IEC-62443 Zones and Conduits using Zero-Trust Network Architecture

A best practice in Industrial Automation and Control System (IACS) cyber security is the zones and conduits model. It is hard to implement without strong identity and an identity-based firewall. Combining a Zero-Trust Network Architecture with the ISA/IEC 62443 zones and conduits model improves security: the implementation is simpler, and every flow is controlled and audited per identity rather than per network address.

Four key principles need addressing:

  • Least Privilege (per-user identity and multi-factor authentication; no account gets more access than its task requires)
  • Defense In Depth (controlling lateral movement between zones and limiting the blast radius when one zone is compromised)
  • Risk Analysis (understanding the downside of each zone and conduit before deciding how tightly to control it)
  • Compensating Security (the long list of workarounds applied where a control cannot be implemented directly, for example on legacy devices that cannot authenticate)

The ISA/IEC 62443 standard has a conceptual architecture of zones (groups of assets that share common security requirements) and conduits (the communication channels permitted between zones). In theory it is easy to understand; in practice it is hard to implement.

An identity-based zero-trust network architecture can bridge the gap between theory and practice.

  • Vendor single sign-on, one identity per person, no shared accounts
  • No VPNs
  • True micro-segmentation
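To make the mapping concrete, here is an added example (not code from the original page) of how an identity-based firewall can enforce a conduit policy: every zone, asset, conduit, role and user below is constructed for illustration, and the rule set is hypothetical. Each conduit is a permitted flow between two zones, scoped to a protocol and to the roles allowed to use it, and every decision carries a reason so it can be audited. Flows with no matching conduit are denied by default, shared accounts are rejected outright, and multi-factor authentication is required per conduit, which is how the least-privilege, defense-in-depth and audit goals above translate into enforcement.

```python
"""Identity-based conduit policy for ISA/IEC 62443 zones.

Added example, not code from the original page. Zone names, assets,
roles, conduits and users are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Conduit:
    """One permitted flow between two zones, scoped to a protocol and to roles."""
    src_zone: str
    dst_zone: str
    protocol: str
    allowed_roles: frozenset
    require_mfa: bool = True


@dataclass(frozen=True)
class Identity:
    """The authenticated principal behind a connection: a person (or a workload
    identity), never a shared host or group account."""
    user: str
    roles: frozenset
    mfa_verified: bool
    shared_account: bool = False


# Constructed zone membership (zone -> assets).
ZONES = {
    "enterprise": frozenset({"ws-alice", "ws-bob"}),
    "dmz": frozenset({"jump-01"}),
    "control": frozenset({"plc-01", "hmi-01"}),
}

# Constructed conduits. Anything not listed is denied, including flows between
# assets inside the same zone, so a compromised HMI still has to pass the same
# identity checks to reach the PLC (micro-segmentation rather than flat zones).
CONDUITS = (
    Conduit("enterprise", "dmz", "ssh", frozenset({"engineer", "vendor"})),
    Conduit("dmz", "control", "ssh", frozenset({"engineer"})),
    Conduit("dmz", "control", "modbus-tcp", frozenset({"engineer", "vendor"})),
    Conduit("control", "control", "modbus-tcp", frozenset({"engineer"})),
)


def zone_of(asset: str) -> Optional[str]:
    """Return the zone an asset belongs to, or None if it is unassigned."""
    for zone, members in ZONES.items():
        if asset in members:
            return zone
    return None


def evaluate(identity: Identity, src_asset: str, dst_asset: str,
             protocol: str) -> tuple:
    """Return (allowed, reason). Every path yields a reason for the audit log."""
    if identity.shared_account:
        return False, "shared or generic account"
    src, dst = zone_of(src_asset), zone_of(dst_asset)
    if src is None or dst is None:
        return False, "unknown asset (not assigned to any zone)"
    matches = [c for c in CONDUITS
               if (c.src_zone, c.dst_zone, c.protocol) == (src, dst, protocol)]
    if not matches:
        # Default deny: no conduit means the flow is not part of the design.
        return False, f"no conduit {src}->{dst}/{protocol}"
    role_ok = [c for c in matches if identity.roles & c.allowed_roles]
    if not role_ok:
        return False, f"role not permitted on conduit {src}->{dst}/{protocol}"
    if all(c.require_mfa for c in role_ok) and not identity.mfa_verified:
        return False, "multi-factor authentication required"
    return True, f"conduit {src}->{dst}/{protocol}"


def audit_record(identity: Identity, src_asset: str, dst_asset: str,
                 protocol: str) -> dict:
    """Decision plus the who/what/why a reviewer needs, as one log record."""
    allowed, reason = evaluate(identity, src_asset, dst_asset, protocol)
    return {"user": identity.user, "src": src_asset, "dst": dst_asset,
            "protocol": protocol, "allowed": allowed, "reason": reason}


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"engineer"}), mfa_verified=True)
    carol = Identity("vendor-carol", frozenset({"vendor"}), mfa_verified=False)
    ops = Identity("operator", frozenset({"engineer"}), mfa_verified=True,
                   shared_account=True)
    for req in [(alice, "ws-alice", "jump-01", "ssh"),
                (alice, "ws-alice", "plc-01", "ssh"),
                (carol, "jump-01", "plc-01", "modbus-tcp"),
                (ops, "hmi-01", "plc-01", "modbus-tcp")]:
        print(audit_record(*req))
```

The second request in the usage block shows the defense-in-depth property directly: an engineer with valid MFA is still refused a direct enterprise-to-control SSH session because no such conduit exists, and must traverse the DMZ jump host conduit instead.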