly OSIsoft PI) servers, which require access from both IT and OT networks, can be secured with this approach, which improves DMZ cyber security: the OT historian is replicated outward through the gateway, and IT users query the replica rather than the OT system itself.

The defining feature of a Unidirectional Gateway is that it is hardware-enforced: a combination of hardware and software that physically moves information in one direction only – meaning no messages whatsoever (including attacks) can enter the protected OT network from external sources, thus fulfilling the mission and purpose of implementing an IT/OT DMZ. This is consistent with established network engineering and cybersecurity engineering practice. It also follows Secure Operations Technology (SEC-OT) best practices, a methodology that places a strong emphasis on securing the physical operations of industrial systems.
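The difference between the two IT/OT DMZ designs above can be checked as a zone-reachability question: does any allowed flow chain let a connection that starts on the IT side reach the OT network? The following is an added illustration, not Waterfall's code; the zone names, services and both rule sets are constructed for the example, and a unidirectional gateway is modelled as a single flow that can never be reversed.

```python
"""Zone-level reachability check for an IT/OT DMZ (added illustration).

A policy is a list of allowed flows (source zone, destination zone, service).
Firewall rules can be written in either direction; a unidirectional gateway
contributes exactly one outbound flow from OT and nothing inbound.
All zone names, services and rule sets are constructed for this example.
"""
from collections import deque

# Two-firewall IT/OT DMZ in which the DMZ historian mirror polls the OT
# historian, so a DMZ -> OT rule must exist on the OT-side firewall.
FIREWALL_ONLY = [
    ("it", "dmz", "historian-query"),   # IT clients read the DMZ mirror
    ("dmz", "ot", "historian-query"),   # DMZ mirror polls the OT historian
]

# Same layout, but the OT-side boundary is a unidirectional gateway that
# replicates the OT historian outward; no flow is allowed into OT at all.
UNIDIRECTIONAL = [
    ("ot", "dmz", "historian-replicate"),  # hardware-enforced, one way only
    ("it", "dmz", "historian-query"),      # IT clients read the DMZ replica
]


def reachable_zones(policy, start):
    """Return every zone a connection originating in `start` can reach
    by chaining allowed flows (breadth-first search over the zone graph)."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, _service in policy:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def can_enter_ot(policy, start="it"):
    """True if a connection starting in `start` can reach the OT zone."""
    return "ot" in reachable_zones(policy, start)


def inbound_flows(policy, zone="ot"):
    """All flows whose destination is `zone`; should be empty for OT
    behind a unidirectional gateway."""
    return [flow for flow in policy if flow[1] == zone]


if __name__ == "__main__":
    for name, policy in (("firewall-only", FIREWALL_ONLY),
                         ("unidirectional", UNIDIRECTIONAL)):
        print(f"{name}: IT can reach OT = {can_enter_ot(policy)}, "
              f"inbound to OT = {inbound_flows(policy)}")
```

The firewall-only rule set still lets a path IT -> DMZ -> OT exist (the DMZ mirror's polling rule), while the unidirectional rule set has no inbound flow to OT yet still delivers historian data to the DMZ for IT to read.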

Unidirectional Gateways are used routinely to provide robust segmentation for industrial control networks in industries such as power generation, rail systems, and petrochemical pipelines. Unlike firewalls, which only mitigate attacks, Unidirectional Gateways eliminate the risk of external cyberattacks, such as targeted ransomware, entering the protected network.
