
Implementing IEC 62443 Security Zones

When to Use

  • When designing a greenfield OT network architecture for a new industrial facility
  • When retrofitting security zones into an existing flat OT network after an assessment finding
  • When implementing network segmentation to comply with IEC 62443-3-2 certification requirements
  • When upgrading from basic VLAN segmentation to policy-enforced zone/conduit architecture
  • When an IT/OT convergence project requires defining security boundaries between enterprise and operational networks

Do not use for IT-only network segmentation (see implementing-network-microsegmentation), for cloud-native workload segmentation (see securing-kubernetes-on-cloud), or for physical security zone design without a cyber component.

Prerequisites

  • Completed OT network security assessment with asset inventory and traffic flow analysis
  • Understanding of IEC 62443-3-2 zone/conduit design process and the Purdue Reference Model
  • Industrial firewalls capable of deep packet inspection for OT protocols (Palo Alto with OT Security, Fortinet OT, Cisco ISA-3000)
  • Network switches supporting VLANs, 802.1Q trunking, and port security
  • Approval from operations management for network architecture changes during maintenance windows

Workflow

Step 1: Perform Zone Partitioning Based on Risk Assessment

Partition the IACS into zones based on functional requirements, security requirements, criticality, and consequence of compromise. Each zone contains assets with common security requirements.

```yaml
# IEC 62443-3-2 Zone Definition Document
facility: "Petrochemical Refinery - Unit 3"
assessment_date: "2026-02-23"
standard: "IEC 62443-3-2:2020"

zones:
  - zone_id: "Z1-SIS"
    name: "Safety Instrumented Systems"
    purdue_level: 1
    security_level_target: "SL 3"
    criticality: "Safety Critical"
    assets:
      - "Triconex 3008 Safety Controller (SIS-01)"
      - "Triconex 3008 Safety Controller (SIS-02)"
      - "SIS Engineering Workstation"
    security_requirements:
      - "Physically isolated from all other zones (air-gapped)"
      - "Dedicated engineering workstation with removable media controls"
      - "No remote access permitted under any circumstances"
      - "Change management requires dual authorization"
    allowed_conduits: []  # No network conduits - fully air-gapped

  - zone_id: "Z2-BPCS"
    name: "Basic Process Control System"
    purdue_level: "1-2"
    security_level_target: "SL 2"
    criticality: "High"
    assets:
      - "Allen-Bradley ControlLogix PLCs (PLC-01 through PLC-12)"
      - "Rockwell FactoryTalk View HMIs (HMI-01 through HMI-06)"
      - "Engineering Workstation (EWS-01)"
    security_requirements:
      - "Industrial firewall at zone boundary with protocol inspection"
      - "Read-only access from Level 3 for data acquisition"
      - "Write access restricted to engineering workstation subnet"
      - "USB ports disabled on HMIs"
    allowed_conduits: ["C1-BPCS-OPS"]

  - zone_id: "Z3-OPS"
    name: "Site Operations"
    purdue_level: 3
    security_level_target: "SL 2"
    criticality: "Medium"
    assets:
      - "OSIsoft PI Historian (HIST-01)"
      - "OPC UA Server (OPC-01)"
      - "MES Application Server (MES-01)"
      - "Alarm Management Server (ALM-01)"
    security_requirements:
      - "Firewall between operations and control zones"
      - "Firewall between operations and DMZ"
      - "No direct internet access"
      - "Antivirus with OT-approved signatures"
    allowed_conduits: ["C1-BPCS-OPS", "C2-OPS-DMZ"]

  - zone_id: "Z4-DMZ"
    name: "Industrial Demilitarized Zone"
    purdue_level: 3.5
    security_level_target: "SL 2"
    criticality: "Medium"
    assets:
      - "PI-to-PI Interface (DMZ-HIST-01)"
      - "Patch Management Server (DMZ-WSUS-01)"
      - "Remote Access Jump Server (DMZ-JUMP-01)"
      - "Data Diode - Waterfall Security (DMZ-DD-01)"
    security_requirements:
      - "Dual-homed firewalls on both sides"
      - "No direct traffic traversal - all connections terminate in DMZ"
      - "Data diode for unidirectional historian replication"
      - "Jump server with MFA for remote access"
    allowed_conduits: ["C2-OPS-DMZ", "C3-DMZ-ENT"]

  - zone_id: "Z5-ENT"
    name: "Enterprise Network"
    purdue_level: 4
    security_level_target: "SL 1"
    criticality: "Low (from OT perspective)"
    assets:
      - "Corporate systems accessing OT data"
    security_requirements:
      - "Firewall between enterprise and DMZ"
      - "No direct access to any OT zone below DMZ"
    allowed_conduits: ["C3-DMZ-ENT"]

conduits:
  - conduit_id: "C1-BPCS-OPS"
    name: "Control-to-Operations Conduit"
    connects: ["Z2-BPCS", "Z3-OPS"]
    security_level: "SL 2"
    protocols_allowed:
      - protocol: "OPC UA"
        port: 4840
        direction: "Z2 -> Z3 (read only)"
        security_mode: "SignAndEncrypt"
      - protocol: "Modbus/TCP"
        port: 502
        direction: "Z3 -> Z2 (read only, FC 3/4 only)"
        security_mode: "Firewall-enforced function code filtering"
    controls:
      - "Industrial firewall with OT protocol DPI"
      - "Allowlisted source/destination IP pairs"
      - "Function code filtering (block all write operations from L3)"
      - "Connection rate limiting"

  - conduit_id: "C2-OPS-DMZ"
    name: "Operations-to-DMZ Conduit"
    connects: ["Z3-OPS", "Z4-DMZ"]
    security_level: "SL 2"
    protocols_allowed:
      - protocol: "PI-to-PI"
        port: 5450
        direction: "Z3 -> Z4 (unidirectional via data diode)"
      - protocol: "HTTPS"
        port: 443
        direction: "Z4 -> Z3 (patch downloads only)"
    controls:
      - "Data diode for historian replication (Waterfall Security)"
      - "Firewall with application-layer inspection"
      - "Patch server pulls only from approved vendor repositories"

  - conduit_id: "C3-DMZ-ENT"
    name: "DMZ-to-Enterprise Conduit"
    connects: ["Z4-DMZ", "Z5-ENT"]
    security_level: "SL 1"
    protocols_allowed:
      - protocol: "HTTPS"
        port: 443
        direction: "Z5 -> Z4 (historian read, remote access portal)"
      - protocol: "RDP"
        port: 3389
        direction: "Z5 -> Z4 (jump server with MFA)"
    controls:
      - "Next-gen firewall with SSL inspection"
      - "MFA required for all remote access sessions"
      - "Session recording on jump server"
```
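A zone/conduit document is only useful if it is internally consistent, so as an added example (not part of the original page or any vendor tooling) the following checker loads a constructed subset of the zone definition above as plain Python dicts and tests the properties the document's own requirements state: every conduit and `allowed_conduits` entry agree, the SIS zone has no conduits, and the enterprise zone never connects below the DMZ. The rule that a conduit's SL should not fall below the lower SL-T of the zones it joins is a heuristic assumed here, not a clause of the standard; `with_conduit` and the constants are this example's own names.

```python
"""Consistency checks for an IEC 62443-3-2 zone/conduit model."""
from copy import deepcopy

# Constructed subset of the zone definition document above (plain dicts so
# the check needs no YAML library; the field names and values are the page's).
ZONE_MODEL = {
    "zones": [
        {"zone_id": "Z1-SIS", "purdue_level": 1, "security_level_target": "SL 3",
         "allowed_conduits": []},
        {"zone_id": "Z2-BPCS", "purdue_level": "1-2", "security_level_target": "SL 2",
         "allowed_conduits": ["C1-BPCS-OPS"]},
        {"zone_id": "Z3-OPS", "purdue_level": 3, "security_level_target": "SL 2",
         "allowed_conduits": ["C1-BPCS-OPS", "C2-OPS-DMZ"]},
        {"zone_id": "Z4-DMZ", "purdue_level": 3.5, "security_level_target": "SL 2",
         "allowed_conduits": ["C2-OPS-DMZ", "C3-DMZ-ENT"]},
        {"zone_id": "Z5-ENT", "purdue_level": 4, "security_level_target": "SL 1",
         "allowed_conduits": ["C3-DMZ-ENT"]},
    ],
    "conduits": [
        {"conduit_id": "C1-BPCS-OPS", "connects": ["Z2-BPCS", "Z3-OPS"],
         "security_level": "SL 2"},
        {"conduit_id": "C2-OPS-DMZ", "connects": ["Z3-OPS", "Z4-DMZ"],
         "security_level": "SL 2"},
        {"conduit_id": "C3-DMZ-ENT", "connects": ["Z4-DMZ", "Z5-ENT"],
         "security_level": "SL 1"},
    ],
}

DMZ_LEVEL = 3.5        # Purdue level of the industrial DMZ
ENTERPRISE_LEVEL = 4   # Purdue level of the enterprise network


def sl_number(sl):
    """'SL 2' -> 2."""
    return int(sl.split()[1])


def lowest_level(purdue):
    """Lowest Purdue level a zone spans: 1 -> 1.0, '1-2' -> 1.0, 3.5 -> 3.5."""
    return min(float(p) for p in str(purdue).split("-"))


def check_zone_model(model):
    """Return a list of findings; an empty list means the model is consistent."""
    findings = []
    zones = {z["zone_id"]: z for z in model["zones"]}
    conduits = {c["conduit_id"]: c for c in model["conduits"]}

    # Rule 1: referential integrity in both directions.
    for cid, c in conduits.items():
        for zid in c["connects"]:
            if zid not in zones:
                findings.append(f"{cid}: connects unknown zone {zid}")
            elif cid not in zones[zid]["allowed_conduits"]:
                findings.append(f"{cid}: missing from allowed_conduits of {zid}")
    for zid, z in zones.items():
        for cid in z["allowed_conduits"]:
            if cid not in conduits:
                findings.append(f"{zid}: allows undeclared conduit {cid}")
            elif zid not in conduits[cid]["connects"]:
                findings.append(f"{zid}: allows {cid}, which does not connect to it")

    # Rule 2: the safety zone is air-gapped ("No network conduits").
    for zid, z in zones.items():
        if zid.endswith("-SIS") and z["allowed_conduits"]:
            findings.append(f"{zid}: safety zone must have no conduits")

    # Rule 3: "No direct access to any OT zone below DMZ" from the enterprise zone.
    for cid, c in conduits.items():
        ends = [zones[z] for z in c["connects"] if z in zones]
        if len(ends) == 2:
            lo, hi = sorted(lowest_level(z["purdue_level"]) for z in ends)
            if hi >= ENTERPRISE_LEVEL and lo < DMZ_LEVEL:
                findings.append(f"{cid}: enterprise zone connects below the DMZ")

    # Rule 4 (heuristic assumed by this example, not a clause of the standard):
    # a conduit's SL should not be lower than the lower SL-T of the zones it joins,
    # otherwise the conduit is the weakest link of that boundary.
    for cid, c in conduits.items():
        ends = [zones[z] for z in c["connects"] if z in zones]
        if ends:
            floor = min(sl_number(z["security_level_target"]) for z in ends)
            if sl_number(c["security_level"]) < floor:
                findings.append(f"{cid}: conduit SL below zone SL-T floor {floor}")
    return findings


def with_conduit(model, conduit_id, connects, security_level):
    """Copy of the model with one extra conduit (used to exercise the checks)."""
    new = deepcopy(model)
    new["conduits"].append({"conduit_id": conduit_id, "connects": connects,
                            "security_level": security_level})
    return new


if __name__ == "__main__":
    rogue = with_conduit(ZONE_MODEL, "C9-ENT-BPCS", ["Z5-ENT", "Z2-BPCS"], "SL 1")
    for name, model in [("as designed", ZONE_MODEL), ("with rogue conduit", rogue)]:
        print(f"{name}: {check_zone_model(model) or ['OK']}")
```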

Step 2: Configure Industrial Firewalls for Zone Boundaries

Deploy and configure industrial-grade firewalls at each zone boundary with OT protocol-aware deep packet inspection.

```bash
# Cisco ISA-3000 Industrial Firewall Configuration
# Conduit C1: BPCS (Zone 2) <-> Operations (Zone 3)

# Define zone interfaces
interface GigabitEthernet1/1
 nameif zone-bpcs
 security-level 90
 ip address 10.20.1.1 255.255.0.0
interface GigabitEthernet1/2
 nameif zone-ops
 security-level 70
 ip address 10.30.1.1 255.255.0.0

# OPC UA from BPCS to Operations (read-only data flow)
access-list BPCS-to-OPS extended permit tcp 10.20.0.0 255.255.0.0 host 10.30.1.50 eq 4840

# Modbus read from Operations historian to PLCs (FC 3,4 only)
access-list OPS-to-BPCS extended permit tcp host 10.30.1.50 10.20.0.0 255.255.0.0 eq 502

# Deny all other traffic between zones
access-list BPCS-to-OPS extended deny ip any any log
access-list OPS-to-BPCS extended deny ip any any log

# Apply access lists
access-group BPCS-to-OPS in interface zone-bpcs
access-group OPS-to-BPCS in interface zone-ops

# Enable Modbus protocol inspection with function code filtering
policy-map type inspect modbus MODBUS-INSPECT
 parameters
 # Allow read operations only from Operations zone
 match func-code read-coils
 match func-code read-discrete-inputs
 match func-code read-holding-registers
 match func-code read-input-registers
 # Block all write function codes
 match func-code force-single-coil
  action drop log
 match func-code preset-single-register
  action drop log
 match func-code force-multiple-coils
  action drop log
 match func-code preset-multiple-registers
  action drop log

# Apply to service policy
policy-map global_policy
 class inspection_default
  inspect modbus MODBUS-INSPECT

# Logging to OT SIEM
logging host zone-ops 10.30.1.60
logging trap informational
logging enable
```
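What the Modbus inspection policy above asks the firewall to do, written out as an added example (not Cisco's code or the page's own): parse the MBAP header of each Modbus/TCP request on conduit C1, drop malformed frames, and allow only the read function codes permitted in the Operations-to-BPCS direction, logging a reason for every drop. The policy constant, zone keys, `build_request` helper and sample frames are constructed for this example.

```python
"""Modbus/TCP function-code filter for conduit C1 (Z3-OPS -> Z2-BPCS)."""
import struct

# Function codes named as in the firewall policy above.
READ_FUNCTION_CODES = {1: "read-coils", 2: "read-discrete-inputs",
                       3: "read-holding-registers", 4: "read-input-registers"}
WRITE_FUNCTION_CODES = {5: "force-single-coil", 6: "preset-single-register",
                        15: "force-multiple-coils", 16: "preset-multiple-registers"}

# Conduit policy keyed by (source zone, destination zone). Modbus is only
# permitted from Operations towards BPCS, and only with read function codes;
# Z2 -> Z3 carries OPC UA, so a Modbus request in that direction has no conduit.
CONDUIT_C1_POLICY = {("Z3-OPS", "Z2-BPCS"): frozenset(READ_FUNCTION_CODES)}


def parse_mbap(frame):
    """Parse the 7-byte MBAP header plus function code; ValueError if malformed."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus (0)")
    if length != len(frame) - 6:  # MBAP length counts unit id + PDU
        raise ValueError(f"MBAP length {length} does not match frame ({len(frame) - 6})")
    return {"transaction_id": transaction_id, "unit_id": unit_id,
            "function_code": frame[7], "pdu": frame[7:]}


def inspect_modbus(frame, src_zone, dst_zone, policy):
    """Return ('allow' | 'drop', reason) for one request frame crossing the conduit."""
    try:
        hdr = parse_mbap(frame)
    except ValueError as err:
        return "drop", f"malformed frame: {err}"
    allowed = policy.get((src_zone, dst_zone))
    if allowed is None:
        return "drop", f"no Modbus conduit {src_zone} -> {dst_zone}"
    fc = hdr["function_code"]
    if fc in allowed:
        name = READ_FUNCTION_CODES.get(fc, "?")
        return "allow", f"fc {fc} ({name}) unit {hdr['unit_id']}"
    name = WRITE_FUNCTION_CODES.get(fc, "unknown/vendor")
    return "drop", f"fc {fc} ({name}) not permitted {src_zone} -> {dst_zone}"


def build_request(transaction_id, unit_id, function_code, data):
    """Build a well-formed Modbus/TCP request (constructed test traffic)."""
    length = 2 + len(data)  # unit id + function code + data
    header = struct.pack(">HHHB", transaction_id, 0, length, unit_id)
    return header + bytes([function_code]) + data


if __name__ == "__main__":
    # Constructed sample traffic on conduit C1, as the firewall would see it.
    samples = [
        ("Z3-OPS", "Z2-BPCS", build_request(1, 1, 3, b"\x00\x00\x00\x0a")),  # read 10 regs
        ("Z3-OPS", "Z2-BPCS", build_request(2, 1, 6, b"\x00\x00\x00\x64")),  # write register
        ("Z3-OPS", "Z2-BPCS", build_request(3, 1, 16, b"\x00\x00\x00\x02\x04\x00\x01\x00\x02")),
        ("Z2-BPCS", "Z3-OPS", build_request(4, 1, 3, b"\x00\x00\x00\x0a")),  # wrong direction
        ("Z3-OPS", "Z2-BPCS", b"\x00\x05\x00\x00\x00\x20\x01\x03\x00\x00\x00\x0a"),  # bad length
    ]
    for src, dst, frame in samples:
        verdict, reason = inspect_modbus(frame, src, dst, CONDUIT_C1_POLICY)
        print(f"{verdict:5} {src} -> {dst}: {reason}")
```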

Step 3: Implement VLAN Segmentation at Switch Level

Configure network switches to enforce zone boundaries at Layer 2, preventing broadcast domain overlap between Purdue levels.

```bash
# Cisco Industrial Ethernet Switch Configuration
# Zone-based VLAN assignment

# VLAN definitions aligned with zones
vlan 10
 name Z1-SIS-Safety
vlan 20
 name Z2-BPCS-Control
vlan 30
 name Z3-OPS-Operations
vlan 35
 name Z4-DMZ
vlan 40
 name Z5-Enterprise

# PLC ports - Zone 2 BPCS
interface range GigabitEthernet1/0/1-12
 description PLC connections - Zone 2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
 spanning-tree bpduguard enable
 no cdp enable
 no lldp transmit

# HMI ports - Zone 2 BPCS
interface range GigabitEthernet1/0/13-18
 description HMI connections - Zone 2
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree portfast

# Trunk to industrial firewall
interface GigabitEthernet1/0/24
 description Trunk to ISA-3000 Firewall
 switchport mode trunk
 switchport trunk allowed vlan 20,30,35
 switchport trunk native vlan 999

# Disable unused ports
interface range GigabitEthernet1/0/19-23
 shutdown
 switchport access vlan 999
```

Step 4: Deploy Data Diode for Unidirectional Historian Replication

Install a hardware-enforced data diode between the operations zone and DMZ to ensure unidirectional data flow from OT to IT. Data diodes physically prevent any data from flowing back into the OT network.

```python
#!/usr/bin/env python3
"""Data Diode Configuration Validator.

Validates that historian replication across the data diode
(Waterfall Security, Owl Cyber Defense, or Siemens) is
functioning correctly with unidirectional enforcement.

Vantage point matters: the forward-flow test must run from a host in
the operations zone (TX side); the reverse-flow and latency tests must
run from a host in the DMZ (RX side). Running the reverse-flow test
from the OT side would reach the TX interface and report a false
"bypass", so run_all_tests() selects the tests by vantage.
"""

import socket
import sys
import time
from datetime import datetime


class DataDiodeValidator:
    """Validates data diode unidirectional enforcement."""

    def __init__(self, diode_tx_ip, diode_rx_ip, historian_port=5450):
        self.tx_ip = diode_tx_ip  # OT side (transmit)
        self.rx_ip = diode_rx_ip  # IT/DMZ side (receive)
        self.port = historian_port
        self.results = []

    def test_forward_flow(self):
        """Verify data flows from OT (TX) to DMZ (RX) through diode.

        Run from the OT side. A successful UDP send only proves the TX
        interface is reachable; confirm the marker arrives in the RX
        historian to complete the check.
        """
        test_payload = f"DIODE_TEST_{datetime.now().isoformat()}"

        try:
            # Send test data to TX interface
            sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            sock.settimeout(5)
            sock.sendto(test_payload.encode(), (self.tx_ip, self.port))
            sock.close()

            self.results.append({
                "test": "forward_flow",
                "status": "PASS",
                "detail": f"Data sent to TX interface {self.tx_ip}:{self.port} "
                          f"(marker {test_payload}; confirm receipt on RX historian)",
            })
        except OSError as e:
            self.results.append({
                "test": "forward_flow",
                "status": "FAIL",
                "detail": f"Cannot reach TX interface: {e}",
            })

    def test_reverse_flow_blocked(self):
        """Verify reverse flow (DMZ to OT) is physically blocked by diode.

        Run from the DMZ side: a TCP connect towards the TX (OT) address
        must be refused or time out.
        """
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(3)
            # connect_ex returns an errno instead of raising on most failures
            result = sock.connect_ex((self.tx_ip, self.port))
            sock.close()

            if result != 0:
                self.results.append({
                    "test": "reverse_flow_blocked",
                    "status": "PASS",
                    "detail": "Reverse connection to OT side correctly rejected",
                })
            else:
                self.results.append({
                    "test": "reverse_flow_blocked",
                    "status": "CRITICAL_FAIL",
                    "detail": "REVERSE FLOW POSSIBLE - Data diode bypass detected!",
                })
        except (socket.timeout, ConnectionRefusedError):
            self.results.append({
                "test": "reverse_flow_blocked",
                "status": "PASS",
                "detail": "Reverse connection timed out (expected with hardware diode)",
            })

    def test_historian_replication_latency(self):
        """Measure TCP connect latency to the RX historian endpoint (run from DMZ side)."""
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            sock.settimeout(10)
            start = time.time()
            sock.connect((self.rx_ip, self.port))
            latency = (time.time() - start) * 1000
            sock.close()

            status = "PASS" if latency < 1000 else "WARN"
            self.results.append({
                "test": "replication_latency",
                "status": status,
                "detail": f"Replication endpoint latency: {latency:.1f}ms",
            })
        except OSError as e:
            self.results.append({
                "test": "replication_latency",
                "status": "FAIL",
                "detail": f"Cannot reach RX historian: {e}",
            })

    def run_all_tests(self, vantage="dmz"):
        """Run the validation tests that are meaningful from this host's zone.

        vantage: "ot" runs the forward-flow test from the operations zone;
        "dmz" runs the reverse-flow and latency tests from the DMZ.
        """
        print("=" * 60)
        print(f"DATA DIODE VALIDATION REPORT (vantage: {vantage})")
        print("=" * 60)

        if vantage == "ot":
            self.test_forward_flow()
        elif vantage == "dmz":
            self.test_reverse_flow_blocked()
            self.test_historian_replication_latency()
        else:
            raise ValueError("vantage must be 'ot' or 'dmz'")

        for r in self.results:
            status_icon = "+" if r["status"] == "PASS" else "-"
            print(f"  [{status_icon}] {r['test']}: {r['status']}")
            print(f"      {r['detail']}")

        return self.results


if __name__ == "__main__":
    validator = DataDiodeValidator(
        diode_tx_ip="10.30.1.100",   # Operations zone TX
        diode_rx_ip="172.16.1.100",  # DMZ zone RX
    )
    # Usage: data_diode_validator.py [ot|dmz]
    validator.run_all_tests(vantage=sys.argv[1] if len(sys.argv) > 1 else "dmz")
```

Step 5: Validate Zone Architecture

After implementation, validate the zone architecture by verifying that only authorized conduit traffic passes between zones and that all prohibited cross-zone paths are blocked.

```bash
# Validation test from Enterprise zone - should be blocked from reaching BPCS
nmap -sT -p 502,44818,102,4840 10.20.0.0/16 --reason
# Expected: All ports filtered/closed

# Validation test from Operations zone - read-only Modbus should work
# (a quoted heredoc is used instead of python3 -c "..." so the double
# quotes inside the script do not terminate the shell string)
python3 - <<'EOF'
from pymodbus.client import ModbusTcpClient

client = ModbusTcpClient('10.20.1.10', port=502)
client.connect()

# Read should succeed
result = client.read_holding_registers(0, 10, slave=1)
print(f'Read test: {"PASS" if not result.isError() else "FAIL"}')

# Write should be blocked by firewall: a dropped request times out
# (raises) rather than returning a Modbus error, so treat both as blocked
try:
    result = client.write_register(0, 100, slave=1)
    blocked = result.isError()
except Exception:
    blocked = True
print(f'Write blocked: {"PASS" if blocked else "FAIL - WRITE PERMITTED!"}')
client.close()
EOF

# Verify data diode blocks reverse traffic
ping -c 3 10.30.1.100   # From DMZ to OT - should timeout
# Expected: 100% packet loss (hardware diode blocks ICMP)
```

Key Concepts

核心概念

| Term | Definition |
|---|---|
| Security Zone | A grouping of logical or physical assets that share common security requirements, as defined by IEC 62443-3-2 |
| Conduit | A logical grouping of communication channels connecting two or more zones, subject to common security policies |
| Security Level Target (SL-T) | The desired security level for a zone, ranging from SL 1 (casual violation) to SL 4 (state-sponsored attack) |
| Data Diode | Hardware-enforced unidirectional network gateway that physically prevents data from flowing in the reverse direction |
| Microsegmentation | Granular network segmentation at the device level, managing communication device-by-device based on roles and functions |
| Deep Packet Inspection (DPI) | Firewall capability to inspect industrial protocol payloads (Modbus function codes, OPC UA service calls) beyond Layer 4 |
| Defense in Depth | Layered security approach where multiple security controls protect assets at different levels of the architecture |

Tools & Systems

  • Cisco ISA-3000: Industrial security appliance providing OT-aware firewall, IPS, and VPN capabilities with Modbus, DNP3, and EtherNet/IP inspection
  • Fortinet FortiGate Rugged: Ruggedized next-gen firewall with OT protocol support for industrial environments
  • Palo Alto IoT/OT Security: Cloud-delivered OT security subscription providing device identification and protocol-aware policy enforcement
  • Waterfall Security Solutions: Hardware-enforced unidirectional security gateways (data diodes) for OT-to-IT data transfer
  • Tofino Xenon: Industrial security appliance providing deep packet inspection for Modbus, OPC, and EtherNet/IP protocols

Common Scenarios

Scenario: Migrating Flat OT Network to Zone Architecture

Context: A manufacturing plant operates all OT devices on a single VLAN (10.10.0.0/16) with no segmentation between PLCs, HMIs, historians, and the corporate network. An IEC 62443 gap assessment identified this as a critical finding requiring zone implementation.

Approach:
  1. Capture complete traffic baseline for 4 weeks using passive monitoring to identify all legitimate communication flows
  2. Classify all assets into Purdue levels and group into logical zones based on function and security requirements
  3. Design VLAN architecture with one VLAN per zone and inter-zone firewall rules based on observed legitimate traffic
  4. Deploy industrial firewalls at zone boundaries with initial "monitor only" mode (log but do not block)
  5. Analyze firewall logs for 2 weeks to identify any legitimate traffic that would be blocked
  6. Switch firewalls to enforcement mode during a scheduled maintenance window
  7. Validate that all process control communications function correctly post-segmentation
  8. Implement data diode between operations and DMZ for historian replication

Pitfalls: Implementing zone firewalls without a complete traffic baseline will break unknown but legitimate communication paths. Scheduling zone cutover during production instead of maintenance windows risks process disruptions. Placing SIS controllers in the same zone as BPCS violates IEC 62443 safety system isolation requirements.

Output Format

IEC 62443 Zone Implementation Report
=====================================
Facility: [Name]
Implementation Date: YYYY-MM-DD
Standard: IEC 62443-3-2/3-3

ZONE ARCHITECTURE:
  Zone [ID]: [Name] (SL-T: [1-4])
    Assets: [count]
    Conduits: [list]
    Controls: [firewall type, data diode, etc.]

CONDUIT CONFIGURATION:
  Conduit [ID]: [Zone A] <-> [Zone B]
    Protocols: [allowed protocols with direction]
    Firewall Rules: [count allow / count deny]
    DPI Enabled: Yes/No

VALIDATION RESULTS:
  Cross-zone tests: [pass/fail count]
  Prohibited path tests: [all blocked / exceptions]
  Protocol enforcement: [function code filtering verified]