Segmenting Security Zones & Conduits in Critical Infrastructure: Best Practices & Methods

Instructor: Giorgos-Nektarios Panayotidis

George-Nektarios has worked as a tutor and student consultant for five years and has a 4-year university degree in Applied Informatics.

How does one carry out an industrial network's segmentation with regard to its critical infrastructure? In this lesson we will be delving into the proxy, DMZ and other appropriate methods, such as granular zoning.

Keeping the Critical Assets at a Safe Distance

This lesson refers to the critical infrastructure of an industrial network and how this is protected via the appropriate methodologies. How could we describe them, using everyday experience? Let us think of a demilitarized zone. Such a zone often extends just beyond the borderline of a country and is a strip of land where military equipment, personnel and hostile actions are prohibited. However, a demilitarized zone (DMZ) is also one of the most important methodologies in protecting critical infrastructure in industrial networks. The borderline this time comes just after the company's trusted networks. The military elements prohibited are, in this case, the security and the restrained access of the business networks, since the devices belonging to it have direct connectivity to the internet. This method, along with use of proxy and other means, such as granular zoning, will be analyzed and delineated in this lesson.

Best Practices for Network Segmentation for Critical Infrastructure Protection

There are certain very well-known and critically acclaimed methods to protect critical infrastructure of an industrial network. These methods are :

  • Proxy
  • Demilitarized Zone (DMZ)
  • Granular Zoning

The first two will be subsequently analyzed. Concerning granular zoning, one should note that it is the segmentation of an industrial network into security zones with very specific characteristics. More specifically, granular zoning methodology inserts an extra protection layer. The assets are divided into zones, according to their operation (business/supervision workstations), then they are also separated according to whether they are critical assets or not. Security zones containing similar assets will render threats easily traceable and containable, since the communication among security zones is subject to restrictions.


Nearly everyone who has participated in an internet forum should know what a proxy server is due to the discouragement or even prohibition of its use in such a circumstance. A proxy is really an intermediary which prevents direct connectivity to the requested resources within the industrial network. The business's critical infrastructure assets may sometimes communicate via firewall with the proxy server. The steps taken to establish a connection are the following:

  • The proxy server receives a request from a client from a public, insecure network for various resources (files, services, etc.)
  • The proxy server filters and, provided that it's secure according to its internal database, forwards the request to the internal business server
  • The internal server sends the requested resources to the proxy, which then services the client of the public network (internet)

Demilitarized Zone (DMZ)

Similar to proxy servers, a demilitarized zone (DMZ) is an intermediary for devices that need resources and connectivity from the public domain (internet). According to DMZ, devices that require connectivity to the internet, such as peripherals, business portals, e-mail servers, etc., mustn't be included in one of the typical security zones of the industrial network. Instead, a different network segmentation is made. These devices belong to a completely different zone, that is, the demilitarized zone (DMZ). A device which belongs to such a zone cannot be directly connected to a ''trusted'' zone of the industrial network, which contains critical assets.

To unlock this lesson you must be a Member.
Create your account

Register to view this lesson

Are you a student or a teacher?

Unlock Your Education

See for yourself why 30 million people use

Become a member and start learning now.
Become a Member  Back
What teachers are saying about
Try it risk-free for 30 days

Earning College Credit

Did you know… We have over 200 college courses that prepare you to earn credit by exam that is accepted by over 1,500 colleges and universities. You can test out of the first two years of college and save thousands off your degree. Anyone can earn credit-by-exam regardless of age or education level.

To learn more, visit our Earning Credit Page

Transferring credit to the school of your choice

Not sure what college you want to attend yet? has thousands of articles about every imaginable degree, area of study and career path that can help you find the school that's right for you.

Create an account to start this course today
Try it risk-free for 30 days!
Create an account