Key directive: One or more DMZs are needed for the most secure, manageable, and scalable segregation of control and corporate networks.
The recent adoption of a new NIS 2 Directive by the European Commission is a sign of the times. Beset by a world-wide pandemic, many companies across the EU have turned to digital technologies to allow their workforce to stay productive, and to facilitate access to valuable production data. This has led to unprecedented levels of industrial data being passed between company networks and across the Internet, increasing the risk of exposure to malicious intruders.
To combat the threat, the European Commission has accepted revisions to the Directive on Security of Network and Information Systems (NIS), now calling it NIS 2. Among other things, this document mandates a number of basic security elements, including standards for networking data between the production and corporate levels of a company.
The Commission has tasked ENISA, the European Union Agency for Network and Information Security, with implementing the standards. In pursuit of this mandate, ENISA relies on the expertise of three well-known bodies, NIST, ISO, and ISA to provide detailed descriptions of how network security should be implemented, as published in its Mapping of OES Security Requirements to Specific Sectors document.
For example, the recommended way to bring process data into the corporate office is summed up in NIST document SP-800-82. It says: “The most secure, manageable, and scalable control network and corporate network segregation architectures are typically based on a system with at least three zones, incorporating one or more DMZs.”
These three zones are the control zone (OT), the corporate zone (IT), and the DMZ itself. The document describes the value and use of firewalls to separate these zones, and to ensure that only the correct data passes from one to the other. Using a DMZ ensures that there is no direct link between corporate networks and control networks, and that only known and authenticated actors can enter the system at all.
Skkynet recommends using a DMZ for OT/IT networking, and provides the software needed to seamlessly pass industrial data across a DMZ-enabled connection. Most industrial protocols require opening a firewall to access the data, but Skkynet’s patented DataHub architecture keeps all inbound firewall ports closed on both the control and corporate sides, while still allowing real-time, two-way data communication through the DMZ.
Unlike MQTT, which cannot reliably daisy-chain connections across the three zones as ENISA recommends, the DataHub maintains a complete copy of the data and connection status from the source to final destination. Thus, it provides accurate indicators of data reliability at each zone in the system, along with making the data itself available.
We applaud the European Commission for its no-nonsense stance on cybersecurity with NIS 2, and encourage all EU members, indeed any company expanding its use of corporate networking, Industrie 4.0, or Industrial IoT technologies to adhere closely to the guidance of ENISA, and to implement three-zone security using one or more DMZs.