Glossary

multi-homed device

A multi-homed device is a single physical or virtual host with two or more independent network interfaces, each on separate networks.

A multi-homed device is a single physical or virtual host that has two or more independent network interfaces, each connected to the same or different networks. In industrial and OT environments, this is typically a controller, server, gateway, or workstation that participates in multiple network segments or security zones at the same time.

Key characteristics

  • Multiple interfaces: The device has at least two network interfaces (physical ports, virtual NICs, or logically separated interfaces).
  • Separate networks or zones: Each interface is assigned to a distinct IP subnet, VLAN, or security zone, often with different trust levels.
  • Single host, multiple roles: The same device can act as a node in several networks, for example serving as an engineering workstation in a control network while also being connected to a corporate or DMZ network.

Operational meaning in industrial and OT systems

In manufacturing and regulated OT environments, multi-homed devices commonly appear as:

  • Firewalls and security gateways: Deliberately multi-homed to separate zones (for example, control network, DMZ, enterprise network) and enforce traffic rules.
  • Data diodes and protocol gateways: Devices that bridge or translate between OT protocols and IT protocols across networks.
  • Servers or VMs hosting multiple functions: For example, a server that has one interface in an MES or historian network and another in a plant-floor control network.
  • Engineering or maintenance workstations: Laptops or fixed workstations with ports or wireless adapters that can connect to both secure OT segments and less trusted networks.

From a security zoning perspective (such as in IEC 62443 architectures), a multi-homed device may:

  • Be modeled as a single device that participates in multiple zones via separate, strictly controlled interfaces, or
  • Be represented as multiple logical hosts or roles on one physical platform, each tied to a specific zone, especially when virtualization or strong separation controls are used.

In regulated environments, multi-homed devices typically require clear documentation, explicit trust boundaries, and defined responsibilities for configuration, hardening, and monitoring, because they can create paths between networks with different risk profiles.

What it is not

  • It is not simply a device with several physical ports all bridged into one flat network.
  • It is not just a switch or hub whose primary role is L2 forwarding; the term usually refers to a host or security device that processes traffic at higher layers.
  • It is not the same as running multiple applications on one interface within a single security zone.

Common confusion

  • Multi-homed device vs. dual-homed device: “Dual-homed” is a specific case of a multi-homed device with exactly two interfaces. In practice, the terms are often used interchangeably when only two networks are involved.
  • Multi-homed device vs. router: Routers are inherently multi-homed but are specialized for routing. In OT and industrial contexts, the term “multi-homed device” more often refers to servers, workstations, or security appliances that are not pure routers but still bridge trust zones.
  • Multi-homed device vs. redundant NICs: A device with two ports teamed for redundancy or bandwidth on the same network is usually not called multi-homed in security zoning discussions, because it does not span different networks or zones.

Link to IEC 62443 zoning context

When applying IEC 62443 concepts, a multi-homed device can intersect multiple zones or sit between zones as part of a conduit. Architecture decisions around such devices typically focus on:

  • Ensuring each interface aligns with a defined zone or conduit.
  • Using technical controls (for example, virtualization, strict interface separation, firewall rules) so that cross-zone communication is intentional and documented.
  • Clearly describing the multi-homed setup in network and security design documents to avoid ambiguity in audits or assessments.
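
An added example (not from the original page): one way to check an asset inventory against a zone map, so that every interface aligns with a defined zone and cross-zone multi-homed hosts are told apart from same-network redundant NICs. The zone names, subnets, host names, and status labels are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed zone map (constructed for this example): subnet -> zone name.
ZONES = {
    "10.10.0.0/24": "control",
    "10.20.0.0/24": "dmz",
    "192.168.50.0/24": "enterprise",
}

# Constructed inventory: host -> list of (interface name, address/prefix).
INVENTORY = {
    "eng-ws-01": [("eth0", "10.10.0.15/24"), ("wlan0", "192.168.50.77/24")],
    "historian-01": [("eth0", "10.20.0.5/24"), ("eth1", "10.20.0.6/24")],
    "plc-gw-02": [("eth0", "10.10.0.40/24"), ("eth1", "172.16.9.2/24")],
    "hmi-03": [("eth0", "10.10.0.21/24")],
}

def zone_of(cidr, zones=ZONES):
    """Return the zone whose subnet contains the interface address, else None."""
    addr = ipaddress.ip_interface(cidr).ip
    for subnet, zone in zones.items():
        if addr in ipaddress.ip_network(subnet):
            return zone
    return None

def classify(interfaces, zones=ZONES):
    """Return (status, interfaces grouped by zone, interfaces with no zone)."""
    by_zone, unmapped = defaultdict(list), []
    for name, cidr in interfaces:
        zone = zone_of(cidr, zones)
        (by_zone[zone] if zone else unmapped).append(name)
    networks = {ipaddress.ip_interface(c).network for _, c in interfaces}
    if unmapped:
        status = "unmapped-interface"          # no defined zone: document or remove
    elif len(by_zone) > 1:
        status = "multi-homed-cross-zone"      # spans trust boundaries
    elif len(networks) > 1:
        status = "multi-homed-single-zone"     # several subnets, one zone
    elif len(interfaces) > 1:
        status = "same-network-multiple-nics"  # e.g. teamed/redundant ports
    else:
        status = "single-homed"
    return status, dict(by_zone), unmapped

def audit(inventory=INVENTORY, zones=ZONES):
    """Classify every host in the inventory."""
    return {host: classify(ifs, zones) for host, ifs in inventory.items()}
```

Hosts reported as `multi-homed-cross-zone` or `unmapped-interface` are the ones to reconcile against the network and security design documents.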
