
Industrial DMZ

Industrial DMZ is a demilitarized zone positioned between IT and OT networks that controls and inspects all traffic crossing the IT/OT boundary. It prevents direct communication between enterprise systems and industrial control systems by requiring all data exchanges to pass through intermediary services hosted within the DMZ.

How an industrial DMZ works

An industrial DMZ follows the same conceptual principle as a traditional IT DMZ but addresses constraints specific to OT environments. In a standard IT DMZ, web servers and mail relays sit between the internet and the internal network, terminating external connections and initiating new internal connections so that no single session spans both zones. An industrial DMZ applies this pattern to the IT/OT boundary.

Within the industrial DMZ, intermediary services broker all communication between the enterprise and the plant floor. A historian mirror might replicate process data from the OT historian to a read-only copy that enterprise BI tools can query. A patch management relay might stage firmware updates downloaded from vendor sites on the IT side, then push them to OT assets on a controlled schedule. A remote access jump server might terminate VPN sessions from corporate users and establish separate, audited sessions into the OT network.

The critical design requirement is that no single network session should traverse the DMZ end to end. An enterprise user connects to the jump server in the DMZ. The jump server then opens a separate connection to the target OT asset. This session break prevents an attacker who compromises an enterprise system from establishing a direct path to OT controllers.

Unlike a standard IT DMZ, an industrial DMZ must account for OT protocol characteristics. Protocols such as Modbus TCP, EtherNet/IP, and OPC UA have different latency tolerances, session behaviors, and security capabilities than HTTP or SMTP. The DMZ architecture must not introduce latency or jitter that could disrupt real-time control loops.

OT and industrial context

A food and beverage manufacturer running a Level 3 MES platform that needs to send production counts to the Level 4 ERP would deploy an industrial DMZ between the two. The MES pushes data to a database relay in the DMZ. The ERP pulls from that relay. Neither system communicates directly with the other. If the ERP is compromised by ransomware, the attacker cannot pivot through it to reach the MES or the PLCs behind it.

In water and wastewater, SCADA systems that report telemetry to state regulators often require an internet-facing data export path. An industrial DMZ with a unidirectional gateway (data diode) can ensure that data flows out of the OT network to the reporting server without allowing any inbound connection from the external network.

Common implementation patterns include:

  • Data diodes and unidirectional gateways: Hardware-enforced one-way data flow from OT to IT, physically preventing any return path.
  • Proxy-based DMZ: Application-layer proxies that parse, validate, and re-create protocol messages at the DMZ boundary.
  • Jump server DMZ: Remote access is terminated in the DMZ and re-initiated as a separate session into the OT zone.
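The proxy-based pattern above, together with the session-break requirement described earlier, can be made concrete with a small Modbus TCP broker. The code below is an added example written for this glossary entry, not Trout's code or any product's implementation. It assumes a constructed boundary policy in which the enterprise side may only issue read requests (Modbus function codes 1 to 4 are public protocol values; the policy itself is an assumption), parses each inbound frame, validates it, and then builds a fresh frame with a DMZ-assigned transaction id for the OT side, so no inbound bytes are ever copied across the boundary.

```python
import struct

# Modbus TCP wire constants (public protocol values, not taken from the page)
MBAP_LEN = 7                   # transaction id (2) + protocol id (2) + length (2) + unit id (1)
PROTOCOL_ID_MODBUS = 0
MAX_COILS_PER_READ = 2000      # protocol limit for FC 1/2
MAX_REGISTERS_PER_READ = 125   # protocol limit for FC 3/4

# Boundary policy (constructed for this example): the enterprise side may only
# read. Every write function code is dropped at the DMZ, whatever the payload.
ALLOWED_READ_FUNCTIONS = {1: MAX_COILS_PER_READ, 2: MAX_COILS_PER_READ,
                          3: MAX_REGISTERS_PER_READ, 4: MAX_REGISTERS_PER_READ}


class PolicyViolation(Exception):
    """Raised when a frame is malformed or asks for something the policy forbids."""


def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse an MBAP header plus PDU; reject frames whose structure is inconsistent."""
    if len(frame) < MBAP_LEN + 1:
        raise PolicyViolation("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != PROTOCOL_ID_MODBUS:
        raise PolicyViolation(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts the unit id and the PDU; it must match the wire
    if length != len(frame) - 6:
        raise PolicyViolation("MBAP length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    return {"transaction_id": tid, "unit_id": unit, "function": pdu[0], "data": pdu[1:]}


def validate_read_request(msg: dict) -> tuple:
    """Apply the read-only policy and bounds checks; return (start, quantity)."""
    fc = msg["function"]
    if fc not in ALLOWED_READ_FUNCTIONS:
        raise PolicyViolation(f"function code {fc} not permitted across the IT/OT boundary")
    if len(msg["data"]) != 4:
        raise PolicyViolation("read request must carry exactly start address and quantity")
    start, quantity = struct.unpack(">HH", msg["data"])
    if not 1 <= quantity <= ALLOWED_READ_FUNCTIONS[fc]:
        raise PolicyViolation(f"quantity {quantity} outside protocol limit for FC {fc}")
    if start + quantity > 0x10000:
        raise PolicyViolation("address range runs past the end of the address space")
    return start, quantity


def build_modbus_tcp(transaction_id: int, unit_id: int, function: int, data: bytes) -> bytes:
    """Serialise a fresh frame from validated fields (never copies the inbound bytes)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", transaction_id, PROTOCOL_ID_MODBUS, len(pdu) + 1, unit_id) + pdu


class DmzModbusProxy:
    """Brokers enterprise-side Modbus requests toward the OT zone.

    Each inbound frame is parsed and validated, then a new frame is built with a
    DMZ-assigned transaction id, so the OT-side session carries only fields the
    proxy itself produced. This is the session break in code form.
    """

    def __init__(self):
        self._next_tid = 1
        self.audit_log = []   # one entry per decision, for the boundary's audit trail

    def handle(self, enterprise_frame: bytes) -> dict:
        try:
            msg = parse_modbus_tcp(enterprise_frame)
            start, quantity = validate_read_request(msg)
        except PolicyViolation as exc:
            self.audit_log.append(("drop", str(exc)))
            return {"action": "drop", "reason": str(exc)}
        ot_tid = self._next_tid
        self._next_tid = (self._next_tid % 0xFFFF) + 1   # stay within 1..65535
        ot_frame = build_modbus_tcp(ot_tid, msg["unit_id"], msg["function"],
                                    struct.pack(">HH", start, quantity))
        self.audit_log.append(("forward", msg["function"], start, quantity))
        return {"action": "forward", "ot_frame": ot_frame}


# Constructed sample frames (not captured traffic)
READ_HOLDING_REGS = bytes.fromhex("1234 0000 0006 01 03 0000 000a")  # FC3, 10 registers from 0
WRITE_SINGLE_REG = bytes.fromhex("1235 0000 0006 01 06 0000 0001")   # FC6, a write request
BAD_LENGTH_FIELD = bytes.fromhex("1236 0000 0009 01 03 0000 000a")   # length says 9, wire has 6

if __name__ == "__main__":
    proxy = DmzModbusProxy()
    for name, frame in [("read", READ_HOLDING_REGS), ("write", WRITE_SINGLE_REG),
                        ("bad-length", BAD_LENGTH_FIELD)]:
        print(name, proxy.handle(frame))
```

The design choice that matters is in `build_modbus_tcp`: the OT-side frame is assembled only from fields the proxy has already parsed and checked, so an oversized length field, an unexpected protocol id, or a write function code never reaches the controller. A production broker would also pin the OT-side socket to a fixed set of unit ids and addresses and would be placed behind the DMZ firewall rules, but the parse-validate-recreate sequence is the part that distinguishes an application-layer proxy from a packet forwarder.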

Compliance relevance

The IEC 62443 zones-and-conduits model explicitly calls for a conduit (the DMZ) between the enterprise zone and the control zone, with defined security requirements for that conduit. NERC CIP-005 requires Electronic Security Perimeters with Electronic Access Points, which function as DMZ enforcement mechanisms. NIST SP 800-82 recommends an industrial DMZ as a best practice for IT/OT boundary protection. NIS2 obligations for network and information system segmentation are supported by documented DMZ architectures.

Access Gate connection

Access Gate enforces IT/OT boundary controls by creating overlay-based DMZ segments in which intermediary services broker all cross-boundary traffic, without requiring inline appliances in the production network path.