Implementing a PCN DMZ

Designing and deploying a DMZ for the process control network (PCN)

What is the function of a PCN DMZ?

Assets within a DMZ network serve as a buffer between the underlying process control network and the business network.  While designing DMZ networks, attention must be paid to the type of assets and their functionality.  As a rule of thumb, any asset that communicates to the PCN and to the business network belongs in a PCN DMZ.  Going a step further, subnetting the DMZ by clustering assets of similar functionality enhances the resiliency and reduces the attack surface.  A well-designed DMZ network offers the capability and flexibility to share process data across the enterprise securely while at the same time containing and localizing the impact to plant operations should a cybersecurity event occur.

 

Description of the Service

aeSolutions offers a service to develop the user requirements and assist through conceptual design and deployment.  We typically facilitate a 1 – 2 day workshop to develop user requirements and a conceptual design for the PCN DMZ architecture.  We can also assist with the deployment, testing and commissioning phases of the project.  During the workshop we tackle some of the key challenges implementing a PCN DMZ architecture, some of which are listed below:

  • PCN DMZ structure
  • Determine what assets should belong in the PCN DMZ
  • PCN DMZ services e.g., WSUS, AV, Backup, File Server, etc.
  • Authentication requirements to process control domains
  • Location of data collectors and historian servers
  • Align with remote access requirements e.g., vendors, contractors, employees

Service Deliverables

User requirements and conceptual design of PCN DMZ architecture

Industry Best Practices – Dos and Don’ts

Implementation services