Zone
An IEC 62443 partition — a set of assets that share the same security requirement. The unit of security analysis in zone-and-conduit thinking.
Also: security zone, 62443 zone
A zone, in IEC 62443 terminology, is a set of assets that share the same security requirement. It is the unit of security analysis in the zone-and-conduit model — the thing you write a single Security Level statement about.
What “share the same security requirement” actually means
Not “are physically near each other”. Not “are on the same VLAN”. The test is functional:
- Would a reasonable adversary treat these assets as equivalent targets?
- Would equivalent controls defend them?
If yes, they belong in the same zone. If a single asset would warrant materially stronger or weaker controls than its neighbours, it belongs in a different zone.
Typical substation-and-control-centre zones
A composite GB transmission setup might partition into:
- Z-PROC — Process bus. Merging units and protection IEDs exchanging Sampled Values and trip GOOSE under PRP. Sub-millisecond latency budget.
- Z-STN — Station bus. Station gateway, local HMI, IED engineering interfaces, time source.
- Z-WAN — Virtual zone for the MPLS circuit between substation and control centre. Semi-trusted.
- Z-RTU — Virtualised RTU VMs in the control-centre cluster.
- Z-OPS — ADMS application servers, also virtualised.
- Z-EMS — Bare-metal EMS in the same data hall, different zone because the trust requirement is wider.
- Z-EW — Engineering workstations. The most volatile zone — population changes weekly.
- Z-IDMZ — Industrial DMZ between OT and IT.
Some zones — Z-WAN, Z-IDMZ — exist only to give a place to anchor security controls. A zone whose job is to be a documented boundary is still a useful zone.
What sits between zones
Conduits. A conduit is the communication path between two zones, with its own Security Level target derived from the zones it joins.
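The functional test for zone membership and the conduit rule above, as an added example (not part of the original entry or of the standard's text): it groups a constructed asset inventory by zone, flags any asset whose required Security Level vector differs from its neighbours', and derives a target for each conduit. Assumptions: asset names, zone pairs and SL values are constructed, any per-requirement difference counts as material, and the conduit target is taken as the per-requirement maximum of the two zones, since the entry says only that it is derived from them.

```python
from collections import Counter, defaultdict

# The seven IEC 62443 foundational requirements; an SL vector has one level (0-4) per FR.
FRS = ("IAC", "UC", "SI", "DC", "RDF", "TRE", "RA")

# Constructed inventory: asset -> (assigned zone, required SL per FR). Values are illustrative.
ASSETS = {
    "mu-01":       ("Z-PROC", (1, 1, 3, 1, 3, 2, 3)),
    "prot-ied-01": ("Z-PROC", (1, 1, 3, 1, 3, 2, 3)),
    "stn-gw-01":   ("Z-STN",  (2, 2, 3, 1, 2, 2, 3)),
    "hmi-01":      ("Z-STN",  (2, 2, 3, 1, 2, 2, 3)),
    "rtu-vm-01":   ("Z-RTU",  (2, 2, 3, 1, 2, 3, 3)),
    "adms-app-01": ("Z-OPS",  (3, 3, 3, 2, 2, 3, 3)),
    "adms-app-02": ("Z-OPS",  (3, 3, 3, 2, 2, 3, 3)),
    "report-srv":  ("Z-OPS",  (2, 2, 2, 2, 1, 2, 1)),  # hypothetical misfit
}
CONDUITS = [("Z-PROC", "Z-STN"), ("Z-RTU", "Z-OPS")]  # constructed zone pairs


def analyse_zones(assets):
    """Return ({zone: baseline SL vector}, [(asset, zone, [FRs that differ])])."""
    by_zone = defaultdict(dict)
    for name, (zone, vec) in assets.items():
        if len(vec) != len(FRS) or not all(0 <= v <= 4 for v in vec):
            raise ValueError(f"{name}: SL vector needs {len(FRS)} levels in 0..4")
        by_zone[zone][name] = vec
    baselines, misfits = {}, []
    for zone, members in by_zone.items():
        # Baseline = the requirement most members share; ties go to the first seen.
        baseline = Counter(members.values()).most_common(1)[0][0]
        baselines[zone] = baseline
        for name, vec in members.items():
            diff = [fr for fr, a, b in zip(FRS, vec, baseline) if a != b]
            if diff:  # stronger or weaker than its neighbours: different zone
                misfits.append((name, zone, diff))
    return baselines, misfits


def conduit_target(zone_a, zone_b, baselines):
    """Assumed rule: per-FR maximum of the two zones' vectors."""
    return tuple(max(a, b) for a, b in zip(baselines[zone_a], baselines[zone_b]))


if __name__ == "__main__":
    baselines, misfits = analyse_zones(ASSETS)
    for name, zone, diff in misfits:
        print(f"{name} does not fit {zone}: differs on {', '.join(diff)}")
    for a, b in CONDUITS:
        print(f"{a} <-> {b}: SL-T {dict(zip(FRS, conduit_target(a, b, baselines)))}")
```

A flagged asset is a prompt to move it to another zone or to revise the zone's Security Level statement, not an automatic verdict.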