← Home

IEC 62443-3-2 Clause 4.4 – Partition into Zones and Conduits

ISA/IEC 62443-3-2:2020, Clause 4.4 covers partitioning the SUC into zones and conduits as zone and conduit requirement ZCR 3.

ZCR 3 turns a flat asset list into a security model: assets that share security needs sit together; communications between groupings travel through named conduits. One base requirement establishes the model; further requirements and recommendations drive industry best-practice separations (business/IACS, safety, temporary links, wireless, remote connections). That list is not claimed to be exhaustive.

Teaching note: The summaries below paraphrase ISA/IEC 62443-3-2:2020 for learning purposes. They are not a verbatim extract of the standard — always refer to the published text for normative wording and assessment. Items labelled Recommendation are not mandatory requirements in the same sense as the shall statements.

Reference: ISA/IEC 62443-3-2:2020, Clause 4.4
Related: Zone, Conduit and Risk Assessment (Clause 4) | IEC 62443-1-1 Models | Network Segmentation

ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7


Requirements in this ZCR


ZCR 3 – Partition the SUC into zones and conduits

Reference: ISA/IEC 62443-3-2, Clause 4.4

ZCR 3.1: Establish zones and conduits

Clause: 4.4.2

Summary
IACS and related assets shall be grouped into zones or conduits based on risk. Grouping uses the initial risk assessment and/or other drivers such as criticality, operational function, physical or logical location, access needs (least privilege) and accountable organisation.

The intent is to gather assets that need similar protection so common countermeasures can be designed once. Zone membership can be revised after the detailed risk assessment. Safety systems, wireless, Internet-facing endpoints, externally managed interfaces and mobile devices deserve particular attention when building the first cut.

A practical approach starts with operational areas (storage, processing, finishing, …) and then functional layers (MES, supervisory HMI, primary control, safety). Purdue-style reference models and supplier reference architectures are common aids — not mandatory templates.

ZCR 3.2: Separate business and IACS assets

Clause: 4.4.3

Summary
IACS assets shall sit in zones that are logically or physically separated from business or enterprise system assets.

Business IT and IACS differ in function, ownership, location and consequence profile — especially HSE impacts if the control system fails. Mixing them in one zone blurs accountability and usually under-protects OT.

ZCR 3.3: Separate safety-related assets

Clause: 4.4.4

Summary
Safety-related IACS assets shall be grouped into zones separated (logically or physically) from non-safety IACS zones. Where separation is not feasible, the whole combined zone shall be treated as safety-related.

Safety assets usually need stronger protection because compromise can escalate to personnel harm or environmental damage. Marking an inseparable mix as safety-related prevents under-protecting the safer-looking neighbour devices.

ZCR 3.4: Separate temporarily connected devices

Clause: 4.4.5  ·  Recommendation

Summary
Devices allowed only temporary connection to the SUC (maintenance laptops, portable equipment, USB media, portable security appliances, and similar) should be modelled in separate zone(s) from permanently attached assets.

Transient devices often roam outside the plant and therefore face a broader threat set. An exception can apply when a handheld never leaves a single zone’s physical boundary and never joins other networks.

ZCR 3.5: Separate wireless devices

Clause: 4.4.6  ·  Recommendation

Summary
Wireless devices should occupy one or more zones separated from wired devices.

Radio paths are not stopped by cabinet walls, so exposure is harder to fence. Access points are commonly modelled as the conduit between wireless and wired zones; stronger separation (for example firewall behaviour) may be needed if the AP cannot enforce it alone.

ZCR 3.6: Separate devices connected via external networks

Clause: 4.4.7  ·  Recommendation

Summary
Devices that reach the SUC over networks outside the SUC should be grouped into their own zone(s).

Remote maintenance, vendor support and partner access sit outside the physical plant boundary. Modelling that access as distinct zones with their own security requirements keeps remote risk from being casually merged into plant control zones.


Key Takeaways