Physical Enforcement of Industrial Automation Security
IEC 62443 defines zones and conduits for industrial control system security (zone and conduit partitioning in part 3-2, system requirements and security levels in part 3-3). Firevault Control provides the physical enforcement layer that ensures zones are truly separated and conduits are genuinely controlled.
IEC 62443
IEC 62443 requires zones and conduits. If those zones are defined by firewall rules rather than physical separation, every firewall misconfiguration is a potential zone boundary failure.
SL 4: Security Level achievable with physical enforcement
100%: Zone boundary physical enforcement
9: Control modules mapping to IEC 62443 requirements
Full: Automated compliance evidence generation
Software-only zone enforcement falls short.
Logical vs Physical Zones
IEC 62443 defines zones and conduits, but most implementations rely on firewalls and VLANs that can be bypassed through misconfiguration or compromise.
Purdue Model Erosion
The Purdue model's hierarchical separation erodes as organisations connect Level 3 systems to cloud services and remote access platforms.
Evidence Gaps
Demonstrating continuous zone enforcement to auditors is difficult when boundaries are defined in software configurations that change frequently.
The Scenario
Scenario: Zone Boundary Failure During Audit
During an IEC 62443 certification audit, the assessor discovers that a firewall rule change made three months earlier had inadvertently created a path between Level 2 (control system) and Level 4 (enterprise) zones. The change was part of a routine maintenance update and had passed through the change management process without flagging the zone boundary violation. For three months, the control system zone was directly reachable from the enterprise network. With Firevault Control, zone boundaries are physical. No software change, configuration error, or routine maintenance can create a path between zones without explicit, multi-party authorised physical activation.
"We passed our IEC 62443 assessment in January. By April, a routine firewall change had created a path from our enterprise zone directly into the control system zone. Nobody noticed for three months. The zone boundary existed only as long as the firewall rules were correct."
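The scenario above comes down to one rule change that nobody checked against the zone model. The block below is an added example, not Firevault Control code and not a description of its internals: a change-management gate that maps each permit rule's source and destination prefixes onto Purdue levels and flags any pair of levels that are not adjacent. The zone subnets, the rule set (rule 205 stands in for the "routine maintenance" change) and the adjacency policy are all constructed for the illustration.

```python
import ipaddress

# Constructed Purdue-level zone map (hypothetical addressing, not a real site).
ZONES = {
    4: ipaddress.ip_network("10.40.0.0/16"),  # enterprise
    3: ipaddress.ip_network("10.30.0.0/16"),  # site operations
    2: ipaddress.ip_network("10.20.0.0/16"),  # supervisory control
    1: ipaddress.ip_network("10.10.0.0/16"),  # basic control
}

# Constructed rule set in the order a firewall would evaluate it.
# Rule 205 is the "routine maintenance" change from the scenario: L4 -> L2.
RULES = [
    {"id": 101, "action": "permit", "src": "10.30.5.0/24", "dst": "10.20.0.0/16", "port": 502},
    {"id": 102, "action": "permit", "src": "10.40.0.0/16", "dst": "10.30.0.0/16", "port": 443},
    {"id": 205, "action": "permit", "src": "10.40.12.0/24", "dst": "10.20.7.10/32", "port": 3389},
    {"id": 300, "action": "permit", "src": "0.0.0.0/0", "dst": "10.10.0.0/16", "port": 22},
    {"id": 999, "action": "deny", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "port": None},
]
BASELINE = [r for r in RULES if r["id"] != 205]  # the rule set before the change


def allowed_pair(src_level, dst_level):
    """Policy assumption for this example: a conduit may only join adjacent Purdue levels."""
    return abs(src_level - dst_level) <= 1


def levels_touched(cidr):
    """Every zone a prefix overlaps; an 'any' prefix such as 0.0.0.0/0 touches all of them."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {level for level, zone in ZONES.items() if net.overlaps(zone)}


def boundary_violations(rules):
    """(rule id, src level, dst level) for every permit that crosses a non-adjacent boundary."""
    findings = []
    for rule in rules:
        if rule["action"] != "permit":
            continue
        for s in sorted(levels_touched(rule["src"])):
            for d in sorted(levels_touched(rule["dst"])):
                if not allowed_pair(s, d):
                    findings.append((rule["id"], s, d))
    return findings


def gate_change(before, after):
    """Violations a change introduces; a non-empty result should block the change."""
    return sorted(set(boundary_violations(after)) - set(boundary_violations(before)))


if __name__ == "__main__":
    for finding in boundary_violations(RULES):
        print("existing violation: rule %d crosses L%d -> L%d" % finding)
    print("introduced by change:", gate_change(BASELINE, RULES))
```

Two things the gate shows that the narrative does not. First, "any" sources are expanded to every zone they overlap, so rule 300 is reported as an L4-to-L1 and L3-to-L1 crossing even though no enterprise prefix is written in it. Second, the gate only blocks what a change introduces; rule 300 predates the change and would have to be handled as a standing finding. The check also sees only declared reachability in this one rule base, not stateful return paths, NAT, or rules on another device, which is the page's argument for attesting the boundary itself rather than trusting the configuration that describes it.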
Where IEC 62443 system requirements meet Control modules.
IEC 62443-3-3 defines seven foundational requirements and the system requirements (SR) beneath them. Firevault Control supplies the physical enforcement that turns those requirements from configurable intent into a boundary that holds.
Reference: IEC 62443-3-3:2013 System security requirements and security levels, mapped against the foundational requirements FR 1 to FR 7.
FR 1 - Identification and Authentication Control
Know who is acting before granting reach.
SR 1.1 Human user identification and authentication: Named identity required for any reach into a protected zone. Modules: Lock
SR 1.13 Access via untrusted networks: Remote vendor reach is a time-bound, scoped session, not a standing tunnel. Modules: Relay, Lock
FR 2 - Use Control
Authorise the action, not just the user.
SR 2.1 Authorisation enforcement: Privileged actions require explicit approval before the path opens. Modules: Execute, Lock
SR 2.8 Auditable events: Every governed action is captured and sealed beyond casual edit. Modules: Validate, Archive
FR 3 - System Integrity
Prove the system is in the expected state.
SR 3.1 Communication integrity: Conduit state is continuously attested with cryptographic evidence. Modules: Validate
SR 3.4 Software and information integrity: Golden images and operational data live in tamper-evident offline copies. Modules: Archive, Validate
FR 4 - Data Confidentiality
Restrict what data can be reached, not just by whom.
SR 4.1 Information confidentiality: Sensitive data crosses boundaries only through governed Transfer events. Modules: Transfer, Lock
FR 5 - Restricted Data Flow
Zones and conduits as physical fact, not policy.
SR 5.1 Network segmentation: Zone boundaries are physically severed by default. The path does not exist until it is opened. Modules: Firebreak, Isolate
SR 5.2 Zone boundary protection: Cross-zone reach is a named, time-bound conduit with explicit approval. Modules: Isolate, Relay, Execute
FR 6 - Timely Response to Events
See and respond before the blast radius widens.
SR 6.1 Audit log accessibility: Audit and conduit state remain readable from a side channel even during an incident. Modules: Validate, Archive
SR 6.2 Continuous monitoring: Continuous attestation surfaces boundary drift before it becomes an incident. Modules: Validate
FR 7 - Resource Availability
Recover from intentional and unintentional events.
SR 7.3 Control system backup: Recovery copies sit in an offline vault that is not reachable on the live network. Modules: Archive, Transfer
SR 7.4 Control system recovery and reconstitution: Restoration is an authorised, evidenced action with quorum approval. Modules: Execute, Validate
Modules referenced: Lock, Relay, Execute, Validate, Archive, Transfer, Firebreak, Isolate.
Key Capabilities
Physical Zone Enforcement
Zone boundaries are physical, not logical. No software change can create an unauthorised path between zones regardless of privilege level.
Conduit Control
Every conduit between zones requires multi-party authorisation, operates within defined time windows, and generates full audit evidence.
Continuous Evidence
Automated logging generates continuous IEC 62443 compliance evidence, eliminating the gap between point-in-time assessments.
Purdue Model Alignment
Control modules map directly to Purdue model levels, providing clear, auditable alignment between your architecture and the reference model your zones are drawn against.
Audit-Ready Logs
Tamper-evident logs record every zone boundary state change, conduit activation, and access authorisation for assessor review.
Evidence Preservation
Tamper-evident compliance records are held independently of production systems so audit evidence persists through compromise.
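Conduit Control, Audit-Ready Logs and Evidence Preservation above describe three properties: multi-party approval before a path opens, a bounded open window, and records that reveal any later edit. The block below is an added illustration of those three properties in plain Python; it is not Firevault Control's implementation and says nothing about how the product realises them. The conduit name, approver roles, the 2-of-3 quorum, the approval lifetime and the timings are constructed assumptions, and time is passed in explicitly so the behaviour is deterministic.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64


@dataclass
class EvidenceLog:
    """Append-only log in which each entry commits to the previous entry's hash.
    Editing or deleting a past record breaks verification from that point on.
    Tamper-evident, not tamper-proof: it detects edits, it does not prevent them,
    which is why a copy has to live somewhere the production network cannot reach."""
    entries: list = field(default_factory=list)

    def append(self, event: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()
        self.entries.append({"prev": prev, "event": event, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            expected = hashlib.sha256((prev + json.dumps(entry["event"], sort_keys=True)).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


class Conduit:
    """A named cross-zone path that is closed by default and opens only for a bounded
    window once a quorum of distinct approvers, excluding the requester, has signed off.
    Quorum size, window and approval lifetime are constructed parameters for the example."""

    def __init__(self, name, src_zone, dst_zone, approvers, quorum, window_s, log, approval_ttl_s=900):
        self.name, self.src_zone, self.dst_zone = name, src_zone, dst_zone
        self.approvers, self.quorum = set(approvers), quorum
        self.window_s, self.approval_ttl_s = window_s, approval_ttl_s
        self.log = log
        self.approvals = {}   # approver -> time of approval
        self.open_until = None

    def _record(self, action, who, now, **extra):
        self.log.append({"conduit": self.name, "action": action, "who": who, "t": now, **extra})

    def approve(self, who, now) -> bool:
        if who not in self.approvers:
            self._record("approval_rejected", who, now, reason="not an approver")
            return False
        self.approvals[who] = now
        self._record("approved", who, now)
        return True

    def activate(self, requester, now) -> bool:
        fresh = {a for a, t in self.approvals.items() if now - t <= self.approval_ttl_s}
        fresh.discard(requester)  # separation of duties: nobody approves their own request
        if len(fresh) < self.quorum:
            self._record("activation_denied", requester, now, approvals=sorted(fresh), quorum=self.quorum)
            return False
        self.open_until = now + self.window_s
        self.approvals.clear()    # approvals are single-use; the next opening needs a fresh quorum
        self._record("opened", requester, now, approvals=sorted(fresh), open_until=self.open_until)
        return True

    def is_open(self, now) -> bool:
        return self.open_until is not None and now < self.open_until
```

Every denied attempt is logged as well as every opening, because an assessor asking "was this boundary ever crossed" needs the attempts that failed, not only the ones that succeeded. The verify routine is what Evidence Preservation relies on: if the live copy and the offline copy disagree, the chain shows exactly where the live copy diverged.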
Demo to Live
Adoption Guide
Zone and Conduit Assessment
Map your current IEC 62443 zone architecture and identify where logical boundaries should be replaced with physical enforcement.
Physical Zone Design
Design physically enforced zone boundaries with Control modules at each conduit, aligned to your target Security Level.
Compliance Validation
Deploy in a representative zone boundary with full evidence generation to validate compliance claims before your next assessment.
Full Zone Enforcement
Physical enforcement across all zone boundaries with continuous compliance evidence and tamper-evident audit archives.
Explore More
Control for OT Environments: Physical network governance for SCADA, ICS and industrial control.
Control for Oil and Gas: Upstream, midstream, and refinery control path protection.
NIST CSF Framework: Identify, protect, detect, respond, recover alignment.