IEC 62443-3-3:2013 SR 3.1 / NIST SP 800-82 Rev 3 Section 6.2.1 / CIS-12.2

Frameworks: IEC 62443 / NIST SP 800-82 Rev 3

IT / OT boundary firewall with explicit allowlist

Demonstrate that a boundary firewall separates IT and OT networks with all permitted traffic flows explicitly defined, documented, and technically enforced through allowlist rules.

Description

What this control does

This control enforces network segmentation between Information Technology (IT) and Operational Technology (OT) environments using a dedicated firewall configured with an explicit allowlist (default-deny) ruleset. All traffic crossing the IT/OT boundary must be explicitly permitted based on documented business justification, with specific sources, destinations, ports, and protocols defined. This prevents unauthorized lateral movement from compromised IT systems into critical OT infrastructure and limits the attack surface by blocking undocumented or unnecessary communication paths.

Control objective

What auditing this proves

Demonstrate that a boundary firewall separates IT and OT networks with all permitted traffic flows explicitly defined, documented, and technically enforced through allowlist rules.

Associated risks

Risks this control addresses

  • Lateral movement from compromised IT workstations or servers into OT systems controlling physical processes
  • Malware propagation from IT business networks into SCADA, ICS, or industrial control systems
  • Unauthorized remote access to OT devices via IT network entry points bypassing OT-specific security controls
  • Exploitation of vulnerable OT protocols exposed to broader IT network scanning and reconnaissance
  • Disruption of operational processes through accidental or malicious configuration changes initiated from IT systems
  • Data exfiltration from OT historian databases or engineering workstations through unmonitored IT connections
  • Privilege escalation attacks leveraging trust relationships between IT domain controllers and OT assets

Testing procedure

How an auditor verifies this control

  1. Obtain and review current network architecture diagrams identifying the IT/OT boundary and the firewall(s) enforcing segmentation.
  2. Export the complete active firewall ruleset from all devices positioned at the IT/OT boundary.
  3. Verify the firewall default policy is set to deny all traffic not explicitly permitted by allowlist rules.
  4. Cross-reference each permit rule against a documented business justification or change control record explaining the operational need.
  5. Select a sample of 10-15 permit rules and validate that source IP/subnet, destination IP/subnet, port, and protocol are explicitly specified (not 'any').
  6. Test firewall enforcement by attempting an undocumented connection from an IT subnet to an OT device and confirm the traffic is blocked and logged.
  7. Review firewall logs for the past 30 days to identify denied traffic attempts crossing the IT/OT boundary and verify alerts are generated for repeated violations.
  8. Confirm that firewall configuration changes follow formal change control procedures and require dual approval from both IT and OT stakeholders.
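Steps 3 to 5 of the procedure can be checked mechanically once the exported ruleset is normalised. The following is an added example, not part of this control text or any vendor tool: it runs over a constructed sample ruleset and a constructed change-ticket register (both assumptions), flags permit rules whose source, destination, protocol or port is a wildcard, and flags rules with no matching business justification.

```python
import ipaddress
from collections import namedtuple

# Wildcard tokens as they appear in common ruleset exports (assumption).
ANY = {"any", "all", "*", "0.0.0.0/0", "::/0"}

# One normalised permit rule: ticket is the change-control/justification reference.
Rule = namedtuple("Rule", "rule_id src dst proto port ticket")

# Constructed sample export and justification register (not a real device's data).
RULES = [
    Rule("R1", "10.10.20.0/24", "10.50.1.10/32", "tcp", "502", "CHG-1042"),   # Modbus/TCP
    Rule("R2", "10.10.30.5/32", "10.50.1.20/32", "tcp", "44818", "CHG-1077"), # EtherNet/IP
    Rule("R3", "10.10.0.0/16", "any", "tcp", "any", "CHG-0991"),              # too broad
    Rule("R4", "10.10.40.7/32", "10.50.2.0/24", "udp", "161", ""),           # no ticket
    Rule("R5", "10.10.40.7", "10.50.2.0/24", "udp", "161", "CHG-XXXX"),      # unknown ticket
]
JUSTIFICATIONS = {"CHG-1042", "CHG-1077", "CHG-0991"}

def is_explicit_network(value):
    """True only for a concrete host or CIDR; wildcards and junk fail."""
    if value.lower() in ANY:
        return False
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def audit(permit_rules, default_policy, justifications):
    """Return (rule_id, finding) pairs for procedure steps 3-5; [] means pass."""
    findings = []
    if default_policy.lower() != "deny":                           # step 3
        findings.append(("DEFAULT", f"default policy is '{default_policy}', not deny"))
    for r in permit_rules:
        for field in ("src", "dst"):                               # step 5: endpoints
            if not is_explicit_network(getattr(r, field)):
                findings.append((r.rule_id, f"{field} is not an explicit network"))
        for field in ("proto", "port"):                            # step 5: service
            if getattr(r, field).lower() in ANY:
                findings.append((r.rule_id, f"{field} is 'any'"))
        if not r.ticket:                                           # step 4
            findings.append((r.rule_id, "no business justification reference"))
        elif r.ticket not in justifications:
            findings.append((r.rule_id, f"justification {r.ticket} not in register"))
    return findings

if __name__ == "__main__":
    for rule_id, finding in audit(RULES, "deny", JUSTIFICATIONS):
        print(f"FAIL {rule_id}: {finding}")
```

Any finding returned is a sampled rule that fails the pass criteria and should be traced back to its change record.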

Evidence required

Configuration exports from IT/OT boundary firewalls including complete rulesets and default policies; documented business justifications or change tickets corresponding to each permit rule; network diagrams annotating the boundary and firewall placement; firewall deny logs and alert records from the past 30-90 days; change control records showing approval workflows for rule modifications.

Pass criteria

The IT/OT boundary firewall is configured with default-deny rules, all permit rules explicitly define source, destination, port, and protocol with documented business justification, and testing confirms that undocumented traffic is blocked and logged.
