
Across the UK, the security of Critical National Infrastructure (CNI) is a growing concern, as the increasingly interconnected nature of the systems we depend on creates a whole new range of potential attack vectors – all of which global bad actors are already racing to take advantage of, executing a range of increasingly insidious, sophisticated strategies to compromise those systems.

With this in mind, it is essential that the CNI sector as a whole is ready to work closely with its technology partners to establish a new standard of security – one that encompasses both IT and OT, ensuring that their increased and ongoing convergence does not put the integrity of our critical data at risk. This presents a number of challenges when we consider the highly remote nature of most CNI environments, the inherent complexity of the resulting cross-site dataflows, and the need for a cyber security posture that ensures reliable and remote access can still be provided, when required.

What is a Demilitarised Zone (DMZ)?

A DMZ is a combination of equipment (including, but not limited to, routers, firewalls, and switches) deployed when third parties require secure remote access to certain assets within the site. It accomplishes this by segmenting the on-site network, based on access rights and security policies on a per-user or per-team basis, so the measures taken to grant access (e.g. opening the ports on firewalls) can be automated, reducing the need for manual intervention. Dual-factor authentication is then applied to ensure only an “allow-list” of individuals can gain access. This way, it is impossible for bad actors to access the assets in question without gaining control of the designated individuals’ own equipment, allowing seamless remote access to coexist with a robust security posture.

A DMZ is a key security tool for any challenging and remote CNI environment (e.g. offshore windfarms) where providing third parties with on-site access will not typically be an option, due to cost, safety, and compliance obligations. However, while the concept is ostensibly simple, putting it into practice is challenging…

Securing the most complex CNI environments

The process for creating an effective DMZ will naturally vary from site to site, depending on the nature of the systems and the access rights that will need to be established and implemented. This all begins with a pro-forma document, setting out the systems that need to be secured (including all IP addresses and subnets), the teams, individuals, and their roles that require access, and the tools and protocols they will be using to do so.

In other words, it is an inherently bespoke process that demands a keen understanding of the convergence of IT and OT, the new dataflows this creates, and how these can be secured without compromising operational performance. Any DMZ project must begin with a period of in-depth consultation to collate all the information required for the design and deployment phases. This will be followed by a period of intensive testing and review to ensure the pro-forma is correct and has been correctly executed.

Once the DMZ has been established, it will need to be continually monitored, audited, and updated, as policies evolve, team members join and leave, and new security vulnerabilities emerge. This will require CNI organisations to cultivate strong, long-lasting partnerships with their technology providers, entrusted to provide ongoing support and consultation as the threat landscape evolves.
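As an added illustration (not Vysiion's own tooling), the review and audit steps described above can be sketched as a comparison between the pro-forma and the allow rules actually deployed in the DMZ. The pro-forma layout, asset names, users, subnets and ports below are all constructed assumptions.

```python
import ipaddress
# Constructed pro-forma: documented assets, teams and access rights (illustrative values).
PROFORMA = {
    "assets": {
        "scada-hmi": {"subnet": "10.20.1.0/28", "ports": [3389]},
        "turbine-plc": {"subnet": "10.20.2.0/28", "ports": [502]},
    },
    "teams": {
        "oem-support": {"members": ["alice", "bob"], "assets": ["turbine-plc"]},
        "ops": {"members": ["carol"], "assets": ["scada-hmi", "turbine-plc"]},
    },
}

def expected_rules(proforma):
    """Expand the pro-forma into the (user, subnet, port) tuples it authorises."""
    rules = set()
    for team in proforma["teams"].values():
        for name in team["assets"]:
            asset = proforma["assets"][name]  # KeyError: team references an undocumented asset
            net = ipaddress.ip_network(asset["subnet"])  # ValueError: malformed subnet
            for user in team["members"]:
                for port in asset["ports"]:
                    rules.add((user, str(net), port))
    return rules

def audit(proforma, deployed):
    """Diff deployed allow rules against the pro-forma; everything else is default-deny."""
    want = expected_rules(proforma)
    nets = [ipaddress.ip_network(a["subnet"]) for a in proforma["assets"].values()]
    findings = []
    for user, dest, port in sorted(deployed - want):
        in_scope = any(ipaddress.ip_network(dest).subnet_of(n) for n in nets)
        reason = "not authorised by pro-forma" if in_scope else "destination not within a documented subnet"
        findings.append(("EXCESS", user, dest, port, reason))
    for user, dest, port in sorted(want - deployed):
        findings.append(("MISSING", user, dest, port, "authorised but not deployed"))
    return findings

# Constructed deployed rule set, as exported from a hypothetical firewall.
DEPLOYED = {
    ("alice", "10.20.2.0/28", 502), ("bob", "10.20.2.0/28", 502),
    ("bob", "10.20.1.0/28", 3389),    # excess: oem-support has no HMI access
    ("dave", "10.20.2.0/28", 502),    # excess: leaver still on the allow-list
    ("carol", "10.20.1.0/28", 3389),  # carol's PLC rule was never deployed
    ("carol", "10.0.0.0/8", 22),      # excess: over-broad destination
}

if __name__ == "__main__":
    print(*audit(PROFORMA, DEPLOYED), sep="\n")
```

Running the audit on every pro-forma change and on a schedule surfaces both stale access (leavers, rules wider than documented) and authorised access that was never provisioned.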

If you would like to explore the security of your own CNI environments, do not hesitate to contact the team. Vysiion has served as a trusted technology partner for organisations across the UK’s CNI sector since 1996, delivering over £200 million of projects on an international scale. As part of this, we have designed, deployed, and continue to manage and maintain a range of leading-edge DMZs, drawing on our deep knowledge of IT/OT integration and Cloud transformation, and utilising the full range of our evolving solution portfolio. Whatever the nature of your sites, dataflows, and security requirements, we will work closely with you to deliver a tailor-made solution that optimises both data protection and operational efficiency, then work closely with you to maintain it as the threat landscape evolves.