Why Your Firewall Isn’t Enough: Building an IT/OT DMZ That Actually Works

Introduction

In today’s industrial landscape, convergence between Information Technology (IT) and Operational Technology (OT) is accelerating faster than ever. Whether it’s predictive maintenance from cloud analytics or remote access to PLCs, the demand for interconnected systems is real—and growing. But here’s the catch: if you’re relying solely on a firewall to protect your critical infrastructure, you’re putting your plant, your data, and possibly your job at serious risk.

After 30+ years in industrial automation and cybersecurity, I’ve seen the consequences of weak segmentation strategies firsthand—from ransomware crippling production to safety system compromise due to unsecured connections. The solution? A well-architected IT/OT DMZ (Demilitarized Zone)—not just a firewall rule slapped between networks.

In this blog, we’ll explore:

  • Why firewalls alone fall short in IT/OT security
  • What a functional DMZ architecture looks like
  • Real-world case studies and best practices
  • Common mistakes to avoid when designing your DMZ

What Is an IT/OT DMZ?

A DMZ in cybersecurity is a buffer zone between two networks—in this case, your enterprise IT network and your plant floor OT network. It’s designed to control and filter traffic flowing between the two, providing a secure gateway for data exchange without exposing either side to direct threats.

Think of it like an airlock in a biosafety lab. You don’t walk straight from the outside into the core lab—you pass through containment stages. A good IT/OT DMZ performs the same function.


Why Your Firewall Alone Isn’t Enough

Most facilities today have a basic firewall separating IT and OT. While this is a good start, it’s not enough. Here’s why:

🚨 1. Firewalls Can’t Stop Application-Layer Attacks

Traditional firewalls filter on IP addresses, ports, and protocols, but they don’t understand the application logic carried inside a permitted connection. Malware can piggyback on allowed traffic (e.g., HTTP, DNS, SMB) and reach deep into your control systems.

🔄 2. Firewalls Allow Bidirectional Traffic by Default

Misconfigured or overly permissive rules often allow two-way traffic between IT and OT—this completely defeats the purpose of segmentation.

🛑 3. Firewalls Can’t Detect Lateral Movement

Once an attacker breaches one device (e.g., a misconfigured HMI), they can pivot laterally across the OT network, targeting PLCs, HMIs, historians, and SCADA servers.

⚙️ 4. Firewalls Don’t Log or Analyze OT-Specific Behavior

A firewall might block or allow traffic, but it doesn’t analyze protocol misuse or anomalies within Modbus, DNP3, or OPC UA communications.
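As an added example (not code from the original post), the Python inspector below shows the kind of function-code check an OT-aware IDS in the DMZ performs and a port/IP rule cannot: it parses the Modbus/TCP MBAP header, distinguishes read function codes from write and diagnostic ones, and flags writes or malformed frames that arrive from the IT or DMZ side. The sample frames, zone labels and the "read-only from outside OT" policy are constructed for illustration; the function codes are the standard ones from the public Modbus application protocol specification.

```python
"""Minimal Modbus/TCP function-code inspector for a DMZ sensor.

Added example, not code from the original article. It assumes Modbus/TCP
application data units (ADUs) have already been pulled out of TCP payloads
by a capture tool; the sample frames and zone labels below are constructed
by hand for illustration.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Public function codes from the Modbus application protocol specification.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
DIAG_FUNCTIONS = {8: "Diagnostics", 43: "Encapsulated Interface Transport"}

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu_data: bytes   # bytes following the function code


def parse_modbus_tcp(adu: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code; raise ValueError on bad frames."""
    if len(adu) < MBAP_LEN + 1:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (expected 0)")
    # The length field counts every byte after itself: unit id + function code + data.
    if length != len(adu) - 6:
        raise ValueError(f"length field {length} does not match frame size {len(adu) - 6}")
    return ModbusRequest(tid, unit, adu[MBAP_LEN], adu[MBAP_LEN + 1:])


def inspect(adu: bytes, src_zone: str) -> Optional[str]:
    """Return an alert if the frame should not enter OT from src_zone, else None.

    Assumed policy for this example: hosts in IT or the DMZ may only poll
    (read) devices; writes, diagnostics and unknown function codes from those
    zones are flagged, as are malformed frames, which a port/IP rule would pass.
    """
    try:
        req = parse_modbus_tcp(adu)
    except ValueError as exc:
        return f"MALFORMED from {src_zone}: {exc}"
    if req.function_code in READ_FUNCTIONS or src_zone == "OT":
        return None  # read-only polling, or OT-internal traffic covered by OT policy
    name = (WRITE_FUNCTIONS.get(req.function_code)
            or DIAG_FUNCTIONS.get(req.function_code)
            or f"unknown/vendor function 0x{req.function_code:02x}")
    return (f"BLOCK {name} from {src_zone}: unit {req.unit_id}, "
            f"tid {req.transaction_id}, {len(req.pdu_data)} data bytes")


# Constructed sample traffic: (zone the frame came from, Modbus/TCP ADU).
SAMPLE_FRAMES = [
    ("DMZ", bytes.fromhex("00010000000601030000000a")),            # read 10 holding regs
    ("DMZ", bytes.fromhex("000200000006010600101234")),            # write single register
    ("IT",  bytes.fromhex("00030000000b0110000000020400010002")),  # write 2 registers
    ("OT",  bytes.fromhex("000500000006010600101234")),            # OT-internal write
    ("DMZ", bytes.fromhex("000400000006010300")),                  # truncated frame
]


def run_samples() -> List[str]:
    """Inspect every sample frame and return the alerts raised."""
    alerts = []
    for zone, frame in SAMPLE_FRAMES:
        alert = inspect(frame, zone)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

Run as a script it prints three alerts: the two writes coming from the DMZ and IT sides, and the truncated frame. The read from the DMZ (a historian poll) and the write that stays inside OT pass silently, which is the point: the decision depends on the function code and the source zone, not on the fact that TCP port 502 was allowed.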


What a Real IT/OT DMZ Should Look Like

A proper DMZ isn’t just a box on a network diagram—it’s a security architecture made of multiple layers, policies, and specialized services. Here’s what you need:

1. Dual Firewall Architecture

Use two firewalls:

  • IT-facing firewall: Protects enterprise systems from malicious or unauthorized OT access.
  • OT-facing firewall: Filters and inspects traffic heading into the plant network.

Where possible, the two firewalls should come from different vendors or run different operating systems, so that a single vulnerability cannot be used to breach both at once.

2. Application Proxy or Data Diode

Use a proxy server or a unidirectional gateway (data diode) for data flowing from OT to IT. A proxy terminates the connection on each side and forwards only the application data it is configured for; a data diode enforces one-way flow at the physical layer. Either way, IT systems can read process data without any command traffic reaching control systems.

3. Intrusion Detection System (IDS) / Deep Packet Inspection

Deploy an OT-aware IDS inside the DMZ to analyze traffic for known attack patterns, protocol misuse, or suspicious commands.

4. Asset Inventory & Patch Management

Create a mirror or staging zone in the DMZ for patch testing, backups, and security scanning before anything touches the OT network.

5. Jump Servers / Bastion Hosts

For remote access, use a jump server located in the DMZ. Never allow direct RDP or VPN into the OT network.
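The five elements above reduce to a small set of permitted flows: nothing passes directly between IT and OT, OT only publishes outbound into the DMZ, and the only path back into OT is the jump host. As an added example, not from the article or any firewall vendor, the Python audit below writes those flows down as checks over a vendor-neutral rule list and runs them against a constructed weak rule base and a corrected one. The zone names, host names (including the assumed bastion jump01.dmz.example), port choices (RDP 3389, SMB 445, MQTT 1883, SQL Server 1433) and rule sets are assumptions for the example.

```python
"""Policy-as-code audit of an IT/OT DMZ firewall rule set.

Added example, not code from the original article or any firewall vendor.
Rules use a simple vendor-neutral shape; the zone names, host names and
sample rule sets below are constructed for illustration. A real audit would
export each firewall's rule base and translate it into this shape first.
"""
from dataclasses import dataclass
from typing import List

ANY = "any"
RDP, SMB, MQTT = "3389", "445", "1883"        # well-known IANA port numbers
JUMP_HOST = "jump01.dmz.example"              # assumed name of the DMZ bastion host


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "IT", "DMZ" or "OT"
    src_host: str   # hostname, address or ANY
    dst_zone: str
    dst_host: str
    proto: str      # "tcp", "udp" or ANY
    port: str       # destination port, or ANY
    action: str     # "allow" or "deny"


def audit(rules: List[Rule]) -> List[str]:
    """Return one finding per allow rule that contradicts the DMZ design."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules cannot weaken segmentation
        wide_open = (r.src_host, r.dst_host, r.proto, r.port) == (ANY, ANY, ANY, ANY)
        if {r.src_zone, r.dst_zone} == {"IT", "OT"}:
            # Every IT<->OT flow must terminate in the DMZ (proxy, diode, jump host).
            findings.append(f"{r.name}: direct {r.src_zone}->{r.dst_zone} rule bypasses the DMZ")
        elif wide_open:
            findings.append(f"{r.name}: any/any rule {r.src_zone}->{r.dst_zone}")
        elif r.dst_zone == "OT" and r.port == SMB:
            findings.append(f"{r.name}: SMB into the control network")
        elif r.dst_zone == "OT" and r.port == RDP and not (
                r.src_zone == "DMZ" and r.src_host == JUMP_HOST):
            findings.append(f"{r.name}: RDP into OT from {r.src_host}, not the jump host")
        elif r.src_zone == "DMZ" and r.dst_zone == "OT" and r.src_host != JUMP_HOST:
            # Process data leaves OT through the one-way path; nothing else pulls from it.
            findings.append(f"{r.name}: inbound DMZ->OT from {r.src_host}; OT data should flow outbound only")
    return findings


# Constructed "weak" rule base: what the article's common mistakes look like.
WEAK_RULES = [
    Rule("erp-to-historian", "IT", ANY, "OT", "historian.ot.example", "tcp", "1433", "allow"),
    Rule("temp-any", "IT", ANY, "DMZ", ANY, ANY, ANY, "allow"),
    Rule("vendor-rdp", "DMZ", "vpn-gw.dmz.example", "OT", "eng-ws.ot.example", "tcp", RDP, "allow"),
    Rule("file-share", "DMZ", "files.dmz.example", "OT", ANY, "tcp", SMB, "allow"),
    Rule("ot-mqtt-out", "OT", ANY, "DMZ", "broker.dmz.example", "tcp", MQTT, "allow"),
    Rule("deny-all", ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]

# Corrected rule base: OT publishes outbound only, remote access only via the
# jump host, and the DMZ (not OT) serves the enterprise side.
HARDENED_RULES = [
    Rule("ot-mqtt-out", "OT", ANY, "DMZ", "broker.dmz.example", "tcp", MQTT, "allow"),
    Rule("jump-rdp", "DMZ", JUMP_HOST, "OT", "eng-ws.ot.example", "tcp", RDP, "allow"),
    Rule("erp-reads-dmz", "IT", "erp.corp.example", "DMZ", "historian-mirror.dmz.example", "tcp", "1433", "allow"),
    Rule("deny-all", ANY, ANY, ANY, ANY, ANY, ANY, "deny"),
]


if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: {len(audit(rules))} finding(s)")
        for finding in audit(rules):
            print("  -", finding)
```

The weak rule base produces four findings (a direct IT-to-OT path, an any/any rule, RDP into OT from a host that is not the bastion, and SMB into the control network); the hardened one produces none, because its only inbound rule into OT is the jump host and everything else flows outward or stops in the DMZ. The checks are ordered so each rule yields at most one finding, which keeps the report readable when it is run over a real export of several hundred rules.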


Interactive Checklist: Is Your DMZ Functional or Just Fictional?

Check all that apply:

✅ We have two separate firewalls between IT and OT
✅ We use proxies or data diodes for one-way traffic
✅ We control who accesses the DMZ and monitor all activity
✅ We perform deep packet inspection on OT protocols
✅ We don’t allow direct RDP or SMB into the control network
✅ We have a backup & patch testing environment in the DMZ

4 or more? You’re on the right track.
Fewer than 4? Your DMZ might be putting your operations at risk.


Real-World Case Study: DMZ Saved a Food Manufacturer from Ransomware

👨‍🏭 Background:

A large food manufacturer implemented a structured DMZ between their ERP system and their plant floor MES and SCADA systems.

⚠️ Incident:

An employee on the corporate network clicked a phishing email, deploying ransomware. The attacker attempted to move laterally into the OT environment.

The DMZ Defense:

  • Unidirectional gateway blocked all command traffic.
  • Jump servers were locked down with MFA and zero trust policies.
  • Firewall rules allowed only outbound MQTT data from OT to DMZ.

🛡️ Result:

The attack was contained to the IT network, with zero impact on production lines.


Common Mistakes When Building an IT/OT DMZ

1. One Firewall for Both Zones

A single firewall with VLAN rules between IT and OT isn’t a DMZ: one misconfiguration or one compromised rule base exposes both zones at once, which increases your attack surface.

2. Overly Permissive Rules

Allowing any/any rules, or adding port and IP exceptions for convenience, is a major red flag.

3. Not Inspecting OT Traffic

Assuming Modbus or OPC is secure because it’s “just plant traffic” is dangerous: these protocols were designed without built-in authentication or encryption.

4. Remote Access into OT

Direct RDP, TeamViewer, or VPN access into control systems is a serious risk without proper segmentation and authentication.


Best Practices for a Secure, Working DMZ

Practice                            Why It Matters
Use dual firewalls                  Layered protection and policy separation
Enforce unidirectional data flow    Stops command/control traffic from reaching OT
Log all traffic & use SIEM          Detect anomalies and unauthorized attempts
Use OT-aware firewalls or IDS       Detect attacks on industrial protocols
Patch only via staging zones        Avoid untested patches corrupting OT systems
Implement MFA and RBAC              Reduce risk of credential compromise

Looking Ahead: The Role of Zero Trust in IT/OT Security

As industrial threats become more sophisticated, expect to see Zero Trust architectures replace traditional perimeter models. This means:

  • Verifying every user and device before granting access.
  • Continuous monitoring instead of one-time authentication.
  • Microsegmentation to isolate every network segment—even within OT.

A DMZ is your first step toward Zero Trust. It won’t solve everything, but it forms a critical layer in your defense-in-depth strategy.


Conclusion

A firewall is a tool, not a strategy. As IT and OT systems become more integrated, relying solely on firewalls is akin to locking your front door but leaving the windows wide open.

A properly designed IT/OT DMZ goes beyond port blocking—it incorporates secure data flows, access controls, visibility, and intelligent analysis. It not only protects your critical assets but ensures business continuity in the face of growing cyber threats.


Key Takeaways

  • Firewalls are necessary, but not sufficient, for IT/OT security.
  • A functional DMZ filters, monitors, and isolates all traffic between zones.
  • Use multiple security layers: dual firewalls, proxies, IDS, and jump servers.
  • Test and patch via staging environments to prevent downtime or breaches.
  • Embrace Zero Trust principles for future-proof protection.