An industrial DMZ (iDMZ) is a dedicated network zone between the OT (operational technology) network and the IT (enterprise) network. Its one rule: no traffic crosses the IT/OT boundary without terminating in the iDMZ first. Traffic from the enterprise side never reaches a PLC, DCS, or SCADA system directly. Traffic from the OT side never reaches enterprise systems directly. Every data exchange is brokered, inspected, and logged inside the iDMZ.
Last reviewed: 2026Reading time: ~10 minTopics: iDMZ, industrial DMZ, IT/OT boundary, dual firewall, data diode, OPC tunneling, jump server, historian mirror
What is an industrial DMZ?
In traditional IT networking, a DMZ (demilitarized zone) is the network segment between an organization's internal network and the internet, where public-facing services like web servers and email gateways live. The DMZ acts as a buffer: external users can reach services in it, but those services have no direct path into the internal network. The concept was adapted for industrial environments to solve a structurally identical problem at the IT/OT boundary.
An industrial DMZ applies the same principle between the IT enterprise network and the OT industrial control network. The OT network contains PLCs, DCS systems, SCADA, HMIs, safety systems, and all the infrastructure that controls physical processes. The IT network contains ERP systems, business analytics, cloud platforms, and standard enterprise infrastructure. These two zones have fundamentally different security requirements, different tolerance for downtime, different update cycles, and different failure consequences. An iDMZ is the controlled separation point between them.
The iDMZ sits at Level 3.5 of the Purdue Model, between Level 4 (site business/IT) and Level 3 (manufacturing operations). It is not part of the OT network and not part of the IT network. It is a third zone with its own security policy, its own servers, and its own responsibility assignment. Recommended by NIST SP 800-82 Rev. 3, ISA/IEC 62443, and CISA guidance, the iDMZ is the architecture that makes IT/OT data integration possible without creating direct network paths between enterprise systems and industrial control systems.
The defining rule of an iDMZ: traffic from the enterprise network is not allowed to go directly to the industrial side. It has to land in the iDMZ first. And OT systems should never initiate connections toward the enterprise network. The Purdue Model defines the structural context; the iDMZ is where that model's most critical boundary is enforced.
The dual-firewall architecture
The standard iDMZ implementation uses two firewalls in series: an IT-facing firewall between the enterprise network and the iDMZ, and an OT-facing firewall between the iDMZ and the OT network. Using two separate firewalls from different vendors is strongly recommended, because a vulnerability or misconfiguration in one vendor's firmware cannot simultaneously compromise both boundaries.
iDMZ dual-firewall architecture: data flows and zone relationships
This is not a single-firewall configuration with multiple zones. It is two physically separate firewalls. The IT-facing firewall controls what can enter the iDMZ from the enterprise network. The OT-facing firewall controls what can enter the OT network from the iDMZ. This arrangement makes lateral movement from IT to OT significantly harder, because an attacker must compromise two independent boundary devices rather than one.
What belongs in the iDMZ
The iDMZ is not a place to arbitrarily locate servers that "need access to both networks." It has a very specific and narrow purpose: it is where systems that must communicate with both IT and OT reside in order to avoid creating direct connections across the boundary. Every system in the iDMZ must have a clear justification for being there.
📊
Data historians (read-only replicas)
Historian servers that pull data from OT-side sources but are accessible to IT-side analytics and reporting consumers. The iDMZ placement means historians have no persistent connection into the OT zone beyond scheduled data collection.
🔐
Remote access jump servers
Bastion hosts or jump boxes that require explicit authentication before allowing any session into the OT network. Vendors and remote engineers connect to the jump server; the jump server provides controlled, session-specific, recorded access to OT systems.
🔄
OPC tunneling and data transfer endpoints
OPC tunneling endpoints (such as Cogent DataHub) that accept outbound connections from the OT side and expose OPC data to IT consumers. The OT-side instance initiates the outbound connection; no inbound port on the OT network firewall needs to be opened.
📡
MQTT brokers for UNS data transit
An MQTT broker in the iDMZ receives Sparkplug B publications from edge nodes or OPC servers in the OT zone (outbound connections from OT) and exposes topic subscriptions to IT-side consumers. The broker is the single controlled egress point for OT data.
🔧
Patch and update servers
Patch distribution servers that receive updates from IT-side sources and stage them for controlled deployment into OT systems. OT devices never connect directly to the internet to retrieve updates; they pull from the iDMZ-hosted server after IT-side validation.
👁️
OT network monitoring dashboards
Passive OT monitoring tools (Claroty, Dragos, Nozomi) that collect visibility data from the OT network and present it to security operations teams on the IT side. Their management interfaces sit in the iDMZ; their OT-facing sensor taps are passive read-only.
The iDMZ rule: all IT-originated traffic must terminate in the iDMZ. No Level 4 or Level 5 system should ever initiate a connection that reaches Level 3 or below directly. This is not just a best practice; the January 2026 CISA/NCSC-UK joint guidance on OT connectivity explicitly states that all connections with the OT environment should be initiated as outbound connections from within the OT environment. The iDMZ enforces this by acting as the only permitted transit point and by applying deny-all default inbound rules on the OT-facing firewall.
Data flow patterns that respect the iDMZ boundary
Designing data flows that go through the iDMZ rather than around it requires choosing connectivity methods that support the controlled, outbound-only architecture. These four patterns are the standard approaches for secure IT/OT data transfer through an iDMZ.
Firewall ports
Explicit port opening with application firewall inspection
Open specific ports on the OT-facing firewall for well-known protocols (OPC UA, MQTT over TLS, SSH for jump access). Pair with deep packet inspection and application-layer firewall rules that verify protocol compliance. This is the traditional approach but requires ongoing rule management and port monitoring. Suitable for low-frequency, well-defined connections where outbound-only is not feasible.
Outbound tunnel
Outbound-only tunneling (DataHub model)
The OT-side data source initiates an encrypted outbound connection to an iDMZ-hosted endpoint. The iDMZ endpoint never initiates inbound. No port needs to be opened on the OT-facing firewall for inbound traffic. This is the CISA-recommended pattern: OT initiates all connections. Cogent DataHub implements this with its tunneling architecture. Best for real-time OPC data transfer across the boundary.
Pub/Sub
MQTT broker in iDMZ with OT as publisher
MQTT broker sits in the iDMZ. OT-side edge nodes and OPC servers publish Sparkplug B topics to the broker over TLS (outbound from OT). IT-side consumers subscribe to topics from the broker. The broker is the controlled single egress point; no IT system connects into OT. This is the UNS-aligned pattern and works well with N3uron edge nodes publishing to the iDMZ broker.
Data diode
Hardware-enforced one-way data diode
Physical data diode hardware enforces unidirectional data flow from OT to IT at the hardware level, making reverse connections physically impossible. Used in high-security environments (defense, critical infrastructure, nuclear) where bidirectional communication is prohibited by policy. Cogent DataHub supports data diode mode for organizations that require hardware-enforced unidirectionality.
Common mistakes that defeat the iDMZ
The iDMZ is only as effective as the discipline around maintaining its boundary rules. These are the most common ways organizations undermine their own iDMZ architecture without realizing it.
⚠️
Opening "temporary" firewall rules that never get removed
A vendor requests temporary access to diagnose an issue. The firewall rule allowing direct IT-to-OT access is opened but never deleted after the vendor finishes. Over time, the firewall rule list accumulates dozens of "temporary" exceptions that remain live indefinitely. Regular firewall rule audits and automatic expiration policies are the only remediation.
🔓
Placing engineering workstations in the iDMZ with dual network interfaces
An engineering workstation needs access to both IT and OT networks, so it is placed in the iDMZ with two NICs: one connected to IT and one to OT. This defeats the entire purpose of the iDMZ. That workstation becomes a bridge. If compromised, lateral movement from IT to OT requires no firewall bypass at all. Engineering workstations belong in the OT zone, not the iDMZ. Remote access for engineers should go through a jump server.
📂
Using the iDMZ as a general-purpose file share or print server
The iDMZ is treated as a convenient middle ground for shared services: file servers, print servers, or general utility servers that both IT and OT teams use. This increases the attack surface in the iDMZ and introduces services with no security justification for being there. The iDMZ should contain only systems with a specific IT/OT data transfer role.
🌐
Allowing internet access from the iDMZ
iDMZ servers are allowed to browse the internet directly, either for convenience or because patch servers need to pull updates. This introduces a direct path from the internet to a zone that can reach OT systems. Patch servers should pull updates from IT-side mirrors; they should not have outbound internet access themselves. If internet access is absolutely required, proxy it through the IT-side firewall with URL filtering and logging.
🔍
No logging or monitoring of traffic crossing the iDMZ boundary
Traffic is allowed to flow through the iDMZ firewalls, but no one logs what crosses or monitors for anomalies. The security value of the iDMZ depends on visibility. Every connection across the iDMZ boundary should be logged, with alerts for unexpected protocols, unusual data volumes, or connections from unauthorized sources. SIEM integration is essential.
How SWTB products implement iDMZ-compliant data flows
Software Toolbox products are specifically designed to work with dual-firewall iDMZ architectures rather than requiring direct IT-to-OT connections. Each product implements one of the approved data flow patterns documented above, ensuring that the iDMZ boundary remains intact.
DataHub is architected specifically for iDMZ deployment. The OT-side DataHub instance initiates an encrypted outbound connection to the iDMZ-hosted instance. No inbound port needs to be opened on the OT-facing firewall. Data flows one-way from OT to IT through the tunnel. IT-side consumers (Power BI, cloud analytics, ERP) connect to the iDMZ DataHub instance, never to OT. DataHub also supports data diode mode for hardware-enforced unidirectionality when required by policy.
TOP Server is deployed in the OT zone (Level 3) where it collects data from PLCs, DCS, and SCADA systems using native device protocols. It exposes that data as OPC DA and OPC UA to consumers within the OT zone and to the iDMZ-hosted DataHub instance. TOP Server never crosses the iDMZ boundary itself; it remains entirely in the OT zone. This concentrates device protocol connectivity in the OT zone and reduces the number of systems that need firewall access.
N3uron edge nodes are deployed at Level 2 or 3 in the OT zone. They collect data from devices using built-in protocol drivers and publish Sparkplug B topics over TLS to an MQTT broker hosted in the iDMZ. The connection is outbound from OT to the broker; no inbound port is required. IT-side consumers subscribe to topics from the broker. The broker is the single controlled egress point. This is the iDMZ-compliant pattern for Unified Namespace implementations.
OPC Router is deployed at Level 3 in the OT zone to create explicit, documented data flows from OT sources to iDMZ endpoints and IT consumers. Its visual workflow model produces an auditable record of which data flows from which source to which destination under which conditions. Router workflows can publish to iDMZ-hosted MQTT brokers, write to iDMZ database mirrors, or push data through DataHub tunnels. The workflow export provides documentation for IEC 62443 conduit requirements.
Frequently asked questions
Do I need a separate physical network for the iDMZ or can I use VLANs?+−
VLANs are sufficient for most industrial environments, provided the firewalls between zones enforce strict access control lists and the VLANs are properly segregated at the switch level. Physical separation (separate switches, separate cabling) provides stronger isolation and is recommended for high-security environments, critical infrastructure, or sites where regulatory requirements demand physical segmentation (defense, nuclear, water/wastewater).
The key security requirement is that traffic crossing the iDMZ boundary must pass through a firewall with enforced rules and logging. VLAN hopping vulnerabilities are a concern, so use 802.1Q trunk isolation, disable DTP (Dynamic Trunking Protocol), and regularly audit switch configurations to prevent VLAN leakage.
Can I combine the iDMZ and DMZ for internet-facing services into one zone?+−
No. The internet-facing DMZ and the iDMZ serve different purposes and should not be combined. The internet-facing DMZ buffers your internal IT network from the internet and hosts public-facing services (web servers, email gateways). The iDMZ buffers your OT network from your IT network. Combining them means an internet-exposed service compromised by a public attack now has network proximity to systems that can reach your OT environment.
Best practice is to implement three separate zones: an internet-facing DMZ between the internet and the IT network, the IT network itself, and an iDMZ between the IT network and the OT network. Each boundary has its own firewall with its own security policy.
How often should I audit the firewall rules on the iDMZ boundaries?+−
Quarterly audits are the recommended baseline. Firewall rules accumulate over time as temporary exceptions become permanent and forgotten. Each audit should identify unused rules, overly broad rules, and rules with no documented business justification. Automated firewall rule analysis tools can help by identifying unused rules based on traffic logs.
Additionally, any change to firewall rules should go through a formal change control process with documented approval, a defined purpose, and a scheduled expiration date for temporary rules. Many organizations implement "default expiration" policies where temporary rules are automatically disabled after 30 or 60 days unless explicitly renewed.
Does an iDMZ slow down real-time data access?+−
Properly implemented, no. Outbound tunneling solutions like Cogent DataHub add minimal latency (typically less than 50 ms) because they maintain persistent encrypted tunnels rather than establishing new connections for each data transfer. MQTT pub/sub through an iDMZ broker is real-time by design; subscribers receive published data as soon as it arrives at the broker.
The performance concern with iDMZ architectures is typically around firewall throughput, not the data transfer pattern itself. Industrial firewalls must be sized appropriately for the volume of OT-to-IT data transfer. Deep packet inspection and IPS features on the firewall can introduce latency if not properly tuned for industrial protocols. For high-volume historian replication or streaming analytics, select firewalls with sufficient throughput and test under realistic load before deployment.
What is the difference between an iDMZ and a screened subnet?+−
These terms are sometimes used interchangeably, but "screened subnet" is the more precise networking term for a network segment separated from two other networks by firewalls on both sides. An iDMZ is the industrial-specific application of the screened subnet architecture, positioned between IT and OT networks with specific design principles (outbound-only from OT, no dual-homed hosts, minimal services, logging of all boundary crossings).
In practice, if you see "screened subnet" in the context of OT security, it is describing the same dual-firewall architecture as an iDMZ. ISA/IEC 62443 uses the term "conduit" to describe the controlled pathways between zones, and the iDMZ is the physical implementation of a conduit with bidirectional communication capability under strict control.
Our site has been running for years without an iDMZ. How do we implement one now?+−
Retrofitting an iDMZ into a running plant requires careful planning and staged implementation. Start with a network assessment to document all existing IT-to-OT connections, identify which systems need cross-boundary communication, and determine current data flow patterns. Then design the target iDMZ architecture with explicit rules for which connections will be permitted and through which mechanisms (tunneling, jump servers, MQTT broker, etc.).
The implementation is typically staged: deploy the iDMZ zone and its firewalls, migrate services one at a time (start with read-only data consumers like historians, then add jump servers for remote access, finally migrate bidirectional services), and verify functionality at each stage before proceeding. The most disruptive phase is cutting over the OT-facing firewall, which will require a coordinated outage window. Budget 6–12 months for a full migration in a complex industrial site, and plan for vendor coordination since many OT vendors will need to reconfigure their remote access methods to comply with the new architecture.
Getting started with iDMZ architecture
If your organization does not currently have an iDMZ separating IT from OT, the first step is to document every existing connection that crosses the IT/OT boundary. Identify what data flows, in which direction, over which protocols, and for what business purpose. This assessment reveals the scope of the migration and identifies which data flow patterns (tunneling, MQTT, jump servers) are needed.
Second, deploy the dual-firewall architecture with deny-all defaults on both firewalls and explicit allow rules only for documented, justified connections. Use outbound-only data transfer mechanisms (Cogent DataHub tunneling, N3uron edge publishing to MQTT) so the OT network never needs to accept inbound connections from IT. This is the CISA-recommended architecture and the foundation of every iDMZ implementation.
Software Toolbox has been designing and deploying iDMZ-compliant data architectures for decades. Whether you are implementing your first iDMZ, migrating legacy DCOM connections to OPC tunneling, or building a Unified Namespace with an MQTT broker in the iDMZ, our engineering team can help you design and deploy an architecture that meets both operational and security requirements.
Need secure data transfer through your iDMZ?
Cogent DataHub's outbound-only tunneling architecture is specifically designed for iDMZ deployment: OT initiates all connections, no inbound firewall ports required, data diode mode available for one-way enforcement. Let us show you how it fits your architecture.
