In Information Technology (IT) environments, the Demilitarized Zone (DMZ) is used as a buffer between external and internal networks so that no host in one zone can reach a host in the other directly. The DMZ hosts the services that must be reachable from outside, such as web servers, and only those services. For an ICS environment, it is equally important to create this security boundary between the ICS network and the Business network, as an Industrial DMZ (IDMZ). One reason this matters is that an incident on the IT (Business) network can spread into the ICS network; a large proportion of ICS incidents begin as IT incidents on the Business network that escalate across an unenforced boundary.
Firewalls are used in an IDMZ to create the enforcement boundary between the Enterprise and Control networks. This solution has been validated with a specific set of firewall access-list rules that restrict the flow of data between the Enterprise and Control networks to the traffic needed for basic functionality between ISV components and for access to ISV resources. Consistent with the purpose of the IDMZ, no rule should permit a flow directly from the Enterprise network to the Control network or vice versa; permitted flows terminate on a host in the IDMZ, and anything not explicitly permitted is denied. Users must account for any unique requirements of their own environments, as well as the list of expected ports, protocols, and services for each software component in the solution. Once the IDMZ firewall is in place, it is essential to confirm and test each use case against the rules rather than assume the rules are correct. It is also recommended to capture a baseline of expected traffic across the boundary and use it to tighten these rules (removing permits that no legitimate flow exercises) or to define the additional rules a use case genuinely needs.
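The following is an added example, not code from the original page or from the ISV solution it describes. It models the IDMZ access-list policy as zone-pair rules with an implicit deny, audits the policy for any rule that would permit Enterprise-to-Control traffic directly, and compares the policy against a traffic baseline. The zone prefixes, hosts, ports, rule descriptions and the flow records are all constructed assumptions for illustration; a real deployment substitutes the ports, protocols and services listed for its own components.

```python
"""Model and audit an IDMZ firewall policy (added example; all addressing,
ports and flow records are constructed assumptions, not from the page)."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed zone addressing for the three networks that meet at the IDMZ firewall.
ZONES = {
    "enterprise": ip_network("10.1.0.0/16"),
    "idmz": ip_network("10.2.0.0/24"),
    "control": ip_network("10.3.0.0/16"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    action: str   # "permit" or "deny"
    note: str = ""


# Assumed policy. Every permit terminates in the IDMZ; nothing pairs
# Enterprise with Control directly. First match wins; unmatched traffic is denied.
POLICY = [
    Rule("enterprise", "idmz", "tcp", 443, "permit", "users to IDMZ remote-access gateway"),
    Rule("idmz", "control", "tcp", 3389, "permit", "gateway to engineering workstation"),
    Rule("control", "idmz", "tcp", 5432, "permit", "historian pushes to IDMZ replica"),
    Rule("enterprise", "idmz", "tcp", 5432, "permit", "reporting reads IDMZ replica"),
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def first_match(policy, src_ip, dst_ip, proto, dport) -> Optional[int]:
    """Index of the first rule matching the flow, or None (implicit deny).
    Traffic from an unknown zone, or that stays inside one zone, never
    matches: the former is denied, the latter does not cross the boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None or src == dst:
        return None
    for i, r in enumerate(policy):
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (src, dst, proto, dport):
            return i
    return None


def evaluate(policy, src_ip, dst_ip, proto, dport) -> str:
    """Return "permit" or "deny" for one flow under first-match, default-deny."""
    i = first_match(policy, src_ip, dst_ip, proto, dport)
    return policy[i].action if i is not None else "deny"


def audit(policy) -> list:
    """Flag permits that bypass the IDMZ, i.e. pair Enterprise and Control directly."""
    return [
        f"direct Enterprise<->Control permit: {r}"
        for r in policy
        if r.action == "permit" and {r.src_zone, r.dst_zone} == {"enterprise", "control"}
    ]


FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")

# Constructed flow records in a syslog-like layout (not real logs).
SAMPLE_FLOWS = """\
2024-05-01T08:00:01Z src=10.1.5.20 dst=10.2.0.10 proto=tcp dport=443
2024-05-01T08:00:02Z src=10.2.0.10 dst=10.3.1.15 proto=tcp dport=3389
2024-05-01T08:00:03Z src=10.3.1.40 dst=10.2.0.20 proto=tcp dport=5432
2024-05-01T08:00:04Z src=10.1.5.21 dst=10.3.1.15 proto=tcp dport=3389
2024-05-01T08:00:05Z src=10.1.5.22 dst=10.2.0.30 proto=udp dport=123
"""


def parse_flows(text: str) -> list:
    """Extract (src, dst, proto, dport) tuples from flow log lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.search(line)
        if m:
            src, dst, proto, dport = m.groups()
            flows.append((src, dst, proto, int(dport)))
    return flows


def baseline_report(policy, flows):
    """Compare observed flows with the policy.

    Returns (denied, unused): flows the policy blocks, each of which the
    operator must classify as either a missing use case or unwanted traffic,
    and permit rules no observed flow exercised, which are candidates for removal."""
    denied, hit = [], set()
    for flow in flows:
        i = first_match(policy, *flow)
        if i is not None and policy[i].action == "permit":
            hit.add(i)
        else:
            denied.append(flow)
    unused = [r for i, r in enumerate(policy) if r.action == "permit" and i not in hit]
    return denied, unused


if __name__ == "__main__":
    print("audit findings:", audit(POLICY))
    denied, unused = baseline_report(POLICY, parse_flows(SAMPLE_FLOWS))
    print("denied by policy:", denied)
    print("permits never exercised:", unused)
```

In the constructed sample, the direct Enterprise-to-Control RDP attempt and the NTP flow to the IDMZ both land in the denied list for the operator to classify, and the reporting-to-replica permit is reported as unused because no baseline flow hit it; both outputs are the input to the rule-tightening step the text recommends.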