

IEC 62443 Compliance Through Identity-Based Segmentation

How to achieve IEC 62443 compliance with network segmentation: map SL targets to identity-based zones and conduits, enforced agentless on any data plane.

Quick answer: You achieve IEC 62443 compliance with network segmentation by dividing the environment into zones and conduits, assigning each zone a target security level, then enforcing every conduit. Identity-based microsegmentation enforces those conduits agentless, on any data plane, mapping each device identity to a permitted communication path.

IEC 62443 is the international standard series for industrial automation and control system (IACS) security, developed by the ISA99 committee of the International Society of Automation (ISA) and published jointly by ISA and the International Electrotechnical Commission (IEC) as ISA/IEC 62443. At its core sits a single architectural idea: group assets into zones that share a security level, and govern every flow between zones through a controlled conduit. According to ISA, the series is now referenced by regulators and asset owners across manufacturing, energy, water, and critical infrastructure as the baseline framework for operational technology (OT) security.

This guide explains how to move from the standard on paper to enforced segmentation in a live plant. It maps each IEC 62443 security level to a concrete control, shows how identity-based microsegmentation enforces zones and conduits without agents or downtime, and clarifies where segmentation and enforcement sit alongside the monitoring and visibility platforms that many OT teams already run. For the broader picture, see the OT security hub and the companion guide on segmenting IT and OT without downtime.

What IEC 62443 Requires for Network Segmentation

IEC 62443 is a multi-part series rather than a single document. Three parts carry the weight for anyone implementing segmentation. Part 3-2 (Security Risk Assessment for System Design) defines how to partition a system into zones and conduits and assign each a target security level (SL-T). Part 3-3 (System Security Requirements and Security Levels) lists the system requirements (SRs) and requirement enhancements (REs) a zone or conduit must meet to reach a given level. Part 4-2 (Technical Security Requirements for IACS Components) carries those requirements down to individual components. The standard does not name a product; it names an outcome.

Network segmentation is not optional under IEC 62443. It is the mechanism by which the zone-and-conduit model exists at all. ISA describes zones and conduits as the foundational construct of the standard: a zone is a grouping of assets with a common security level, and a conduit is the controlled connection that carries traffic between zones. Per ISA, every conduit must restrict communications to only what is required for the process to function. That requirement is precisely what an enforcement control delivers.

IEC 62443 Security Levels (SL 1 to SL 4)

IEC 62443-3-3 defines four security levels, SL 1 through SL 4 (SL 0 denotes no specific security requirement), each describing the class of attacker a zone or conduit is designed to withstand; the full definitions also qualify the attacker's skills and motivation, abbreviated here to means and resources. The level you target drives how strictly each conduit must be enforced.

Security Level | Protects Against | Segmentation Implication
SL 1 | Casual or coincidental violation | Logical separation of control from non-control networks; conduits documented
SL 2 | Intentional violation using simple means, low resources | Enforced conduits with access control between zones
SL 3 | Intentional violation using sophisticated means, moderate resources | Identity-aware enforcement; least-privilege conduits; monitored flows
SL 4 | Intentional violation using sophisticated means, extended resources | Strict identity-based segmentation; continuous verification; full conduit auditability
Source: IEC 62443-3-3, System Security Requirements and Security Levels (security level definitions per ISA).

The practical reading is straightforward, with one caveat. Even SL 1 is not a paperwork level: the base requirement SR 5.1 (Network segmentation) applies from SL 1 upward and asks for the capability to logically segment control system networks from non-control system networks, so documented separation is the floor, not the whole requirement. SL 2 and above require enforced conduits, meaning a control that actively permits or denies traffic rather than a diagram that describes intended flows; the requirement enhancements on SR 5.1 at the higher levels add physical segmentation and independence from non-control system networks. The gap between an SL-T on a risk-assessment spreadsheet and an enforced conduit in the field is where most brownfield OT programs stall.

Figure: IEC 62443 Security Levels climb from SL 1 to SL 4, each pairing with a tighter identity-based enforcement control.

Mapping the Seven Foundational Requirements to Segmentation Controls

IEC 62443-3-3 organizes its system requirements under seven foundational requirements (FR1 through FR7). Segmentation is most directly implicated in FR1, FR5, and FR7, but a well-enforced conduit contributes evidence toward most of the seven. The table below shows where identity-based enforcement does the work.

Foundational Requirement | What It Demands | Segmentation Contribution
FR1 Identification and Authentication Control | Identify and authenticate all users and devices | Identity becomes the basis for conduit policy; every device is classified before a flow is allowed
FR5 Restricted Data Flow | Segment the network and restrict unnecessary data flows | The core FR for zones and conduits; least-privilege conduit enforcement satisfies it directly
FR7 Resource Availability | Maintain availability against denial-of-service and disruption | Containing lateral movement within a zone protects production availability during an incident
FR2 Use Control | Enforce assigned privileges per identity | Identity-aware conduits enforce who and what may communicate, not just where
FR3 System Integrity | Protect the integrity of the IACS | Blocking unauthorized paths reduces the integrity attack surface
Source: foundational requirements per IEC 62443-3-3 (ISA). Mapping reflects how an enforcement control contributes evidence toward each FR. FR4 (Data Confidentiality) and FR6 (Timely Response to Events) are not shown: segmentation does not satisfy them on its own, although conduit flow records can feed the event evidence FR6 asks for.

FR5, Restricted Data Flow, is the requirement that segmentation exists to satisfy. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reinforced this in July 2025 guidance, stating that microsegmentation is a critical component of zero trust architecture applicable to any technology environment, including IT, OT, ICS, and IoT. In November 2025, the U.S. Department of Defense published 105 mandatory zero trust activities covering OT systems, formalizing segmentation as an expected control rather than a recommendation. The regulatory direction is consistent: enforced segmentation is becoming table stakes.

Zones and Conduits Explained for Buyers

The zone-and-conduit model is the vocabulary of IEC 62443, and getting the terms right matters when you brief an auditor or a board. The glossary below uses the standard’s definitions.

Term | IEC 62443 Definition
Zone | A grouping of logical or physical assets that share common security requirements and a target security level
Conduit | A logical grouping of communication channels connecting two or more zones, with controls that restrict the traffic crossing it
Target Security Level (SL-T) | The security level a zone or conduit must achieve, set during the Part 3-2 risk assessment
Capability Security Level (SL-C) | The level a component or system is capable of providing when properly configured, independent of any particular deployment; comparing SL-C against SL-T is how controls are selected for a zone
Achieved Security Level (SL-A) | The security level a zone or conduit actually reaches once controls are deployed and verified
Reference architecture | The Purdue model / ISA-95 hierarchy, commonly used to organize OT zones from Level 0 sensors up to Level 4 enterprise systems
Source: zone, conduit and security level definitions per IEC 62443-3-2 and 3-3 (ISA); Purdue/ISA-95 reference per the ISA-95 hierarchy.

The most common real-world question is where the conduits matter most. In converged plants, the highest-risk conduit is the boundary between the enterprise IT network and the OT process network, often described as the Purdue Level 3 to Level 4 boundary and in practice implemented as a Level 3.5 industrial DMZ. A compromise that crosses this conduit unchecked is how IT-originated ransomware reaches production. According to the SANS 2025 State of ICS/OT Security Survey, 50% of OT incidents stemmed from unauthorized external access, which is exactly the failure an enforced conduit at this boundary is meant to prevent.

How Identity-Based Microsegmentation Enforces Zones and Conduits

IEC 62443 tells you to build zones and enforce conduits. It does not tell you how. Most existing IEC 62443 guidance stops at “create zones and conduits” and leaves the enforcement mechanism to the reader. This is the gap identity-based microsegmentation fills.

Traditional segmentation enforces conduits with static rules: firewall ACLs, VLANs, and IP-based policies. Those work, but they bind policy to network location, which is brittle in OT. Devices move, IP schemes drift, and a single VLAN can hold dozens of assets at different security levels. Identity-based microsegmentation binds policy to the identity of the device or workload instead. A programmable logic controller (PLC), a human-machine interface (HMI), and an engineering workstation each carry an identity, and the conduit policy permits only the flows that identity is authorized to make.

Conduit Enforcement Approach | Static Firewall and VLAN Rules | Identity-Based Microsegmentation
Policy basis | Network location (IP, subnet, VLAN) | Device and workload identity attributes
Legacy PLC and SCADA support | Requires re-IP or new VLAN design | Agentless; no supplicant on the device required
Infrastructure change | Often a hardware refresh or re-architecture | Runs over existing infrastructure on any data plane
Policy granularity | Zone-to-zone; coarse within a VLAN | Device-to-device; least-privilege per conduit
Map to IEC 62443 SL | Suits SL 1 to SL 2 | Supports SL 2 to SL 4 with identity-aware enforcement
Source: Elisity product capability; SL mapping reflects IEC 62443-3-3 level definitions (ISA).

The agentless point is decisive for brownfield OT. Many PLCs and supervisory control and data acquisition (SCADA) devices cannot run an endpoint agent and cannot speak 802.1X. A control that requires either one cannot enforce a conduit on those assets at all, which is why traditional network access control often fails in OT. Identity-based microsegmentation classifies and enforces those devices without touching them, and its conduit rules are expressed in terms of the OT protocols the process actually uses, such as Modbus, DNP3, and EtherNet/IP, so those flows are permitted deliberately rather than broken by a generic IT policy. This is the same approach detailed in the no-downtime segmentation guide and on the industrial microsegmentation solution page.

75% reduction in total cost of ownership at GSK, where Elisity deployment accelerated from one year per site to three to four sites per week. Source: Michael Elmore, CISO, GSK (Elisity customer outcome).

Mapping Security Level Targets to Enforcement Controls

The bridge that competing IEC 62443 content rarely builds is the one from an assigned SL-T to a specific enforcement control. The table below gives a practical mapping. It is a starting point for a Part 3-2 risk assessment, not a substitute for one.

Target Security Level | Conduit Enforcement Needed | How Identity-Based Microsegmentation Delivers It
SL-T 1 | Documented zones; coarse separation | Automated asset discovery and zone mapping establishes the documented baseline
SL-T 2 | Access control on conduits between zones | Identity-based allow/deny policy on each conduit, enforced without re-IP
SL-T 3 | Least-privilege conduits; monitored, identity-aware flows | Per-device least-privilege policy plus continuous flow visibility for audit evidence
SL-T 4 | Strict, continuously verified segmentation; full auditability | Continuous identity verification with a complete conduit audit trail
Source: SL definitions per IEC 62443-3-3 (ISA); enforcement mapping per Elisity capability.

2,700+ microsegmentation policies implemented at Andelyn Biosciences within weeks, not the months or years a re-IP project would require. Source: Andelyn Biosciences (Elisity customer outcome).

Figure: A brownfield OT network split into zones and conduits, with agentless identity-based enforcement guarding every conduit.

Segmenting OT Networks on Existing Infrastructure

A frequent objection is that IEC 62443 segmentation means a forklift upgrade. It does not have to. Because identity-based microsegmentation operates on any data plane, you can enforce conduits over the network infrastructure you already run, including existing Cisco and Juniper hardware, without a re-IP project or new VLAN design. The policy layer is decoupled from the physical topology, so the SL-T you assigned in the risk assessment can be enforced where the assets already sit.

This matters because OT asset lifecycles are long. Where IT hardware is refreshed every three to five years, OT systems commonly run 15 to 25 years, which means the infrastructure carrying your conduits today is the infrastructure that will carry them for the next decade. An enforcement approach that demands new hardware to reach SL 2 or SL 3 is, in practice, a delayed compliance program. An overlay approach lets the existing plant reach its target levels now. For the phased rollout pattern, see the guidance on segmenting IT and OT without downtime.

Where Segmentation Fits Alongside OT Monitoring

IEC 62443 compliance is not a single-vendor exercise. The OT security market separates cleanly into two complementary lanes, and a mature program runs both. Detection and monitoring platforms tell you what is happening on the network. Segmentation and enforcement controls decide what is allowed to happen. They answer different questions, and an auditor evaluating an SL-T will look for both.

The monitoring and visibility lane is well represented and well regarded. Dragos brings deep OT threat intelligence and industrial incident response. Claroty offers the broadest cyber-physical asset inventory across IT, OT, and IoT. Nozomi Networks delivers large-scale distributed OT and IoT visibility with AI-driven analytics. Armis provides wide agentless asset intelligence and is now part of ServiceNow. Tenable focuses on OT vulnerability management for compliance-driven teams. Fortinet publishes its own IEC 62443 guidance and serves firewall-led OT architectures. These platforms excel at discovery, vulnerability context, and threat detection.

Elisity sits in the second lane: OT segmentation and enforcement. The teams that already run Dragos or Claroty for visibility still need a control that blocks lateral movement and enforces the conduit at the SL-T the risk assessment assigned. That is the enforcement complement, deployed alongside monitoring rather than in place of it. For the full vendor comparison, the comparison of leading OT and ICS security vendors profiles each platform and where it fits, and the OT security hub sets out the two-lane model in full.

A Phased Path to IEC 62443 Segmentation Compliance

Reaching an SL-T across a live plant is a sequence, not a switchover. The phasing below mirrors how Elisity customers move from a risk assessment to enforced conduits without disrupting production.

Phase | IEC 62443 Activity | Enforcement Action
1. Discover | Inventory assets; draft zones (Part 3-2) | Agentless discovery classifies every device by identity and maps current flows
2. Assess | Assign SL-T per zone and conduit | Model conduit policies against observed flows before enforcing anything
3. Observe | Validate proposed conduits against process needs | Run policy in simulation to confirm no production flow is blocked
4. Enforce | Enforce conduits to the SL-T | Activate identity-based policy, starting at the IT/OT boundary, then intra-OT
5. Audit | Evidence SL-A against SL-T | Continuous flow records provide the audit trail for the achieved level
Source: phasing maps IEC 62443-3-2 / 3-3 activities (ISA) to Elisity deployment practice.
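The following Python is an added example, not code from Elisity or from the IEC 62443 series, that makes two of the points above concrete: the identity-bound conduit policy contrasted with a location-bound ACL (from the enforcement-approach comparison), and the observe-before-enforce step of phase 3, where proposed conduits are evaluated against discovered flows without blocking anything. Every zone name, SL-T, device, IP address, conduit rule and flow record is constructed for illustration; the inventory lookup stands in for whatever identity source a real deployment uses.

```python
"""Identity-based conduit policy simulation over an IEC 62443 zone model.

Added example, not code from Elisity or the IEC 62443 series. Zones, conduits,
the device inventory, the static ACL and the flow records are constructed for
illustration. It assumes device identity comes from an asset inventory
(asset id, role, zone), not from the IP address a device currently holds.
"""
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    asset_id: str
    role: str   # e.g. "plc", "hmi", "eng-ws", "historian", "erp"
    zone: str

@dataclass
class Conduit:
    src_zone: str
    dst_zone: str
    # Least-privilege allow list keyed on identity, not addresses:
    # a set of (source role, destination role, protocol) tuples.
    allowed: set

@dataclass(frozen=True)
class Decision:
    flow: tuple   # (src_ip, dst_ip, protocol) as observed on the wire
    verdict: str  # "allow", "deny" or "unclassified"
    reason: str

class ConduitPolicy:
    def __init__(self, zones, conduits, bindings):
        self.zones = dict(zones)  # zone name -> SL-T from the Part 3-2 assessment
        self.conduits = {(c.src_zone, c.dst_zone): c for c in conduits}
        self.by_ip = dict(bindings)  # current IP -> Device; this changes over time

    def rebind(self, old_ip, new_ip):
        """A re-IP moves only the address binding; identity and policy stay."""
        self.by_ip[new_ip] = self.by_ip.pop(old_ip)

    def evaluate(self, flow):
        src_ip, dst_ip, proto = flow
        src, dst = self.by_ip.get(src_ip), self.by_ip.get(dst_ip)
        if src is None or dst is None:
            return Decision(flow, "unclassified", "endpoint not in inventory; classify first")
        if src.zone == dst.zone:
            # Intra-zone traffic is governed by the zone's own SL-T; only conduits are enforced here.
            return Decision(flow, "allow", f"intra-zone {src.zone} (SL-T {self.zones[src.zone]})")
        path = f"{src.zone} -> {dst.zone}"
        conduit = self.conduits.get((src.zone, dst.zone))
        if conduit is None:
            return Decision(flow, "deny", f"no conduit {path}")
        if (src.role, dst.role, proto) in conduit.allowed:
            return Decision(flow, "allow", f"conduit {path}: {src.asset_id} -> {dst.asset_id} {proto}")
        return Decision(flow, "deny", f"conduit {path} does not permit {src.role} -> {dst.role} {proto}")

def summarize(decisions):
    """Verdict counts, the first row of SL-A audit evidence."""
    return dict(Counter(d.verdict for d in decisions))

# Constructed plant model: Purdue L4 -> L3 -> L2, with deliberately no conduit L4 -> L2.
ZONES = {"L4-enterprise": 1, "L3-site-ops": 2, "L2-cell-A": 3}
CONDUITS = [
    Conduit("L4-enterprise", "L3-site-ops", {("erp", "historian", "https")}),
    Conduit("L3-site-ops", "L2-cell-A", {("eng-ws", "plc", "enip"), ("historian", "plc", "modbus/tcp")}),
]
BINDINGS = {
    "10.10.2.11": Device("plc-01", "plc", "L2-cell-A"),
    "10.10.2.20": Device("hmi-01", "hmi", "L2-cell-A"),
    "10.10.3.5": Device("eng-ws-01", "eng-ws", "L3-site-ops"),
    "10.10.3.10": Device("historian-01", "historian", "L3-site-ops"),
    "10.0.4.50": Device("erp-01", "erp", "L4-enterprise"),
}
OBSERVED = [  # constructed flow records, as a discovery phase might capture them
    ("10.10.3.5", "10.10.2.11", "enip"),         # engineering download
    ("10.10.3.10", "10.10.2.11", "modbus/tcp"),  # historian poll
    ("10.10.2.20", "10.10.2.11", "modbus/tcp"),  # HMI to PLC, same zone
    ("10.0.4.50", "10.10.2.11", "modbus/tcp"),   # ERP host straight to a PLC
    ("10.10.3.5", "10.10.2.11", "ssh"),          # protocol not on the conduit
    ("10.10.9.9", "10.10.2.11", "modbus/tcp"),   # source never classified
]

def run_simulation():
    """Observe-phase run: every decision is recorded, nothing is blocked."""
    policy = ConduitPolicy(ZONES, CONDUITS, BINDINGS)
    return [policy.evaluate(f) for f in OBSERVED]

def re_ip_comparison():
    """plc-01 is re-addressed: identity policy still allows, the IP-bound ACL breaks."""
    policy = ConduitPolicy(ZONES, CONDUITS, BINDINGS)
    policy.rebind("10.10.2.11", "10.10.2.111")
    moved = ("10.10.3.5", "10.10.2.111", "enip")
    static_acl = {("10.10.3.5", "10.10.2.11", "enip")}  # location-bound rule, now stale
    return policy.evaluate(moved).verdict, ("allow" if moved in static_acl else "deny")

if __name__ == "__main__":
    for d in run_simulation():
        print(f"{d.verdict:12} {d.flow[0]} -> {d.flow[1]} {d.flow[2]}: {d.reason}")
    print(summarize(run_simulation()), "after re-IP (identity, static ACL):", re_ip_comparison())
```

Two outcomes are worth reading closely. The ERP-to-PLC flow is denied not because of a rule but because no conduit exists between the enterprise zone and the cell zone, which is how the IT/OT boundary conduit should fail closed; and the flow from the unclassified source is reported separately rather than silently dropped, because an enforce phase that starts with unclassified assets is exactly how production flows get blocked. The re-IP check shows why the policy basis matters: the identity-keyed rule survives the address change, the static ACL does not.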

76% reduction in total cost of ownership at Main Line Health, bringing a planned implementation from 38 million dollars down to 9 million dollars, with 99% of devices discovered within four hours. Source: Main Line Health (Elisity customer outcome).

The cost case is real. Industry guidance puts a traditional IEC 62443 segmentation program in the range of several million dollars over 18 to 36 months when it relies on hardware re-architecture. The market context makes the urgency clear: MarketsandMarkets values the cyber-physical systems security market at 23.47 billion dollars in 2025, growing to 50.29 billion dollars by 2030, and Gartner projects that 75% of organizations running cyber-physical systems will adopt CPS protection platforms by 2027. An overlay enforcement model compresses both the timeline and the spend, which is why the discovery-to-enforcement path above is built to avoid the forklift.


Frequently Asked Questions About IEC 62443 Segmentation

How can I achieve IEC 62443 compliance with network segmentation?

You achieve IEC 62443 compliance with network segmentation by following the zone-and-conduit model. First, partition the environment into zones of assets that share a security level (IEC 62443-3-2). Second, assign each zone and conduit a target security level, SL 1 through SL 4 (IEC 62443-3-3). Third, enforce every conduit so only required communications cross it. Identity-based microsegmentation enforces those conduits agentless, on existing infrastructure, mapping each device identity to a permitted path, which lets a brownfield plant reach SL 2 and above without a hardware refresh.

What is identity-based microsegmentation for IEC 62443?

Identity-based microsegmentation for IEC 62443 is an enforcement approach that ties conduit policy to the identity of each device or workload rather than to its network location. Instead of permitting traffic by IP address or VLAN, it permits traffic by what a device is, for example a specific PLC, HMI, or engineering workstation. This satisfies the standard’s foundational requirements for identification (FR1), use control (FR2), and restricted data flow (FR5), and it works on legacy OT devices that cannot run an agent or speak 802.1X.

What are IEC 62443 zones and conduits?

A zone is a grouping of assets that share common security requirements and a target security level. A conduit is the controlled connection that carries communication between zones, restricted to only the traffic the process requires. The zone-and-conduit model, defined in IEC 62443-3-2 and 3-3, is the foundational construct of the standard. Segmentation is how the model is implemented, and conduit enforcement is how it is sustained.

What are the IEC 62443 security levels?

IEC 62443-3-3 defines four security levels (plus SL 0, meaning no specific requirement). SL 1 protects against casual or coincidental violation. SL 2 protects against intentional violation using simple means and low resources. SL 3 protects against sophisticated means with moderate resources. SL 4 protects against sophisticated means with extended resources. SL 1 is met with logical separation of control networks from non-control networks and documented conduits, while SL 2 and above require actively enforced conduits.

Does IEC 62443 require microsegmentation?

IEC 62443 does not use the word microsegmentation, but it requires restricted data flow (FR5) enforced through zones and conduits, which microsegmentation implements at a fine grain. CISA stated in July 2025 that microsegmentation is a critical component of zero trust architecture for IT, OT, ICS, and IoT environments, and the U.S. Department of Defense published 105 mandatory zero trust activities for OT systems in November 2025. The regulatory direction treats enforced segmentation as an expected control.

Can I implement IEC 62443 segmentation without production downtime?

Yes. Software-only, identity-based microsegmentation enforces conduits over existing infrastructure without re-IP projects, new VLANs, or agents on OT devices, so it does not require planned downtime. A phased rollout that discovers assets, models policy, observes flows in simulation, then enforces, confirms that no production flow is blocked before any conduit goes live. The companion guide on segmenting IT and OT without downtime details this pattern.

How do I segment OT networks on existing Cisco or Juniper infrastructure?

Because identity-based microsegmentation operates on any data plane, it enforces conduits over the network hardware you already run, including existing Cisco and Juniper infrastructure, without a forklift upgrade. The policy layer is decoupled from the physical topology, so the target security levels assigned in your risk assessment are enforced where the assets already sit, with no re-IP or new VLAN design required.

How does enforcement differ from OT monitoring for IEC 62443?

Monitoring platforms such as Dragos, Claroty, and Nozomi Networks detect what is happening on the OT network and provide asset and threat visibility. Enforcement controls decide what is allowed to happen by permitting or denying traffic on each conduit. IEC 62443 compliance benefits from both: visibility to inform the risk assessment and enforcement to reach and sustain the target security level. They are complementary lanes, and a mature program runs both together.


About the Author

William Toll

Head of Product Marketing, Elisity

William Toll is Head of Product Marketing at Elisity, where he leads go-to-market strategy for identity-based microsegmentation. His work focuses on how modern, identity-based network security approaches address real operational challenges in manufacturing and critical infrastructure environments, including the path from IEC 62443 zones and conduits on paper to enforced, agentless segmentation in production.