implementing-iec-62443-security-zones
Installation
SKILL.md
Implementing IEC 62443 Security Zones
When to Use
- When designing a greenfield OT network architecture for a new industrial facility
- When retrofitting security zones into an existing flat OT network after an assessment finding
- When implementing network segmentation to comply with IEC 62443-3-2 certification requirements
- When upgrading from basic VLAN segmentation to policy-enforced zone/conduit architecture
- When an IT/OT convergence project requires defining security boundaries between enterprise and operational networks
Do not use for IT-only network segmentation (see implementing-network-microsegmentation), for cloud-native workload segmentation (see securing-kubernetes-on-cloud), or for physical security zone design without a cyber component.
Prerequisites
- Completed OT network security assessment with asset inventory and traffic flow analysis
- Understanding of IEC 62443-3-2 zone/conduit design process and the Purdue Reference Model
- Industrial firewalls capable of deep packet inspection for OT protocols (Palo Alto with OT Security, Fortinet OT, Cisco ISA-3000)
- Network switches supporting VLANs, 802.1Q trunking, and port security
- Approval from operations management for network architecture changes during maintenance windows