
AVEVA™ Production Management

Separate the ICS Network

  • Last Updated: Apr 11, 2025

The ICS network itself can be either physically or logically segmented from your other corporate networks. A physically segmented network is by definition the most secure. The network hardware and all computers and devices connected to it form a single closed network with no physical connection to any other network, so an intruder cannot access the network unless they also have access to the physical location.

In contrast, a logically segmented network is physically connected to your other corporate networks and/or the public internet, but it uses various methods to segregate ICS network traffic from other network traffic. This may include:

  • Using a unidirectional gateway

  • Implementing a Demilitarized Zone (DMZ) network architecture with firewalls to prevent network traffic from passing directly between the corporate and ICS networks

  • Having different authentication mechanisms and credentials for users of the corporate and ICS networks

The ICS should also use a network topology that has multiple layers, with the most critical communications occurring in the most secure and reliable layer.

Given below is a sample deployment topology.

[Figure: A network diagram of a sample deployment topology, consisting of a plant network (where the ICS host is), a demilitarized zone, and a corporate network, with a firewall in each to prevent network traffic from passing directly between the corporate and ICS networks.]

In no case should your ICS network and devices be directly accessible from the public internet. If there is some part of your ICS that you want to be accessible (for example, if you want to be able to view web-enabled HMI screens from a browser or smart phone), your ICS software should include features that securely pass the necessary traffic between your ICS network and a public-facing server.
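One way to check a firewall policy against the two rules above (no traffic passing directly between the corporate and ICS networks, and no ICS exposure to the public internet), as an added example that is not part of the AVEVA documentation. The zone subnets, rule format and rule names are constructed assumptions, and each allow rule is evaluated on its own, ignoring rule order.

```python
import ipaddress

# Constructed zone layout (assumption): replace with your own address plan.
ZONES = {
    "ics": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}

# Zone pairs that must never talk directly; everything crosses via the DMZ.
FORBIDDEN = {("corporate", "ics"), ("ics", "corporate"),
             ("internet", "ics"), ("ics", "internet")}


def zones_touched(cidr):
    """Return every zone a rule's source or destination range overlaps."""
    net = ipaddress.ip_network(cidr, strict=False)
    hit = {name for name, zone in ZONES.items() if net.overlaps(zone)}
    # A range not fully contained in one known zone also reaches "internet".
    if not any(net.subnet_of(zone) for zone in ZONES.values()):
        hit.add("internet")
    return hit


def audit(rules):
    """Return (rule, src zone, dst zone) for allow rules bridging forbidden zones."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        for src in sorted(zones_touched(rule["src"])):
            for dst in sorted(zones_touched(rule["dst"])):
                if (src, dst) in FORBIDDEN:
                    findings.append((rule["name"], src, dst))
    return findings


# Constructed sample ruleset, not taken from any product.
SAMPLE_RULES = [
    {"name": "corp-to-dmz-web", "action": "allow", "src": "10.30.0.0/16", "dst": "10.20.0.10/32"},
    {"name": "dmz-to-ics-historian", "action": "allow", "src": "10.20.0.10/32", "dst": "10.10.5.20/32"},
    {"name": "legacy-eng-laptop", "action": "allow", "src": "10.30.4.7/32", "dst": "10.10.0.0/16"},
    {"name": "any-to-hmi", "action": "allow", "src": "0.0.0.0/0", "dst": "10.10.8.15/32"},
    {"name": "ics-default", "action": "deny", "src": "0.0.0.0/0", "dst": "10.10.0.0/16"},
]

if __name__ == "__main__":
    for name, src, dst in audit(SAMPLE_RULES):
        print(f"{name}: allows {src} -> {dst} directly")
```

The two DMZ-mediated rules pass, while the rule from a corporate host straight into the ICS range and the any-source rule to an HMI address are reported.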
