Module 0: Zones, conduits, and the partitioning mindset (1/3)

What is a security zone and why it matters

Duration: 30 min. Ref: IEC 62443-3-2 §4


From flat networks to structured defence

In the Foundations track you learned that flat networks are the number-one root cause behind every major ICS incident. This lesson introduces the tool IEC 62443 provides to fix that problem: the security zone.

Key takeaway

Definition (IEC 62443-1-1)

A security zone is a grouping of logical or physical assets that share common security requirements. All assets within a zone are protected to the same Security Level (SL-T).

Why zones, not just firewalls?

A firewall is a mechanism. A zone is a policy decision. You decide which assets belong together based on:

  • Function — do they participate in the same process?
  • Risk — do they face the same threats?
  • Trust — do they share the same trust domain (authentication, authorisation)?
  • Criticality — would their compromise have the same consequence?

Only after you define zones do you decide how to enforce them (firewalls, VLANs, data diodes, physical air gaps).

Zone properties

Every zone has four defining properties:

Property | Description | Example
Boundary | The logical or physical perimeter of the zone | VLAN 10 + access control list
SL-T | The target Security Level — derived from risk assessment | SL-T 3 for the SIS zone
Assets | The devices, software, and data within the zone | PLCs, HMI, engineering workstation
Conduits | The communication paths connecting this zone to others | Modbus/TCP conduit to Level 1 zone

Zone design principles

1. Minimise the attack surface

The fewer conduits a zone has, the fewer paths an attacker can exploit. Ideal: each zone has exactly one conduit to one adjacent zone. Reality: most zones have 2–4 conduits.

2. Group by security requirement, not by vendor

Do not create a "Siemens zone" and a "Rockwell zone." Create a "Level 1 control zone" that contains all controllers regardless of vendor, because they all face the same threats and need the same SL-T.

3. Isolate safety-critical assets

The SIS, burner management system, and emergency shutdown system must be in their own zone(s) with the highest SL-T. Never combine safety-critical and non-safety assets in the same zone.

Analogy

Zones are like hospital wards. You do not mix the neonatal ICU with the cafeteria. Each ward has its own access controls, staffing ratios, and emergency procedures — because the patients (assets) have different risk profiles.

4. Start coarse, then refine

For a first-pass risk assessment, start with broad zones aligned to Purdue levels. Then split zones where you discover assets with significantly different risk profiles.


Common mistakes

Worked example

Mistake 1: Putting the engineering workstation in the same zone as the HMI. The engineering workstation has PLC programming capability — a much higher privilege than the HMI's read/display function. They need different SL-Ts.

Mistake 2: Creating too many zones. If you have 50 zones with 200 conduits, you cannot manage them. A typical medium-sized plant should have 5–12 zones.
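The four design principles above and the two common mistakes can be turned into mechanical checks on a candidate zone model before the risk assessment starts. The following is an added example written for this lesson, not code from the course or from the IEC 62443 standard. It models zones, assets and conduits as plain Python data and lints a design for: safety assets sharing a zone with non-safety assets (principle 3), assets in one zone that need different SL-Ts or a zone SL-T below what its assets need (mistake 1), conduit count per zone (principle 1), zones that differ only by vendor (principle 2), and a zone count outside the 5–12 range the lesson gives (mistake 2). The sample design, vendor names and the `required_sl_t` values are constructed for illustration; the conduit limit of 4 is taken from the "2–4 conduits" observation above, and the `max_conduits` and `zone_range` parameters are assumptions you would tune per site.

```python
from dataclasses import dataclass, field
from itertools import combinations


@dataclass(frozen=True)
class Asset:
    name: str
    purdue_level: int
    required_sl_t: int             # SL-T the risk assessment says this asset needs
    safety_critical: bool = False
    vendor: str = ""


@dataclass
class Zone:
    name: str
    sl_t: int                      # SL-T assigned to the whole zone
    assets: list = field(default_factory=list)


@dataclass(frozen=True)
class Conduit:
    src: str                       # zone name at each end
    dst: str


def check_design(zones, conduits, max_conduits=4, zone_range=(5, 12)):
    """Return a list of (rule, message) findings for a zone/conduit design."""
    findings = []
    degree = {z.name: 0 for z in zones}

    # Every conduit must join two known zones; count conduits per zone as we go.
    for c in conduits:
        for end in (c.src, c.dst):
            if end in degree:
                degree[end] += 1
            else:
                findings.append(("unknown-zone", f"conduit {c.src}->{c.dst}: no zone named {end!r}"))

    for z in zones:
        # Principle 3: safety-critical assets get their own zone(s).
        crit = [a.name for a in z.assets if a.safety_critical]
        if crit and len(crit) < len(z.assets):
            findings.append(("mixed-safety", f"zone {z.name}: safety assets {crit} share a zone with non-safety assets"))
        # Mistake 1: assets that need different SL-Ts (e.g. EWS vs HMI) cannot share a zone,
        # and the zone's SL-T must cover the most demanding asset in it.
        levels = {a.required_sl_t for a in z.assets}
        if len(levels) > 1:
            findings.append(("mixed-sl-t", f"zone {z.name}: assets need SL-Ts {sorted(levels)}; split the zone"))
        if levels and z.sl_t < max(levels):
            findings.append(("sl-t-too-low", f"zone {z.name}: SL-T {z.sl_t} is below the SL-T {max(levels)} its assets need"))

    # Principle 1: each conduit is a path into the zone; keep the count small.
    for name, n in sorted(degree.items()):
        if n > max_conduits:
            findings.append(("too-many-conduits", f"zone {name}: {n} conduits (limit {max_conduits})"))
        elif n == 0:
            findings.append(("isolated-zone", f"zone {name}: no conduits; confirm the air gap is intentional"))

    # Principle 2: two zones with the same level, SL-T and safety profile that differ
    # only by vendor are usually one zone split for the wrong reason.
    for a, b in combinations(zones, 2):
        va = {x.vendor for x in a.assets}
        vb = {x.vendor for x in b.assets}
        same_profile = (a.sl_t == b.sl_t
                        and {x.purdue_level for x in a.assets} == {x.purdue_level for x in b.assets}
                        and {x.safety_critical for x in a.assets} == {x.safety_critical for x in b.assets})
        if len(va) == 1 and len(vb) == 1 and va != vb and same_profile:
            findings.append(("vendor-split", f"zones {a.name} and {b.name}: same level and SL-T, split only by vendor"))

    # Mistake 2: zone count outside the range the lesson gives for a medium-sized plant.
    lo, hi = zone_range
    if not lo <= len(zones) <= hi:
        findings.append(("zone-count", f"{len(zones)} zones; a typical medium plant has {lo}-{hi}"))
    return findings


# Constructed sample: a deliberately flawed first-pass design that commits every mistake above.
SAMPLE_ZONES = [
    Zone("Siemens L1", sl_t=2, assets=[Asset("PLC-1", 1, 2, vendor="Siemens")]),
    Zone("Rockwell L1", sl_t=2, assets=[Asset("PLC-2", 1, 2, vendor="Rockwell")]),
    Zone("Supervisory", sl_t=2, assets=[
        Asset("HMI-1", 2, 2, vendor="Siemens"),
        Asset("EWS-1", 2, 3, vendor="Siemens"),      # programming capability -> needs a higher SL-T
    ]),
    Zone("Safety", sl_t=3, assets=[
        Asset("SIS-1", 1, 3, safety_critical=True, vendor="SafetyCo"),
        Asset("PLC-3", 1, 3, vendor="Siemens"),      # non-safety controller inside the SIS zone
    ]),
]
SAMPLE_CONDUITS = [
    Conduit("Supervisory", "Siemens L1"), Conduit("Supervisory", "Rockwell L1"),
    Conduit("Supervisory", "Safety"), Conduit("Siemens L1", "Safety"),
    Conduit("Rockwell L1", "Safety"),
]

if __name__ == "__main__":
    for rule, msg in check_design(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print(f"[{rule}] {msg}")
```

Run against the sample it reports the vendor split between the two Level 1 zones, the engineering workstation sharing a zone (and an SL-T) with the HMI, the non-safety PLC inside the SIS zone, and a zone count below the typical range; a design that merges the two controller zones, moves the EWS into its own SL-T 3 zone and leaves only the SIS in the safety zone comes back clean.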

How zones feed the rest of the 3-2 process

Zones are the unit of analysis for everything that follows:

  1. Threat identification — threats are assessed per zone, not per device.
  2. Risk scoring — consequence and likelihood are scored per zone.
  3. SL-T assignment — each zone gets its own SL-T vector.
  4. System requirements — the SRs you implement are determined by each zone's SL-T.

Key Takeaways

  1. A security zone is a grouping of assets that share common security requirements.
  2. Zones are policy decisions; firewalls are enforcement mechanisms.
  3. Every zone has a boundary, an SL-T, a set of assets, and conduits to other zones.
  4. Isolate safety-critical assets in their own zone with the highest SL-T.
  5. Start with coarse zones aligned to Purdue levels, then refine based on risk.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. According to IEC 62443-1-1, what is a security zone?

    • A physical room where servers are located.
    • A grouping of logical or physical assets that share common security requirements.
    • A firewall rule set.
    • A VLAN on a network switch.

    A security zone is a grouping of assets that share common security requirements. All assets within a zone are protected to the same Security Level (SL-T). Zones are policy decisions; firewalls and VLANs are enforcement mechanisms.

  2. Q2. Why should safety-critical assets (SIS, ESD) be in their own security zone?

    • To make them easier to find on the network diagram.
    • Because their compromise could allow a catastrophe, so they need the highest SL-T and a dedicated conduit.
    • Because safety controllers are always on a different VLAN.
    • To reduce the cost of network switches.

    Safety-critical assets like the SIS have the highest consequence of compromise — a disabled safety system could allow an uncontrolled process upset. They must be in their own zone with the highest SL-T and a unidirectional conduit to minimise their attack surface.

  3. Q3. How many zones should a typical medium-sized industrial plant have?

    • 1–2 zones
    • 5–12 zones
    • 50–100 zones
    • One zone per device

    A typical medium-sized plant should have 5–12 zones. Too few zones means assets with different risk profiles are grouped together. Too many zones (50+) creates unmanageable complexity with hundreds of conduits.