    What Is a DMZ? Network Security Fundamentals and Zero Trust Evolution

    The Evolution of DMZ Security: A Zero Trust Guide for OT and Industrial Networks

    For decades, the use of a demilitarized zone (DMZ) has been central to network security.

    Established between trusted internal network assets and those that serve untrusted external users, the DMZ is essentially a buffer between the two areas: it filters traffic, enforces security policies, and reduces the chance of an intruder reaching critical services.

    However, as threats continue to evolve and network architectures become more complex, many IT security professionals are beginning to say that the DMZ is obsolete. Developments such as cloud environments, identity-centric security tools, and compliance regulations are reshaping modern IT environments. In response, security models like Zero Trust have stepped up to provide organizations with the agility and protection they need.

    Yet, for operational technology (OT), industrial control systems (ICS), and other critical infrastructure environments, the use of a DMZ is still common. In fact, for organizations whose systems consist of legacy hardware, DMZs are more important than ever.

    The key is in how DMZs are deployed. Firewall-based DMZs can no longer provide adequate protection, especially where modern technologies and legacy systems meet. That is where security models like the Zero Trust DMZ shine.

    This guide explains how a Zero Trust DMZ works, how it differs from traditional DMZ network security, and how organizations can implement it in a scalable and operationally safe way.

    DMZ Fundamentals: What You Need to Know

    What Is a DMZ?

    A DMZ is a segmented network created to sit between two network zones or boundaries, usually between an internal network and external-facing devices capable of accessing the internet. Devices that sit within a DMZ need to be accessible from less-trusted devices or networks, helping prevent direct access to more sensitive internal digital assets.

    A DMZ typically:

    • Enables the filtering of inbound and outbound traffic
    • Enforces security policies
    • Performs basic network traffic inspection and scanning
    • Isolates services accessible from less-trusted devices
    • Limits lateral movement during breaches
    • Supports regulatory requirements for segmentation

    For example, web servers, email gateways, and VPN concentrators are usually hosted inside DMZs.

    DMZs as a Security Mechanism

    For decades, DMZs have been a foundational element of network security. The DMZ introduced one of the earliest and most effective forms of network segmentation, helping limit attack surfaces long before Zero Trust became a leading security model.

    Put another way, a DMZ creates a security buffer zone or controlled area where access can be tightly regulated and monitored. In OT environments, where full cloud migration and endpoint modernization are often impossible or prohibitively expensive, DMZs can be indispensable.

    The DMZ Evolution Challenge

    Is the DMZ Dead?

    There will always be a place for DMZs and perimeter-based security. How often they are used, how heavily they are relied on, and at what scale, however, have all diminished in many modern IT environments with the rise of identity-aware proxies, cloud-native security controls, and Zero Trust Network Access (ZTNA) models.

    Why Traditional DMZs Fail in OT

    Traditional DMZ network security relies almost entirely on firewalls that filter traffic at layers 3 and 4 of the OSI Model. This creates several critical limitations in OT environments, which operate in fundamentally different ways and with requirements that prevent traditional DMZs from being effective.

    • Operational continuity: Downtime for configuration changes, patching, or troubleshooting is often unacceptable. Even brief interruptions can cause costly production delays or disrupt critical services.
    • Legacy systems: Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and Human–Machine Interfaces (HMIs) may be decades old, lack vendor support, and cannot be upgraded to support modern security controls.
    • Real-time requirements: Even the millisecond latency added by firewall-based inspection can be enough to negatively impact safety and reliability.
    • Brownfield constraints: Rip-and-replace upgrades to accommodate modern firewalls are rarely feasible or cost-effective, forcing security solutions to work around existing architectures and physical infrastructure.
    • Safety implications: Cybersecurity failures in OT environments can have effects that extend beyond data loss, including equipment damage, environmental impact, or physical harm to personnel or customers.

    These potential consequences demand a different approach—one that preserves the DMZ concept while adjusting its mechanism to match OT realities with cutting-edge security tools.

    Zero Trust DMZ: The Evolution of OT Security

    A Zero Trust DMZ does not eliminate the DMZ; it takes it to the next level. The fundamental element of a DMZ—segmentation between trusted and untrusted networks—remains valid. What changes is enforcement: static network rules give way to inline, packet-level decisions in which each session is continuously validated by identity- and policy-driven controls rather than by firewalls, proxies, gateways, or other network-level devices alone.

    In an OT environment, this identity enforcement does not require PLCs, RTUs, and other legacy devices to have identity management capabilities of their own. Instead, identity is assigned to the traffic itself at the packet and session level. The OT assets remain unchanged, which keeps the deployment operationally safe.

    A Zero Trust DMZ achieves this by applying Zero Trust principles directly to the DMZ architecture, providing:

    • Continuous authentication: Every access attempt is verified without interruption.
    • Authorization enforcement: Policies evaluate who, what, when, where, and why users or systems are accessing other digital resources.
    • Least privilege access: Permissions are bound to user roles and scoped to the task and time window at hand.
    • Breach assumption: The architecture limits blast radius by assuming a threat is already in the network, “locking down” access except for validated connections.
    • Microsegmentation: Isolated zones exist even within the DMZ itself, enforced at the packet level. Identity is confirmed in the traffic path and segmentation decisions are made per session, without relying on a control-plane overlay or an IP-level label-based system.

    Resource: Learn more about these principles in Zentera’s resource, What Is Zero Trust Security and Why It Matters.

    Traditional DMZ vs. Zero Trust DMZ

    | Element                      | Traditional DMZ | Zero Trust DMZ                                                   |
    |------------------------------|-----------------|------------------------------------------------------------------|
    | Enforcement Layer            | Network (L3/L4) | Inline packet-level enforcement bound to identity and policy [1] |
    | Policy Structure             | Static rules    | Dynamic, policy-driven                                           |
    | Access Control Determination | IP/Port-based   | Identity-based                                                   |
    | Context Awareness            | None            | User, device, time, location                                     |
    | Monitoring Capability        | Perimeter only  | Continuous user/system validation                                |

    [1] Enforcement occurs directly in the network traffic path and does not rely on network tunneling or gateway redirection.

    OT-Specific DMZ Implementation Considerations

    Industrial DMZ (IDMZ) Architecture

    In industrial environments, the DMZ is often referred to as an industrial DMZ (IDMZ). The IDMZ typically sits between enterprise IT networks and OT networks; in the Purdue Model (Levels 0-5), that is between Level 3 (Operations Control) and Level 4 (Enterprise IT).

    This means that the Zero Trust DMZ must support both traditional network protocols and industrial protocols, such as:

    • Modbus
    • DNP3
    • OPC/OPC UA
    • BACnet
    • PROFINET

    Legacy and Brownfield Challenges

    In addition to the need to balance both OT and IT protocols, a Zero Trust DMZ must also account for the following requirements common in legacy systems:

    • Hardware or software that cannot run agents
    • Devices that cannot be patched
    • Zero tolerance for outages

    This means the IT team must be able to deploy a Zero Trust DMZ solution that requires no changes to existing devices, deploys inline without network reconfiguration, supports a phased rollout to prevent downtime, and operates alongside existing security tools.

    Securing IT-OT Convergence

    For security teams, the network zones where traditional IT systems and OT networks meet are fraught with security challenges. Not only do security mechanisms need to be nimble to allow operational traffic, but they also need to balance the requirements of both legacy and modern systems. At the same time, they must be stable, safe to deploy, and capable of configuration without causing downtime.

    In this zone, traditional IT security tools often fail because:

    • Scanning can crash sensitive devices
    • Legacy systems do not meet the implementation requirements
    • Patch cycles disrupt operations

    Zero Trust DMZ as the Bridge

    A Zero Trust DMZ enables safe IT-OT convergence by:

    • Mediating access between IT users and OT assets at the network level, without touching the OT hardware itself
    • Enforcing environment-specific policies, regardless of device type
    • Providing visibility to security teams without disruption

    Zero Trust DMZ vs. OT Firewalls

    Given their complexity—both due to network configuration and hardware deployment—OT environments can be difficult to secure with firewalls alone. Although there is a place for firewalls, these devices rely on static rules and are difficult to scale across legacy systems, distributed sites, and variable access needs. Often, the result of exclusively using OT firewalls is a brittle network architecture that is easy to misconfigure and difficult to manage and protect.

    Comparing OT Firewalls with Zero Trust DMZs

    | Capability                                  | OT Firewall              | Zero Trust DMZ               |
    |---------------------------------------------|--------------------------|------------------------------|
    | Continuous Authentication and Authorization |                          |                              |
    | Identity-Based Policy Enforcement           |                          |                              |
    | Centralized Management                      | Limited                  |                              |
    | Microsegmentation                           | Requires configuration   | Built-in                     |
    | OT Protocol Support                         | Limited                  | Comprehensive                |
    | Scalability                                 | One firewall per segment | Multiple segments per device |

    What a Zero Trust DMZ is Not

    A Zero Trust DMZ does not rely on tunneling traffic through proxies, does not depend on identity and access management applications and firewalls to validate traffic, and does not enforce segmentation only through control-plane overlays. Nor does it evaluate traffic only as it enters or leaves the DMZ, the way a traditional firewall does.

    How Zentera Implements a Zero Trust DMZ for OT

    Zentera delivers a Zero Trust DMZ through its Zero Trust Gatekeeper (ZTG) solution and CoIP® Platform, which are purpose-built for OT and industrial environments. Instead of relying on static firewall rules or network redesign, Zentera’s solutions enforce identity-based access controls that offer:

    • Inline, Non-Disruptive Deployment

    ZTG is deployed directly in front of protected resources or subnets. This allows for inline inspection and enforcement at the packet level, binding identity to live traffic flows without proxying sessions, terminating connections, or introducing gateway bottlenecks. This approach also allows organizations to introduce Zero Trust without downtime or operational disruption.

    • Scalable Virtual Segmentation

    Through virtual segmentation, a single ZTG can protect up to 32 port pairs, creating multiple isolated security zones with one device. Combined with centralized policy management through the zCenter CoIP Controller, this gives security teams consistent policy enforcement, visibility, and auditing across distributed OT environments.

    • Simple Brownfield Deployments

    Zentera’s solution is designed specifically for brownfield deployments, providing fully agentless protection and not requiring changes to legacy PLCs, RTUs, or SCADA systems. 

    Real-World Zero Trust DMZ Use Cases

    Zentera’s Zero Trust DMZ can be deployed across a range of operational environments, providing benefits such as:

    • Secure Third-Party and Vendor Access

    A Zero Trust DMZ delivers identity-verified, least-privilege access for contractors and vendors, ensuring limited, time-bound, and auditable connectivity and eliminating the need for VPNs.

    • Remote Access for Engineers

    Engineers working remotely can securely access SCADA and control systems using multi-factor authentication without exposing the OT network to external threats, even when legacy systems do not support modern authentication.

    • Controlled IT-OT Data Exchange

    Operational data can be shared with IT systems through narrowly defined, controlled access paths, enabling analytics while maintaining segmentation between IT and OT networks.

    • Incident Response and Containment

    In the event of a security incident, a Zero Trust DMZ allows for instant isolation of affected segments without shutting down operations. 

    Compliance and Best Practices

    A Zero Trust DMZ supports compliance with OT-specific regulations and security frameworks by enforcing network segmentation using continuous user and access controls and by providing visibility into system access.

    This type of DMZ also helps organizations meet NERC CIP requirements, including CIP-005 for electronic security perimeters and CIP-007 for system security management, and align with IEC 62443 zone and conduit models that require defense in depth. 

    Zero Trust DMZ architectures also support compliance with the NIST Cybersecurity Framework by reinforcing the “Identify, Protect, and Detect” security functions across both IT and OT environments.

    Zero Trust DMZ Implementation Best Practices

    Successful Zero Trust DMZ deployments start by securing the highest-risk access points and critical assets first. From there, organizations should:

    • Map existing access patterns before enforcing new policies
    • Validate controls in monitoring mode before blocking traffic
    • Involve OT operations teams early in the design process
    • Maintain clearly defined emergency override procedures to ensure safety and operational continuity
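    As an added illustration, not Zentera's code and not a description of how ZTG evaluates policy internally, the following Python model contrasts the static IP/port decision of a traditional DMZ with the per-session decision bound to identity, device and time window described in the Traditional DMZ vs. Zero Trust DMZ comparison, and includes the monitor-before-block rollout practice listed above. The addresses, user and device names, policy shape and sessions are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Session:
    # A flow at the inline enforcement point; identity rides with the session, not the PLC (assumed model).
    src_ip: str
    dst_ip: str
    dst_port: int
    user: str
    device: str
    started: datetime

@dataclass(frozen=True)
class ZtRule:
    user: str
    device: str
    dst_ip: str
    dst_port: int
    hours: tuple  # allowed (start_hour, end_hour): least privilege bounded in time

def traditional_allow(rules, s):
    # Static L3/L4 rule: only source IP, destination IP and port are consulted.
    return (s.src_ip, s.dst_ip, s.dst_port) in rules

def zero_trust_decision(policy, s, enforce=True):
    # Deny unless a rule matches identity, device, destination and time window; monitor mode only reports.
    for r in policy:
        if (r.user, r.device, r.dst_ip, r.dst_port) == (s.user, s.device, s.dst_ip, s.dst_port) \
                and r.hours[0] <= s.started.hour < r.hours[1]:
            return "allow"
    return "deny" if enforce else "would-deny"

# Constructed policy: one vendor may reach one PLC's Modbus port (502) from the
# plant jump host only during the 08:00-18:00 maintenance window.
L3L4_RULES = {("10.10.5.20", "192.168.50.10", 502)}
ZT_POLICY = [ZtRule("vendor-acme", "jumphost-01", "192.168.50.10", 502, (8, 18))]

# Constructed sessions with the same 5-tuple: one inside the window, one outside it.
SESSIONS = {
    "maintenance": Session("10.10.5.20", "192.168.50.10", 502, "vendor-acme",
                           "jumphost-01", datetime(2024, 5, 6, 10, 15)),
    "off_hours": Session("10.10.5.20", "192.168.50.10", 502, "vendor-acme",
                         "jumphost-01", datetime(2024, 5, 6, 2, 40)),
}

def evaluate_all(enforce=True):
    # Returns {name: (static_rule_allows, zero_trust_verdict)} for every sample session.
    return {n: (traditional_allow(L3L4_RULES, s), zero_trust_decision(ZT_POLICY, s, enforce))
            for n, s in SESSIONS.items()}
```

    Running evaluate_all(enforce=False) first shows which existing flows a new policy would have blocked, which is the monitoring-mode check to complete before switching to enforce=True.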

    The Future of DMZ Security Is Zero Trust

    As with every element of IT and cybersecurity, technologies are always evolving to stay ahead of the latest threats. The same applies to the concept of the DMZ.

    DMZs are not obsolete; they are evolving to meet the unique needs of OT and industrial environments. Solutions like Zentera’s Zero Trust DMZ represent that evolution and introduce the safest, most scalable way forward for security teams working in these specialized environments.

    By providing a proven way to introduce segmentation with continuous identity verification and in-line, packet-level enforcement deeper than at the firewall or proxy level, Zentera’s Zero Trust DMZ gives organizations the ability to secure critical infrastructure without compromising uptime, safety, or compatibility with legacy systems. 
