Zones and Conduits
Also known as: IEC 62443 Zones and Conduits
Zones and conduits is the architectural model defined in ISA/IEC 62443 for partitioning an industrial automation and control system into security zones and the communication conduits that connect them. The model is used to apply targeted cybersecurity controls based on each zone's assigned security level.
Last updated: April 2026
Key Facts
- Defined in: IEC 62443-3-2 (Security risk assessment for system design)
- Concept type: Architectural partitioning model
- Zone: Logical or physical grouping of assets sharing security requirements
- Conduit: Communication path between zones (or sometimes within a zone)
- Security Level (SL): SL 1 to SL 4, applied per zone
- Purpose: Targeted application of cybersecurity controls
- Origin: ISA-99 / IEC 62443 framework
- Typical exercise: Zone and conduit diagram for a specific plant
- Covered in: IC32 (overview), IC33 (assessment exercise), IC34 (design)
- Audience: OT security analysts, control engineers, system integrators
What are Zones and Conduits?
A zone is a logical or physical grouping of assets that share the same security requirements. Examples: a control room workstation zone, a PLC and field device zone, a historian database zone. A conduit is the communication path between zones (or sometimes within a zone), such as the network link between the control room and the PLC zone. Each zone is assigned a target Security Level (SL) based on its risk profile, ranging from SL 1 (protection against casual or coincidental violation) to SL 4 (protection against intentional violation by sophisticated attackers with extended resources). Conduits inherit security requirements from the zones they connect. The model lets practitioners apply targeted security controls rather than blanket measures.
Illustrative Zone and Conduit Layout
| Asset Group | Zone | SL Target | Connected To (via conduit) |
|---|---|---|---|
| Control room HMIs | Operator zone | SL 2 | Engineering zone, Process zone |
| PLCs and field devices | Process zone | SL 3 | Operator zone, Maintenance zone |
| Engineering workstations | Engineering zone | SL 2 | Operator zone, Enterprise zone |
| Enterprise IT | Enterprise zone | Out of scope or SL 1 | Engineering zone (via DMZ conduit) |
This is illustrative only. Real designs depend on specific plant topology, asset inventory, and the outcome of a formal IEC 62443-3-2 risk assessment.
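A zone register like the table above can be checked mechanically before it is drawn as a diagram. The following is an added example, not part of the original page or of the standard: it encodes the illustrative layout and reports links to zones that have no entry and conduits declared from only one side. Treating a conduit at the higher SL target of the two zones it joins, and reading the Enterprise zone as SL 1, are assumptions of this sketch.

```python
# Constructed from the illustrative table on this page; not a real plant.
# Enterprise is listed as "Out of scope or SL 1"; SL 1 is assumed here.
LAYOUT = {
    "Operator":    {"sl": 2, "links": ["Engineering", "Process"]},
    "Process":     {"sl": 3, "links": ["Operator", "Maintenance"]},
    "Engineering": {"sl": 2, "links": ["Operator", "Enterprise"]},
    "Enterprise":  {"sl": 1, "links": ["Engineering"]},
}


def findings(layout):
    """Return consistency issues in a zone register as (kind, zone, peer) tuples."""
    issues = []
    for zone, spec in sorted(layout.items()):
        for peer in spec["links"]:
            if peer not in layout:
                # A conduit ends in a zone with no assets or SL target recorded.
                issues.append(("undefined-zone", zone, peer))
            elif zone not in layout[peer]["links"]:
                # Only one side of the conduit is documented.
                issues.append(("one-sided-conduit", zone, peer))
    return issues


def conduits(layout):
    """Map each conduit between two defined zones to the SL it inherits.

    Assumption of this sketch: a conduit takes the higher SL target of the
    two zones it connects.
    """
    out = {}
    for zone, spec in layout.items():
        for peer in spec["links"]:
            if peer in layout:
                pair = frozenset((zone, peer))
                out[pair] = max(spec["sl"], layout[peer]["sl"])
    return out


if __name__ == "__main__":
    for kind, zone, peer in findings(LAYOUT):
        print(f"{kind}: {zone} -> {peer}")
    for pair, sl in sorted(conduits(LAYOUT).items(), key=lambda kv: sorted(kv[0])):
        print(f"conduit {' <-> '.join(sorted(pair))}: SL {sl}")
```

Run against the illustrative table, the check reports that the Process zone references a Maintenance zone the table never defines.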
How Zones and Conduits Relates to the IEC 62443 Standard
The zones-and-conduits model is foundational in IEC 62443 system design. IEC 62443-3-2 defines the assessment process for partitioning the IACS into zones and assigning target SLs. Once the partitioning is complete, IEC 62443-3-3 specifies the system requirements that each zone must meet to achieve its target SL. The model is also referenced indirectly throughout the certificate programme — IC33 (risk assessment) covers the partitioning process in depth, and IC34 (design) covers how to translate the zone model into specific control choices.
How Cybersecurity Training Providers Cover Zones and Conduits
Zones and conduits is rarely a standalone course. The concept is covered within IC32 (overview), IC33 (assessment exercise), IC34 (design choices), and other IEC 62443 courses. IC33 in particular runs delegates through a zone-and-conduit partitioning exercise as part of risk assessment training. Some providers offer dedicated 1-day workshops on zone-and-conduit design for engineers needing a focused refresher. An LMS supporting cybersecurity training needs to support diagram-based exercises, secure delivery of plant-specific case studies, and tracking of delegates' progress through the broader 62443 certificate programme where this concept fits.
Common Questions
How do I know how to partition a system into zones?
Through risk assessment under IEC 62443-3-2. Common grouping criteria include Purdue Reference Model level, function (control vs. supervision), trust boundary (vendor systems vs. internal), and physical location.
What's the difference between a zone and a conduit?
A zone is a group of assets. A conduit is the communication channel between zones. Both can have SL targets and security requirements, although conduits typically inherit from the zones they connect.
Does every system need formal zone-and-conduit design?
In principle, yes — it is the foundation of a 62443-compliant security architecture. In practice, the depth of formality scales with risk. Small systems may use a simple two-zone design; large plants may have dozens of zones.
What are the Security Levels (SL) in zone targeting?
- SL 1: protection against casual or coincidental violation.
- SL 2: protection against intentional violation using simple means.
- SL 3: protection against intentional violation using sophisticated means with moderate resources.
- SL 4: protection against intentional violation using sophisticated means with extended resources.
Train Your Delegates with Blend-ed
Cybersecurity training providers need an LMS that supports diagram-based exercises, secure case study delivery, and progression tracking through the IEC 62443 certificate programme. Blend-ed runs cohort-based scheduling, secure case study delivery, identity verification at exam, verifiable certificates, and audit-ready records.