Glossary

zone and conduit diagram

A zone and conduit diagram is a high-level cybersecurity and network model showing logical security zones and the conduits that connect them.

A zone and conduit diagram is a high-level representation of how systems and networks are segmented into security zones and how those zones are interconnected by conduits. It is commonly used in industrial control system (ICS) and operational technology (OT) environments to describe cybersecurity architecture and trust boundaries.

The diagram groups assets (such as PLCs, HMIs, servers, historians, MES, ERP interfaces, and remote access components) into zones that share similar security requirements and risk profiles. It then shows conduits, which are the controlled pathways that allow data or control signals to move between zones. Conduits usually correspond to network segments, firewalls, VPNs, serial links, or other communication channels that can be governed by access control and monitoring rules.

Typical contents of a zone and conduit diagram

In industrial and regulated manufacturing environments, a zone and conduit diagram commonly includes:

  • Named zones, such as enterprise IT, DMZ, control network, safety system, lab network, vendor access, or cloud services
  • Representative assets in each zone, especially critical control, safety, quality, and data management systems
  • Conduits that connect zones, labeled with directionality where relevant
  • Key technologies on each conduit, such as firewalls, routers, data diodes, or VPN gateways
  • Indicative protocols or data types crossing conduits, such as OPC UA, Modbus/TCP, HTTPS, or file transfers
  • Ownership or responsibility boundaries, for example between OT, IT, and external service providers

The diagram is usually at a logical or logical-physical level. It is more detailed than a simple block diagram of the plant, but less detailed than a full network topology that lists every device and cable.

How it is used operationally

Zone and conduit diagrams are commonly used to support:

  • Cybersecurity risk analysis by identifying trust boundaries, exposed conduits, and critical paths
  • Network and access control design, such as where to place firewalls and how to segment VLANs or subnets
  • Impact analysis for changes, such as adding a new MES interface, cloud connector, or remote support link
  • Documentation for audits and assessments, providing an understandable view of how OT and IT are separated and connected
  • Incident response and troubleshooting, helping teams quickly see which zones and conduits may be affected

In regulated plants, zone and conduit diagrams are often maintained under document control and formal change management so they remain aligned with the actual implemented architecture.
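
One way to keep the diagram aligned with the implemented architecture is to hold its zones and conduits as data and compare observed connections against them. The following is an added example, not part of the original glossary entry; the zone subnets, conduit services, and flow records are constructed, and each flow is assumed to be a connection initiation from source to destination.

```python
import ipaddress

# Constructed zones: name -> subnet (assumed addressing, not from the page).
ZONES = {
    "enterprise_it": "10.10.0.0/16",
    "dmz": "10.20.0.0/24",
    "control": "10.30.0.0/24",
    "safety": "10.31.0.0/24",   # no conduits declared: isolated in this model
}
# Constructed conduits: (initiating zone, receiving zone) -> allowed services.
CONDUITS = {
    ("enterprise_it", "dmz"): {("tcp", 443)},   # HTTPS
    ("dmz", "control"): {("tcp", 4840)},        # OPC UA
}
# Constructed flow records: (src_ip, dst_ip, proto, port).
FLOWS = [
    ("10.10.5.20", "10.20.0.10", "tcp", 443),
    ("10.20.0.10", "10.30.0.5", "tcp", 4840),
    ("10.10.5.20", "10.30.0.5", "tcp", 502),    # skips the DMZ
    ("10.20.0.10", "10.30.0.5", "tcp", 3389),   # right conduit, wrong service
    ("10.30.0.5", "10.20.0.10", "tcp", 4840),   # reverse of a one-way conduit
    ("192.168.1.9", "10.30.0.5", "tcp", 22),    # source not in any zone
]

def zone_of(ip):
    """Return the zone whose subnet contains ip, or None if undocumented."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in ipaddress.ip_network(net):
            return name
    return None

def check_flow(src_ip, dst_ip, proto, port):
    """Classify one observed flow against the documented zones and conduits."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "unknown-asset"
    if src == dst:
        return "intra-zone"
    allowed = CONDUITS.get((src, dst))   # direction matters: (dst, src) is separate
    if allowed is None:
        return "no-conduit"
    return "allowed" if (proto, port) in allowed else "service-not-on-conduit"

def audit(flows):
    """Return (flow, finding) pairs for flows the diagram does not account for."""
    return [(f, r) for f in flows if (r := check_flow(*f)) not in ("allowed", "intra-zone")]

if __name__ == "__main__":
    print(*audit(FLOWS), sep="\n")
```

Each finding means either the traffic should be blocked or the diagram is out of date and needs a controlled update.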

Common confusion

A zone and conduit diagram is related to but distinct from:

  • Network topology diagrams, which focus on detailed device-level connectivity, IP addressing, and cabling. A zone and conduit diagram stays at a higher level, emphasizing security boundaries instead of every component.
  • Process flow diagrams, which show how materials and products move through equipment and process steps. Zone and conduit diagrams instead describe how information and control signals move between networks and systems.
  • Enterprise architecture diagrams, which may cover broad business functions and applications. A zone and conduit diagram is narrower, centered on security segmentation and communication paths, particularly for ICS/OT.

Relationship to industrial cybersecurity standards

Zone and conduit concepts are commonly associated with industrial cybersecurity frameworks for control systems. These frameworks describe how to partition systems into zones with similar security needs and to manage the conduits between them. The diagram is the practical documentation of that partitioning, supporting consistent implementation, review, and assessment across OT and IT environments.

Detail level considerations

In brownfield and regulated manufacturing sites, zone and conduit diagrams are typically detailed enough to show boundaries, trust levels, critical assets, protocols, and ownership, but not every cable or device. The emphasis is on accuracy, clarity, and maintainability so the diagrams can reliably support risk analysis, access control decisions, and change impact assessments over time.
