IEC 62443 zone & conduit design


Zones and conduits are the backbone of IEC 62443. Synapse makes them a first-class model — group assets into zones, control every conduit, and let the engine check the segmentation and SL-T coverage for you.

From risk to SL-T, the 62443-3-2 way

Synapse follows the IEC 62443-3-2 flow: partition the system into zones and conduits, assess risk (consequence × likelihood), and derive the target security level for each zone. SL-T is the output of the risk assessment, not a guess — and the derivation is shown, not hidden.

  • Zones grouped by required security level; every conduit documented and controlled
  • Risk assessment (ZCR-5) derives SL-T; residuals above the tolerable line are flagged
  • Flat-network, duplicate-IP and any-any-conduit violations caught automatically

Evidence the auditor actually wants

Generate the zone-and-conduit diagram, the asset inventory and the requirement-by-requirement 62443-3-3 coverage report — each control traceable to the asset, zone or conduit that satisfies it.

Frequently asked questions

What is a zone and a conduit in IEC 62443?

A zone is a logical grouping of assets that share the same security requirements; a conduit is a controlled communication path between zones. Every conduit must be documented and protected so that traffic only crosses a trust boundary in a known, controlled way.

How is the target security level (SL-T) determined?

Under IEC 62443-3-2, each zone is risk-assessed (consequence against likelihood). The resulting risk drives the SL-T the zone must achieve. Synapse computes this from the topology and open findings so the SL-T is defensible and traceable.

Do I need a DMZ between IT and OT?

In almost all cases, yes. A demilitarised zone terminates remote access and brokers data flows so that untrusted networks never connect straight into the control system. Synapse checks for a DMZ on the relevant conduits and flags direct IT-to-OT paths.
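The segmentation checks listed above (flat network, duplicate IP, any-any conduit, direct IT-to-OT path without a DMZ) and the consequence-times-likelihood SL-T derivation can be expressed as a small model checker. The following is an added, self-contained example written for this page; it is not Synapse's code or data model. The zone kinds ("IT", "DMZ", "OT"), the sample zones and conduits, and the risk-to-SL-T thresholds are constructed assumptions: IEC 62443-3-2 requires that SL-T follow from the risk assessment but leaves the scoring scales and tolerable-risk line to the asset owner.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import List, Tuple, Union

# Constructed model for illustration. Zone kinds, names and the SL-T
# thresholds are assumptions for this example, not normative IEC 62443 text.


@dataclass
class Asset:
    name: str
    ip: str


@dataclass
class Zone:
    name: str
    kind: str              # "IT", "DMZ" or "OT" (constructed classification)
    subnet: str            # the zone's network, e.g. "10.0.0.0/24"
    assets: List[Asset]


@dataclass
class Conduit:
    src: str                                    # source zone name
    dst: str                                    # destination zone name
    flows: Union[str, List[Tuple[str, int]]]    # "any" or explicit (protocol, port) pairs


def derive_sl_t(consequence: int, likelihood: int) -> int:
    """Map consequence x likelihood (each scored 1..5) onto SL-T 1..4.
    The thresholds are a constructed example of the ZCR-5 step; a real
    programme calibrates them against its own tolerable-risk line."""
    if not (1 <= consequence <= 5 and 1 <= likelihood <= 5):
        raise ValueError("consequence and likelihood must be scored 1..5")
    risk = consequence * likelihood
    if risk >= 16:
        return 4
    if risk >= 9:
        return 3
    if risk >= 4:
        return 2
    return 1


def check_model(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Return segmentation findings: assets outside their zone's subnet,
    duplicate IPs, flat networks, any-any conduits and direct IT-to-OT paths."""
    findings: List[str] = []
    by_name = {z.name: z for z in zones}

    # Inventory checks: every asset inside its zone's subnet, no IP reused anywhere
    seen = {}
    for z in zones:
        net = ip_network(z.subnet)
        for a in z.assets:
            addr = ip_address(a.ip)
            if addr not in net:
                findings.append(f"asset {a.name} ({a.ip}) is outside zone {z.name} subnet {z.subnet}")
            if addr in seen:
                findings.append(f"duplicate IP {a.ip}: {seen[addr]} and {a.name}")
            else:
                seen[addr] = a.name

    # Flat network: two zones declared on the same or overlapping subnet
    for z1, z2 in combinations(zones, 2):
        if ip_network(z1.subnet).overlaps(ip_network(z2.subnet)):
            findings.append(f"flat network: zones {z1.name} and {z2.name} overlap ({z1.subnet}, {z2.subnet})")

    # Conduit checks: flows must be enumerated, and IT must not reach OT without a DMZ
    for c in conduits:
        if c.src not in by_name or c.dst not in by_name:
            findings.append(f"conduit {c.src}->{c.dst} references an undefined zone")
            continue
        if c.flows == "any":
            findings.append(f"any-any conduit {c.src}->{c.dst}: no flow restriction")
        if by_name[c.src].kind == "IT" and by_name[c.dst].kind == "OT":
            findings.append(f"direct IT-to-OT path {c.src}->{c.dst}: no DMZ brokering the flow")
    return findings


def sample_model() -> Tuple[List[Zone], List[Conduit]]:
    """Constructed site model that deliberately contains each violation type."""
    zones = [
        Zone("enterprise", "IT", "10.0.0.0/24", [Asset("erp", "10.0.0.10"), Asset("client", "10.0.0.11")]),
        Zone("dmz", "DMZ", "10.0.1.0/24", [Asset("jump-host", "10.0.1.5"), Asset("historian", "10.0.1.6")]),
        # Same subnet as "enterprise" (flat network) and plc-1 reuses 10.0.0.10 (duplicate IP)
        Zone("control", "OT", "10.0.0.0/24", [Asset("plc-1", "10.0.0.10"), Asset("hmi-1", "10.0.0.50")]),
    ]
    conduits = [
        Conduit("enterprise", "dmz", [("tcp", 443)]),
        Conduit("dmz", "control", [("tcp", 4840)]),
        Conduit("enterprise", "control", "any"),   # any-any and bypasses the DMZ
    ]
    return zones, conduits


if __name__ == "__main__":
    zones, conduits = sample_model()
    for finding in check_model(zones, conduits):
        print(finding)
    print("SL-T for consequence 5, likelihood 4:", derive_sl_t(5, 4))
```

Running the module prints four findings for the constructed model (one duplicate IP, one flat-network overlap, one any-any conduit and one direct IT-to-OT path) and derives SL-T 4 for the highest-risk zone; removing the "control" zone and its conduits yields an empty finding list.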


Bring your next site online — secure by design.

Book a demo to see the model-to-evidence loop on your own architecture — or open the live studio now.