Enhancing OT Network Security with a 2.5 DMZ

In our OT network, we're considering adding a Level 2.5 DMZ to bolster security. This would serve as an additional layer of protection between the control systems (Level 2) and the enterprise network (Level 4).

Specific Design:

  • Level 2.5 DMZ: Host third-party servers and Engineering Workstations (EWS).
  • Level 3.5 DMZ: Maintain existing role as a DMZ for the control center and processing systems.

Key Questions:

  1. Benefits and Challenges:

    • What are the potential advantages and drawbacks of this design?
    • How does it impact network complexity, security, and operational efficiency?
  2. Best Practices for DMZ and Remote Access:

    • What are the recommended security practices for DMZs in OT environments?
    • How can we securely enable remote access for third-party vendors to service and configure their packages within the DMZ?
    • What are the best practices for segmenting traffic within the DMZ to further isolate critical systems?

We're eager to hear from OT security experts to gain insights into the best practices and potential pitfalls of this approach.
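A concrete way to reason about the zone boundaries described above is to write the intended flows down as an allow-list and check candidate traffic against it. The script below is an added example, not part of the original post: the zone prefixes, the allowed services per zone pair, and the sample flow records are all constructed assumptions chosen to illustrate a Level 2.5 DMZ design where Level 2 controllers talk only to the 2.5 DMZ, the 2.5 DMZ talks only to Level 3, and enterprise (Level 4) users land on a broker in the 3.5 DMZ. It also computes the fewest zone crossings between any two zones, which is a quick way to confirm that no rule accidentally creates a shortcut from Level 4 straight into Level 2 or the 2.5 DMZ.

```python
"""Zone-to-zone allow-list checker for a Purdue-style OT design with a Level 2.5 DMZ.

Added example (not the poster's configuration). ZONES, ALLOWED and SAMPLE_FLOWS are
constructed placeholders; swap in your own addressing and service list.
"""
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed zone prefixes (placeholders, not the poster's real addressing).
ZONES = {
    "L2_control":    ip_network("10.2.0.0/16"),
    "L2_5_dmz":      ip_network("10.25.0.0/16"),
    "L3_ops":        ip_network("10.3.0.0/16"),
    "L3_5_dmz":      ip_network("10.35.0.0/16"),
    "L4_enterprise": ip_network("10.4.0.0/16"),
}

# Assumed allow-list: (src_zone, dst_zone) -> {(proto, dport)}. Anything not listed is denied,
# so every zone only initiates sessions to an adjacent zone and L4 -> L2 always takes four hops.
ALLOWED = {
    ("L4_enterprise", "L3_5_dmz"): {("tcp", 443)},                 # vendors land on the 3.5 remote-access broker
    ("L3_5_dmz", "L3_ops"):        {("tcp", 3389)},                # broker -> operations jump host
    ("L3_ops", "L2_5_dmz"):        {("tcp", 3389)},                # jump host -> vendor server / EWS in the 2.5 DMZ
    ("L2_5_dmz", "L2_control"):    {("tcp", 502), ("tcp", 44818)}, # EWS -> controllers (Modbus/TCP, EtherNet/IP)
    ("L2_5_dmz", "L3_ops"):        {("tcp", 4840)},                # OPC UA data northbound to the historian
    ("L3_ops", "L3_5_dmz"):        {("tcp", 4840)},                # historian replication into the 3.5 DMZ
}


def zone_of(ip):
    """Return the zone name containing ip, or None if the address is outside every zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, proto, dport):
    """Default-deny check of one flow against the zone allow-list."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False                      # unknown address space is never trusted
    if src == dst:
        return True                       # intra-zone traffic is left to host/micro-segmentation here
    return (proto.lower(), int(dport)) in ALLOWED.get((src, dst), set())


def min_hops(src_zone, dst_zone):
    """Fewest zone crossings from src_zone to dst_zone using only allowed edges; None if unreachable."""
    graph = {}
    for s, d in ALLOWED:
        graph.setdefault(s, set()).add(d)
    dist = {src_zone: 0}
    queue = deque([src_zone])
    while queue:
        cur = queue.popleft()
        if cur == dst_zone:
            return dist[cur]
        for nxt in graph.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return None


def audit(flow_lines):
    """Return the flow records that violate the policy. Expects 'src=.. dst=.. proto=.. dport=..'."""
    violations = []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if not is_allowed(fields["src"], fields["dst"], fields["proto"], fields["dport"]):
            violations.append(line)
    return violations


# Constructed sample flow records (not real logs).
SAMPLE_FLOWS = [
    "src=10.4.1.20 dst=10.35.0.5 proto=tcp dport=443",   # vendor -> 3.5 broker: allowed
    "src=10.3.0.9 dst=10.25.0.7 proto=tcp dport=3389",   # jump host -> EWS: allowed
    "src=10.25.0.7 dst=10.2.1.5 proto=tcp dport=502",    # EWS -> controller, Modbus/TCP: allowed
    "src=10.4.1.20 dst=10.25.0.7 proto=tcp dport=3389",  # vendor straight to the EWS, skipping the 3.5 broker: violation
    "src=10.4.1.20 dst=10.2.1.5 proto=tcp dport=502",    # enterprise host to a controller: violation
    "src=10.25.0.7 dst=10.2.1.5 proto=tcp dport=22",     # EWS -> controller on an unlisted service: violation
]

if __name__ == "__main__":
    for record in audit(SAMPLE_FLOWS):
        print("VIOLATION", record)
    print("L4 -> L2 minimum zone hops:", min_hops("L4_enterprise", "L2_control"))
```

Run as a script it prints the three violating records and reports four hops from Level 4 to Level 2. Because `ALLOWED` is the single source of truth, the same table can be used to generate the actual firewall rules and to audit exported flow logs against them, so a rule added "temporarily" for a vendor shows up as a shortened hop count or a new allowed edge rather than going unnoticed.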