IEC 62443 Zones and Conduits for Brownfield Plants
Many industrial sites want to improve OT cybersecurity but cannot redesign the plant network from a blank sheet. Production must continue, vendor support must remain possible, and safety-related systems cannot be treated like ordinary IT assets. That is where IEC 62443 zones and conduits become useful: they give engineering, operations, maintenance, and IT teams a practical language for grouping assets by risk and controlling communication between those groups.
What Are IEC 62443 Zones and Conduits?
In an IEC 62443-style design, a zone groups industrial automation and control system assets that share similar security requirements. A conduit defines and protects the communication path between zones. Instead of asking whether the whole plant is “secure,” the team asks sharper questions: which assets belong together, what security level is needed for each group, and which protocols must cross the boundary?
This is especially important in brownfield plants, where PLCs, DCS controllers, engineering stations, safety systems, historians, remote access tools, and vendor laptops may have grown over many years. NIST SP 800-82 Rev. 3, published in September 2023, emphasizes that OT security must account for performance, reliability, and safety requirements, not only confidentiality. That makes segmentation a risk engineering exercise, not a simple firewall project.
A Practical Brownfield Workflow
1. Start With Assets and Process Criticality
Begin with a focused OT asset register. Include controllers, operator stations, engineering workstations, safety instrumented systems, analyzers, network switches, remote access gateways, historians, patch servers, and backup systems. For each asset, record owner, location, function, vendor, operating system or firmware family, communication protocols, and process consequence if it is unavailable or manipulated.
2. Draw the Current Communication Paths
Brownfield teams often discover that the real network is different from the last drawing. Use interviews, switch configuration reviews, firewall rules, historian connections, and safe passive discovery to identify actual communication. Pay special attention to remote services, engineering workstation access, vendor modems or VPNs, and data flows from control networks to business systems.
3. Group Zones by Risk, Not by Convenience
A useful first pass may separate enterprise IT, industrial DMZ, control system operations, safety-related systems, package units, remote access, and field device networks. The objective is not to create many zones for appearance. The objective is to create boundaries that make engineering sense and can be operated by the plant team.
4. Define Conduits With Allowed Traffic
For each zone boundary, define the required traffic: source, destination, protocol, port, direction, business or engineering purpose, owner, and monitoring requirement. If a communication path has no named owner or purpose, it is a candidate for removal or redesign. MITRE ATT&CK for ICS highlights techniques such as remote services, network discovery, program download, command messages, and manipulation of control, all of which become easier to manage when conduits are explicit.
5. Sequence Improvements Around Plant Risk
Do not start by changing every firewall rule. Start with high-consequence paths: remote access into control zones, engineering workstation access to controllers, business-to-control data exchange, and uncontrolled communication involving safety or protection layers. Use maintenance windows, rollback plans, and management of change so cybersecurity improvements do not create availability or safety problems.
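As an added illustration of steps 4 and 5 (not code from the article or from Roqqy), the small Python check below walks a conduit register, flags paths with no named owner or purpose as removal candidates, and ranks the rest by the process consequence of the zones they touch; the zone names, consequence ratings and sample conduits are constructed assumptions.

```python
# Added example: review a conduit register as described in workflow steps 4 and 5.
# Zone names, consequence ratings and the sample conduits are constructed for
# illustration and are not from the article.
from dataclasses import dataclass

# Constructed process-consequence rating per zone (1 = low, 5 = loss of control or safety).
ZONE_CONSEQUENCE = {"Enterprise": 1, "IDMZ": 2, "Control": 4, "Safety": 5, "RemoteAccess": 3}

@dataclass
class Conduit:
    src_zone: str
    dst_zone: str
    protocol: str
    port: int
    direction: str        # "one-way" or "two-way"
    purpose: str = ""     # engineering or business reason for the path
    owner: str = ""       # accountable person or role
    monitored: bool = False

def review_conduits(conduits):
    """Return (findings, ranked): findings lists conduits missing an owner or a
    purpose (step 4: candidates for removal or redesign); ranked orders the rest
    by zone consequence, two-way traffic and lack of monitoring (step 5)."""
    findings, keep = [], []
    for c in conduits:
        missing = [f for f in ("owner", "purpose") if not getattr(c, f).strip()]
        if missing:
            findings.append((c, missing))
        else:
            keep.append(c)
    def risk(c):
        consequence = max(ZONE_CONSEQUENCE[c.src_zone], ZONE_CONSEQUENCE[c.dst_zone])
        return (consequence, c.direction == "two-way", not c.monitored)
    return findings, sorted(keep, key=risk, reverse=True)

# Constructed sample register for the demonstration.
SAMPLE = [
    Conduit("Control", "IDMZ", "OPC UA", 4840, "one-way", "historian collection", "Automation lead", True),
    Conduit("RemoteAccess", "Control", "RDP", 3389, "two-way", "vendor support session", "Maintenance manager", True),
    Conduit("Enterprise", "Control", "SMB", 445, "two-way"),  # no owner, no purpose recorded
    Conduit("Control", "Safety", "Modbus/TCP", 502, "two-way", "SIS status read", "Safety engineer", False),
]

if __name__ == "__main__":
    findings, ranked = review_conduits(SAMPLE)
    for c, missing in findings:
        print(f"REVIEW {c.src_zone}->{c.dst_zone} {c.protocol}/{c.port}: missing {', '.join(missing)}")
    for c in ranked:
        print(f"{c.src_zone}->{c.dst_zone} {c.protocol}/{c.port} {c.direction} monitored={c.monitored}")
```

The ranked list puts the safety-related and remote-access paths first, which is the order in which a plant team would schedule its maintenance-window changes.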
Common Mistakes to Avoid
- Copying an IT segmentation model directly into OT. Industrial systems may have real-time, vendor, and safety constraints that require different assumptions.
- Creating zones without ownership. Every zone and conduit needs an accountable owner for change approval, monitoring, and periodic review.
- Ignoring temporary access. Vendor laptops, contractor tools, and maintenance connections often become the weakest route into the control environment.
- Designing controls without operator input. Control room, maintenance, and process safety teams usually know the failure modes that drawings miss.
How Training Helps the Design Succeed
Zones and conduits are not only a network drawing deliverable. They require shared understanding between automation engineers, process control specialists, safety engineers, IT security, maintenance, and management. A short, practical workshop can align the team on terminology, asset grouping, risk ranking, remote access rules, and the first 90-day improvement plan.
Roqqy Training and Consulting supports organizations with industrial cybersecurity training, IEC 62443 awareness, OT risk assessment facilitation, and practical engineering workshops for brownfield plants. The goal is honest progress: better visibility, clearer boundaries, safer access, and a roadmap that respects production reality.
Useful Internal Resources
- Engineering Training and Consulting Services
- Roqqy Courses
- exida Certificates and Professional Training
- Digital Products and Corporate Toolkits
- Contact Roqqy
Sources
- NIST SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security – final publication, September 2023, with a July 2024 planning note.
- ISA99, Industrial Automation and Control Systems Security – ISA/IEC 62443 standards committee overview.
- MITRE ATT&CK for ICS Matrix – live ICS tactics and techniques matrix.
FAQ
Is IEC 62443 only for new plants?
No. Brownfield sites can use IEC 62443 concepts to document current risk, prioritize improvements, and phase segmentation changes without redesigning everything at once.
Should safety systems always be a separate zone?
Often they should be treated with special care, but the final zoning decision should follow the site architecture, risk assessment, safety lifecycle requirements, vendor constraints, and approved operating practices.
Can a firewall alone satisfy zones and conduits?
No. Firewalls may enforce conduits, but the design also needs asset ownership, approved traffic, monitoring, backup and recovery, access control, change management, and periodic review.
What is the best first step for a plant team?
Start with a short asset and communication workshop. Confirm the real connections, identify high-consequence paths, and choose a small set of improvements that can be implemented safely.
Need help applying IEC 62443 to a real plant? Contact Roqqy Training and Consulting to plan an OT cybersecurity training session or a practical zones and conduits workshop for your engineering and operations team.
