What is the primary purpose of placing a Demilitarized Zone (DMZ) between the SCADA network and the corporate network?
Think about how a DMZ acts like a buffer zone to protect sensitive systems.
A DMZ acts as a buffer zone that isolates the SCADA network from the corporate network, controlling and limiting access to protect critical systems from threats.
Given the following firewall rule on a SCADA firewall:
allow tcp from 192.168.10.0/24 to 10.0.0.5 port 502
What will be the effect of this rule?
Port 502 is commonly used for Modbus TCP in SCADA systems.
The rule explicitly allows TCP traffic from the 192.168.10.0/24 subnet to the SCADA device at 10.0.0.5 on port 502, which is the standard Modbus TCP port.
A SCADA operator reports that the control center cannot communicate with a remote RTU (Remote Terminal Unit). The firewall between them has the following rules:
1. allow tcp from 10.1.1.0/24 to 192.168.100.10 port 102 2. deny all from any to any
What is the most likely reason communication is failing?
Check if the IP addresses and ports in the allow rule match the actual devices and protocols used.
The allow rule only permits TCP traffic from 10.1.1.0/24 to 192.168.100.10 on port 102. If the RTU uses a different IP or port, the traffic is blocked by the deny all rule.
What is the correct order of steps to securely configure a DMZ between the corporate network and SCADA network?
Think about physical setup before rules and testing last.
First, physically separate the DMZ network, then define firewall rules, place monitoring tools, and finally test everything to ensure security and functionality.
Which firewall strategy best balances security and operational reliability for a SCADA system connected to a corporate network?
Consider defense in depth and isolation principles.
Using multiple firewalls with a DMZ creates layers of defense, isolating critical SCADA systems from corporate networks and reducing attack surfaces while maintaining operational reliability.