IEC 62443 Zones & Conduits

IEC 62443 recommends partitioning the System Under Consideration into zones (groups of assets with similar security requirements) and conduits (controlled communication paths between zones). This limits blast radius and makes security requirements measurable per zone.

• Inventory assets by function (safety, control, supervisory, engineering, DMZ, enterprise), location, and criticality.
• Group into zones using risk and operational constraints (e.g., Safety zone, Control zone, Site DMZ, Business/IT zone).
• Define conduits for required communications between zones; default to deny by default and allow by exception.
• Assign SL-T per zone/conduit based on threat environment and tolerable risk.

Define conduit policies as allow-lists by protocol, asset identity, role, and maintenance window.

Start in Monitor mode and move to Alert/Enforce to avoid downtime.

• Policy-as-Conduit: allowed service flows, remote support, jump hosts, break-glass procedures.
• Zone posture: per-zone trust drift (patch gaps, tamper events, rogue identities).
• Containment: quarantine or isolate compromised devices by revoking access and restricting egress.

• Business Zone ↔ Site DMZ: Broker IT/OT data exchanges through DMZ services; restrict direct enterprise-to-control connectivity.
• Engineering Workstations: Strong identity, step-up verification, and time-bound access to control networks and PLC tooling.
• Vendor Remote Support: Session-based access with device attestation, recorded commands, and automatic revocation after maintenance windows.