In industrial and manufacturing cybersecurity, a DMZ (demilitarized zone) is a logically separate network segment placed between two networks with different trust levels, most commonly between the corporate IT network and the industrial control system (ICS/OT) network.
The DMZ is designed so that neither side can directly initiate unrestricted connections to the other. Instead, communication passes through controlled services hosted in the DMZ, such as application proxies, jump servers, data historians, or file transfer gateways. This limits the impact of a compromise on one side and reduces the attack surface of critical production systems.
Key characteristics in manufacturing environments
In regulated and industrial settings, a DMZ commonly:
- Sits between the enterprise IT network and OT/ICS zones, often behind industrial firewalls.
- Hosts intermediaries such as:
  - Data historians or replication nodes that receive OT data and publish it to IT systems.
  - Application gateways or APIs for MES/ERP integration with plant-floor systems.
  - Jump servers or remote access gateways used for vendor or maintenance access.
  - File transfer servers used for exchanging recipes, batch records, or reports.
- Enforces strict, predefined traffic rules (for example, one-way data flows from OT to IT for monitoring).
- Supports the zones-and-conduits model of standards such as IEC 62443 by acting as a controlled conduit between zones of differing criticality and trust.
What a DMZ is and is not
- Is: A network architecture pattern and dedicated segment used to isolate and broker traffic between networks with different risk profiles.
- Is not: A single product or device. Firewalls, proxies, and servers can be components of a DMZ, but none of them alone is the DMZ.
- Is not: A replacement for zoning within OT. Internal OT zones (for example, safety systems vs. basic control vs. monitoring) are still typically segmented separately, even if they connect to higher-level systems via the DMZ.
Operational role
Practically, a DMZ appears in workflows when:
- Plant data needs to be shared with enterprise systems (MES, ERP, analytics) without exposing controllers and HMIs directly to the IT network or the internet.
- Remote support or vendor access is required, and is routed first through a controlled jump host and authentication layer rather than directly into the control network.
- Regulated environments need to demonstrate structured segmentation between business and control networks as part of risk management and alignment with cybersecurity frameworks.
Common confusion
- DMZ vs. firewall: A firewall is a device or function that enforces traffic rules. A DMZ is a network segment whose boundaries are typically enforced by one or more firewalls.
- DMZ vs. OT zone: An OT security zone groups assets with similar security requirements inside the industrial network. A DMZ is usually a separate, intermediary zone between OT and IT, not a replacement for OT-internal zoning.
- DMZ vs. VLAN: A VLAN is a Layer 2 segmentation mechanism. A DMZ is a higher-level security design concept. A DMZ may use one or more VLANs, but the terms are not interchangeable.
Relation to IEC 62443 zoning
Under IEC 62443 concepts, a DMZ is typically treated as its own security zone or set of zones with distinct security requirements. It functions as a controlled conduit between lower-level OT zones and higher-level IT or external zones, helping to isolate critical control assets while still enabling data exchange and integration.
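The zoning and conduit model above can be checked mechanically against a firewall rule set: every allow rule must map onto a predefined (source zone, destination zone, port) conduit, and no rule may join IT and OT without a DMZ host in between. The following audit script is an added example, not code from the article or from any standard; the zone subnets, conduit ports and sample rules are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple
# Constructed zone map (not from the article): the subnets behind the industrial firewalls.
ZONES = {
    "IT": ipaddress.ip_network("10.1.0.0/16"),
    "DMZ": ipaddress.ip_network("10.2.0.0/24"),
    "OT": ipaddress.ip_network("192.168.10.0/24"),
}

# Predefined conduits: (source zone, destination zone) -> ports that may be opened.
# IT<->OT is deliberately absent: every such path must be brokered by a DMZ host.
# Ports are assumptions: 5450 for historian replication, 3389 for RDP via the jump host.
CONDUITS = {
    ("OT", "DMZ"): {5450},       # one-way data flow into the DMZ historian
    ("DMZ", "IT"): {443},        # IT systems read published data over HTTPS
    ("IT", "DMZ"): {443, 3389},  # MES/ERP integration and operators reaching the jump host
    ("DMZ", "OT"): {3389},       # jump host onward to plant-floor systems
}
Rule = namedtuple("Rule", "src dst port action")  # src/dst are CIDRs, action is allow|deny
def zone_of(cidr):
    """Map a CIDR to its zone; anything not fully inside one zone (e.g. 'any') is UNKNOWN."""
    net = ipaddress.ip_network(cidr)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "UNKNOWN"

def audit(rules):
    """Return (rule, reason) for each allow rule that is not a predefined conduit."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        pair = (zone_of(r.src), zone_of(r.dst))
        ports = CONDUITS.get(pair)
        if ports is None:
            findings.append((r, f"{pair[0]}->{pair[1]} is not a defined conduit"))
        elif r.port not in ports:
            findings.append((r, f"port {r.port} is not permitted on {pair[0]}->{pair[1]}"))
    return findings
SAMPLE_RULES = [  # constructed sample rule set to audit
    Rule("192.168.10.0/24", "10.2.0.10/32", 5450, "allow"),  # OT -> DMZ historian: fine
    Rule("10.1.0.0/16", "10.2.0.20/32", 3389, "allow"),      # IT -> DMZ jump host: fine
    Rule("10.2.0.20/32", "192.168.10.0/24", 3389, "allow"),  # jump host -> OT: fine
    Rule("10.1.50.0/24", "192.168.10.5/32", 502, "allow"),   # IT straight to a controller: flagged
    Rule("0.0.0.0/0", "10.2.0.10/32", 443, "allow"),         # source "any": flagged as UNKNOWN
    Rule("192.168.10.0/24", "10.2.0.10/32", 22, "allow"),    # OT -> DMZ on an unlisted port: flagged
    Rule("10.1.0.0/16", "192.168.10.0/24", 0, "deny"),       # explicit deny: not audited
]
```

Running `audit(SAMPLE_RULES)` reports the three rules that bypass the DMZ, use an unmapped "any" source, or open a port outside the agreed conduit; the same check can be run against an exported rule base before a change is approved.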