IEC 62443 zones and conduits is a segmentation model that groups your operational technology (OT) assets into security "zones" and controls every data path between them through defined "conduits." The idea is simple: instead of one flat factory network where a single compromised device can reach every machine, you carve the plant into logical boxes and police the traffic between them. This guide explains the model in plain terms, walks through a worked segmentation example, and shows how a shared data foundation fits alongside it.
Most legacy shop floors grew organically. A programmable logic controller (PLC) here, a human machine interface there, a historian bolted on later, all sharing one subnet with office laptops and the guest Wi-Fi. On a flat network, lateral movement is trivial: malware that lands on an engineering workstation can scan and reach a safety controller in seconds. The 2021 update of IEC 62443 (the international standard for industrial automation and control system security) exists precisely to break that chain.
The core insight is that not every asset needs to talk to every other asset. A vibration sensor does not need a route to the accounting server. By drawing boundaries around groups of assets with similar risk and function, you shrink the "blast radius" of any single incident. This is the same defensive logic behind a good FMEA in manufacturing: identify failure paths and cut them before they cascade.
A zone is a logical or physical grouping of assets that share common security requirements. Grouping is driven by function, criticality, and trust level, not just by where a cable physically runs. Typical zones on a plant floor include:
Each zone carries a target Security Level (SL), from SL 1 (protection against casual or accidental misuse) up to SL 4 (protection against a well-resourced, deliberately targeted attacker). A safety zone usually demands a higher SL than a supervisory reporting zone.
A conduit is the controlled communication path between two zones, or between a zone and the outside world. Every conduit is a chokepoint you deliberately create so you can inspect, authenticate, and restrict what crosses it. A conduit is typically enforced by a firewall, a data diode, a managed switch with access control lists, or a unidirectional gateway.
The rule of thumb: traffic within a zone flows freely; traffic between zones flows only through a conduit, and only if explicitly allowed. A well-designed conduit specifies which protocols, which source and destination addresses, and which direction are permitted. Everything else is denied by default. This deny-by-default posture is what turns a network diagram into an actual security control.
Imagine a beverage plant with 40 networked assets on one flat /24 subnet. Today, any device can reach all 39 others, giving 40 x 39 = 1,560 possible directed communication paths, every one of them an attack path. Here is how zones and conduits collapse that.
The payoff is concrete. If ransomware lands on an Enterprise laptop, it hits the DMZ conduit firewall first. To reach a PLC it would have to defeat three separate conduits in sequence, each logging the attempt. That is the difference between a bad afternoon and a plant-wide shutdown. Tracking how often such stoppages actually occur is a maintenance-reliability question too, which is why teams watch metrics like MTBF and MTTR and overall equipment effectiveness after any network change.
You do not have to re-architect everything at once. A sane order of operations:
Zones and conduits govern how your OT network is wired and firewalled. Fabrico does not control that segmentation, and it is not a SCADA or network-control system. What Fabrico gives you is the real-time data foundation that sits on top of a well-segmented plant: live OEE and production monitoring, plus a field-ready CMMS for work orders, asset records, preventive scheduling, and spare-parts tracking. Because Fabrico can read machine state using computer vision even on equipment with no PLC, you can gain visibility without adding new controllers or new cross-zone data paths that complicate your conduit design. Fabrico is EU-built with EU data residency, which matters when your segmentation strategy also has to satisfy data-sovereignty rules. Explore the CMMS overview or the OEE and MES overview to see how the data layer complements your security architecture.
No. A firewall is one tool you might use to enforce a conduit, but IEC 62443 is a full framework covering asset inventory, risk assessment, security levels, roles, and lifecycle management. Conduits are enforced by firewalls, data diodes, or managed switches, yet the standard is about the whole design discipline, not any single device.
There is no fixed number. Some small lines run comfortably with three or four zones, while a large multi-process plant may have a dozen. The right count comes from grouping assets that genuinely share function and security requirements, then splitting further only where the risk justifies the added complexity. Fewer, well-defended boundaries usually beat many poorly maintained ones.
Yes, and most facilities do exactly that. Start with a complete asset inventory, draw logical zones, and insert conduits at the highest-risk boundaries first (typically the IT-to-OT and safety borders). You can phase the work over months without a full rebuild, tightening one boundary at a time while production continues.
Ready to layer real-time OEE and CMMS visibility onto your segmented OT network without adding new cross-zone risk? Book a Fabrico demo and see the data foundation in action.