DMZ direct: parallel chains from the internet

The Guild Quarter is the DMZ, a separate zone that exists to translate between protocols and manage connections from the city network to the production infrastructure. From the internet zone, unseen-gate has direct network visibility to the DMZ. The chains that target the DMZ do not need a foothold anywhere else first.

Contractors-gate at 10.10.5.20 is an SSH bastion meant to give contractors access to both the DMZ and the enterprise zone. Root login over SSH is enabled, and root authenticates with a password that was set in 2015 and has not been changed since. The machine is dual-homed, with an interface in each zone, so it sits on the boundary between them: whoever holds that password holds a root shell with a foot in both networks.
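A check for the bastion's two weaknesses, written for this page as an added example (it is not the lab's tooling and the `sshd_config` text is constructed). The point it makes is an sshd_config subtlety that is easy to miss when auditing a host like contractors-gate: sshd keeps the first value it reads for each keyword, so a `PermitRootLogin no` added further down the file changes nothing, and settings below a `Match` line are conditional rather than global.

```python
"""Audit an sshd_config for root-with-password login on a bastion.

Constructed example. sshd_config semantics applied here: for each keyword the
first value obtained wins, and everything after a Match line applies only
when that Match's criteria are met, so it is not a global setting.
"""
import shlex

# Constructed sshd_config resembling a bastion that was last touched years ago.
# The second PermitRootLogin line is the kind of "fix" that does not take effect.
BASTION_SSHD_CONFIG = """
# /etc/ssh/sshd_config on contractors-gate (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin no
Match User contractor
    PasswordAuthentication no
"""


def effective_global_options(config_text):
    """Return the global-scope settings sshd would actually apply.

    Keys are lowercased keywords. Only the first occurrence of each keyword is
    kept, and parsing stops at the first Match line because everything after
    it is conditional rather than global.
    """
    options = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        value = parts[1].lower() if len(parts) > 1 else ""
        options.setdefault(keyword, value)  # first value wins, as in sshd
    return options


def audit_bastion(config_text):
    """Return findings for root and password login, using OpenSSH defaults
    (PermitRootLogin prohibit-password, PasswordAuthentication yes) when a
    keyword is absent."""
    opts = effective_global_options(config_text)
    root = opts.get("permitrootlogin", "prohibit-password")
    pwauth = opts.get("passwordauthentication", "yes")
    findings = []
    if root == "yes" and pwauth == "yes":
        findings.append("root can log in with a password")
    elif root == "yes":
        findings.append("root login permitted (PermitRootLogin yes)")
    if pwauth == "yes":
        findings.append("password authentication enabled on a bastion")
    return findings


if __name__ == "__main__":
    for finding in audit_bastion(BASTION_SSHD_CONFIG):
        print("FINDING:", finding)
```

On a live host the authoritative view is `sshd -T`, which prints the effective configuration after the same first-value-wins resolution; the parser above is for reviewing a file pulled off a box or out of a backup.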

Guild-exchange at 10.10.5.10 is a gateway application that bridges OPC-UA data to MQTT. Its management console answers an unauthenticated request with HTTP 200 and serves the entire application configuration in plaintext. That configuration includes the address of the OPC-UA endpoint the gateway connects to, the security mode (None) and the authentication method (anonymous), so the console discloses both the next target and the fact that reaching it requires no credentials. The endpoint itself sits at another address in the DMZ (10.10.5.13) and is not directly reachable from the internet; it requires a position inside the DMZ, and contractors-gate provides one. From there the OPC-UA server is reachable, and because it accepts SecurityMode None and anonymous sessions, any client that can reach it can open a session and browse the address space. The browse shows the available methods immediately: a pump object that exposes stopPump() and startPump() as callable methods.
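The console probe and the triage of what it leaks, as an added example (not the lab's tooling). It starts a stub console on localhost that behaves the way the text describes, answering a bare GET with HTTP 200 and the full configuration, then fetches the config without any credentials and pulls out the three facts the next hop needs. The config body, the `/api/config` path and the OPC-UA port 4840 (the protocol default; the page gives only the address) are assumptions.

```python
"""Probe an unauthenticated gateway console and triage the leaked OPC-UA config.

Added example. The stub server stands in for the real console; the JSON body,
the /api/config path and the :4840 port are constructed assumptions.
"""
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the gateway configuration the console hands out.
LEAKED_CONFIG = {
    "gateway": {"name": "guild-exchange"},
    "opcua": {
        "endpoint": "opc.tcp://10.10.5.13:4840",   # port assumed
        "security_mode": "None",
        "security_policy": "None",
        "auth": {"method": "anonymous"},
    },
}


class ConsoleStub(BaseHTTPRequestHandler):
    """Answers any GET with the whole configuration and never checks auth."""

    def do_GET(self):
        body = json.dumps(LEAKED_CONFIG).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_stub():
    """Bind the stub to an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), ConsoleStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def fetch_config(base_url, path="/api/config"):
    """The unauthenticated probe: a bare GET, no Authorization header, no cookie."""
    with urllib.request.urlopen(base_url + path, timeout=5) as resp:
        return resp.status, json.loads(resp.read())


def triage_opcua(config):
    """Extract the next target and name each weakness in how it is reached."""
    opcua = config["opcua"]
    findings = []
    if opcua.get("security_mode", "").lower() == "none":
        findings.append("SecurityMode None: channel is neither signed nor encrypted")
    if opcua.get("auth", {}).get("method", "").lower() == "anonymous":
        findings.append("anonymous sessions allowed: any client that reaches the "
                        "endpoint can browse the address space and call methods")
    return {"endpoint": opcua["endpoint"], "findings": findings}


def run_probe():
    """Stand up the stub, probe it, tear it down, return the triage result."""
    server, url = start_stub()
    try:
        status, config = fetch_config(url)
        result = triage_opcua(config)
        result["status"] = status
        return result
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(json.dumps(run_probe(), indent=2))
```

The same `triage_opcua` applied to a gateway configured with `SignAndEncrypt` and username or certificate authentication returns no findings, which is the comparison a defender wants: the endpoint address would still be disclosed, but knowing it would no longer be enough to act on it.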

Sorting-office is a policy gateway. Clacks-relay is an MQTT broker. Substation-rtu is a field device gateway. Each one serves a function in the DMZ’s role as a translation layer. Each one is an independent entry point, and each one can be the start of a chain.

The effect of chains from the DMZ is immediate. A pump is stopped, or a sensor reading is falsified and the forged value appears on the MQTT broker in the DMZ within moments, propagating to every subscriber that can reach the broker. These chains are shorter than the IT/OT pivot, which has to traverse the enterprise and operational zones in sequence. From the internet to the DMZ the distance is one zone, and the blast radius is reached in that single step.
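Detection logic for the falsified-reading case, as an added example that is not part of the page or the lab. The records are constructed to resemble a broker-side publish log, which is where the publisher's client id is visible; a plain subscriber sees only the topic and payload, so the publisher check below cannot be done from a subscription alone. Topic names, the legitimate client id, the rate limit and the timestamps are all assumptions. Two checks run over each publish: whether the client id is allowed to publish on that topic, and whether the value could physically have moved that far since the last trusted reading.

```python
"""Flag falsified sensor readings crossing a DMZ MQTT broker.

Added example. Input is a constructed broker-side publish log; the topic,
the legitimate publisher id and the per-second rate limit are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Publish:
    t: float          # seconds since epoch (constructed)
    topic: str
    client_id: str    # as seen by the broker, not by other subscribers
    value: float


# Assumed policy: who may publish on each topic, and how fast a value may move.
ALLOWED_PUBLISHERS = {"plant/pump1/flow": {"guild-exchange"}}
MAX_RATE = {"plant/pump1/flow": 2.0}   # units per second, assumed

# Constructed traffic: steady readings, then an injection from a rogue client,
# then an implausible value injected under the legitimate publisher's id.
TRAFFIC = [
    Publish(1000.0, "plant/pump1/flow", "guild-exchange", 40.1),
    Publish(1001.0, "plant/pump1/flow", "guild-exchange", 40.3),
    Publish(1002.0, "plant/pump1/flow", "guild-exchange", 40.2),
    Publish(1002.5, "plant/pump1/flow", "mosquitto-pub-1337", 40.2),  # wrong publisher
    Publish(1003.0, "plant/pump1/flow", "guild-exchange", 0.0),        # implausible drop
    Publish(1004.0, "plant/pump1/flow", "guild-exchange", 0.0),        # still far from baseline
]


def detect(messages):
    """Return (time, reasons) for every publish that fails a check.

    Only publishes that pass both checks update the per-topic baseline, so a
    forged value cannot become the reference that makes the next forged
    value look plausible.
    """
    last = {}   # topic -> (time, value) of the last trusted reading
    alerts = []
    for m in messages:
        reasons = []
        if m.client_id not in ALLOWED_PUBLISHERS.get(m.topic, set()):
            reasons.append(f"publisher {m.client_id!r} not allowed on {m.topic}")
        if m.topic in last:
            t0, v0 = last[m.topic]
            dt = max(m.t - t0, 1e-9)
            if abs(m.value - v0) / dt > MAX_RATE.get(m.topic, float("inf")):
                reasons.append(f"value {m.value} moved too fast from {v0} in {dt:.1f}s")
        if reasons:
            alerts.append((m.t, reasons))
        else:
            last[m.topic] = (m.t, m.value)
    return alerts


if __name__ == "__main__":
    for t, reasons in detect(TRAFFIC):
        print(f"t={t}: " + "; ".join(reasons))
```

The publisher check is the one a broker ACL should enforce before a message is ever relayed; the detector is the second line for a broker without one, and the rate check is what catches a forgery that arrives under the legitimate gateway's own identity, which an ACL cannot distinguish.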