Industrial DMZ between IT and OT
Description
What this control does
An Industrial Demilitarized Zone (DMZ) is a network segmentation architecture that places a controlled buffer zone between corporate IT networks and operational technology (OT) environments (level 3.5 in the Purdue reference model used by IEC 62443). It typically consists of two firewalls, or equivalent boundary protection devices, enclosing an intermediary zone that hosts the systems IT and OT are allowed to share: data historians and replication servers, protocol-translation gateways, data diodes or unidirectional gateways, jump servers, and application proxies. The DMZ enforces unidirectional or tightly restricted bidirectional data flows: IT systems talk to DMZ hosts, DMZ hosts talk to OT systems, and no session is permitted to cross both boundaries directly, so every IT/OT exchange passes through an inspected, filtered channel that terminates inside the DMZ. This control is critical because it prevents malware propagation from business systems into safety-critical industrial control systems and shields OT environments from IT-originated threats while preserving the operational visibility the business needs.
Control objective
What auditing this proves
Demonstrate that an effective Industrial DMZ architecture exists between IT and OT networks with enforced segmentation, controlled data flows, and proper boundary protections preventing unauthorized direct communication.
Associated risks
Risks this control addresses
- Malware from corporate IT networks (email attachments, web downloads, compromised endpoints) propagating directly to OT networks and disrupting or damaging industrial control systems
- Unauthorized lateral movement by external attackers who compromise IT systems and pivot into OT environments to manipulate process controls or safety systems
- Insider threats exploiting direct network paths from business workstations to access and tamper with SCADA systems, PLCs, or HMIs
- Inadequate protocol filtering allowing IT protocols that are common attack vectors (SMB, RDP, especially where default or shared credentials are in use) into OT zones where they can be exploited
- Lack of visibility and logging at the IT/OT boundary preventing detection of reconnaissance, data exfiltration, or command injection attempts
- Accidental misconfigurations or patches deployed from IT management tools causing unplanned downtime or safety incidents in production environments
- Direct internet exposure of OT assets through IT network connections bypassing industrial security controls
Testing procedure
How an auditor verifies this control
- Obtain current network architecture diagrams and identify all pathways between IT and OT networks, including primary, backup, remote access, and vendor connection points.
- Identify and document all devices comprising the Industrial DMZ boundary (firewalls, data diodes, unidirectional gateways, proxies) including make, model, firmware version, and location.
- Review firewall rulesets and access control lists governing traffic between IT, DMZ, and OT zones, documenting permitted protocols, ports, source/destination pairs, and justifications; confirm that no allow rule spans IT and OT directly, that broad any-source or any-port rules into OT are absent, and that each boundary policy ends in an explicit default deny.
- Conduct network traffic analysis or packet capture at DMZ boundaries during normal operations to verify that only documented and authorized protocols traverse the boundary.
- Test for the absence of direct IT-to-OT connectivity from a sample of IT workstations (with operational approval and coordination): evaluate the candidate flows against the exported policy first, then confirm with ping, connection attempts, or traceroute toward OT addresses. Keep active probes to a minimum and never port-scan controllers themselves, since fragile PLCs and legacy HMIs can fault or drop connections under unexpected traffic; the expected outcome is that every attempt is blocked at the DMZ boundary and appears in its deny logs.
- Review DMZ device logs for a sample period (minimum 30 days) to verify that denied connection attempts, policy violations, and anomalous traffic patterns are logged and monitored.
- Examine change control records for DMZ firewall rules added or modified in the past 12 months, verifying that changes followed approval processes and included business justification.
- Interview IT and OT personnel to confirm roles and responsibilities for DMZ management, incident response procedures, and escalation paths when boundary violations are detected.
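The ruleset review and the connectivity test in the steps above can be rehearsed against an exported policy before anything touches a live controller. The following is an added example, not part of this control page and not tied to any particular firewall product: it assumes a constructed three-zone addressing plan (10.10.0.0/16 for IT, 10.20.0.0/24 for the DMZ, 10.30.0.0/16 for OT) and a constructed five-rule policy, flags allow rules that bypass the DMZ, admit any source or any port into OT, carry SMB or RDP into OT, or lack a justification, and answers "would this IT workstation reach this PLC?" by first-match evaluation of the same rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone plan for the example; real addressing comes from the
# architecture diagrams collected in the first testing step.
ZONES = {
    "IT":  ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT":  ipaddress.ip_network("10.30.0.0/16"),
}

# IT protocols that should never be allowed from outside OT into the OT zone.
RISKY_INTO_OT = {("tcp", 445): "SMB", ("tcp", 139): "SMB", ("tcp", 3389): "RDP"}


@dataclass
class Rule:
    rid: str
    action: str            # "allow" or "deny"
    src: str               # CIDR/host or "any"
    dst: str               # CIDR/host or "any"
    proto: str             # "tcp", "udp" or "any"
    port: Optional[int]    # destination port, None means any
    justification: str = ""


def zone_of(spec: str) -> str:
    """Map a rule address field to IT / DMZ / OT / ANY / UNKNOWN."""
    if spec == "any":
        return "ANY"
    net = ipaddress.ip_network(spec, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "UNKNOWN"


def audit_rules(rules):
    """Return (rule id, finding) pairs for allow rules that violate the DMZ model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        sz, dz = zone_of(r.src), zone_of(r.dst)
        if {sz, dz} == {"IT", "OT"}:
            findings.append((r.rid, f"direct {sz}->{dz} path bypasses the DMZ"))
        if dz == "OT" and sz == "ANY":
            findings.append((r.rid, "any-source allow into OT"))
        if dz == "OT" and r.port is None:
            findings.append((r.rid, "any-port allow into OT"))
        elif dz == "OT" and (r.proto, r.port) in RISKY_INTO_OT:
            findings.append((r.rid, f"{RISKY_INTO_OT[(r.proto, r.port)]} permitted into OT"))
        if not r.justification.strip():
            findings.append((r.rid, "allow rule without documented justification"))
    return findings


def _matches(spec: str, ip: ipaddress.IPv4Address) -> bool:
    return spec == "any" or ip in ipaddress.ip_network(spec, strict=False)


def evaluate(rules, src_ip, dst_ip, proto, port):
    """First-match evaluation of one flow against the ruleset; implicit deny at the end."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (_matches(r.src, s) and _matches(r.dst, d)
                and r.proto in ("any", proto) and r.port in (None, port)):
            return r.action, r.rid
    return "deny", "implicit"


# Constructed ruleset standing in for an exported firewall policy.
RULESET = [
    Rule("R1", "allow", "10.10.0.0/16", "10.20.0.10/32", "tcp", 443, "IT users read the DMZ historian"),
    Rule("R2", "allow", "10.20.0.10/32", "10.30.1.0/24", "tcp", 502, "DMZ historian polls PLCs over Modbus/TCP"),
    Rule("R3", "allow", "10.10.5.0/24", "10.30.1.0/24", "tcp", 3389, ""),
    Rule("R4", "allow", "any", "10.30.0.0/16", "any", None, "temporary vendor access"),
    Rule("R5", "deny", "any", "any", "any", None, "default deny"),
]


def findings_for(rid, rules=RULESET):
    """Findings raised against a single rule id."""
    return [msg for r, msg in audit_rules(rules) if r == rid]


if __name__ == "__main__":
    for rid, msg in audit_rules(RULESET):
        print(f"{rid}: {msg}")
    # The connectivity test from the procedure, answered from policy rather than by probing a PLC.
    print(evaluate(RULESET, "10.10.5.7", "10.30.1.20", "tcp", 3389))
```

Run against the constructed policy, R1 and R2 (IT to DMZ historian, DMZ historian to PLCs) pass clean, R3 raises three findings (direct IT to OT path, RDP into OT, no justification) and R4 raises two (any source and any port into OT); an IT workstation in 10.10.5.0/24 is shown to reach a PLC on 3389 via R3 and on any other port via R4, and only once both are removed does the same flow fall through to the explicit default deny R5. The same evaluation can be repeated for each backup, remote-access, and vendor path identified in the first step.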
Where this control is tested