IEC 62443 Zones and Conduits Explained

Trout Team · 5 min read

What Are Zones and Conduits?

IEC 62443 defines two building blocks for securing Industrial Automation and Control Systems (IACS):

  • Zones are logical or physical groupings of assets that share common security requirements. A zone might contain all PLCs on a production line, or all SCADA servers at a site. Each zone is assigned a Security Level (SL 1 through SL 4) based on the assets it protects.
  • Conduits are the controlled communication paths between zones. Every conduit has explicit security controls: firewalls, authentication, encryption, and logging. No traffic flows between zones except through a conduit.

Figure: IEC 62443 zone and conduit model showing security zones with controlled communication paths

The model is straightforward: group assets by security need, control every path between groups. This limits lateral movement, simplifies compliance, and makes incident containment faster.

Why This Matters

Without zones and conduits, a flat OT network treats every device as equally trusted. A compromised HMI can reach safety controllers, historians, and engineering workstations with no barrier in between.

Zones and conduits fix this by enforcing three principles:

  1. Isolation. Assets with different security requirements live in different zones. A Level 0 sensor zone does not share a trust boundary with a Level 3 operations zone.
  2. Controlled access. Conduits define exactly what traffic is allowed between zones, who can initiate it, and what protocols are permitted.
  3. Auditability. Every conduit is a logging point. When an incident occurs, you know exactly which zone was breached and which conduits were used.

Designing Zones

Step 1: Inventory Your Assets

List every IACS asset, its function, its network connections, and the protocols it uses. You cannot define zone boundaries without knowing what is on the network.

Step 2: Assess Risk per Asset

Evaluate each asset's exposure. Consider:

  • What happens if this device is compromised? (Safety impact, production impact, data exposure)
  • What vulnerabilities exist? (Unpatched firmware, default credentials, open ports)
  • What compliance requirements apply? (CUI handling, CMMC practices, NIS2 obligations)

Step 3: Assign Security Levels

IEC 62443 defines four Security Levels:

Level | Meaning                                                          | Typical Assets
SL 1  | Protection against casual violation                              | Office workstations, non-critical displays
SL 2  | Protection against intentional violation with low resources      | Remote access gateways, jump hosts
SL 3  | Protection against intentional violation with moderate resources | SCADA, PLCs, DCS controllers
SL 4  | Protection against intentional violation with extended resources | Safety Instrumented Systems (SIS)

Step 4: Group Assets into Zones

Assets with the same Security Level and operational function go into the same zone. Keep zones small. A zone with 200 devices offers little more protection than a flat network.

Technical detail: IEC 62443-3-2 specifies that zone boundaries should align with both security requirements and operational function. Two PLCs on different production lines may have the same SL but belong in separate zones if a compromise on one line should not affect the other.
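As an added illustration of Steps 1 through 4 (example code, not from the article or from Trout), the Python below groups a constructed inventory into zones by security level and operational function, and audits an existing zone map for mixed levels, mixed functions, oversized zones and unassigned assets. The asset names and the 25-asset size threshold are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    name: str
    function: str        # operational function recorded in Step 1
    security_level: int  # target SL 1..4 assigned in Step 3

INVENTORY = [  # constructed sample inventory; asset names are hypothetical
    Asset("plc-l1-01", "line-1-control", 3), Asset("plc-l1-02", "line-1-control", 3),
    Asset("plc-l2-01", "line-2-control", 3), Asset("sis-01", "safety", 4),
    Asset("hist-01", "historian", 2), Asset("jump-01", "remote-access", 2),
    Asset("hmi-l1-01", "line-1-control", 2),
]
MAX_ZONE_SIZE = 25  # constructed threshold; the article only says "keep zones small"

def group_into_zones(assets):
    """Step 4: one zone per (security level, operational function) pair."""
    zones = defaultdict(list)
    for a in assets:
        if not 1 <= a.security_level <= 4:
            raise ValueError(f"{a.name}: security level must be 1..4")
        zones[(a.security_level, a.function)].append(a.name)
    return {f"SL{sl}-{fn}": sorted(names) for (sl, fn), names in sorted(zones.items())}

def audit_zone_map(zone_map, assets):
    """Check an existing zone map against the grouping rules; returns findings."""
    by_name = {a.name: a for a in assets}
    findings, assigned = [], set()
    for zone, members in zone_map.items():
        unknown = [m for m in members if m not in by_name]
        if unknown:
            findings.append(f"{zone}: members not in inventory {unknown}")
        known = [by_name[m] for m in members if m in by_name]
        assigned.update(a.name for a in known)
        levels = sorted({a.security_level for a in known})
        functions = sorted({a.function for a in known})
        if len(levels) > 1:
            findings.append(f"{zone}: mixes security levels {levels}")
        if len(functions) > 1:
            findings.append(f"{zone}: mixes operational functions {functions}")
        if len(members) > MAX_ZONE_SIZE:
            findings.append(f"{zone}: {len(members)} assets exceeds {MAX_ZONE_SIZE}")
    for missing in sorted(by_name.keys() - assigned):
        findings.append(f"{missing}: not assigned to any zone")
    return findings
```

Note that the HMI on line 1 lands in its own SL 2 zone rather than alongside the SL 3 PLCs it serves, which is the point of grouping by level as well as function.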

Establishing Conduits

Every communication path between zones must be a defined conduit with explicit controls.

Define Allowed Flows

For each conduit, specify:

  • Source zone and destination zone
  • Allowed protocols (Modbus TCP, OPC-UA, HTTPS, etc.)
  • Direction of initiation (which zone can start the connection)
  • Authentication requirements (certificate, username/password, MFA)

Apply Security Controls

Each conduit needs enforcement at the boundary:

  • Firewalls filter traffic by source, destination, port, and protocol
  • Authentication verifies identity before allowing access
  • Encryption protects data in transit (especially across untrusted segments)
  • Logging records every connection for audit and incident response

Monitor Continuously

A conduit is only as good as its monitoring. Log every connection attempt (allowed and denied). Baseline normal traffic patterns and alert on deviations.
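An added example of the conduit rules above (not from the article or Trout's product): each connection attempt is resolved to its source and destination zones, matched against a conduit table that records allowed protocols, the initiating zone and the accepted authentication methods, and every decision, allowed or denied, is emitted as a log record. Zone names, asset names and the conduit table are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Conduit:
    zone_a: str
    zone_b: str
    protocols: frozenset  # protocols allowed across this conduit
    initiator: str        # the only zone allowed to open connections
    auth: frozenset       # authentication methods accepted at the boundary

# Constructed zone map and conduit table; zone and asset names are hypothetical.
ZONE_OF = {"plc-l1-01": "line1-sl3", "plc-l1-02": "line1-sl3", "scada-01": "ops-sl3",
           "jump-01": "remote-sl2", "sis-01": "safety-sl4"}
CONDUITS = [
    Conduit("ops-sl3", "line1-sl3", frozenset({"modbus-tcp", "opc-ua"}), "ops-sl3", frozenset({"certificate"})),
    Conduit("remote-sl2", "ops-sl3", frozenset({"https"}), "remote-sl2", frozenset({"mfa"})),
]

def evaluate(attempt):
    """Return (decision, reason) for one attempt; 'src' is the initiating asset."""
    src_zone, dst_zone = ZONE_OF.get(attempt["src"]), ZONE_OF.get(attempt["dst"])
    if src_zone is None or dst_zone is None:
        return "deny", "asset not in inventory"   # fail closed on unknown devices
    if src_zone == dst_zone:
        return "allow", "intra-zone traffic"      # no conduit needed inside a zone
    # A conduit joins an unordered pair of zones; direction is checked separately.
    conduit = next((c for c in CONDUITS if {c.zone_a, c.zone_b} == {src_zone, dst_zone}), None)
    if conduit is None:
        return "deny", "no conduit between zones"
    if src_zone != conduit.initiator:
        return "deny", f"only {conduit.initiator} may initiate"
    if attempt["protocol"] not in conduit.protocols:
        return "deny", f"protocol {attempt['protocol']} not allowed"
    if attempt.get("auth") not in conduit.auth:
        return "deny", "authentication requirement not met"
    return "allow", "conduit policy matched"

def enforce(attempts):
    """One log record per attempt, allowed or denied, for audit and baselining."""
    return [dict(a, src_zone=ZONE_OF.get(a["src"]), dst_zone=ZONE_OF.get(a["dst"]),
                 decision=d, reason=r) for a in attempts for d, r in [evaluate(a)]]

ATTEMPTS = [  # constructed sample connection attempts
    {"src": "scada-01", "dst": "plc-l1-01", "protocol": "modbus-tcp", "auth": "certificate"},
    {"src": "plc-l1-01", "dst": "scada-01", "protocol": "modbus-tcp", "auth": "certificate"},
    {"src": "jump-01", "dst": "scada-01", "protocol": "https", "auth": "password"},
    {"src": "scada-01", "dst": "sis-01", "protocol": "opc-ua", "auth": "certificate"},
    {"src": "plc-l1-01", "dst": "plc-l1-02", "protocol": "modbus-tcp"},
]
```

Running `enforce(ATTEMPTS)` yields one record per attempt, so the denied PLC-initiated connection, the password-only jump-host session and the undefined path into the safety zone all appear in the audit trail alongside the allowed flows.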

Common Pitfalls

Zones That Are Too Large

A zone containing the entire OT network provides no segmentation benefit. If every device shares a zone, a compromised PLC has the same access as a compromised HMI. Break zones down to functional units: one production line, one control loop, one safety system.

Conduits Without Enforcement

Defining a conduit on paper but not deploying a firewall or access control at the boundary is a documentation exercise, not a security measure. Every conduit needs a physical or logical enforcement point.

Ignoring Legacy Devices

Older devices that cannot authenticate or encrypt still need zone protection. Place them in a zone with a higher SL boundary, and enforce access control at the conduit rather than on the device itself. This is where agentless, network-based enforcement is essential.

Technical detail: Legacy PLCs running Modbus RTU/TCP cannot participate in authentication handshakes. The conduit's enforcement point (firewall, access gate, or proxy) must authenticate on behalf of the device by verifying the identity of the connecting user/system before forwarding traffic to the legacy endpoint.

Compliance Alignment

Zones and conduits map directly to requirements in major compliance frameworks:

  • CMMC Level 2: AC (Access Control) practices require per-system access restrictions. Zone boundaries enforce this at the network level.
  • NIST 800-171: SC (System and Communications Protection) requires network segmentation and boundary defense. Conduits with firewall enforcement satisfy these controls.
  • NIS2: Requires risk-based security measures and incident detection. Zone-level monitoring and conduit logging provide the evidence base.

Conclusion

IEC 62443 zones and conduits give you a structured way to segment industrial networks. Group assets by security need, control every path between groups, log everything at the boundary. The result is a network where a breach in one zone stays in that zone, where every cross-zone connection is authorized and recorded, and where compliance evidence is generated as a byproduct of normal operation.

Start with your asset inventory. Define your zones. Deploy enforcement at every conduit. That is the foundation.
