Menu
IEC 62443 Zones and Conduits: A Plain Guide to Segmenting Your OT Network

IEC 62443 Zones and Conduits: A Plain Guide to Segmenting Your OT Network

A plain-language guide to IEC 62443 zones and conduits: how to segment your OT network, assign security levels, and cut the risk of a plant-wide breach.
IEC 62443 Zones and Conduits: A Plain Guide to Segmenting Your OT Network

IEC 62443 zones and conduits is a segmentation model that groups your operational technology (OT) assets into security "zones" and controls every data path between them through defined "conduits." The idea is simple: instead of one flat factory network where a single compromised device can reach every machine, you carve the plant into logical boxes and police the traffic between them. This guide explains the model in plain terms, walks through a worked segmentation example, and shows how a shared data foundation fits alongside it.

Why a flat OT network is a liability

Most legacy shop floors grew organically. A programmable logic controller (PLC) here, a human machine interface there, a historian bolted on later, all sharing one subnet with office laptops and the guest Wi-Fi. On a flat network, lateral movement is trivial: malware that lands on an engineering workstation can scan and reach a safety controller in seconds. The 2021 update of IEC 62443 (the international standard for industrial automation and control system security) exists precisely to break that chain.

The core insight is that not every asset needs to talk to every other asset. A vibration sensor does not need a route to the accounting server. By drawing boundaries around groups of assets with similar risk and function, you shrink the "blast radius" of any single incident. This is the same defensive logic behind a good FMEA in manufacturing: identify failure paths and cut them before they cascade.

What a zone actually is

A zone is a logical or physical grouping of assets that share common security requirements. Grouping is driven by function, criticality, and trust level, not just by where a cable physically runs. Typical zones on a plant floor include:

  • Enterprise / IT zone: ERP, email, business analytics, the corporate domain.
  • DMZ (demilitarized zone): the buffer where historians, patch servers, and remote-access jump hosts live, mediating between IT and OT.
  • Supervisory zone: SCADA servers and operator workstations. If SCADA is new to you, our primer on what SCADA is covers the basics.
  • Control zone: the PLCs and controllers running the process in real time.
  • Safety zone: the safety instrumented systems, kept as isolated as the process allows.

Each zone carries a target Security Level (SL), from SL 1 (protection against casual or accidental misuse) up to SL 4 (protection against a well-resourced, deliberately targeted attacker). A safety zone usually demands a higher SL than a supervisory reporting zone.

What a conduit does

A conduit is the controlled communication path between two zones, or between a zone and the outside world. Every conduit is a chokepoint you deliberately create so you can inspect, authenticate, and restrict what crosses it. A conduit is typically enforced by a firewall, a data diode, a managed switch with access control lists, or a unidirectional gateway.

The rule of thumb: traffic within a zone flows freely; traffic between zones flows only through a conduit, and only if explicitly allowed. A well-designed conduit specifies which protocols, which source and destination addresses, and which direction are permitted. Everything else is denied by default. This deny-by-default posture is what turns a network diagram into an actual security control.

A worked example: segmenting a bottling line

Imagine a beverage plant with 40 networked assets on one flat /24 subnet. Today, any device can reach all 39 others, giving 40 x 39 = 1,560 possible directed communication paths, every one of them an attack path. Here is how zones and conduits collapse that.

  1. Group the assets. Sort the 40 into four zones: Enterprise (8 assets), DMZ (4), Supervisory (10), and Control plus Safety (18).
  2. Assign target security levels. Enterprise SL 2, Supervisory SL 2, Control SL 3, Safety SL 3. The higher the SL, the stricter the conduit controls that guard it.
  3. Define conduits, not open borders. Allow exactly three conduits: Enterprise to DMZ, DMZ to Supervisory, and Supervisory to Control. No direct Enterprise to Control path exists at all.
  4. Count the residual paths. Cross-zone traffic now rides three conduits instead of roaming freely. If each conduit permits, say, 5 specific protocol-and-host rules, you have replaced roughly 1,000-plus cross-zone attack paths with 15 audited, logged rules.

The payoff is concrete. If ransomware lands on an Enterprise laptop, it hits the DMZ conduit firewall first. To reach a PLC it would have to defeat three separate conduits in sequence, each logging the attempt. That is the difference between a bad afternoon and a plant-wide shutdown. Tracking how often such stoppages actually occur is a maintenance-reliability question too, which is why teams watch metrics like MTBF and MTTR and overall equipment effectiveness after any network change.

A practical rollout sequence

You do not have to re-architect everything at once. A sane order of operations:

  • Inventory first. You cannot zone what you have not mapped. Build a complete asset register: every controller, HMI, switch, and sensor, with its function and criticality.
  • Draw zones on paper before touching cables. Group by function and required SL, then validate the grouping with the people who actually run the line.
  • Insert conduits at the highest-value boundaries first. The IT-to-OT border and the safety boundary give the most risk reduction per hour of work.
  • Default-deny, then open what production needs. Start each conduit closed and add rules only when a real, tested process requires them.
  • Document and review. Treat the zone-and-conduit design as a living document, revisited whenever you add equipment. A structured method such as the PDCA cycle keeps the review honest, and a HAZOP study can surface where a security change might create a process-safety risk.

Where Fabrico fits

Zones and conduits govern how your OT network is wired and firewalled. Fabrico does not control that segmentation, and it is not a SCADA or network-control system. What Fabrico gives you is the real-time data foundation that sits on top of a well-segmented plant: live OEE and production monitoring, plus a field-ready CMMS for work orders, asset records, preventive scheduling, and spare-parts tracking. Because Fabrico can read machine state using computer vision even on equipment with no PLC, you can gain visibility without adding new controllers or new cross-zone data paths that complicate your conduit design. Fabrico is EU-built with EU data residency, which matters when your segmentation strategy also has to satisfy data-sovereignty rules. Explore the CMMS overview or the OEE and MES overview to see how the data layer complements your security architecture.

Frequently Asked Questions

Is IEC 62443 the same thing as a firewall?

No. A firewall is one tool you might use to enforce a conduit, but IEC 62443 is a full framework covering asset inventory, risk assessment, security levels, roles, and lifecycle management. Conduits are enforced by firewalls, data diodes, or managed switches, yet the standard is about the whole design discipline, not any single device.

How many zones does a factory need?

There is no fixed number. Some small lines run comfortably with three or four zones, while a large multi-process plant may have a dozen. The right count comes from grouping assets that genuinely share function and security requirements, then splitting further only where the risk justifies the added complexity. Fewer, well-defended boundaries usually beat many poorly maintained ones.

Can I retrofit zones and conduits onto an old plant?

Yes, and most facilities do exactly that. Start with a complete asset inventory, draw logical zones, and insert conduits at the highest-risk boundaries first (typically the IT-to-OT and safety borders). You can phase the work over months without a full rebuild, tightening one boundary at a time while production continues.

Ready to layer real-time OEE and CMMS visibility onto your segmented OT network without adding new cross-zone risk? Book a Fabrico demo and see the data foundation in action.

Latest from our blog

Define Your Reliability Roadmap
Validate Your Potential ROI: Book a Live Demo
Define Your Reliability Roadmap
By clicking the Accept button, you are giving your consent to the use of cookies when accessing this website and utilizing our services. To learn more about how cookies are used and managed, please refer to our Privacy Policy and Cookies Declaration