IEC 62443 zone and conduit design
Zones and conduits are the backbone of IEC 62443. Synapse makes them a first-class model — group assets into zones, control every conduit, and let the engine check the segmentation and SL-T coverage for you.
From risk to SL-T, the 62443-3-2 way
Synapse follows the IEC 62443-3-2 flow: partition the system into zones and conduits, assess risk (consequence × likelihood), and derive the target security level for each zone. SL-T is the output of the risk assessment, not a guess — and the derivation is shown, not hidden.
- Zones grouped by required security level; every conduit documented and controlled
- Risk assessment (ZCR-5) derives SL-T; residuals above the tolerable line are flagged
- Flat-network, duplicate-IP and any-any-conduit violations caught automatically
Evidence the auditor actually wants
Generate the zone-and-conduit diagram, the asset inventory and the requirement-by-requirement 62443-3-3 coverage report — each control traceable to the asset, zone or conduit that satisfies it.
Frequently asked questions
What is a zone and a conduit in IEC 62443?
A zone is a logical grouping of assets that share the same security requirements; a conduit is a controlled communication path between zones. Every conduit must be documented and protected so that traffic only crosses a trust boundary in a known, controlled way.
How is the target security level (SL-T) determined?
Under IEC 62443-3-2, each zone is risk-assessed (consequence against likelihood). The resulting risk drives the SL-T the zone must achieve. Synapse computes this from the topology and open findings so the SL-T is defensible and traceable.
Do I need a DMZ between IT and OT?
In almost all cases, yes. A demilitarised zone terminates remote access and brokers data flows so that untrusted networks never connect straight into the control system. Synapse checks for a DMZ on the relevant conduits and flags direct IT-to-OT paths.
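The segmentation checks named on this page (flat network, duplicate IP, any-any conduit, direct IT-to-OT path) can be run over a small zone-and-conduit model, as in this added example. It is not Synapse's code: the data layout, the function name `check_segmentation`, the sample zones and addresses, and the exact definition of each violation are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample model; zone names, kinds and addresses are illustrative.
ZONES = {
    "enterprise": {"kind": "IT",  "assets": {"erp01": "10.0.1.10", "hist-client": "10.0.1.20"}},
    "ot-dmz":     {"kind": "DMZ", "assets": {"jump01": "10.0.50.5", "hist-replica": "10.0.50.6"}},
    "control":    {"kind": "OT",  "assets": {"plc01": "10.0.100.11", "hmi01": "10.0.100.12",
                                             "eng-ws": "10.0.100.11"}},  # duplicate of plc01
}
# Each conduit: the two zones it joins and its allowed flows as (source, destination, port).
CONDUITS = [
    {"zones": ("enterprise", "ot-dmz"), "rules": [("hist-client", "hist-replica", 443)]},
    {"zones": ("ot-dmz", "control"),    "rules": [("any", "any", "any")]},
    {"zones": ("enterprise", "control"), "rules": [("erp01", "plc01", 502)]},
]

def check_segmentation(zones, conduits):
    """Return a sorted list of (violation, subject) tuples for the model."""
    findings = []
    # Flat network: assets exist but are not partitioned into more than one zone.
    populated = [name for name, z in zones.items() if z["assets"]]
    if len(populated) <= 1:
        findings.append(("flat-network", populated[0] if populated else "<empty>"))
    # Duplicate IP: one address assigned to more than one asset anywhere in the model.
    ips = Counter(ip for z in zones.values() for ip in z["assets"].values())
    findings += [("duplicate-ip", ip) for ip, n in ips.items() if n > 1]
    for c in conduits:
        a, b = c["zones"]
        label = f"{a}<->{b}"
        # Any-any conduit: a rule that leaves source, destination and port all open.
        if any(rule == ("any", "any", "any") for rule in c["rules"]):
            findings.append(("any-any-conduit", label))
        # Direct IT-to-OT path: the conduit joins an IT zone to an OT zone with no DMZ between.
        if {zones[a]["kind"], zones[b]["kind"]} == {"IT", "OT"}:
            findings.append(("direct-it-ot", label))
    return sorted(findings)

if __name__ == "__main__":
    for violation, subject in check_segmentation(ZONES, CONDUITS):
        print(f"{violation:16} {subject}")
```

On the sample model the DMZ-brokered historian flow passes, while the open DMZ-to-control conduit, the ERP-to-PLC conduit that bypasses the DMZ, and the reused address are each reported.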
Bring your next site online — secure by design.
Book a demo to see the model-to-evidence loop on your own architecture — or open the live studio now.