A client in the energy sector, an auditor at the door: "How far along are you with IEC 62443?" The client answers: "We have a firewall between the office and production." That isn't IEC 62443. That's an assumption that breaks on the first penetration test. This article is about what it really means to take IEC 62443-3-3 to a level that passes the audit and holds against a real attack.
Why now — the NIS2 deadline
The NIS2 Directive (EU 2022/2555) became binding for operators of essential services in Slovakia on **17 October 2024** (transposition via Act 366/2024 Z.z. on cybersecurity). For **NIS2 operators (energy, water, transport, healthcare, manufacturing critical to the supply chain, digital infrastructure)** it brings obligations including:
- A risk management framework under a recognised standard — IEC 62443 is the de facto reference for OT.
- Incident reporting within **24 hours** of detection of a significant incident to the National Cybersecurity Centre.
- Penalty up to **€10M or 2% of turnover**, whichever is higher.
The Slovak reality: the first-year NÚKIB NIS2 audit (autumn 2025) showed that ~70% of operators of essential services don't even have a Z/C model (zones and conduits) implemented, never mind network segmentation that would satisfy SL-1 (Security Level 1).
Z/C model — the foundation drawn first
IEC 62443-3-2 introduces the concept of **Zones** and **Conduits**. Zone = a group of assets with the same security requirement. Conduit = a controlled communication channel between zones.
A typical Z/C model for a production hall linked to ERP
- Z0 — Internet / Untrusted ("Wild West").
- Z1 — Enterprise IT (offices, ERP, email). Trust level: Standard.
- Z2 — DMZ (web servers, VPN endpoint, jump servers). Trust level: Stricter.
- Z3 — Operations Management / Historian / MES (Purdue Level 3). Trust level: OT-Standard.
- Z4 — SCADA + HMI (Purdue Level 2). Trust level: OT-Strict.
- Z5 — PLC + control devices (Purdue Level 1). Trust level: OT-Critical.
- Z6 — Field instrumentation (Purdue Level 0). Trust level: OT-Critical.
Conduits:
- C0↔1 — firewall + IDS. Deny all by default; exceptions for HTTP/HTTPS outbound from the VPN endpoint.
- C1↔3 — OT-IT DMZ with reverse proxy. Historian data read-only upward (Z3 → Z1). No commands downward.
- C3↔4 — data diode or unidirectional gateway for SCADA → MES data. No control commands upward.
- C4↔5 — protocol-aware firewall (Tofino Xenon, Hirschmann Eagle One with DPI for Modbus/TCP, EtherNet/IP, S7Comm).
Where the OT-IT firewall sits in practice
A typical argument in implementation: **where the OT-IT firewall physically sits**. Three variants:
1. **Between Purdue L2 (SCADA) and L3 (Historian / MES)** — the most common solution. Here a hardware firewall with OT-specific signatures is deployed: Fortinet FortiGate 1000F/2000F with OT Threat Intelligence, Cisco Industrial Security Appliance ISA-3000, Hirschmann EAGLE40-7G, or Tofino Xenon (Belden) if the requirement is "fail-secure."
2. **Between L3 and L4 (Enterprise IT)** — some security teams prefer this layer, because L3 is already an OT zone. It works, but the L3 systems (Historian) then live under IT policies and their data becomes the exposed attack surface.
3. **Both (defence in depth)** — the best choice for SL-2 and above. Two firewall layers, different vendors (Fortinet + Palo Alto is a common mix), no single point of failure.
Rule: **a conduit between zones of different trust level MUST have an explicit control point**. A switch with VLANs is not a conduit. A switch is topology. A conduit needs L3-L7 inspection.
SL-1 vs SL-2 vs SL-3 — where the bar sits
IEC 62443-3-3 defines 7 foundational requirements (FR), each graded in 4 security levels, SL-1 to SL-4 (SL-0 meaning no specific requirement). The practical line:
SL-1 — protection against casual or coincidental violation
The minimum any industrial system must have today. Concretely:
- User identification and authentication for HMI/Engineering Workstation (password, no shared accounts).
- Access control layer (RBAC at the HMI level — operator, maintainer, engineer, admin).
- Logging of changes (who logged in, what they changed, when).
- USB ban on engineering workstations (BIOS-level disable + GPO).
- Antivirus / EDR on all Windows OS stations in OT zones.
Cost of SL-1 for a mid-size plant (50–100 OT stations): **€30–60k** infrastructure + **150–300 hours** engineering.
SL-2 — protection against intentional violation using simple means with low resources
Here the price changes radically. Concretely SL-2 over SL-1:
- **MFA (multi-factor authentication)** for privileged access. Most often YubiKey 5 NFC (~€55 each × 30 people = €1,650) or Duo Security (€8/user/month).
- **Anti-malware with OT signatures** — Nozomi Networks Guardian, Claroty xDome, Dragos Platform, Forescout SilentDefense. Prices: **€25–80k licence/year** depending on the number of monitored nodes.
- **Network segmentation at VLAN+ACL+firewall level**, not just VLAN. Microsegmentation in OT is relevant but compute-expensive — typically Cisco TrustSec or Forescout eyeSegment.
- **Encryption of management traffic** (HTTPS instead of HTTP for HMI web access, SSH instead of Telnet, no SNMPv2c — only SNMPv3 with authPriv).
- **Logging with SIEM integration** — all firewall logs, IDS alerts, authentication events into the SIEM. Splunk Enterprise (€2–4/GB/day), QRadar, Elastic Security, or open-source Wazuh + ELK if budget is tight.
- **Backup / restore procedures with offline copies.** Immutable copy, air gap, monthly restore tests.
Cost of SL-2: **€120–280k** infrastructure + **500–1,000 hours** engineering, plus **15–25% annually** for maintenance + threat intelligence subscription.
SL-3 — protection against intentional violation using sophisticated means with moderate resources
Here you add:
- **NIDS with deep packet inspection** for OT protocols (Modbus TCP, EtherNet/IP, S7Comm, OPC UA, DNP3) — Nozomi or Claroty in advanced mode.
- **Active hardening** — port disable on unused interfaces, certificate-based device authentication, application whitelisting (Microsoft AppLocker, Carbon Black Protection).
- **Air-gapped engineering networks** — the engineering laptop is never connected to OT and IT at the same time.
- **Quarterly red team exercises.**
- **Tightly validated change management process** — no PLC firmware change without 3-stage approval (engineering, operations, security).
The cost of SL-3 is in a different league — **€500k–1.5M** infrastructure + **2,000+ hours** engineering + a dedicated OT-security team (3–5 FTE). This is the level achieved today mainly by energy (nuclear power, transmission), critical water, some large chemical sites.
NERC CIP — comparison for energy clients
For operators in energy (especially transmission, gas networks) US NERC CIP (Critical Infrastructure Protection) is also relevant. The difference vs. IEC 62443:
- **NERC CIP-007** (System Security Management): comparable to IEC 62443-3-3 FR3 + FR4.
- **NERC CIP-005** (Electronic Security Perimeter): defines an "Electronic Security Perimeter" (ESP), stricter than an IEC 62443 zone — requires an **explicit inventory of every access point across the ESP** and annual review.
- **NERC CIP-010** (Configuration Change Management and Vulnerability Assessments): requires baseline configuration on every control device, monthly vulnerability assessment. IEC 62443 covers this in FR2.
- **NERC CIP-008** (Incident Reporting): 1-hour reporting window for NERC vs 24 hours for NIS2.
Clients with both NERC CIP and NIS2 exposure (typically large pan-European utilities) usually map both standards onto **one internal framework** that satisfies the stricter of the two.
Deep packet inspection of Modbus TCP — what it actually does
Modbus TCP is a SCADA protocol from 1979 (Modbus RTU) with a 1999 TCP wrapper. **No authentication, no encryption.** Any device on the network that sees port 502 can send Write Single Coil (function code 5) and flip an output.
A deep packet inspection (DPI) firewall, such as Tofino Xenon or Fortinet OT-aware, does:
- **Read-only vs Read-Write distinction**: allows function codes 1–4 (read coils, read registers), denies function codes 5–6, 15–16 (write single/multiple coil/register) from unauthorised sources.
- **Function code filtering**: certain function codes (8 — diagnostic, 17 — report slave ID) are denied entirely outside the maintenance window.
- **Address whitelisting**: SCADA → PLC addresses 1–247 are allowed, outside the range = drop + alert.
- **Rate limiting**: > 10 write operations per second from one IP = anomaly, alert.
Real attack detection in Modbus TCP via DPI: on average **80–95%** of basic attacks (replay, command injection, address scanning). Sophisticated attacks (Stuxnet-like) require **PLC configuration integrity** (HMI sees the same value as the PLC sends), which is a job for NIDS (Nozomi or Claroty), not for the firewall itself.
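As an added illustration (not code from the article or from any of the products named above), here is a minimal Modbus/TCP DPI policy in Python that implements the four checks just listed over constructed frames; the MBAP header layout and function codes follow the Modbus specification, while the authorised-writer address, the unit-ID range and the write rate limit are assumed policy values.

```python
import struct
from collections import defaultdict
# Function code classes from the Modbus application protocol specification
READ_FCS = {1, 2, 3, 4}       # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}    # write single coil/register, write multiple coils/registers
DIAG_FCS = {8, 17}            # diagnostics, report server (slave) ID
# Assumed policy values for this example, not taken from the article
AUTHORISED_WRITERS = {"10.4.0.10"}  # the SCADA server in Z4 is the only permitted writer
UNIT_IDS = range(1, 248)            # unit IDs 1-247; 0 (broadcast) and 248-255 are rejected
WRITE_RATE_LIMIT = 10               # more than 10 writes/s from one IP is an anomaly

def build_frame(unit_id, fc, data):
    """Constructed MBAP header (transaction 1, protocol 0, length, unit) + PDU."""
    return struct.pack(">HHHB", 1, 0, 2 + len(data), unit_id) + bytes([fc]) + data

def parse_modbus_tcp(frame):
    """Return {unit_id, fc, data} or None when the MBAP header is inconsistent."""
    if len(frame) < 8:
        return None
    _tid, pid, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:   # length field covers unit id + PDU
        return None
    return {"unit_id": unit_id, "fc": frame[7], "data": frame[8:]}

class ModbusDpi:
    def __init__(self, maintenance_window=False):
        self.maintenance_window = maintenance_window
        self._writes = defaultdict(list)   # src_ip -> timestamps of accepted writes

    def evaluate(self, src_ip, frame, ts):   # applies the four checks; returns (action, alert, reason)
        msg = parse_modbus_tcp(frame)
        if msg is None:
            return "drop", True, "malformed MBAP header"
        fc, unit = msg["fc"], msg["unit_id"]
        if unit not in UNIT_IDS:                              # address whitelisting
            return "drop", True, f"unit id {unit} outside 1-247"
        if fc in DIAG_FCS and not self.maintenance_window:    # function code filtering
            return "drop", False, f"fc {fc} denied outside maintenance window"
        if fc in WRITE_FCS:                                   # read-only vs read-write
            if src_ip not in AUTHORISED_WRITERS:
                return "drop", True, f"write fc {fc} from unauthorised {src_ip}"
            recent = [t for t in self._writes[src_ip] if ts - t < 1.0] + [ts]
            self._writes[src_ip] = recent
            if len(recent) > WRITE_RATE_LIMIT:                # rate limiting: forward, alert
                return "allow", True, f"{len(recent)} writes/s from {src_ip}"
            return "allow", False, f"authorised write fc {fc}"
        if fc in READ_FCS or fc in DIAG_FCS:
            return "allow", False, f"fc {fc} permitted"
        return "drop", True, f"fc {fc} not in policy"
```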
"Patches" in OT — don't expect a monthly Patch Tuesday
In IT the norm is a monthly patch cycle. In OT the norm is **2–4 patch windows a year**, typically:
- **Spring maintenance** (March–April): planned outage 5–10 days, full OS patching, PLC firmware update, SCADA server upgrade.
- **Autumn maintenance** (September–October): same scope.
- **Extraordinary window for a critical CVE** (CVSS 9+) on production-exposed services, requiring a 24–72 hour response.
OT patch management requires:
- **Test bed / digital twin** — patches are first tested on duplicate hardware or a simulator (Mimic Simulation Software, Codesys SoftPLC), never in live operation.
- **Compensating controls** between patches — if a patch isn't possible (vendor end-of-life, validated system), compensation by firewall rules, additional IDS monitoring, or network isolation.
- **Approved baseline** — a patch is rolled out only if it passes the change management board.
Practical steps for the first 90 days for a NIS2-bound operator
If you're in a position where an audit could come in 6–12 months and IEC 62443 is only a term on PowerPoint:
1. **Inventory assets** (month 1). Passive scan of the OT network — Nozomi Guardian Trial, Claroty xDome PoC, or open-source GRASSMARLIN/Wireshark + custom scripts. Goal: list every PLC, HMI, switch, transmitter, drive, robot — IP, MAC, firmware version, vendor.
2. **Draft Z/C model** (months 1–2). Workshop with OT engineers + IT security + management. Output: one A1 diagram pinned to the server room wall.
3. **Risk assessment under IEC 62443-3-2** (month 2). Table: zone × threat × likelihood × consequence × SL target.
4. **Priority conduits for implementation** (month 3). The highest score typically goes to C3↔4 (SCADA-MES) and C1↔3 (IT-OT DMZ). Least often C5↔6 (PLC-field).
5. **Vendor selection + PoC** (month 3). Three vendors, two weeks each in a lab environment; pick based on protocol coverage + alerting accuracy + price.
After 90 days you have an audit-defensible documentation pack + an implementation roadmap that takes another 12–18 months for SL-2 / 24–36 months for SL-3.
The most common mistakes in Slovak implementations
- **"We have a firewall."** Ask: does it have OT-aware signatures? Modbus/S7Comm inspection? Do logs go into a SIEM? If not, you have an L3 packet filter, not a security boundary.
- **"We separated everything with VLANs."** A VLAN without an ACL or an L3 firewall between VLANs is just broadcast-domain separation. An attacker on the same switch with VLAN hopping (DTP/802.1Q double tagging) jumps it in 30 seconds.
- **"PLCs aren't on the internet."** In the last 6 months, at every audit we've found at least one PLC reachable through Shodan via an undocumented 4G modem (plugged straight into the panel for quick "updates from home").
- **"The vendor updates remotely over TeamViewer."** TeamViewer / AnyDesk / VNC in OT zones without a jump host and MFA is an entry point for a supply chain attack. Replace with a bastion host with recording (Wallix, BeyondTrust, or open-source Apache Guacamole + audit log).
- **"We have nothing to protect, we're a small firm."** NIS2 also applies to **medium entities** in the supply chain of essential services. If you're a supplier to a big utility, their audit pulls you into scope as well.
---
*We write this as a technical partner that over the last 8 years has implemented OT segmentation in energy, water and manufacturing. If a NIS2 audit or IEC 62443 implementation is ahead of you, the first consultation (90 minutes) walks through your Z/C model, current conduits and roadmap, and gives you a realistic CAPEX and engineering hours estimate for SL-1 or SL-2 according to your risk profile.*