Network separation with a single firewall

In this scenario, shown in the following diagram, a simple two-port firewall is introduced between the corporate and process control networks, which brings a significant security improvement:

Network separation with single firewall

Firewalls on the market offer stateful inspection for all TCP packets and application proxy services for common internet application protocols such as FTP, HTTP, and SMTP. If they are well configured, they can significantly mitigate the risk of a successful external attack on the control network.

Even so, in this scenario there is an issue related to which network the servers that need to be shared between the corporate and the control network are placed on. For this reason, the data historian in the preceding diagram appears on both networks but is grayed out on the control network. If a shared server, such as the data historian or an OPC server, resides on the corporate network, a rule must exist within the firewall that allows the historian or OPC traffic to communicate with the control devices on the control network. A packet originating from a malicious or incorrectly configured host on the corporate network and appearing as a legitimate packet (data historian or OPC) would be forwarded to individual PLCs.

If the shared server resides on the process control network, a firewall rule must exist to allow all hosts from the corporation to communicate with it, putting the shared servers at risk of exploits or spoofing.
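The two placement options above, modelled as an added example (not code from the book) with a first-match, default-deny rule evaluator: the addressing, the OPC UA port 4840 used for historian-to-PLC polling, and the port 443 used for corporate queries to the historian are all assumptions. The `corporate_to_control_exposure` check flags any allow rule that lets a corporate-side source reach a control-side destination, which is exactly the hole each option leaves open.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed addressing for the two-port firewall scenario (assumption, not from the book).
CORPORATE_NET = ipaddress.ip_network("10.1.0.0/16")
CONTROL_NET = ipaddress.ip_network("10.2.0.0/16")

@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any destination port
    action: str            # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def decide(rules: List[Rule], pkt: Packet) -> str:
    """First-match evaluation with an implicit default deny, as most firewalls do."""
    for r in rules:
        if pkt.src in r.src and pkt.dst in r.dst and r.dport in (None, pkt.dport):
            return r.action
    return "deny"

def corporate_to_control_exposure(rules: List[Rule]) -> List[str]:
    """Names of allow rules that let a corporate-side source reach a control-side destination."""
    return [r.name for r in rules
            if r.action == "allow" and r.src.overlaps(CORPORATE_NET) and r.dst.overlaps(CONTROL_NET)]

def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)

# Option A: historian (10.1.0.50) sits on the corporate LAN and must poll PLCs (assumed OPC UA, TCP 4840).
OPTION_A = [Rule("historian-to-plcs", net("10.1.0.50/32"), CONTROL_NET, 4840, "allow")]
# Option B: historian (10.2.0.50) sits on the control LAN and every corporate host may query it (assumed TCP 443).
OPTION_B = [Rule("corp-to-historian", CORPORATE_NET, net("10.2.0.50/32"), 443, "allow")]

if __name__ == "__main__":
    ip = ipaddress.ip_address
    # The rule only sees addresses and ports, so a packet carrying the historian's source
    # address is indistinguishable from the real historian and is forwarded to the PLC.
    print("A, historian-addressed packet -> PLC:", decide(OPTION_A, Packet(ip("10.1.0.50"), ip("10.2.0.10"), 4840)))
    # Under option B any corporate host, compromised or not, reaches the shared server.
    print("B, arbitrary corporate host -> historian:", decide(OPTION_B, Packet(ip("10.1.0.77"), ip("10.2.0.50"), 443)))
    for label, rules in (("A", OPTION_A), ("B", OPTION_B)):
        print(label, "corporate-to-control exposure:", corporate_to_control_exposure(rules))
```

Running the exposure check over a real rule set exported from the firewall is a quick way to enumerate every path that crosses the corporate/control boundary before deciding where the shared servers should live.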
