How to Define Zones and Conduits

Many professionals hold mistaken ideas about zones and conduits, about how they must be defined, and about their implications for industrial cybersecurity. A sound understanding of zones and conduits is fundamental to avoiding mistakes in risk evaluation, design, implementation, and maintenance.

The concept of zones and conduits was introduced by the ISA99 committee, which develops the ISA/IEC 62443 series of standards, long before the first versions of the standard were published in 2007. Today many other organizations use these same terms in different ways, which increases the confusion for users and professional communities.

Zone: a grouping of cyber assets that share the same cybersecurity requirements.

Conduit: a grouping of cyber assets dedicated exclusively to communications, and which share the same cybersecurity requirements.

When modeling zones and conduits, there is a series of important rules that professionals must take into account. Below, we share some practical rules that will be useful:

  1. A zone can have sub-zones.
  2. A conduit cannot have sub-conduits.
  3. A zone can have more than one conduit. Cyber assets (HOSTs) within a zone use one or more conduits to communicate.
  4. A conduit cannot traverse more than one zone.
  5. A conduit can be used for two or more zones to communicate with each other.

Let’s look at these rules in the following chart. It shows examples of correct and incorrect setups, as well as examples of conduits.

Industrial cyber assets have a very special feature: they can connect to more than one conduit, often to several conduits at the same time. A PLC can easily connect to 10 or more conduits. Bear in mind, too, that many industrial networks are redundant.
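To make the rules above concrete, here is an added example (not part of the original article) that models zones, sub-zones, conduits and the assets attached to them, and checks a constructed topology against rules 1, 2, 3 and 5; rule 4 concerns the physical path of a conduit, which this model does not capture. The zone, conduit and asset names are constructed, and the assumption that each asset sits in exactly one zone is the example's own.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

@dataclass
class Zone:
    name: str
    assets: Set[str] = field(default_factory=set)         # assets held directly
    subzones: List["Zone"] = field(default_factory=list)  # rule 1: nesting allowed

@dataclass
class Conduit:
    name: str
    endpoints: Set[str]                                      # assets using it (rule 3)
    subconduits: List["Conduit"] = field(default_factory=list)  # rule 2: must stay empty

def asset_owners(zones: List[Zone]) -> Dict[str, str]:
    """Map each asset to its innermost zone (assumption: an asset sits in exactly one)."""
    owner: Dict[str, str] = {}
    def walk(z: Zone) -> None:
        for a in z.assets:
            if a in owner:
                raise ValueError(f"{a} appears in both {owner[a]} and {z.name}")
            owner[a] = z.name
        for sub in z.subzones:
            walk(sub)
    for z in zones:
        walk(z)
    return owner

def zones_linked(c: Conduit, owner: Dict[str, str]) -> Set[str]:
    """Zones whose assets talk over this conduit (rule 5: two or more is fine)."""
    return {owner[a] for a in c.endpoints if a in owner}

def validate(zones: List[Zone], conduits: List[Conduit]) -> List[str]:
    """Return rule violations as messages; an empty list means the model is consistent."""
    owner = asset_owners(zones)
    problems: List[str] = []
    for c in conduits:
        if c.subconduits:                                    # rule 2
            problems.append(f"{c.name}: a conduit cannot have sub-conduits")
        stray = sorted(c.endpoints - set(owner))
        if stray:                                            # every endpoint must belong to a zone
            problems.append(f"{c.name}: endpoints in no zone: {stray}")
    return problems

# Constructed sample topology (illustrative names, not a real plant)
SAMPLE_ZONES = [Zone("Supervision", {"HMI", "Historian"}),
                Zone("Process Control", {"PLC1", "PLC2"}, subzones=[Zone("Safety", {"SIS"})])]
SAMPLE_CONDUITS = [Conduit("Control LAN", {"HMI", "Historian", "PLC1", "PLC2"}),  # links two zones
                   Conduit("Fieldbus", {"PLC1", "SIS"}),  # PLC1 sits on two conduits (rule 3)
                   Conduit("Plant LAN", {"HMI"}, subconduits=[Conduit("VLAN10", {"HMI"})])]  # breaks rule 2
```

Running `validate(SAMPLE_ZONES, SAMPLE_CONDUITS)` reports only the Plant LAN conduit, while `zones_linked` on the Control LAN conduit shows it serving both the Supervision and Process Control zones.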


Some Common Types of Conduits

Industrial systems use hundreds, if not thousands, of protocols over different media, of every kind, nature, and function. Many of them are deterministic, among other technical qualities not worth detailing here. Some common types of conduit are:

  • Plant network based on Ethernet with various industrial protocols, including OPC
  • Control network of the distributed control system (Example: Yokogawa Centum VNet/IP)
  • Industrial field network (Example: Profibus DP, DNP3, and many others)
  • Industrial field network: Foundation Fieldbus, HART7, and others
  • Wireless network: ISA100, Wireless HART, and others
  • A simple RS-232/422/485 serial cable to enable communication between two computers