# The Need to Isolate Remote, Wide-Area Communications Into a Separate Zone

By [Lionel Jacobs](https://www.paloaltonetworks.com/blog/author/lionel-jacobs/?ts=markdown "Posts by Lionel Jacobs"), Jun 21, 2016

In our [Reference Blueprint for Industrial Control and SCADA](https://www.paloaltonetworks.com/resources/whitepapers/industrial-control-blueprint-reference), we describe the need to
isolate remote communication technologies into a separate zone. Devices like iNets, unlicensed and licensed microwave, satellite, AMI meters and other forms of longer-range, radio-based communications need to be looked at carefully before being implemented. Extra consideration of these types of technology is essential to preventing unintentional access into enterprise and OT systems.

### Benefits of Remote Communication Technologies

With the advent of the Industrial Internet of Things (IIoT), or Industry 4.0, new highly efficient, low-energy and low-cost wide-area communication devices are continually being produced, providing more bandwidth and flexibility in deployment -- items deemed essential in an ICS/SCADA environment. Improvements in communication technology make remote automation not only feasible but also attractive, if not a necessity.

These advancements in communication help with automation and make it possible to place more intelligent devices further out. They also reduce labor costs, as an army of people would no longer be required to travel to remote destinations, retrieve information and bring it back. Improved communications would allow operators to gather this information back to a single location, cutting many of the expenses associated with vehicle maintenance, gas and hourly wages.

Remote automation is not only cost-effective, dependable, and safe, it enables owner/operators to be competitive in several ways:

* It helps improve the efficiency of the system, allowing for real-time, or near real-time, information at regular intervals.
* It produces data for analytics, which helps improve system performance, increase efficiencies and produce higher yields in a product.
* It increases visibility into our systems, allowing us to adjust as necessary.

There is, however, a downside to these innovations in communications for ICS/SCADA, which is the need for greater enforcement of security at remote locations.
### Challenges of Remote Communication Technologies

Putting high-speed, high-bandwidth connections in remote, unmanned areas makes them ideal beachhead attack points. Some areas can take hours to reach due to the remoteness and terrain, and serve as an excellent foothold for an adversary because of the access to both enterprise and OT systems. The remoteness of the asset provides attackers with ample time to come and go as needed.

At remote facilities, it is possible for someone to install micro-computing devices that can be left in place and go unnoticed for months, if not years, if the physical placement of equipment and site layout goes unaudited for a long period of time. On-premises equipment could be reloaded with weaponized or malicious code and leveraged against the owner/operator's internal systems, giving the attacker the ability to cause major disruptions. Placing more intelligent devices further out at remote locations -- devices with far more computing power than those previously used -- can give attackers better internal resources with which to attack our systems.

Today's broadband technology, in most cases, is some form of shared medium, meaning people with the right skill set and tools are capable of eavesdropping on others, making for insecure communications on systems that run critical real-time production.

One other key element many fail to consider when deploying communication technologies, such as satellite or microwave, is that many of these technologies are easy to remove and relocate. It is not uncommon for satellite dishes to go missing. Just think about what happens when the outdoor unit, dish and block upconverter (BUC), and the indoor unit (IDU) satellite modem go missing, and the relocated equipment still shows as online. Another nefarious scenario is using these remote access points as an attack vector against a competitor or generating denial of service (DoS) attacks against others routed through the owner/operator's network.
With all of these advances in communication technologies, older forms like frame relay or dedicated leased lines are no longer in use. If they are, they are very expensive to maintain. But older technologies, being point-to-point in nature, do provide slightly more security at remote facilities, unlike most of today's Internet-based communication technologies, which is why greater attention must be paid to the security, both physical and cyber, of remote communication technologies.

### Securing Remote Communication Technologies

Physical security at these locations is difficult to maintain due to their remoteness, but cybersecurity, and ensuring that the traffic coming in from a field site is only that which is required -- and nothing more -- is an achievable, sustainable objective.

At Palo Alto Networks® we believe in and follow the best practices of [Zero Trust networking](https://www.paloaltonetworks.com/solutions/initiatives/network-segmentation). In the Zero Trust networking model, it is highly advised that access to and from remote assets be set in an entirely separate zone, and that communications be restricted to only the applications, ports, and protocols needed for the process. By following this tactic, a company can minimize its attack surface and limit possible exposure caused by a breach of its communications link.

By zoning remote connections into a separate isolated enclave restricted by application and user ID, the field of focus is narrowed, providing better visibility into attempts to use the sites' communications. Unauthorized attempts to access the OT/IT networks would be painfully obvious in the logs, where they would appear as failed or dropped attempts at communication, especially if contact attempts are made with resources that the zone has no need to communicate with. This would be a clear indicator of compromise (IoC) from that device or facility.
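The log review described above, as an added example that is not from the original post or from Palo Alto Networks: it flags traffic from the remote zone that falls outside the zone's allowlist of required flows. The zone name, addresses, allowlist and CSV log layout are constructed assumptions, not a vendor log format.

```python
import csv
import io
from collections import Counter, defaultdict

REMOTE_ZONE = "remote-wan"  # hypothetical zone name for field-site links

# Assumption: the only flows the process needs from the remote zone,
# as (destination IP, destination port, application).
ALLOWED_FLOWS = {
    ("10.10.1.5", 20000, "dnp3"),  # RTU reporting to the SCADA front end
    ("10.10.1.9", 123, "ntp"),     # time synchronisation
}

# Constructed sample log in a made-up CSV layout (not a vendor export format).
SAMPLE_LOG = """\
time,src_zone,src_ip,dst_ip,dst_port,app,action
2016-06-21T02:10:01Z,remote-wan,172.16.40.11,10.10.1.5,20000,dnp3,allow
2016-06-21T02:10:05Z,remote-wan,172.16.40.11,10.10.1.9,123,ntp,allow
2016-06-21T02:14:37Z,remote-wan,172.16.40.11,10.20.0.15,445,smb,deny
2016-06-21T02:14:39Z,remote-wan,172.16.40.11,10.20.0.16,445,smb,deny
2016-06-21T02:15:02Z,remote-wan,172.16.40.11,10.10.1.5,22,ssh,deny
2016-06-21T02:20:00Z,remote-wan,172.16.40.12,10.10.1.5,20000,dnp3,allow
2016-06-21T02:21:00Z,corp-lan,10.20.0.44,10.10.1.5,443,ssl,deny
2016-06-21T02:30:00Z,remote-wan,172.16.40.12,10.10.1.7,502,modbus,allow
"""


def find_zone_violations(log_text, zone=REMOTE_ZONE, allowed=ALLOWED_FLOWS):
    """Map each source IP in `zone` to its flows that fall outside `allowed`."""
    allowed_hosts = {ip for ip, _port, _app in allowed}
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["src_zone"] != zone:
            continue  # only the isolated remote zone is in scope
        flow = (row["dst_ip"], int(row["dst_port"]), row["app"])
        if flow in allowed:
            continue  # a flow the process requires
        if row["action"] == "allow":
            reason = "policy-gap"  # permitted although nothing requires it
        elif row["dst_ip"] not in allowed_hosts:
            reason = "unexpected-destination"  # host the zone never needs
        else:
            reason = "unexpected-service"  # known host, wrong port or app
        findings[row["src_ip"]].append((row["time"], *flow, reason))
    return dict(findings)


def rank_sources(findings):
    """Return (src_ip, Counter of reasons) pairs, noisiest source first."""
    ranked = [(src, Counter(hit[-1] for hit in hits)) for src, hits in findings.items()]
    return sorted(ranked, key=lambda item: sum(item[1].values()), reverse=True)


if __name__ == "__main__":
    for src, reasons in rank_sources(find_zone_violations(SAMPLE_LOG)):
        print(src, dict(reasons))
```

Dropped attempts toward hosts outside the allowlist are the signal the post calls an IoC; the `policy-gap` category additionally surfaces rules that permit more than the process needs.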
To learn about other useful strategies to help you better secure your ICS/SCADA/PCN networks, visit the [ICS/SCADA industry page](https://www.paloaltonetworks.com/solutions/industries/enterprise/scada-and-industrial-control) at [paloaltonetworks.com](https://www.paloaltonetworks.com/) and [download our reference blueprint architecture for industrial control and SCADA systems](https://www.paloaltonetworks.com/resources/whitepapers/industrial-control-blueprint-reference).