{"id":552,"date":"2020-03-26T14:53:00","date_gmt":"2020-03-26T14:53:00","guid":{"rendered":"http:\/\/opcconnect.integrationobjects.com\/?p=552"},"modified":"2026-04-03T16:24:03","modified_gmt":"2026-04-03T16:24:03","slug":"secure-file-transfer-industrial-network","status":"publish","type":"post","link":"https:\/\/integrationobjects.com\/blog\/secure-file-transfer-industrial-network\/","title":{"rendered":"Remote work requirements during COVID-19 outbreak: Secure File Transfer Across Industrial Networks and DMZ Environments"},"content":{"rendered":"\r\n

Transferring files between an industrial control network and the outside world sounds straightforward until you consider what’s at stake. Industrial networks running SCADA, DCS, or other OT systems are deliberately isolated from corporate IT networks and the internet. That isolation is a core security principle. But operations still need files to move: historian exports, configuration backups, firmware updates, reports, log files, and more.<\/p>\r\n

When that transfer is handled carelessly via USB drives, open FTP, uncontrolled VPN access, or direct network connections that bypass the DMZ, the security boundary that protects your control network is compromised. A single insecure file transfer path into an OT network is enough to introduce malware, enable unauthorized access, or become the entry point for a targeted attack on critical infrastructure.<\/p>\r\n

This article explains the specific challenge of secure file transfer in industrial environments, what a purpose-built solution looks like, and how File Tunneller<\/a> addresses the requirements that generic file transfer tools simply cannot meet.<\/p>\r\n

Why secure file transfer in industrial networks is different<\/h2>\r\n

In enterprise IT, secure file transfer<\/a> typically means encryption in transit and authentication. Those are necessary but in industrial environments, they are not sufficient on their own.<\/p>\r\n

OT networks operate under a fundamentally different security model. The Purdue Model and IEC 62443 both define clear zone boundaries between the industrial control network (Level 2\u20133), the DMZ (Level 3.5), and the enterprise IT network (Level 4). The principle is strict: nothing should cross these boundaries without explicit, controlled authorization. Direct, persistent connections between the OT network and corporate or external networks are not permitted under this model.<\/p>\r\n

This creates a specific set of requirements that file transfer in industrial environments must satisfy:<\/p>\r\n

No persistent open connections into the OT network.<\/strong> A file transfer solution that requires an always-on inbound connection to the control network violates the zone separation principle and creates a permanent attack surface.<\/p>\r\n

Firewall traversal through a single, defined port.<\/strong> Industrial firewalls are configured to allow only specific, known traffic. A solution that requires multiple ports, dynamic port negotiation, or protocol inspection exceptions is operationally difficult to approve and audit.<\/p>\r\n

Support for DMZ-based architectures.<\/strong> Many industrial sites route all IT\/OT data exchange through a DMZ. The file transfer solution must be able to operate correctly in a multi-hop topology: OT network \u2192 DMZ \u2192 IT network, without establishing a direct path between the two zones.<\/p>\r\n

Encryption and authentication as baseline requirements.<\/strong> Files crossing from an OT network may contain sensitive process data, configuration files, or intellectual property. Encryption in transit is non-negotiable. Authentication ensures only authorized systems and users can initiate or receive transfers.<\/p>\r\n

Resilience to network disruptions.<\/strong> OT networks – especially at remote sites connected via VSAT, WAN, or radio links – experience intermittent connectivity. A file transfer solution must handle connection drops gracefully, resuming or retrying transfers without data loss or corruption.<\/p>\r\n

Scheduling and automation.<\/strong> Operations teams cannot be expected to manually initiate every file transfer. Scheduled, automated transfers triggered by time or event, are essential for historian exports, log archiving, and configuration backups.<\/p>\r\n

Common approaches to industrial file transfer and their risks<\/h2>\r\n

Understanding why generic solutions fall short helps clarify what a purpose-built tool needs to do.<\/p>\r\n

USB drives and removable media.<\/strong> Still the most common method at many industrial sites, and one of the highest-risk. USB drives are a well-documented malware vector the Stuxnet attack, which caused physical damage to industrial equipment, was introduced via USB. Removable media also has no audit trail, no encryption enforcement, and no way to prevent unauthorized copies of sensitive data.<\/p>\r\n

Standard FTP \/ SFTP.<\/strong> FTP in any form is unsuitable for industrial networks it transmits credentials in plain text and requires multiple ports. SFTP is more secure but is still a general-purpose protocol that requires opening inbound SSH access to a host on or near the OT network. In most OT security policies, direct SSH access into the control network zone is not permitted.<\/p>\r\n

VPN-based file transfer.<\/strong> VPN extends the corporate network across the tunnel, which is convenient but problematic from a zone-separation standpoint. A compromised endpoint on the VPN has lateral movement access into the OT network. For site-to-site file transfer between defined systems, VPN is architecturally over-privileged.<\/p>\r\n

Manual copy via a jump host or bastion server.<\/strong> Operationally complex, requires human intervention for every transfer, creates bottlenecks, and is difficult to audit consistently. Suitable for ad-hoc access by engineers but not for automated, recurring transfers.<\/p>\r\n

What industrial environments need is a solution designed specifically for this architecture: TCP-based, firewall-friendly, DMZ-aware, encrypted, authenticated, and capable of operating unattended on a schedule.<\/p>\r\n

How File Tunneller addresses industrial file transfer security<\/h2>\r\n

File Tunneller<\/a> is Integration Objects’ purpose-built solution for secure file transfer across industrial networks, DMZ environments, and wide-area connections. It was designed from the ground up for the specific constraints of OT environments not adapted from a general-purpose enterprise tool.<\/p>\r\n

Single TCP port communication<\/h3>\r\n

All File Tunneller traffic moves through a single, user-configurable TCP port. This makes firewall rules simple, predictable, and auditable. Your firewall team approves one port. There are no dynamic port negotiations, no protocol inspection exceptions, and no need to open a broad range of ports that increases the attack surface.<\/p>\r\n

DMZ-compatible architecture<\/h3>\r\n

File Tunneller supports multi-hop topologies, allowing it to be deployed in a proper DMZ architecture where no direct connection exists between the OT network and the IT network. The DMZ host acts as an intermediary files pass from the OT side to the DMZ host, and from the DMZ host to the IT side, without ever creating a routed path between the two zones.<\/p>\r\n

Encryption and user authentication<\/h3>\r\n

All file transfers are encrypted in transit, ensuring confidentiality and integrity of the data regardless of the network path. User authentication ensures that only authorized systems and accounts can initiate or receive transfers preventing unauthorized access even if a network segment is compromised.<\/p>\r\n

Resilience and automatic retry<\/h3>\r\n

File Tunneller maintains reliability over unreliable links including VSAT, WAN, VPN, and NAT environments. If a transfer is interrupted by a network disruption, it automatically retries and resumes, ensuring files arrive intact without requiring manual intervention.<\/p>\r\n

Scheduled and automated transfers<\/h3>\r\n

Transfers can be scheduled on a daily, weekly, or monthly basis, or configured to run at a custom interval. This enables fully automated workflows – historian exports, configuration backups, log archiving – without requiring an operator to be present or manually trigger each transfer.<\/p>\r\n

Multiple simultaneous connections<\/h3>\r\n

File Tunneller<\/a> supports multiple concurrent client connections and simultaneous file transfers, making it suitable for multi-site deployments where several remote locations transfer files to a central historian or data repository.<\/p>\r\n\r\n\r\n\r\n

\r\n
\"Integration<\/figure>\r\n<\/div>\r\n\r\n\r\n\r\n

Typical use cases for secure industrial file transfer<\/h2>\r\n

Historian data export to IT.<\/strong> Process historians on the OT network generate large volumes of time-series data that analytics teams, business intelligence tools, and ERP systems need. File Tunneller automates the scheduled export of historian files from the OT zone to the IT zone without creating a persistent data connection between them.<\/p>\r\n

Firmware and software updates into the OT network.<\/strong> Applying updates to PLCs, RTUs, and SCADA servers requires getting files from the IT network into the OT network in a controlled, auditable way. File Tunneller provides a one-way or bidirectional transfer path that keeps the firewall configuration clean and the transfer logged.<\/p>\r\n

Configuration backups from control devices.<\/strong> Regular backup of PLC and DCS configuration files to a secure off-network repository is a core OT resilience practice. File Tunneller can automate these backups on a schedule, ensuring current configuration files are always available for disaster recovery.<\/p>\r\n

Log and alarm file archiving.<\/strong> Industrial systems generate operational logs and alarm histories that must be preserved for compliance, incident investigation, and performance analysis. Automating their transfer to long-term storage in the IT zone eliminates the manual effort and the security risk of removable media.<\/p>\r\n

Remote site to central office data consolidation.<\/strong> For organizations operating multiple industrial sites – refineries, substations, offshore platforms, water treatment facilities – File Tunneller provides a consistent, secure mechanism for consolidating data from geographically distributed OT environments to a central location.<\/p>\r\n

Frequently asked questions about secure file transfer in industrial networks<\/span><\/span>\u00a0<\/span><\/h2>\r\n