ISA/IEC 62443-3-2:2020, Clause 4.4 covers partitioning the SUC into zones and conduits as zone and conduit requirement ZCR 3.
ZCR 3 turns a flat asset list into a security model: assets that share security needs sit together; communications between groupings travel through named conduits. One base requirement establishes the model; further requirements and recommendations drive industry best-practice separations (business/IACS, safety, temporary links, wireless, remote connections). That list is not claimed to be exhaustive.
Reference: ISA/IEC 62443-3-2:2020, Clause 4.4
Related:
Zone, Conduit and Risk Assessment (Clause 4)
|
IEC 62443-1-1 Models
|
Network Segmentation
ZCR pages: ZCR 1 | ZCR 2 | ZCR 3 | ZCR 4 | ZCR 5 | ZCR 6 | ZCR 7
Reference: ISA/IEC 62443-3-2, Clause 4.4
Clause: 4.4.2
The intent is to gather assets that need similar protection so common countermeasures can be designed once. Zone membership can be revised after the detailed risk assessment. Safety systems, wireless, Internet-facing endpoints, externally managed interfaces and mobile devices deserve particular attention when building the first cut.
A practical approach starts with operational areas (storage, processing, finishing, …) and then functional layers (MES, supervisory HMI, primary control, safety). Purdue-style reference models and supplier reference architectures are common aids — not mandatory templates.
Clause: 4.4.3
Business IT and IACS differ in function, ownership, location and consequence profile — especially HSE impacts if the control system fails. Mixing them in one zone blurs accountability and usually under-protects OT.
Clause: 4.4.4
Safety assets usually need stronger protection because compromise can escalate to personnel harm or environmental damage. Marking an inseparable mix as safety-related prevents under-protecting the safer-looking neighbour devices.
Clause: 4.4.5 · Recommendation
Transient devices often roam outside the plant and therefore face a broader threat set. An exception can apply when a handheld never leaves a single zone’s physical boundary and never joins other networks.
Clause: 4.4.6 · Recommendation
Radio paths are not stopped by cabinet walls, so exposure is harder to fence. Access points are commonly modelled as the conduit between wireless and wired zones; stronger separation (for example firewall behaviour) may be needed if the AP cannot enforce it alone.
Clause: 4.4.7 · Recommendation
Remote maintenance, vendor support and partner access sit outside the physical plant boundary. Modelling that access as distinct zones with their own security requirements keeps remote risk from being casually merged into plant control zones.