
Industrial DMZ Design Patterns.

From flat networks to proxy-based segmentation — architectures that protect legacy OT without replacing equipment.

Industrial Networks Were Built for Reliability, Not Security

Early automation networks were closed, purpose-built ecosystems. When Ethernet and TCP/IP entered plants, they were overlaid onto environments that retained their original assumptions — stability and availability above all.

The Traditional DMZ Became a Shared Services Zone

Originally designed for a narrow problem, the Level-3.5 DMZ accumulated responsibilities it was never built to carry — historians, patch servers, remote access tools — gradually forming another trusted environment with its own complexity.

Security Depended on Configuration Discipline

As industrial connectivity expanded, the centralized DMZ became a convergence point for unrelated workflows. Architectural clarity gave way to operational convenience. Security became a matter of configuration hygiene.

Field Assessments Confirm the Gap

The majority of critical OT incidents originate from authorized engineering pathways rather than unauthorized network intrusion.

From Boundaries to Interaction Control

Industrial Security Risk Is Defined by Interactions, Not Asset Location.

A controller sharing telemetry carries fundamentally different risk than that same controller accepting configuration changes — even if both occur over the same network segment.

Operational Context Matters

Understanding intent is more important than mapping topology. Security must evaluate what a connection does, not just where it goes.

Segmentation Alone Is Insufficient

Network boundaries reduce exposure but cannot distinguish acceptable from unsafe connectivity. Effective security requires mediation — explicit, constrained, purpose-aligned exchanges.

Infrastructure Evolves Toward Controlled Movement

Transportation networks rely on signaling and checkpoints to regulate behavior without redesigning the roads. Industrial cybersecurity follows the same principle: supervise interactions rather than attempting to separate systems entirely.

The Architecture

A Distributed Mediation Layer.

Security Introduced at the Moment of Interaction.

The Industrial DMZ must evolve into a distributed control layer that mediates interactions between systems while leaving those systems fundamentally unchanged. Security is introduced through carefully placed enforcement points that respect the operational character of industrial infrastructure.

Diagram: distributed mediation, each interaction governed. Inline mediation enforcement points, all active, sit in front of PLC-1, HMI-2, RTU-3, SCADA, HIST and SIS-4. Mediation layer status: 6 assets governed. Network topology: unchanged.

Design Patterns

Four Patterns for Securing OT Without Redesign.

Inline Mediation

Same path, different risk — inline mediation conceptual diagram
Whitepaper

Download the Full Design Patterns Guide.

Get the complete guide: the limits of the traditional DMZ, four design patterns for proxy-based segmentation, and how to apply Zero Trust principles without altering plant networks.


What You'll Learn

How industrial networks came to look the way they do. Why the centralized DMZ concept fails at scale. Four design patterns — inline mediation, functional segmentation, overlay connectivity, and operational observability — that introduce control without operational disruption.

9 pages

Apply It With Access Gate

Access Gate implements all four design patterns as a single inline appliance — no network redesign, no agent installation, no changes to existing OT assets.

FAQ

Common Questions About Industrial DMZ Design.

Four design patterns for securing OT environments. Each addresses a distinct architectural challenge: deployment, segmentation, overlay, and observability.

Inline mediation places an enforcement device directly between two communicating systems without requiring either system to be reconfigured. In OT environments where downtime is unacceptable and equipment lifecycles span decades, this matters because security can be introduced into existing signal paths — exactly the way industrial plants already add instrumentation and safety interlocks — without disrupting the process.

VLAN-based segmentation divides address spaces. Functional segmentation defines policy based on operational intent. A maintenance session, a telemetry feed, and a configuration update may traverse the same physical cable, but they carry fundamentally different risk. Functional segmentation allows policy to describe which operational actions are permitted under which circumstances — not just which subnet may speak to another.
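The distinction above, and the point made earlier that a controller sharing telemetry carries different risk than the same controller accepting configuration changes, can be made concrete in code. The following is an added example written for this page, not Trout's code and not how Access Gate is implemented: a minimal decision function for an inline mediation point that parses a Modbus/TCP request, classifies it by operational intent (telemetry read, control write, diagnostic), and decides per interaction against a policy keyed on requester identity, target asset and operational state, rather than on subnet. Everything beyond the public Modbus function-code meanings is an assumption: the asset names (PLC-1), the requester identities (historian, eng-workstation), the maintenance-window flag, the policy table and the sample frames are all constructed for illustration. Malformed frames and unknown function codes are denied by default, and every decision produces an audit record, which is the observability side of the same enforcement point.

```python
"""Added example: intent-based policy for an inline OT mediation point.

Not Trout's or Access Gate's code. Asset names, identities, the policy table,
the maintenance-window flag and the sample frames are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
import struct


class Intent(Enum):
    TELEMETRY_READ = "telemetry_read"
    CONTROL_WRITE = "control_write"
    DIAGNOSTIC = "diagnostic"
    UNKNOWN = "unknown"


# Public Modbus function codes, grouped by what the operation does to the asset.
READ_CODES = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_CODES = {5, 6, 15, 16, 22, 23}  # write coil(s) / register(s); 23 writes as well as reads
DIAG_CODES = {7, 8, 11, 12, 17, 43}   # exception status, diagnostics, event counters, device id


def parse_modbus_tcp(frame: bytes):
    """Parse the MBAP header and function code. Returns (unit_id, function_code, pdu).

    Raises ValueError on anything that does not look like a well-formed request,
    so the caller can fail closed instead of guessing.
    """
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"unexpected protocol id {pid}")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field disagrees with frame size")
    return unit, frame[7], frame[7:]


def classify(function_code: int) -> Intent:
    """Map a function code to operational intent; anything unrecognised is UNKNOWN."""
    if function_code in WRITE_CODES:
        return Intent.CONTROL_WRITE
    if function_code in READ_CODES:
        return Intent.TELEMETRY_READ
    if function_code in DIAG_CODES:
        return Intent.DIAGNOSTIC
    return Intent.UNKNOWN


@dataclass(frozen=True)
class Context:
    source: str               # requester identity, assumed authenticated by the mediation point
    target: str               # OT asset behind the enforcement point
    maintenance_window: bool  # operational state the policy may condition on (assumed input)


# Constructed policy: (source, target, intent, condition). Absent entry means deny.
POLICY = [
    ("historian", "PLC-1", Intent.TELEMETRY_READ, lambda ctx: True),
    ("eng-workstation", "PLC-1", Intent.DIAGNOSTIC, lambda ctx: True),
    ("eng-workstation", "PLC-1", Intent.CONTROL_WRITE, lambda ctx: ctx.maintenance_window),
]


def decide(frame: bytes, ctx: Context) -> dict:
    """Return an audit record with the decision for one request on this path."""
    record = {"source": ctx.source, "target": ctx.target, "decision": "deny"}
    try:
        unit, fc, _pdu = parse_modbus_tcp(frame)
    except ValueError as exc:
        record["reason"] = f"malformed: {exc}"
        return record
    intent = classify(fc)
    record.update({"unit": unit, "function_code": fc, "intent": intent.value})
    for src, tgt, allowed_intent, cond in POLICY:
        if (src, tgt, allowed_intent) == (ctx.source, ctx.target, intent) and cond(ctx):
            record["decision"] = "allow"
            break
    else:
        record["reason"] = "no policy permits this intent for this source/target/state"
    return record


# Constructed sample frames (MBAP header + PDU), unit id 1.
READ_FRAME = bytes.fromhex("000100000006 01 03 0000 000A".replace(" ", ""))    # read 10 holding registers
WRITE_FRAME = bytes.fromhex("000200000006 01 06 0001 1234".replace(" ", ""))   # write single register
MULTI_WRITE_FRAME = bytes.fromhex("000300000009 01 10 0000 0001 02 1234".replace(" ", ""))

if __name__ == "__main__":
    for label, frame, ctx in [
        ("historian read", READ_FRAME, Context("historian", "PLC-1", False)),
        ("historian write", WRITE_FRAME, Context("historian", "PLC-1", False)),
        ("eng write, no window", MULTI_WRITE_FRAME, Context("eng-workstation", "PLC-1", False)),
        ("eng write, in window", MULTI_WRITE_FRAME, Context("eng-workstation", "PLC-1", True)),
    ]:
        print(label, "->", decide(frame, ctx))
```

The same cable carries all four requests; only the intent and the operational state differ, and that is what the decision turns on. A real mediation point would also have to establish the requester identity and the maintenance-window state from somewhere trustworthy, which this example takes as given inputs.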

An overlay adds an additional logical layer that governs trust relationships without altering physical infrastructure. Switching, routing, IP addressing, and VLANs remain completely unchanged. Access Gate establishes authenticated, encrypted communication paths as an overlay — leaving the existing network exactly as it is while adding identity and policy enforcement above it.

Yes. The four design patterns described in this whitepaper support compliance through mediation rather than migration. Inline enforcement provides the access control and audit trail required by NIS2 and CMMC. Functional segmentation supports IEC 62443 zone and conduit models. All without requiring infrastructure redesign or equipment replacement.

Correct. The inline mediation pattern requires no modification to endpoints — legacy PLCs, HMIs, RTUs, and SCADA systems that cannot run modern security software are protected through the proxy layer. The OT asset communicates exactly as it always has; enforcement happens at the Access Gate, not on the device itself.