What is a Conduit in the Zone and Conduits Model?
A conduit is a secured communication channel between two or more Zones within an industrial automation environment, as defined in IEC 62443.
A Zone is a group of systems or devices that share similar security requirements; the conduit ensures that only controlled and permitted communication takes place between those Zones. A conduit may consist of physical or logical connections, such as network cables, Firewalls, VPNs or switches.
🧠 What does a conduit do?
A conduit:
- Connects Zones to each other in a controlled manner
- Filters and inspects network traffic between Zones
- Manages risks that arise from communication across zone boundaries
- Implements security measures such as Firewalls, encryption and Logging
🔒 Examples of conduits
| Source zone | Target zone | Conduit type |
|---|---|---|
| PLC Zone | SCADA/HMI Zone | Industrial Switch with VLAN segmentation |
| SCADA Zone | MES Zone | Firewall with protocol filtering |
| MES Zone | ERP/IT Zone | Secured VPN tunnel |
| Guest network | Maintenance zone | Temporarily permitted connection via Jump Server |
🔧 Common security measures per conduit
- Firewalls and routing rules
- Intrusion Detection/Prevention Systems (IDS/IPS)
- VPNs or encrypted tunnels (TLS)
- Logging and traffic auditing
- Authentication and authorisation
- Data diodes (for one-way traffic)
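As an added example (not code from the original page), the following Python model shows the allow-list logic behind the "Firewall with protocol filtering" conduit in the table and the filtering and logging measures listed above: cross-zone flows are denied unless a conduit rule permits exactly that direction, protocol and port, and every decision is logged for auditing. The zone subnets, rules and port numbers are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed assumption: each IEC 62443 Zone maps to its own subnet.
ZONES = {
    "PLC": ip_network("10.1.0.0/24"),
    "SCADA": ip_network("10.2.0.0/24"),
    "MES": ip_network("10.3.0.0/24"),
}


@dataclass(frozen=True)
class ConduitRule:
    src_zone: str
    dst_zone: str
    proto: str  # "tcp" or "udp"
    dport: int


# Conduit allow-list (assumed): only these cross-zone flows are permitted.
# Direction matters: a PLC may not open connections towards SCADA.
CONDUITS = [
    ConduitRule("SCADA", "PLC", "tcp", 502),   # Modbus/TCP from SCADA/HMI to PLCs
    ConduitRule("MES", "SCADA", "tcp", 4840),  # OPC UA from MES to SCADA
]


def zone_of(ip: str):
    """Return the Zone name an address belongs to, or None if unassigned."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int, log: list) -> bool:
    """Decide whether a flow may cross a zone boundary; append the decision to log."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        log.append(f"DENY unknown-zone {src_ip}->{dst_ip} {proto}/{dport}")
        return False
    if src == dst:
        log.append(f"ALLOW intra-zone {src} {proto}/{dport}")
        return True  # same Zone: not a conduit crossing
    for rule in CONDUITS:
        if (rule.src_zone, rule.dst_zone, rule.proto, rule.dport) == (src, dst, proto, dport):
            log.append(f"ALLOW conduit {src}->{dst} {proto}/{dport}")
            return True
    log.append(f"DENY no-conduit {src}->{dst} {proto}/{dport}")  # default deny
    return False
```

Denied entries in the log are exactly the events a conduit's IDS or SIEM feed should surface, since they represent traffic that no conduit was designed to carry.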
🔄 Conduits within the Zone and Conduits model
Each conduit must be assessed for the risks posed by the communication it carries between the Zones, and assigned security measures appropriate to that risk in line with IEC 62443 guidance.
📌 In summary
A conduit is a controlled and secured communication path between Zones within an industrial environment. It prevents cyber threats from spreading freely and makes it possible to implement network segmentation in a truly safe and manageable way.
