L3 – Network Security – Segmentation and Zoning

Among the methods available for limiting a threat actor’s ability to reach a target system, and to move laterally once an initial foothold exists, few are as fundamental as resource isolation. It is, above all, a preventive capability, and one that is intrinsically tied to the design of the infrastructure itself. Because of this dependency, the practices set out in the sections that follow are best applied during the deployment phase, when the cost of adopting them is at its lowest. Isolation that is retrofitted into an environment never designed to accommodate it is seldom straightforward to achieve and is often prohibitively expensive.
The infrastructure network zoning model, or zone model for short, gives this principle a methodical foundation. It is a security capability conceived to provide sufficient resource isolation and to contain threat actors of differing capability and intent. IEC 62443 formalises it as zones (groupings of assets that share common security requirements) and conduits (the communication paths that join zones, and the boundaries at which traffic is controlled). The zone model governs how the infrastructure platform is built and how segmentation is achieved across it, and in doing so it becomes the foundation upon which a resilient security architecture rests.
IEC 62443-3-2: the design and partitioning requirement
This part defines the risk-driven method for arriving at your segmentation design. The relevant requirements are the Zone and Conduit Requirements (ZCRs).
| Requirement | What it mandates |
|---|---|
| ZCR 1 | Identify the System under Consideration (SuC) |
| ZCR 2 | Perform an initial high-level risk assessment |
| ZCR 3 | Partition the SuC into zones and conduits |
| ZCR 4 | Compare initial risk against the organisation’s tolerable risk |
| ZCR 5 | Perform a detailed risk assessment per zone and conduit |
| ZCR 6 | Document the Cyber Security Requirements Specification (CSRS) |
| ZCR 7 | Obtain asset owner approval |
ZCR 3 carries the prescriptive separation rules. The standard explicitly requires you to separate certain asset classes into their own zones rather than co-locating them:
| Sub-requirement | Separation mandated |
|---|---|
| ZCR 3.2 | Separate business or IT assets from IACS assets |
| ZCR 3.3 | Separate safety-related assets (the SIS) into dedicated zones |
| ZCR 3.4 | Separate temporarily connected devices |
| ZCR 3.5 | Separate wireless devices |
| ZCR 3.6 | Separate devices connected over external or untrusted networks |
IEC 62443-3-3: the technical control requirements
This part expresses segmentation through Foundational Requirement 5, Restricted Data Flow (FR 5). Each system requirement (SR) has a base capability that applies from SL 1 upwards, and requirement enhancements (REs) that become mandatory as the target security level rises towards SL 4.
| Requirement | Capability required | Notable enhancements |
|---|---|---|
| SR 5.1 Network segmentation | Logically segment control networks from non-control networks, and critical control networks from other control networks | RE 1 physical segmentation; RE 2 independence from non-control networks; RE 3 logical and physical isolation of critical networks |
| SR 5.2 Zone boundary protection | Monitor and control communications at zone boundaries to enforce the zones and conduits model | RE 1 deny by default, allow by exception; RE 2 island mode (ability to isolate a zone); RE 3 fail closed |
| SR 5.3 General purpose person-to-person communication restrictions | Prevent general-purpose person-to-person messages (such as email or instant messaging) from being received from users or systems outside the control system | RE 1 prohibit all general-purpose person-to-person communications |
| SR 5.4 Application partitioning | Partition data and applications by criticality | — |
How this maps in practice
The model aligns loosely with the Purdue or ISA-95 hierarchy, where the classic enforced boundary is the IT/OT conduit (often realised as a DMZ between the enterprise zone and the control zone). The practical takeaway for an architect is that 3-2 tells you how to derive your zones from risk and which assets must never share a zone, while 3-3 tells you the boundary controls each conduit must enforce, with the strength of those controls (deny-by-default, isolation capability, fail-closed behaviour) increasing as the target security level rises.
If you are applying this to a specific environment, the deliverable that ties it together is the CSRS from ZCR 6, which records each zone, its target SL, and the conduit controls derived from the FR 5 requirements.
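The following is an added example, not text or tooling from this page or from the IEC 62443 standard: a small Python check that takes a CSRS-style zone-and-conduit model and flags two kinds of defect, zones that co-locate asset classes ZCR 3.2 to 3.6 require to be kept apart, and conduits whose boundary protection lacks the SR 5.2 enhancements that their target SL calls for. The data model, field names, the sample plant, and the mapping of SR 5.2 enhancements to security levels (deny-by-default from SL 2, island mode from SL 3, fail-closed at SL 4) are assumptions made for this illustration and should be confirmed against the SL mapping table in IEC 62443-3-3 before use.

```python
"""Added example: check a zone-and-conduit model against the ZCR 3
separation rules and the SR 5.2 enhancements for the conduit target SL.
The data model, field names and SL-to-enhancement mapping are assumptions
made for this illustration, not text from IEC 62443."""
from __future__ import annotations
from dataclasses import dataclass, field

# Asset classes that ZCR 3.2 to 3.6 single out for separation.
BUSINESS, IACS, SAFETY, TEMPORARY, WIRELESS, EXTERNAL = (
    "business", "iacs", "safety", "temporary", "wireless", "external")

# Classes that must sit in a zone of their own (ZCR 3.3 to 3.6).
DEDICATED = {SAFETY: "ZCR 3.3", TEMPORARY: "ZCR 3.4",
             WIRELESS: "ZCR 3.5", EXTERNAL: "ZCR 3.6"}

# Assumed lowest SL at which each SR 5.2 enhancement applies;
# confirm against the SL mapping table in IEC 62443-3-3.
SR52_ENHANCEMENTS = {"deny_by_default": 2, "island_mode": 3, "fail_closed": 4}


@dataclass
class Zone:
    name: str
    target_sl: int                    # SL-T, 1 to 4
    assets: dict[str, str]            # asset name -> asset class


@dataclass
class Conduit:
    name: str
    zones: tuple[str, str]            # the two zones this conduit joins
    target_sl: int
    allowed_flows: list[tuple[str, str, int]] = field(default_factory=list)  # (src, dst, port)
    deny_by_default: bool = False     # SR 5.2 RE 1
    island_mode: bool = False         # SR 5.2 RE 2
    fail_closed: bool = False         # SR 5.2 RE 3


def required_enhancements(target_sl: int) -> list[str]:
    """SR 5.2 enhancements a conduit at this target SL must provide (assumed mapping)."""
    return [attr for attr, min_sl in SR52_ENHANCEMENTS.items() if target_sl >= min_sl]


def check_separation(zones: list[Zone]) -> list[str]:
    """ZCR 3.2 to 3.6: flag zones that co-locate classes the standard keeps apart."""
    findings = []
    for z in zones:
        classes = set(z.assets.values())
        if {BUSINESS, IACS} <= classes:
            findings.append(f"ZCR 3.2: zone '{z.name}' mixes business and IACS assets")
        for cls, zcr in DEDICATED.items():
            if cls in classes and classes != {cls}:
                others = sorted(classes - {cls})
                findings.append(f"{zcr}: zone '{z.name}' co-locates {cls} assets with {others}")
    return findings


def check_conduits(zones: list[Zone], conduits: list[Conduit]) -> list[str]:
    """SR 5.2: each conduit carries the enhancements its target SL calls for, and
    every allowed flow runs between the two zones the conduit actually joins."""
    known = {z.name for z in zones}
    findings = []
    for c in conduits:
        a, b = c.zones
        if not {a, b} <= known:
            findings.append(f"model: conduit '{c.name}' references an unknown zone")
            continue
        for attr in required_enhancements(c.target_sl):
            if not getattr(c, attr):
                findings.append(f"SR 5.2: conduit '{c.name}' (SL {c.target_sl}) lacks {attr}")
        for src, dst, port in c.allowed_flows:
            if {src, dst} != {a, b}:
                findings.append(f"model: conduit '{c.name}' allows {src}->{dst}:{port} outside its zones")
    return findings


def check_model(zones: list[Zone], conduits: list[Conduit]) -> list[str]:
    return check_separation(zones) + check_conduits(zones, conduits)


# Constructed sample plant with two deliberate defects: a wireless HMI placed
# in the control zone (ZCR 3.5) and an IT/OT conduit that is not deny-by-default
# although its target SL is 2 (SR 5.2 RE 1).
SAMPLE_ZONES = [
    Zone("enterprise", 1, {"erp": BUSINESS, "mail": BUSINESS}),
    Zone("ot-dmz", 2, {"historian-replica": IACS, "jump-host": IACS}),
    Zone("control", 2, {"plc-01": IACS, "hmi-01": IACS, "hmi-wifi": WIRELESS}),
    Zone("safety", 3, {"sis-logic-solver": SAFETY}),
]
SAMPLE_CONDUITS = [
    Conduit("it-to-dmz", ("enterprise", "ot-dmz"), 2,
            [("enterprise", "ot-dmz", 443)], deny_by_default=False),
    Conduit("dmz-to-control", ("ot-dmz", "control"), 2,
            [("ot-dmz", "control", 3389)], deny_by_default=True),
    Conduit("control-to-safety", ("control", "safety"), 3,
            [("control", "safety", 502)], deny_by_default=True, island_mode=True),
]

if __name__ == "__main__":
    for finding in check_model(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print(finding)
```

Run against the constructed sample, the check reports exactly the two planted defects; the fix for each is a design change (move the wireless HMI into its own zone with its own conduit, and make the IT/OT conduit deny-by-default), which is the point of doing this at design time rather than after deployment. In a real engagement the zones and conduits would be loaded from the CSRS itself rather than hard-coded, and the SL-to-enhancement mapping extended to cover SR 5.1 as well.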