Industrial DMZ
A buffer zone between the corporate IT network and the industrial OT network, enabling controlled data exchange without a direct connection between the two.
What is an Industrial DMZ?
An Industrial DMZ (demilitarised zone) is a buffer zone in the network architecture placed between the corporate network (IT) and the industrial network (OT). Its purpose is to enable controlled data exchange between these environments without creating a direct network connection that an attacker could exploit.
In the Purdue reference model, the Industrial DMZ corresponds to Level 3.5, an intermediate layer between the business operations zone (Levels 4-5) and the manufacturing operations zone (Level 3). Intermediary servers are placed in the DMZ zone: data historians, file transfer servers, remote access proxy servers, email gateways and other systems that must communicate with both sides.
The key architectural principle of an Industrial DMZ is that no network connection should pass directly from IT to OT. Every communication terminates on an intermediary server in the DMZ zone and is relayed from there. Firewalls on both sides of the DMZ filter traffic, restricting it to the essential minimum.
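The principle above can be checked mechanically against a firewall rule set. The following is an added example (not SEQRED's code or tooling) that assumes a constructed address plan for the IT, DMZ and OT zones and flags any allow rule that crosses IT and OT directly or uses a wildcard endpoint:

```python
import ipaddress
from dataclasses import dataclass

# Constructed address plan for the three zones (an assumption, not from the page).
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),   # Purdue Levels 4-5
    "DMZ": ipaddress.ip_network("10.35.0.0/24"),  # Purdue Level 3.5
    "OT": ipaddress.ip_network("10.30.0.0/16"),   # Purdue Level 3 and below
}

@dataclass(frozen=True)
class Rule:
    src: str      # host, CIDR, or "any"
    dst: str
    port: int
    action: str = "allow"

def zone_of(endpoint: str) -> str:
    """Map a host or CIDR to the zone that fully contains it."""
    if endpoint == "any":
        return "ANY"
    net = ipaddress.ip_network(endpoint, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"   # spans zones or lies outside the address plan

def check_rules(rules):
    """Return (rule, reason) for every allow rule that breaks the DMZ principle."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if "ANY" in (s, d):
            findings.append((r, "wildcard endpoint; restrict to the essential minimum"))
        elif {s, d} == {"IT", "OT"}:
            findings.append((r, f"direct {s}->{d} flow bypasses the DMZ"))
        elif "UNKNOWN" in (s, d):
            findings.append((r, "endpoint outside the defined zones"))
    return findings

# Constructed rule set: two compliant flows via a DMZ historian, two violations.
SAMPLE_RULES = [
    Rule("10.10.5.20", "10.35.0.10", 443),   # IT client -> DMZ historian
    Rule("10.35.0.10", "10.30.1.5", 443),    # DMZ historian -> OT collector
    Rule("10.10.7.3", "10.30.2.10", 502),    # IT workstation -> OT PLC: direct
    Rule("any", "10.30.0.0/16", 22),         # wildcard source into OT
]

if __name__ == "__main__":
    for rule, reason in check_rules(SAMPLE_RULES):
        print(f"VIOLATION {rule.src} -> {rule.dst}:{rule.port}: {reason}")
```

Rules whose endpoints straddle two zones are reported as well, since such a rule cannot be reasoned about per zone.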
Why does it matter?
The Industrial DMZ is a fundamental element of security architecture in organisations that need IT-OT data exchange but cannot afford full isolation (air gap). A properly designed DMZ zone with appropriate firewall rules, traffic monitoring and access management significantly limits the possibility of attack propagation from IT to the industrial environment.