What’s in a DMZ?

Dec. 24, 2018
The demilitarized zone—which securely separates business and industrial control networks—is a staple of good network design that is getting renewed focus in the world of Industry 4.0.

Most of us have been around industrial networks long enough to see major changes come to how we handle our industrial control system (ICS) networks. From the concept of air gapping to the implementation of the Purdue model, a constantly changing cybersecurity threat environment has driven an adapt-or-be-hacked mindset. And as enterprises try to coordinate their decisions between the plant floor and the office high-rise, more and more changes are expected as we work to access the valuable data inside our manufacturing centers.

But to safely and securely enable the Industry 4.0 evolution, we need to focus on a stalwart of good network design—the demilitarized zone (DMZ). Today, we’ll answer three questions about the DMZ: what it is, how it works and why it’s valuable.

The concept of a network DMZ, or perimeter network, goes back to the advent of the Purdue model. How do we securely separate two networks with vastly different purposes and requirements? The answer is through the implementation of a DMZ. The DMZ exists to provide a safe, neutral area to exchange data between our highly connected but highly risky business networks and our low-connection, low-risk ICS networks. Data flows up from the manufacturing center, and decisions flow down from the boardroom. But how does the DMZ protect us? Let’s talk about how the modern DMZ works.

The modern DMZ acts as a logical and physical barrier between the business network and the ICS network. Traffic from the business network is pointed toward systems that live in the DMZ, and the DMZ systems have limited and monitored access to any ICS assets. No traffic is allowed a direct link between the business and ICS networks. In this way, the DMZ gives us a single place to monitor and validate all traffic that is trying to transit between networks. By using different firewalls at the ingress and egress points of the DMZ, we also provide a strategy of defense in depth. With different responsibilities and access, a misconfigured rule in one firewall won’t propagate through another firewall, reducing our risk and improving our resilience.
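To make the traffic pattern above concrete, here is an added example (not code from the article or from Hargrove) that models the two-firewall DMZ as a small, checkable policy. The addresses, the historian host, the Modbus and HTTPS ports, and the firewall names are all assumed for illustration. A flow is only permitted when one firewall sits directly between its source and destination zones and that firewall's rule base allows it; because no firewall bridges the business and ICS zones, a business-to-ICS flow has no permitted path even when the enterprise-side firewall is misconfigured wide open.

```python
"""Zone-and-firewall model of an ICS DMZ: business <-> DMZ <-> ICS.

Added illustration, not the article's own material. All addresses,
hosts and ports below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zone addressing (assumed; not from the article).
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "dmz": ip_network("172.16.1.0/24"),
    "ics": ip_network("192.168.1.0/24"),
}


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone name, or None if it is in no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


@dataclass(frozen=True)
class Rule:
    src: str            # CIDR of permitted sources
    dst: str            # CIDR of permitted destinations
    proto: str          # "tcp", "udp" or "any"
    port: Optional[int] # None means any port
    action: str         # "allow" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.port in (None, port))


class Firewall:
    """First-match rule base with an implicit default deny at the end."""

    def __init__(self, name: str, zones, rules):
        self.name = name
        self.zones = frozenset(zones)  # the two zones this firewall sits between
        self.rules = list(rules)

    def permits(self, src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, proto, port):
                return rule.action == "allow"
        return False  # nothing matched: default deny


# Enterprise-side firewall: only business -> DMZ historian web UI over HTTPS.
FW_ENTERPRISE = Firewall("fw-enterprise", {"business", "dmz"}, [
    Rule("10.10.0.0/16", "172.16.1.10/32", "tcp", 443, "allow"),
])
# ICS-side firewall: only the DMZ historian may poll the PLC network (Modbus/TCP).
FW_ICS = Firewall("fw-ics", {"dmz", "ics"}, [
    Rule("172.16.1.10/32", "192.168.1.0/24", "tcp", 502, "allow"),
])
FIREWALLS = [FW_ENTERPRISE, FW_ICS]


def flow_permitted(src_ip, dst_ip, proto, port, firewalls=FIREWALLS) -> bool:
    """A flow is permitted only if some firewall sits directly between the
    source and destination zones and allows it. Business and ICS share no
    firewall, so a direct business<->ICS flow never has a permitted path."""
    s, d = zone_of(src_ip), zone_of(dst_ip)
    if s is None or d is None or s == d:
        return False
    for fw in firewalls:
        if {s, d} == fw.zones:
            return fw.permits(src_ip, dst_ip, proto, port)
    return False  # no firewall bridges these zones


def audit_rules(firewalls=FIREWALLS):
    """Flag rules that would bridge business and ICS directly, and allow rules
    that are any-protocol/any-port (the kind of misconfiguration the second
    firewall is there to contain)."""
    findings = []
    for fw in firewalls:
        for rule in fw.rules:
            endpoints = {zone_of(str(ip_network(rule.src).network_address)),
                         zone_of(str(ip_network(rule.dst).network_address))}
            if endpoints == {"business", "ics"}:
                findings.append(f"{fw.name}: {rule} links business and ICS directly")
            elif rule.action == "allow" and rule.proto == "any" and rule.port is None:
                findings.append(f"{fw.name}: {rule} is an any/any allow")
    return findings


def misconfigured_enterprise():
    """Variant where fw-enterprise was mistakenly opened to any/any toward the
    DMZ. fw-ics is unchanged, so business hosts still cannot reach the PLCs."""
    loose = Firewall("fw-enterprise", {"business", "dmz"}, [
        Rule("10.10.0.0/16", "172.16.1.0/24", "any", None, "allow"),
    ])
    return [loose, FW_ICS]


if __name__ == "__main__":
    print("business -> PLC Modbus:", flow_permitted("10.10.5.5", "192.168.1.20", "tcp", 502))
    print("findings on loose config:", audit_rules(misconfigured_enterprise()))
```

Running the module prints `False` for the direct business-to-PLC flow under both the intended and the loosened enterprise rule base, while `audit_rules` reports the any/any rule so the misconfiguration is caught at the first firewall rather than discovered at the second.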

But why does a DMZ need to exist in the first place? How does it provide value and what do we gain from it?

The DMZ exists because it is and has been the key to fully unlocking Industry 4.0. By enabling connectivity between the business and ICS networks, we can link the strategic decisions of the enterprise with the operational decisions of the plant. We can take real-time action based on real-time data, and the improved responsiveness of plants will continue to feed into more efficient manufacturing. Enterprises can use this data to fully implement Industry 4.0 and plants can continue to work toward being nimble, effective and lean. And by using a DMZ, we can maintain the cyber safeguards that keep us safe and productive. As we integrate the connected enterprise with the connected plant, the DMZ will remain an essential aspect of good network design and continue to provide value for years to come.

Thomas Roth is IIoT lead at Hargrove Controls + Automation, a certified member of the Control System Integrators Association (CSIA). For more information about Hargrove Controls + Automation, visit its profile on the Industrial Automation Exchange.