implementing-iec-62443-security-zones

Implementing IEC 62443 Security Zones

When to Use

  • When designing a greenfield OT network architecture for a new industrial facility
  • When retrofitting security zones into an existing flat OT network after an assessment finding
  • When implementing network segmentation to comply with IEC 62443-3-2 certification requirements
  • When upgrading from basic VLAN segmentation to policy-enforced zone/conduit architecture
  • When an IT/OT convergence project requires defining security boundaries between enterprise and operational networks

Do not use for IT-only network segmentation (see implementing-network-microsegmentation), for cloud-native workload segmentation (see securing-kubernetes-on-cloud), or for physical security zone design without a cyber component.

Prerequisites

  • Completed OT network security assessment with asset inventory and traffic flow analysis
  • Understanding of IEC 62443-3-2 zone/conduit design process and the Purdue Reference Model
  • Industrial firewalls capable of deep packet inspection for OT protocols (Palo Alto with OT Security, Fortinet OT, Cisco ISA-3000)
  • Network switches supporting VLANs, 802.1Q trunking, and port security
  • Approval from operations management for network architecture changes during maintenance windows
First Seen
Mar 14, 2026