Network Segmentation in Industrial Control Systems (IEC 62443 Explained)

By Zakaria El Intissar | February 17, 2026

Network segmentation is one of the most important cybersecurity principles in modern SCADA and industrial control systems. It is not just a best practice. In the IEC 62443 series of standards, segmentation is a core security requirement.

In simple words, network segmentation means:

Do not allow every device to talk to every other device.

Instead, divide the system into controlled parts, and carefully manage how those parts communicate.

This article explains network segmentation clearly, based on the IEC 62443 standards, especially:

  • IEC 62443-2-1 (Establishing a cybersecurity management system)
  • IEC 62443-3-3 (System security requirements – including SR 5.1 Network Segmentation)
  • IEC/TR 62443-3-1 (Security technologies used to implement segmentation)

What Is Network Segmentation?

Network segmentation is the practice of dividing a large network into smaller, controlled sections.

Instead of one flat network where:

  • PLCs
  • SCADA servers
  • Engineering workstations
  • HMIs
  • Corporate IT systems

are all connected together without restriction,

segmentation creates boundaries between them.

Each section of the network becomes a security zone, and communication between zones is controlled through a conduit.

In IEC 62443 terminology:

  • A zone is a group of assets with similar security requirements.
  • A conduit is a controlled communication path between zones.

This is the foundation of secure industrial architecture.

Why Network Segmentation Is Critical in SCADA

Industrial systems are different from IT systems.

In IT, a security incident may cause data loss or downtime.

In industrial environments, a security incident can affect:

  • Safety
  • Environment
  • Production continuity
  • Physical equipment
  • Human life

Many cyberattacks in industrial environments spread through flat networks. Once an attacker gains access to one device, they can move laterally to:

  • PLCs
  • Safety systems
  • Protection relays
  • SCADA servers

Segmentation limits this lateral movement.

If one device is compromised, the attacker can reach only what the conduits leaving that zone explicitly allow, rather than everything on the network.

IEC 62443 Requirement: SR 5.1 – Network Segmentation

In IEC 62443-3-3 (System Security Requirements), segmentation appears under:

FR 5 – Restricted Data Flow

Specifically:

SR 5.1 – Network Segmentation

The base requirement states that the control system shall provide the capability to:

  • Logically segment control system networks from non-control system networks
  • Logically segment critical control system networks from other control system networks

Its requirement enhancements add, as the target security level rises, physical network segmentation, independence from non-control system networks, and logical and physical isolation of critical networks.

Enforcing the policy at the boundary itself is covered by the neighbouring requirement, SR 5.2 – Zone Boundary Protection (with enhancements for deny-by-default/allow-by-exception, island mode and fail-close behaviour). Deciding where the zones and conduits lie is the job of the risk assessment described in IEC 62443-3-2.

The base SR 5.1 requirement applies from SL 1 upward, so segmentation is not optional. It is required for compliance at every security level.

The Zones and Conduits Model

The IEC 62443 standards introduce a structured approach using zones and conduits.

What Is a Zone?

A zone is a logical or physical grouping of devices that:

  • Share similar risk levels
  • Have similar security requirements
  • Require similar protection measures

Examples of zones in a substation or plant:

  • Field device zone (PLCs, RTUs)
  • HMI zone
  • SCADA server zone
  • Engineering workstation zone
  • Safety Instrumented System (SIS) zone
  • Corporate IT zone

Each zone is assigned its own target security level (SL-T), based on the risk assessment.

What Is a Conduit?

A conduit is a controlled communication path that connects zones (normally two). It groups the channels that cross that boundary.

The controls applied on a conduit must:

  • Authenticate the endpoints or users that use it
  • Restrict traffic to the documented flows (source, destination, direction)
  • Filter allowed protocols, and where possible the operations inside them
  • Log and monitor communication

Examples of devices that implement a conduit:

  • Industrial firewall
  • Layer 3 router with ACL
  • VPN gateway
  • Secure remote access server

The conduit is where the security policy is enforced.

Security Levels and Segmentation

IEC 62443 defines four Security Levels (SL) above SL 0 (no specific requirements), each described by the attacker it is meant to resist:

  • SL 1 – Protection against casual or coincidental violation
  • SL 2 – Protection against intentional violation using simple means, low resources, generic skills and low motivation
  • SL 3 – Protection against intentional violation using sophisticated means, moderate resources, IACS-specific skills and moderate motivation
  • SL 4 – Protection against intentional violation using sophisticated means, extended resources, IACS-specific skills and high motivation

The standard distinguishes the target level of a zone or conduit (SL-T), the level a component or system is capable of providing (SL-C) and the level achieved in the deployed system (SL-A). The higher the target security level, the stronger the segmentation must be.

For example:

At SL 1:

  • Basic firewall separation may be enough.

At SL 3:

  • Strict zone isolation
  • Deep packet inspection
  • Limited protocol exposure
  • Strong authentication at conduits

Segmentation strength must match risk level.

Segmentation and the Purdue Model

Although IEC 62443 does not require the Purdue Model, segmentation often aligns with it.

Typical levels:

  • Level 0: Physical process (sensors, actuators)
  • Level 1: Basic control (PLCs, RTUs, protection relays)
  • Level 2: Supervisory control (HMIs, local SCADA)
  • Level 3: Site operations (SCADA servers, historians, engineering workstations)
  • Level 3.5: Industrial DMZ
  • Level 4–5: Enterprise IT

A proper architecture prevents direct communication between:

  • Level 4 IT and Level 1 PLCs
  • Internet and SCADA core
  • Safety systems and corporate systems

Every boundary must be controlled.

How IEC 62443-2-1 Supports Segmentation

IEC 62443-2-1 focuses on management and policy.

It requires organizations to:

  • Perform risk assessments
  • Identify critical assets
  • Define security zones
  • Document segmentation strategy
  • Maintain segmentation over time
  • Audit compliance

Segmentation is not just a network design. It must be part of the Cyber Security Management System (CSMS).

Without documentation and governance, segmentation fails over time.

Technologies Used to Implement Segmentation

IEC/TR 62443-3-1 explains the technologies that support segmentation.

Network Firewalls

Industrial firewalls:

  • Filter traffic by source and destination address, protocol and port
  • Inspect protocols
  • Block unauthorized access
  • Log communication events

They are the primary enforcement device between zones.

VLANs

Virtual LANs create logical separation within switches.

They:

  • Reduce broadcast domains
  • Separate traffic logically
  • Provide internal segmentation

However, VLANs alone are not sufficient. A VLAN is a Layer 2 construct: anything that routes between VLANs (a Layer 3 switch, a router, a host with interfaces in two VLANs) joins them again unless it filters, and a misconfigured trunk or native VLAN can let tagged frames cross. VLANs must be combined with firewall rules at the point where inter-VLAN traffic is routed.

Host-Based Firewalls

These protect individual servers and workstations.

They control:

  • Inbound connections
  • Outbound connections
  • Application-level access

VPNs

VPNs create secure conduits for:

  • Remote access
  • Site-to-site communication

They authenticate the endpoints and encrypt traffic in transit. They do not, by themselves, restrict what passes through the tunnel: terminate the tunnel on a gateway in the DMZ and apply the conduit's firewall rules to the decrypted traffic.

Deep Packet Inspection

Advanced industrial firewalls can inspect:

  • Modbus
  • DNP3
  • IEC 104
  • Other industrial protocols

This lets the policy distinguish operations inside a permitted protocol: for example, allowing Modbus read function codes (3, 4) from the HMI zone while dropping writes (6, 16), or allowing IEC 104 monitoring traffic while blocking control commands (such as type ID 45, single command) from any zone except the control center. A port-only rule cannot make that distinction, so DPI prevents malicious commands even when the port is allowed.
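As an added example of protocol-aware filtering (not code from the article or from any firewall product), the Python below parses the public Modbus/TCP frame layout (7-byte MBAP header, then the PDU whose first byte is the function code) and applies a per-conduit function-code allowlist: the HMI zone may only read, the engineering zone may also write. The zone names, the allowlists and the sample frames are constructed for the example.

```python
"""Protocol-aware filtering on a conduit: a Modbus/TCP function-code allowlist.

Added example; not code from the article or from any firewall product. The
frame layout is the public Modbus/TCP format (7-byte MBAP header, then the
PDU whose first byte is the function code). The zone names, the per-conduit
allowlists and the sample frames are constructed for illustration.
"""
import struct

READ_FCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16, 22, 23}  # write coil(s) / register(s), mask write, read-write multiple
DIAG_FCS = {8, 43}                  # diagnostics (incl. restart comms), read device identification

# (src_zone, dst_zone) -> function codes allowed to cross that conduit. No entry = no conduit.
CONDUIT_FC_ALLOW = {
    ("hmi", "field"): READ_FCS,                               # operators may read, never write
    ("engineering", "field"): READ_FCS | WRITE_FCS | DIAG_FCS,
}


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP request into (transaction_id, unit_id, function_code, data)."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError(f"protocol identifier {proto_id} is not Modbus")
    # 'length' counts unit id + PDU, so a well-formed frame is exactly 6 + length bytes
    if len(frame) != 6 + length:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit_id, frame[7], frame[8:]


def filter_modbus(src_zone, dst_zone, frame):
    """Return (verdict, reason) for one request crossing from src_zone to dst_zone."""
    allowed = CONDUIT_FC_ALLOW.get((src_zone, dst_zone))
    if allowed is None:
        return "DROP", "no conduit between these zones"
    try:
        tid, unit_id, fc, _data = parse_mbap(frame)
    except ValueError as err:
        return "DROP", f"malformed frame: {err}"
    if fc & 0x80:
        return "DROP", "exception code on the request path"
    if fc not in allowed:
        return "DROP", f"function code {fc} not permitted on this conduit"
    return "ALLOW", f"fc={fc} unit={unit_id} tid={tid}"


# Constructed frames (hex): MBAP = tid, protocol id 0, length, unit id; then FC and data.
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")           # read 10 regs @0
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0010 1234")           # write reg 0x10
WRITE_MULTI = bytes.fromhex("0003 0000 0009 01 10 0010 0001 02 1234")    # write 1 reg @0x10
TRUNCATED = READ_HOLDING[:-1]                                             # length field lies

if __name__ == "__main__":
    for label, src, frame in [("HMI read", "hmi", READ_HOLDING),
                              ("HMI write", "hmi", WRITE_SINGLE),
                              ("Eng write", "engineering", WRITE_MULTI),
                              ("IT read", "corporate", READ_HOLDING),
                              ("HMI trunc", "hmi", TRUNCATED)]:
        print(f"{label:10s} ->", filter_modbus(src, "field", frame))
```

The length check matters: a firewall that trusts the MBAP length field without comparing it to the bytes actually received can be desynchronised by a truncated or padded frame, so the filter drops anything that does not match rather than guessing.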

Segmentation and DMZ Architecture

A DMZ (Demilitarized Zone) is a special security zone between:

  • Corporate IT
  • Industrial control network

The DMZ typically contains:

  • Data historians
  • Patch servers
  • Remote access jump servers
  • Update servers

No session crosses the DMZ end to end: IT systems talk to a DMZ host, and a DMZ host talks to OT, with a firewall rule set on each side. This is what prevents direct IT-to-OT communication.

It is one of the most important segmentation practices in modern SCADA architecture.

Practical Example: Substation Segmentation

A well-designed digital substation may include:

  • Process Bus zone
  • Station Bus zone
  • Protection relay zone
  • Engineering workstation zone
  • SCADA interface zone
  • Utility WAN zone
  • Corporate IT zone

Each zone has:

  • Defined security level
  • Controlled conduits
  • Limited allowed protocols

For example:

  • GOOSE and Sampled Values are Layer 2 multicast frames; they stay on the station and process bus and are never bridged off them.
  • IEC 104 (TCP port 2404) is allowed only through the firewall to the control center.
  • Engineering access goes through a jump server in the DMZ.

This reduces risk significantly.
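The zones-and-conduits model from the earlier sections, applied to this substation, as an added example (not code from the article or from the standard): a small default-deny policy in Python that lists the zones above and the conduits between them, then checks observed flows against it. The conduit set, the direction of each conduit (taken as the side that opens the connection) and the observed flows are assumptions made for the example; a DMZ zone is added to hold the jump server.

```python
"""Zone-and-conduit policy for the substation example (added illustration).

This is not code from the article or from the IEC 62443 standards. The
zone names follow the list above; the conduits, the direction of each
conduit (the side that opens the connection) and the sample observed
flows are assumptions chosen for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Conduit:
    src: str             # zone that initiates the connection
    dst: str             # zone that accepts it
    protocols: frozenset


class SegmentationPolicy:
    """Default deny: a cross-zone flow is allowed only if a conduit lists it."""

    def __init__(self, zones):
        self.zones = frozenset(zones)
        self.conduits = []

    def add_conduit(self, src, dst, protocols, bidirectional=False):
        for z in (src, dst):
            if z not in self.zones:
                raise ValueError(f"unknown zone {z!r}")
        self.conduits.append(Conduit(src, dst, frozenset(protocols)))
        if bidirectional:
            self.conduits.append(Conduit(dst, src, frozenset(protocols)))

    def is_allowed(self, src, dst, protocol):
        if src == dst:   # intra-zone traffic does not cross a boundary
            return True
        return any(c.src == src and c.dst == dst and protocol in c.protocols
                   for c in self.conduits)

    def path_allowed(self, hops, protocol):
        """A multi-hop path (e.g. through a jump server) is allowed only if every hop is."""
        return all(self.is_allowed(a, b, protocol) for a, b in zip(hops, hops[1:]))

    def violations(self, observed_flows):
        """Return the observed (src, dst, protocol) flows that no conduit permits."""
        return [f for f in observed_flows if not self.is_allowed(*f)]


def build_substation_policy():
    """Zones from the substation example plus an assumed DMZ for the jump server."""
    p = SegmentationPolicy([
        "process_bus", "station_bus", "protection_relay", "engineering_ws",
        "scada_interface", "utility_wan", "corporate_it", "dmz",
    ])
    # GOOSE / Sampled Values are Layer 2 multicast: they exist only on the buses.
    p.add_conduit("protection_relay", "process_bus", {"sv", "goose"}, bidirectional=True)
    p.add_conduit("protection_relay", "station_bus", {"goose", "mms"}, bidirectional=True)
    # The SCADA interface polls the station-bus gateway over MMS.
    p.add_conduit("scada_interface", "station_bus", {"mms"})
    # IEC 104: the control center (controlling station) opens TCP/2404 to the gateway.
    p.add_conduit("utility_wan", "scada_interface", {"iec104"})
    # Engineering access: corporate user -> jump server in DMZ -> engineering workstation.
    p.add_conduit("corporate_it", "dmz", {"rdp"})
    p.add_conduit("dmz", "engineering_ws", {"rdp"})
    p.add_conduit("engineering_ws", "protection_relay", {"mms", "vendor_tool"})
    return p


# Constructed sample of flows "observed" at the boundaries, e.g. from firewall logs.
OBSERVED_FLOWS = [
    ("protection_relay", "station_bus", "goose"),    # expected
    ("utility_wan", "scada_interface", "iec104"),    # expected
    ("corporate_it", "scada_interface", "iec104"),   # IT bypassing the control center path
    ("station_bus", "utility_wan", "goose"),         # GOOSE leaking off the station bus
    ("corporate_it", "protection_relay", "mms"),     # direct IT -> relay
]

if __name__ == "__main__":
    policy = build_substation_policy()
    for flow in policy.violations(OBSERVED_FLOWS):
        print("VIOLATION", flow)
    print("engineering path ok:",
          policy.path_allowed(["corporate_it", "dmz", "engineering_ws"], "rdp"))
```

The same table of conduits is what the firewall rules and the IEC 62443-2-1 documentation should be derived from; keeping it as data makes the periodic review ("does the deployed rule set still match the documented conduits?") a comparison rather than a reading exercise.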

Common Segmentation Mistakes

Many organizations believe they are segmented when they are not.

Common mistakes include:

  • Flat network with only VLAN separation
  • Firewall with “any-to-any” rules
  • Shared Active Directory without restriction
  • Direct remote desktop access to PLC network
  • No logging at zone boundaries
  • Shared switches between IT and OT

These designs create hidden vulnerabilities.
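An added example (not from the article) of checking a conduit firewall's rule set for the mistakes above: the Python below maps each rule's addresses to an assumed zone addressing plan and flags any-to-any rules, IT-to-OT flows that bypass the DMZ, remote desktop straight into the PLC zone, unlogged rules, and a missing final deny. The rule format, the addressing plan and the sample rules are constructed for illustration.

```python
"""Audit a conduit firewall rule set for the segmentation mistakes listed above.

Added example; not code from the article or from any firewall vendor. The
rule representation (a list of dicts), the zone addressing plan and the
sample rules are constructed for illustration. The checks are the mistakes
named in the text: any-to-any rules, IT-to-OT flows that bypass the DMZ,
remote desktop straight into the PLC network, unlogged boundary rules,
plus a missing final deny.
"""
import ipaddress

# Assumed addressing plan: one subnet per zone.
ZONES = {
    "corporate_it": ipaddress.ip_network("10.0.0.0/16"),
    "dmz": ipaddress.ip_network("10.10.0.0/24"),
    "scada": ipaddress.ip_network("10.20.0.0/24"),
    "plc": ipaddress.ip_network("10.30.0.0/24"),
}
CONTROL_ZONES = {"scada", "plc"}
REMOTE_DESKTOP_PORTS = {3389, 5900}   # RDP, VNC


def zone_of(cidr):
    """Map a rule's address field to a zone name ('any' / 'unknown' if it does not fit)."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone_net in ZONES.items():
        if net.subnet_of(zone_net):
            return name
    return "unknown"


def audit(rules):
    """Return (rule_index, finding) pairs; an empty list means nothing was flagged."""
    findings = []
    for i, r in enumerate(rules):
        if r["action"] != "allow":
            continue
        src, dst = zone_of(r["src"]), zone_of(r["dst"])
        if r["src"] == "any" and r["dst"] == "any":
            findings.append((i, "any_to_any"))
        if src == "corporate_it" and dst in CONTROL_ZONES:
            findings.append((i, "it_to_ot_direct"))   # must terminate in the DMZ instead
        if dst == "plc" and r["port"] in REMOTE_DESKTOP_PORTS:
            findings.append((i, "rdp_into_plc"))
        if not r.get("log", False):
            findings.append((i, "no_log"))
    last = rules[-1] if rules else None
    if not (last and last["action"] == "deny" and last["src"] == "any" and last["dst"] == "any"):
        findings.append((len(rules), "no_default_deny"))
    return findings


# Constructed rule set for the IT/OT conduit firewall, evaluated top-down.
SAMPLE_RULES = [
    {"action": "allow", "src": "10.0.5.0/24", "dst": "10.10.0.10/32", "port": 3389, "log": True},   # IT -> jump host
    {"action": "allow", "src": "10.10.0.10/32", "dst": "10.20.0.0/24", "port": 3389, "log": True},  # jump host -> SCADA
    {"action": "allow", "src": "10.0.0.0/16", "dst": "10.30.0.0/24", "port": 502, "log": False},    # whole IT -> PLCs
    {"action": "allow", "src": "any", "dst": "any", "port": "any", "log": False},                    # "temporary" rule
    {"action": "allow", "src": "10.0.7.5/32", "dst": "10.30.0.7/32", "port": 3389, "log": True},    # RDP onto a PLC-zone host
    {"action": "deny", "src": "any", "dst": "any", "port": "any", "log": True},
]

if __name__ == "__main__":
    for idx, finding in audit(SAMPLE_RULES):
        print(f"rule {idx}: {finding}")
```

The first two rules are the DMZ pattern done right (IT reaches only the jump host, the jump host reaches SCADA); the audit is silent on them and flags the three rules that quietly undo the segmentation.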

Benefits of Proper Network Segmentation

When segmentation is correctly designed:

  • Attack surface is reduced
  • Lateral movement is limited
  • Incidents are contained
  • Monitoring is easier
  • Compliance is improved
  • Recovery is faster

Segmentation creates structure and visibility.

It is the backbone of defense-in-depth.

Segmentation as Part of Defense-in-Depth

IEC 62443 promotes defense-in-depth.

This means:

No single control should be trusted alone.

Segmentation works together with:

  • Authentication
  • Access control
  • Encryption
  • Monitoring
  • Incident response
  • Patch management

Layered security is stronger than any single control.

Network Segmentation Is Not a One-Time Project

One important concept in IEC 62443-2-1 is lifecycle management.

Segmentation must be:

  • Reviewed periodically
  • Updated when systems change
  • Tested during audits
  • Adjusted after incidents

Industrial systems evolve over time.

If segmentation is not maintained, it slowly degrades.

Final Thoughts

Network segmentation is one of the most powerful cybersecurity controls in industrial environments.

According to IEC 62443:

  • Systems must be divided into security zones.
  • Data flow between zones must be restricted.
  • Conduits must enforce security policies.
  • Segmentation must match risk and security level.
  • Segmentation must be part of a formal cybersecurity program.

In simple terms:

Do not allow unrestricted communication.
Define clear boundaries.
Control every crossing.

When implemented correctly, network segmentation transforms a vulnerable flat network into a structured, resilient, and defensible industrial architecture.

It is not just a design choice.

It is a requirement for modern secure SCADA systems.

Author: Zakaria El Intissar

I'm an automation and industrial computing engineer with 12 years of experience in power system automation, SCADA communication protocols, and electrical protection. I build tools and write guides for Modbus, DNP3, IEC 101/103/104, and IEC 61850 on ScadaProtocols.com to help engineers decode, analyze, and troubleshoot real industrial communication systems.
