What is a Zoned Architecture?
A Zoned Architecture is a security model in which a network is divided into logical zones, each grouping systems with similar security requirements and functions. Between the zones, firewalls, protocol filters and access controls are placed to manage risk and to limit an attacker's lateral movement from one zone into the next.
Zoned Architecture is a core principle of IEC 62443, where it appears as the zones and conduits model, and it aligns with the Purdue Model for industrial networks.
🧠 Why Zoned Architecture in OT?
In industrial environments such as factories or power stations there are many different systems (e.g. PLC, SCADA, Historian). In a single, flat network every one of them is reachable from every other: a compromised office workstation has direct network access to the PLCs, and a disruption in one system can spread to all of them.
With a Zoned Architecture you can:
- Limit risks by separating functions
- Fine-tune security per zone
- Apply compliance requirements (such as NIS2, IEC 62443) more easily
- Minimise the impact of incidents
🏗️ Example of zones
| Zone | Example systems | Security level (illustrative) |
|---|---|---|
| Enterprise Zone | ERP, email, intranet, office IT | Basic / high |
| Supervisory Zone | SCADA, Historian, Engineering Station | Medium / high |
| Control Zone | PLC, RTU, HMI | High |
| Field Zone | Sensor, Actuator, IO modules | High |
| DMZ / iDMZ | Remote Access, web server, reporting tools | Additionally protected |
Communication between zones takes place only via tightly controlled conduits (e.g. an industrial firewall, protocol filtering, a jump server). A conduit is an allow-list: traffic that does not match a defined conduit is denied by default. In particular, nothing passes directly from the Enterprise zone to the Supervisory or Control zones; such flows terminate in the iDMZ (on a jump server or reporting server) and a separate conduit continues from there.
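The conduit model described above, as an added example that is not code from the original page: a deny-by-default policy check that maps IP addresses to zones, allows only the listed conduits between zones, and reports which legitimate flows a policy would break (the "incorrect segmentation can disrupt communication" concern under Points of attention). Zone subnets, conduit ports and the sample flows are constructed for illustration and are assumptions, not values from the page.

```python
"""Zones-and-conduits policy check: deny by default, allow only listed conduits.

Added example, not code from the original page. The zone subnets, the conduit
allow-list and the sample flows below are constructed assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone map (assumption: exactly one subnet per zone).
ZONES = {
    "enterprise":  ip_network("10.10.0.0/16"),
    "idmz":        ip_network("10.20.0.0/24"),
    "supervisory": ip_network("10.30.0.0/24"),
    "control":     ip_network("10.40.0.0/24"),
}


@dataclass(frozen=True)
class Conduit:
    """One permitted inter-zone flow: source zone -> destination zone, protocol, port."""
    src_zone: str
    dst_zone: str
    proto: str
    port: int


# Allow-list of conduits. Anything not listed here is denied (deny by default).
# Note there is deliberately no Enterprise -> Supervisory/Control entry: enterprise
# traffic terminates in the iDMZ, and a separate conduit continues from there.
CONDUITS = {
    Conduit("enterprise",  "idmz",        "tcp", 443),    # reporting portal in the iDMZ
    Conduit("idmz",        "supervisory", "tcp", 3389),   # jump server -> engineering station
    Conduit("supervisory", "control",     "tcp", 502),    # SCADA -> PLC (Modbus/TCP)
    Conduit("supervisory", "control",     "tcp", 44818),  # SCADA -> PLC (EtherNet/IP explicit)
}

Flow = Tuple[str, str, str, int]  # (src_ip, dst_ip, proto, dst_port)


def zone_of(ip: str) -> Optional[str]:
    """Return the zone containing `ip`, or None if it is in no zone (inventory gap)."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, proto: str, port: int) -> bool:
    """Decide a flow: unknown assets are denied, intra-zone traffic is not mediated
    by a conduit, and inter-zone traffic must match an allow-listed conduit."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return False
    if src == dst:
        return True
    return Conduit(src, dst, proto.lower(), port) in CONDUITS


def blocked_required_flows(required: List[Flow]) -> List[Flow]:
    """Return the legitimate flows the policy would break: run this before enforcing
    rules, so a missing conduit is found in review rather than on the plant floor."""
    return [f for f in required if not is_allowed(*f)]


# Constructed list of flows the plant needs; the UDP 2222 entry (EtherNet/IP
# implicit I/O) is intentionally missing from CONDUITS to show the check working.
REQUIRED_FLOWS: List[Flow] = [
    ("10.30.0.5", "10.40.0.10", "tcp", 502),
    ("10.30.0.5", "10.40.0.10", "udp", 2222),
]

if __name__ == "__main__":
    # Direct Enterprise -> Control Modbus is exactly what zoning must stop.
    print("enterprise->control Modbus:", is_allowed("10.10.5.20", "10.40.0.10", "tcp", 502))
    print("supervisory->control Modbus:", is_allowed("10.30.0.5", "10.40.0.10", "tcp", 502))
    print("flows the policy would break:", blocked_required_flows(REQUIRED_FLOWS))
```

The check is stateless and looks at the initiating direction only; a real conduit firewall is stateful and allows the reply packets of a permitted connection, so the allow-list should be written in terms of who is allowed to initiate a session.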
🔐 Security measures per zone
- Firewalls (including next-generation firewalls with industrial protocol awareness) between zones, configured deny-by-default
- Network access control between zones and role-based access control for users, so that an operator, an engineer and a remote vendor get different rights
- Anomaly detection in the Supervisory and Control zones, where traffic patterns are predictable enough for a baseline
- Application control (allow-listing) on servers and engineering stations
- Patch management tailored to each zone's availability requirements, since many OT systems can only be patched in maintenance windows
- Monitoring and SIEM in the Supervisory/DMZ zones, with log collection itself flowing outward through a defined conduit
✅ Benefits of Zoned Architecture
- Segmentation limits the attack surface reachable from any one zone and slows lateral movement
- Security measures per zone can be better tailored
- Scalable – zones can be expanded or managed individually
- Compliance-friendly for standards such as IEC 62443, ISO 27001, NIST CSF
⚠️ Points of attention
- Requires a complete asset and network inventory: an asset that is in no zone, or in the wrong one, falls outside the policy
- Incorrect segmentation can block legitimate traffic and disrupt production; list the required flows and test them against the rules before enforcing
- Must be properly documented and maintained, since every new system or vendor connection changes the conduits
📌 In summary
Zoned Architecture is a crucial building block in the security of OT networks. It makes risks manageable by introducing logical separations between functions, systems and communication flows.
