Segmenting Networks Using a DMZ


Every day we hear of a plant or company getting hit by a cyberattack. In most cases the attackers first compromised the corporate IT network. Once inside IT, they reached the OT (operations) network through open firewall ports, or simply by landing on a VPN that already connected the two. Many of these companies run sophisticated cybersecurity products that should have stopped the attack. That is not always enough.

The most secure way to connect industrial systems to IT is network segmentation. Governments and industry leaders worldwide agree on this basic industrial cybersecurity practice: it is codified as zones and conduits in the ISA/IEC 62443 series (which builds on the ISA-95 Purdue reference model), and it is among the measures expected under the NIS2 Directive. Network segmentation means that the OT and IT networks are kept isolated from each other and that data moves between them only by way of a DMZ (demilitarized zone), behind firewalls that accept no inbound connections.
 

What about VPNs?

Some companies still use VPNs (virtual private networks) to reach data on their OT networks. But a VPN does not segment networks; it joins them. A VPN extends the IT security perimeter into the plant network, so the two networks become one routable domain. An attacker who compromises the IT network and obtains VPN credentials, or simply a foothold on a VPN-connected host, can reach every node the VPN can reach, including those on the linked OT network. To eliminate that risk, the OT and IT networks must be segmented with a DMZ that still allows data to cross securely.
 

Using a DMZ

A DMZ isolates the production system from IT, ensuring there is no direct link between corporate networks and control networks. Only known and authenticated actors can enter the system at all. A firewall protects each side, operations and IT, and both should be configured to allow only outbound connections: hosts inside OT and hosts inside IT may initiate connections to servers in the DMZ, but nothing in the DMZ (or in IT) may initiate a connection into OT, and no rule connects IT to OT directly. With that policy no session can be opened into the plant from outside, and data crosses between the networks only through the DMZ.
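The outbound-only policy described above, as an added example (this is not code from the article or from any product): a small model of the two firewalls as a rule table, with the checks a practitioner would run against a proposed rule set before deploying it, including what changes when a VPN joins IT to the plant. Zone names, the relay port 8443 and the listed connection attempts are assumed for illustration; 4840 is the OPC UA default port.

```python
"""Two-firewall DMZ policy model: both inside networks may only open
connections outward to the DMZ, and nothing may open a connection into
either of them.

Added example, not code from the original article or any product.  Zone
names, port numbers and the connection attempts are constructed; 8443 is
an assumed port for the relay in the DMZ, 4840 is the OPC UA default.
"""
from dataclasses import dataclass
from typing import Union

OT, DMZ, IT, INTERNET = "OT", "DMZ", "IT", "INTERNET"
ANY = "*"


@dataclass(frozen=True)
class Rule:
    """Permit NEW connections initiated from zone `src` to zone `dst` on `port`.
    Replies on an established flow are implicitly allowed, as in any stateful
    firewall; everything not matched by a rule is dropped."""
    src: str
    dst: str
    port: Union[int, str]


# The pattern from the section above: OT dials out to the DMZ, IT dials out
# to the DMZ, and no rule lets the DMZ (or IT) dial into OT.
DMZ_POLICY = [
    Rule(OT, DMZ, 8443),   # plant-side agent pushes data to the DMZ relay
    Rule(IT, DMZ, 8443),   # IT-side client pulls data from the DMZ relay
]

# A VPN that joins IT to the plant network behaves like an allow-all rule
# from IT into OT, which is exactly what the DMZ pattern forbids.
VPN_JOINED_POLICY = DMZ_POLICY + [Rule(IT, OT, ANY)]


def allows_new(policy, src, dst, port):
    """True if some rule permits a NEW connection src -> dst on port."""
    return any(r.src == src and r.dst == dst and r.port in (port, ANY) for r in policy)


def evaluate(policy, attempts):
    """Map each (src, dst, port) connection attempt to 'ALLOW' or 'DROP'."""
    return {a: ("ALLOW" if allows_new(policy, *a) else "DROP") for a in attempts}


def inbound_exposure(policy, zone):
    """Rules that let another zone open a connection INTO `zone`.
    A correct DMZ policy returns [] for OT and for IT."""
    return [r for r in policy if r.dst == zone and r.src != zone]


def reachable(policy, start):
    """Zones an attacker holding `start` can open connections to, pivoting
    through every zone reached along the way."""
    seen, todo = {start}, [start]
    while todo:
        z = todo.pop()
        for r in policy:
            if r.src == z and r.dst not in seen:
                seen.add(r.dst)
                todo.append(r.dst)
    return seen - {start}


# Constructed connection attempts, as a firewall would see them.
SAMPLE_ATTEMPTS = [
    (OT, DMZ, 8443),        # tunnel agent in the plant dialing out
    (IT, DMZ, 8443),        # IT consumer dialing out
    (DMZ, OT, 8443),        # DMZ relay trying to reach into the plant
    (IT, OT, 4840),         # IT host trying OPC UA straight into OT
    (INTERNET, DMZ, 8443),  # Internet to the relay: not a published service
]

if __name__ == "__main__":
    for attempt, verdict in evaluate(DMZ_POLICY, SAMPLE_ATTEMPTS).items():
        print(f"{verdict:5} {attempt}")
    print("OT reachable from IT with DMZ policy:", OT in reachable(DMZ_POLICY, IT))
    print("OT reachable from IT with VPN joined:", OT in reachable(VPN_JOINED_POLICY, IT))
```

The two checks worth automating are `inbound_exposure` (must be empty for OT and for IT) and `reachable` from IT and from the DMZ: under the DMZ policy an attacker in IT can reach only the DMZ, and an attacker who has taken the DMZ relay can open connections nowhere, while the VPN-joined policy puts OT within reach of any IT foothold.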
 

Protocol challenges

Getting data out of a plant through a DMZ typically requires three servers daisy-chained together: one on the OT side, one in the DMZ, and one on the IT side. Two of the most popular industrial protocols, OPC UA and MQTT, were not built for this. Although often used in Industrial IoT and Industry 4.0 systems, they were designed in the early 2000s, before accessing industrial data from IT was common.

The OPC UA protocol is too complex to reproduce faithfully across a daisy chain of three servers, and information is lost at the first hop. The synchronous, multi-hop request/response interactions needed to pass data across a DMZ would be fragile on all but the most reliable networks and would add latency at every hop. And there would be no access to the data at the intermediate nodes in the chain.

MQTT, on the other hand, can be chained through bridged brokers, but each node in the chain must know that it is part of the chain and be configured individually. MQTT's QoS (Quality of Service) guarantees are defined per hop, between a client and its broker, so they do not compose end to end: a message acknowledged at one hop can still be lost by a broker further along the chain, making the data at the far end unreliable.
 

Tunnel/mirroring

Since neither OPC UA nor MQTT is well-suited to passing data through a DMZ, another approach is needed—one that integrates well with both of these protocols. Secure tunnel/mirroring software can do this and pass the data along daisy-chained connections, securely crossing a DMZ.


The tunnel/mirror software connects to MQTT, OPC UA or any other common industrial protocol at each end of the tunnel and mirrors the full data set through each server in the chain. Each hop in the chain is made as an outbound connection toward the DMZ, which is what the firewall policy above permits, so no inbound port has to be opened on either network. The software maintains the data in a unified namespace and provides access to it for registered, qualified clients at each node as well as at the final destination. Its mirroring capability guarantees consistency, so that every client and every intermediate point in the chain remains consistent with the original data source.
 
Today's competitive environment demands access to operations data, and operational data must be secure. These two requirements need not conflict. An OT network need not expose any inbound attack surface: there is no need to expose OT systems to the Internet, or to join the OT and IT networks, either directly or through a VPN. It is possible to isolate the OT and IT networks from each other and still allow qualified users to access production data. Segregating networks with a DMZ is the recommended approach, and it is best implemented with secure tunnel/mirroring.

About The Author


Xavier Mesrobian is the vice president of Sales and Marketing at Skkynet. Skkynet is a global leader in industrial data connectivity. With 25+ years in the industry, Skkynet software and services are used in over 27,000 installations in 86 countries including the top 10 automation providers worldwide.

