Security zoning

Using the concept of security zoning, a system can be segmented into subsets of assets that have a similar risk level. One security zone can be separated from another by a firewall or by other means to limit the impact of an incident.

The concept of security zoning is described in IEC62443. In short, security zoning is a method to segment a system into zones with different security levels. A security level is complied with by implementing a combination of security countermeasures.

Network security and security zoning has a lot of similarities with physical security. To get into a building there is a gate or a door. Even within a building there most often are doors which prevents untrusted personnel from entering certain rooms. The principles of security zoning are the same. Between enterprise and control system networks there almost always is a firewall that only allows trusted traffic. Also within a control system network it might make sense to filter out untrusted or unneeded traffic.

Are you looking for support or purchase information?

Security zones for increased cyber security

The reason why it sometimes makes sense to divide a system into security zones, is that this enables cyber security countermeasures to be utilized where they are most needed or to reduce risk in a particular part of the system. 

For example, the use of Windows XP could be argued to increase the likelihood of an incident because it has a wide range of known vulnerabilities exploitable by malware. Therefore, if a system must continue to use Windows XP machines, it is recommended to segment them into a separate security zone, with complementing additional countermeasures. Additionally, a safety system can be segmented into a separate security zone to decrease the risk of being affected by other assets or systems.
Article on Control Engineering
Cyber security is now more cost efficient for industrial control systems
Loading documents
Select region / language