IEC 62443: Zones and Conduits

What are Zones and Conduits?

Zones

A zone is a logical or physical grouping of assets that have similar security requirements within an OT environment. A zone can have multiple sub-zones and multiple conduits. A firewall is the means to segregate networks into zones.

Zones should be defined as part of the "Specification" phase of the Automation Solution Security Lifecycle.

Conduits

Conduits are the controlled communications channels between each zone. Assets within a zone use a conduit to communicate.

A conduit cannot:

  • have sub-conduits;

  • traverse more than 1 zone; or;

  • be used for more than 2 zones.

https://www.trendmicro.com/en_us/research/20/g/guidelines-related-to-security-in-smart-factories-part-2-system-design-and-security-level-of-iec62443.html
Left - Nested Zones, Right - Segregation into seperate zones. https://www.youtube.com/watch?v=0s8luqyczxU&t=804s

Why use Zones and Conduits?

Zones and conduits are useful to:

  • Segregate low security and high security devices.

  • Create layer 3 boundaries.

  • Assist in filtering traffic.

  • Maintain a defence-in-depth approach.

PreviousFramework ArchitecturesNextSteps for Zoning

Last updated