Usually we see how many professionals have a wrong concept regarding Zones and Conduits, the way in which these must be defined and the implications from the point of view of industrial cyber security.

A good understanding of the Zones and Conduits is of fundamental importance to avoid making mistakes when evaluating risks, designing, implementing and maintaining them.

The concept of Zones and Conduits was introduced by the ISA99 committee in the ISA/IEC-62443 series of standards, a long time before the first versions of the standard were published in 2007.

Today we see how many other organizations are making different use of these same terms, increasing confusion for users and professional communities.

Neighborhood. It consists of the grouping of Cyber-Assets that share the same cyber security requirements.

Conduit. It consists of the grouping of Cyber-Assets dedicated exclusively to communications and that share the same cyber security requirements.

When modeling Zones and Conduits there are a series of important rules that professionals must take into account. Below, we share some practical rules that will be useful:

  1. A Zone can have Sub-Zones.
  2. A Conduit cannot have Sub-Conduits.
  3. A Zone can have more than one Conduit. Cyber-Assets (HOSTs) within a Zone use one or more Conduits to communicate.
  4. A conduit cannot traverse more than one Zone.
  5. A conduit can be used for two or more Zones to communicate with each other.

Let's look at these definitions in the following easy-to-understand charts. Examples of Correct. Examples of Incorrect. Examples of Conduits.

Industrial Cyber-Assets have the very special feature that they connect to more than one conduit. And many times to several conduits at the same time. A PLC can easily connect to 10 or more conduits. It is important to consider that many of the industrial networks are of the redundant type.

Some more common types of conduits. The industrial systems' has hundreds of protocols in different media, if not thousands of protocols of all kinds, nature and function. Many of them deterministic, among other technical qualities that are not worth mentioning here.

  • Plant network based on Ethernet with various industrial protocols including OPC.
  • Control Network of the Distributed Control system. Example. Yokogawa Centum VNet/IP.
  • Industrial Field Network: Example: Profibus DP, DNP3, and many others.
  • Industrial Field Network: Foundation Fieldbus, HART7, and others.
  • Wireless Network: ISA100, Wireless HART, and others.
  • A simple RS-232/422/485 serial cable to communicate two computers with each other.

ISA/IEC-62443 suggests a series of minimum or elementary criteria to carry out an initial Zone and Conduit segmentation, before conducting a detailed cyber risk study, also called Cyber-PHA (Cyber ​​Pocess Hazardous Analysis), Cyber-HAZOP. , or Cyber-LOPA. Many people believe that this is the last word, the recommendation is correct but not enough. In fact, it is far from the right thing to do.

Once the detailed risk assessment has been carried out, there will be an optimal segmentation of Zones and Conduits, together with a, often extensive, list of recommendations and countermeasures. Simple segmentation in itself is necessary but not sufficient. A series of recommendations must accompany the optimal segmentation. Each Zone or Conduit (Node) will have an SL-T - required security level (Secutity Level Target), and an SL-A - current security level (Security Level Achieved), all without going into much technical detail.

Initial SegmentationBefore carrying out the Detailed Risk Assessment (Cyber-PHA)

ISA/IEC-62443 suggests a series of minimum or elementary criteria to carry out an initial Zone and Conduit segmentation, before conducting a detailed cyber risk study, also called Cyber-PHA (Cyber ​​Pocess Hazardous Analysis), Cyber-HAZOP. , or Cyber-LOPA. Many people believe that this is the last word, the recommendation is correct but not enough. In fact, it is far from the right thing to do.

Optimal SegmentationAfter completing the Detailed Risk Assessment (Cyber-PHA)

Once the detailed risk assessment has been carried out, there will be an optimal segmentation of Zones and Conduits, together with a, often extensive, list of recommendations and countermeasures. Simple segmentation in itself is necessary but not sufficient. A series of recommendations must accompany the optimal segmentation. Each Zone or Conduit (Node) will have an SL-T - required security level (Secutity Level Target), and an SL-A - current security level (Security Level Achieved), all without going into much technical detail.

close

LET'S KEEP IN TOUCH!

We'd love to keep you updated with our latest news and offers 😎

We don't spam! Read our Privacy policy for more info.

About the author: Maximillian Kon WiseGroup Manager Into Cybersecurity ISA Qualified Instructor ISA Groups Member
CEO & Managing Director