
5 Recommendations for the Deployment of Secure OT Networks (Part II)


Continuing the previous entry (Part I), we present the last two recommendations:

4. Create a DMZ (demilitarized zone) if the SCADA WEB server needs to be accessed by users from the Internet and/or the OT network.

A demilitarized zone (DMZ) is an intermediate network placed between two other networks and separated from each of them by its own firewall. The information or applications that users of both main networks need to share are hosted in this intermediate network, so that each side can reach the shared resource while no traffic flows directly from one main network into the other.

The figure shows an intermediate network, the DMZ, with its own IP address range (202.168.1.Y), created between network A, the IT network (192.168.1.X), and network B, the OT network (193.167.1.X). This intermediate network hosts the applications and information that must be shared between IT and OT users (for example an MES solution, or a replicated Historian so that process data can be read from IT without reaching into the OT network) as well as any server that must be reachable from outside, such as the SCADA web server.

Figure: Create a DMZ (demilitarized zone)
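As an added illustration, not part of the original article, the following Python script models the zone policy the figure implies: it classifies endpoints into the IT, DMZ and OT address ranges printed in the figure (anything else is treated as the Internet) and evaluates new connections against an inter-zone allowlist with default deny. The services, the port numbers and the direction of historian replication (the OT historian pushes into the DMZ replica; the DMZ never initiates connections into OT) are assumptions chosen for the example.

```python
"""Inter-zone flow policy for the IT / DMZ / OT layout in the figure (added example).

Endpoints are classified into zones by the address ranges printed in the
figure; anything outside them is treated as the Internet. Flows that cross
a zone boundary are checked against an allowlist, everything else is
dropped. There is deliberately no IT <-> OT entry and no DMZ -> OT entry.
Services and ports below are assumptions for illustration.
"""
import ipaddress

ZONES = {
    "IT":  ipaddress.ip_network("192.168.1.0/24"),   # network A in the figure
    "DMZ": ipaddress.ip_network("202.168.1.0/24"),   # intermediate network
    "OT":  ipaddress.ip_network("193.167.1.0/24"),   # network B in the figure
}

# (src_zone, dst_zone, protocol, dst_port) -> service. Default deny.
# Assumed ports: 443 SCADA web server, 8443 MES, 5450 historian replication.
ALLOW = {
    ("INTERNET", "DMZ", "tcp", 443):  "SCADA web server (external users)",
    ("IT",       "DMZ", "tcp", 443):  "SCADA web server (IT users)",
    ("IT",       "DMZ", "tcp", 8443): "MES",
    ("IT",       "DMZ", "tcp", 5450): "replicated historian, read by IT",
    ("OT",       "DMZ", "tcp", 5450): "historian replication, pushed from OT",
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; unknown ranges are the untrusted Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> tuple:
    """Return ("ALLOW"|"DROP", reason) for a new connection attempt."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("ALLOW", f"same zone ({src}), not routed through the firewall")
    service = ALLOW.get((src, dst, proto.lower(), dst_port))
    if service is None:
        return ("DROP", f"no rule for {src} -> {dst} {proto}/{dst_port}")
    return ("ALLOW", f"{src} -> {dst}: {service}")


SAMPLES = [  # constructed connection attempts
    ("203.0.113.7",  "202.168.1.10", "tcp", 443),   # Internet user -> SCADA web in DMZ
    ("192.168.1.20", "202.168.1.10", "tcp", 443),   # IT user -> SCADA web in DMZ
    ("192.168.1.20", "193.167.1.50", "tcp", 502),   # IT host straight to a PLC
    ("193.167.1.10", "202.168.1.20", "tcp", 5450),  # OT historian pushes to DMZ replica
    ("202.168.1.20", "193.167.1.10", "tcp", 5450),  # DMZ replica tries to reach OT
    ("203.0.113.7",  "193.167.1.50", "tcp", 502),   # Internet -> PLC
]


def run_samples() -> list:
    """Evaluate every constructed flow and return (verdict, reason) pairs."""
    return [evaluate(*flow) for flow in SAMPLES]


if __name__ == "__main__":
    for flow, (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{flow[0]} -> {flow[1]} {flow[2]}/{flow[3]}: {verdict} ({reason})")
```

The point to notice is that the third flow is dropped not because port 502 is filtered but because no IT -> OT rule exists at all; the DMZ hosts are reachable from IT and from outside, yet a compromised DMZ server still cannot open a connection into OT.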

 

5. Incorporate industrial DPI (Deep Packet Inspection) firewalls between the SCADA servers and the PLCs to guarantee the security of the process against possible threats and malicious actions.

Industrial DPI firewalls sit between the SCADA servers and the PLCs, protecting the controllers and therefore the process itself. Because they inspect packet contents, they can be configured to permit only the industrial protocol actually in use between a given SCADA server and a given PLC (Modbus, Profinet, OPC, Ethernet/IP, DNP3) and to drop everything else. Most malware spreads over ordinary IT protocols rather than over industrial ones, so that traffic is simply never forwarded into the PLC segment.

In addition, traffic that does not conform to the specification of the selected industrial protocol (for example malformed frames or inconsistent header fields) can be dropped, and rules can be defined per function code for protocols such as Modbus or Ethernet/IP. For example, if the protocol in use is Modbus TCP/IP, a rule can forbid a given master from sending function code 05 (Write Single Coil) or 06 (Write Single Register) to a slave, so that a compromised or misconfigured host on the SCADA side can still read process values but cannot change the state of outputs.

Figure: Industrial DPI (Deep Packet Inspection) firewalls
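The Modbus rule described above can be made concrete. The following Python code, added here and not taken from the original article, parses a Modbus/TCP request (MBAP header plus PDU), drops frames that do not conform to the Modbus/TCP framing rules, and then applies a per master/slave allowlist of function codes; the "no 05 and no 06" rule is expressed as an allowlist of read-only codes, which is stricter than a bare denylist and is a design choice of this example. The addresses, the policy and the sample frames are constructed for illustration.

```python
"""Modbus/TCP deep-packet-inspection filter (added example, constructed data).

A Modbus/TCP request is an MBAP header (transaction id, protocol id,
length, unit id) followed by the PDU (function code + data). The filter
drops anything that is not well-formed Modbus/TCP and then applies a
per master/slave allowlist of function codes, with default deny.
"""
import struct

MBAP_LEN = 7            # 2 + 2 + 2 + 1 bytes
MAX_LENGTH_FIELD = 254  # ADU is at most 260 bytes; the length field excludes the first 6

FUNCTION_NAMES = {
    0x01: "Read Coils", 0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers", 0x04: "Read Input Registers",
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
}

# Constructed policy: the SCADA server (master) may only read from the PLC (slave).
# Keyed by (master_ip, slave_ip); any pair without an entry is denied.
POLICY = {
    ("193.167.1.10", "193.167.1.50"): {0x01, 0x02, 0x03, 0x04},
}


def parse_modbus_tcp(payload: bytes) -> dict:
    """Parse MBAP header + PDU; raise ValueError on anything non-conformant."""
    if len(payload) < MBAP_LEN + 1:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack("!HHHB", payload[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"protocol id {proto:#06x} is not Modbus (must be 0)")
    if length > MAX_LENGTH_FIELD:
        raise ValueError(f"length field {length} exceeds the Modbus maximum")
    # The length field counts unit id + PDU, i.e. everything after the first 6 bytes.
    if len(payload) != 6 + length:
        raise ValueError(f"length field {length} but {len(payload) - 6} bytes follow")
    fc = payload[MBAP_LEN]
    if fc == 0 or fc & 0x80:  # 0 is reserved; high bit marks an exception response
        raise ValueError(f"function code {fc:#04x} is not valid in a request")
    return {"tid": tid, "unit": unit, "fc": fc, "data": payload[MBAP_LEN + 1:]}


def inspect(src_ip: str, dst_ip: str, payload: bytes, policy=POLICY) -> tuple:
    """Return ("ALLOW"|"DROP", reason) for one request from src_ip to dst_ip."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as err:
        return ("DROP", f"non-conformant Modbus/TCP: {err}")
    allowed = policy.get((src_ip, dst_ip))
    if allowed is None:
        return ("DROP", f"no rule permits {src_ip} to talk Modbus to {dst_ip}")
    fc = frame["fc"]
    name = FUNCTION_NAMES.get(fc, "unknown")
    if fc not in allowed:
        return ("DROP", f"function code {fc:#04x} ({name}) not permitted for this pair")
    return ("ALLOW", f"{name} (fc {fc:#04x}) to unit {frame['unit']}")


# Constructed sample traffic: (master, slave, TCP payload on port 502)
SAMPLES = [
    ("193.167.1.10", "193.167.1.50", bytes.fromhex("00010000000601030000000a")),  # read 10 holding registers
    ("193.167.1.10", "193.167.1.50", bytes.fromhex("00020000000601050013ff00")),  # write single coil 19 := ON
    ("193.167.1.10", "193.167.1.50", bytes.fromhex("000300000006010600010003")),  # write single register 1 := 3
    ("193.167.1.10", "193.167.1.50", bytes.fromhex("000400010006010300000001")),  # protocol id 1, not Modbus
    ("193.167.1.10", "193.167.1.50", bytes.fromhex("000500000009010300000001")),  # length field does not match
    ("193.167.1.10", "193.167.1.50", b"GET / HTTP/1.1\r\nHost: plc\r\n\r\n"),       # IT protocol sent to port 502
    ("192.168.1.20", "193.167.1.50", bytes.fromhex("00060000000601030000000a")),  # IT host with no rule
]


def run_samples() -> list:
    """Inspect every constructed frame and return (verdict, reason) pairs."""
    return [inspect(src, dst, payload) for src, dst, payload in SAMPLES]


if __name__ == "__main__":
    for (src, dst, _), (verdict, reason) in zip(SAMPLES, run_samples()):
        print(f"{src} -> {dst}: {verdict} ({reason})")
```

Only the first frame passes: the two writes are valid Modbus but hit the function-code rule, the next three fail conformance (wrong protocol identifier, lying length field, HTTP bytes on the Modbus port), and the last is a well-formed read from a host with no master/slave entry.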

 

We hope that these recommendations for the deployment of secure OT Networks have been useful to you.