IEC 62443 and the Perimeter: Where the OT Standard Meets the Fence

IEC 62443 is treated as a software standard. It is also a physical standard. We map the zones and conduits to actual perimeter components, where they belong.

Dr. Raphael Nagel

February 24, 2026

IEC 62443 is read in most plants as a software standard, and that reading is wrong. The standard governs the security of industrial automation and control systems as a whole, which includes the physical means by which a zone is bounded and a conduit is protected.

The consequence of the misreading is visible in every audit. Network segmentation is documented in detail. Firewall rules are tabulated. Asset inventories are maintained. And the fence around the substation, the gate to the pump house, the door to the relay room, the camera that watches the conduit trench, sit in a separate folder, owned by a different department, governed by a different budget cycle. The standard does not authorise that separation. The standard requires that the physical and the logical boundaries of a zone be considered together, because an attacker who walks through the fence has already defeated the firewall that sits behind it.

What the standard actually says about physical boundaries

IEC 62443-3-3 lists foundational requirements that apply to the system under consideration. Several of them have no purely software implementation. FR 5, restricted data flow, depends on the physical isolation of network segments. FR 6, timely response to events, depends on the ability to detect intrusion at the perimeter and route the signal to a responder before the attacker reaches the asset. FR 7, resource availability, depends on protecting cabinets, cabling and power supply from physical interference. None of these requirements can be satisfied by configuration alone.

The standard refers explicitly to physical access controls in 62443-3-3 SR 2.1, which addresses authorisation enforcement, and in the related requirements on physical security in 62443-2-1. The latter document, which covers the security programme for asset owners, treats physical security as one of the elements of the management system, not as a parallel discipline. The text expects the operator to identify physical access points to each zone, to control them, to log access, and to detect attempts at unauthorised entry. That language is not metaphorical. It describes fences, doors, locks, badge readers, cameras, sensors and the procedures around them.

The drift in practice comes from the way the standard is sold. Vendors of network security products quote 62443 as the justification for their offering. Vendors of physical security products quote ISO 27001 or local building codes. The asset owner is left to assemble a coherent picture from two vendor narratives that do not meet. The result is documentation that satisfies neither the letter nor the spirit of the standard, and a perimeter that is treated as an architectural decoration rather than a control surface. The author has examined this in greater depth in "BOSWAU + KNAUER. From Building to Security Technology", where the integration chapter sets out why the physical and the logical layers must be designed in one motion.

Zones and conduits as physical objects

The central organising idea of 62443 is the zone and the conduit. A zone is a logical or physical grouping of assets that share security requirements. A conduit is the channel that connects zones and through which communication flows. Both definitions admit a physical reading and require one.

A zone has edges. Those edges may be defined by VLAN boundaries, by IP subnets, by firewall rules. They are also defined by walls, doors, fences and ground. The control room is a zone. Its edge is the door, the window, the cable penetration in the floor. The substation yard is a zone. Its edge is the fence, the gate, the cable trench that leaves it. The SCADA server room is a zone. Its edge is the rack, the access control system on the door, the raised floor through which the network cable runs to the patch panel in the adjacent room. To define the zone without defining the physical edge is to leave the zone open on one side. An attacker selects the open side.

A conduit has a route. The route may be a fibre run, a copper pair, a wireless link. It is also a physical object. Fibre runs through a duct, a trench, a tray, a riser. Copper crosses through a panel, a junction box, a terminal block. Wireless propagates through a building envelope that may be hardened or transparent. The conduit security requirements in 62443 ask for confidentiality, integrity and availability of the communication that traverses the conduit. None of those properties can be guaranteed if the physical path of the conduit is accessible to an unauthorised person. A tapped fibre, a spliced copper pair, a wireless link extended by a repeater placed in the parking lot, defeats the cryptography that runs on top of it, because the attacker no longer needs to break the cipher, only to mirror the traffic or inject into the path.

The mapping from zones and conduits to physical components is therefore not an optional layer. It is the foundation on which the logical controls rest. An operator who can name every zone, every conduit, and the physical object that bounds or carries it, has built a defensible system. An operator who can only name the logical version has built a model, not a defence.

The components that belong to the perimeter under 62443

The components that satisfy the physical reading of the standard fall into a small number of categories. The categorisation matters because it determines who in the organisation owns the budget, the maintenance and the audit response.

The first category is the boundary. Fences, walls, gates, doors, hatches, manhole covers, roof access points. The standard does not prescribe materials, but it does require that the boundary be commensurate with the risk to the assets within. A substation that controls a regional grid is not bounded by the same fence as a parking lot. The boundary must resist the threat actor identified in the risk assessment for the zone. ASIS International publishes guidance on the rating of physical barriers that is widely used as a reference. The German GDV provides comparable guidance for insured assets.

The second category is access control. Locks, badge readers, biometric devices, key management systems, visitor logs. The 62443 requirement on authorisation enforcement extends to physical access. A person who enters the zone must be identified, authorised and logged with the same rigour as a process that establishes a network session. The logs must be reviewable and tied to the same identity management system that governs logical access, because an account that has been disabled in Active Directory should not still open the door to the relay room.

The third category is surveillance. Cameras, motion sensors, vibration sensors, fence-mounted detection systems, infrared barriers, audio sensors. These components serve FR 6, timely response to events. They must produce signals that reach a responder, and the path from sensor to responder must itself be considered as a conduit under the standard. A camera that records to a recorder in the same room that the camera watches is a camera that records its own theft.

The fourth category is the protection of the conduit itself. Cable trays with tamper detection, duct seals, locked patch panels, monitored junction boxes, shielded enclosures for wireless equipment. These are the components that prevent the conduit from being accessed between zones. They are the least visible category and the one that audits most often miss, because they sit behind walls and under floors. CISA guidance on industrial control systems repeatedly identifies the cable plant as a source of compromise, and NIST 800-53 control PE-4, access control for transmission, addresses exactly this category.

The fifth category is the supporting infrastructure. Power supplies, uninterruptible power, environmental controls, fire suppression, all of which protect the availability of the zone. Loss of power to a perimeter detection system is a perimeter failure. Loss of cooling to a control cabinet is a zone failure. The standard treats these as part of the system under consideration, not as building services that lie outside its scope.

Security levels and what they mean at the fence

IEC 62443 defines four security levels, SL 1 through SL 4, that describe the capability of the threat actor that the system is designed to resist. SL 1 addresses casual or coincidental violation. SL 2 addresses intentional violation by simple means with low resources and generic skills. SL 3 addresses intentional violation by sophisticated means with moderate resources and IACS-specific skills. SL 4 addresses intentional violation by sophisticated means with extended resources and IACS-specific skills.

These levels translate directly into perimeter design choices. An SL 1 perimeter is a fence that keeps out the curious. An SL 2 perimeter resists a determined trespasser with hand tools. An SL 3 perimeter resists a team that has surveyed the site, brought purpose-built equipment and has time to operate. An SL 4 perimeter resists an actor with the resources of a state or an organised criminal enterprise, including insider support. The materials, the detection density, the response time and the redundancy of the perimeter scale across these levels in ways that are quantifiable.

The mistake in practice is to assign a security level to the logical system and not to the perimeter that bounds it. A substation rated SL 3 on its protection relays cannot be defended by an SL 1 fence. The threat actor capable of compromising the relays through a 62443 SL 3 attack is the same actor who walks across the SL 1 fence at three in the morning and connects directly to the engineering port. The security level must be consistent across the layers of the zone, which means that the perimeter must be rated for the same actor as the logical controls. NICB data on equipment theft from utility sites in the United States, and BSI advisories on attacks against German KRITIS operators, both show that the physical entry vector is used precisely because it is the cheaper path.

The implication for procurement is that perimeter components must be specified with security levels in mind. A camera that loses image quality in low light is not an SL 3 camera regardless of its resolution on the datasheet. A fence that can be cut with consumer-grade bolt cutters in under a minute is not an SL 3 fence regardless of its height. A door that opens with a badge reader that has not received a firmware update in two years is not an SL 3 door regardless of the lock that holds it. The level is the property of the deployed system, not of the component in the box.

Conduits across the property line

The conduits that leave the property are the hardest part of the architecture and the most often neglected. A fibre that runs from the substation to the control centre crosses public ground. A wireless link from the wind farm to the SCADA operator passes through air that is accessible to anyone with the right antenna. A leased line from the water treatment plant to the municipal network sits in a telecommunications cabinet that the operator does not own and cannot inspect.

The standard addresses this through the conduit requirements in 62443-3-3 and through the management requirements in 62443-2-1 on third-party services. The operator is expected to assess the security of conduits that leave the boundary of the system under consideration, and to apply compensating controls where the conduit cannot be physically protected. In practice this means encrypted transport with authenticated endpoints, monitoring of conduit integrity through means such as optical time-domain reflectometry for fibre, and contractual obligations on the carrier that include physical security of their facilities.

The compensating controls are not optional. They are required because the conduit cannot be made physically secure across the property line. NIST CSF 2.0 places this concern under the protect and detect functions, and ISO 27001 addresses it in the annex controls on communications security and supplier relationships. The auditor who reads the 62443 documentation should expect to see a conduit register that names every external conduit, the controls applied to each, and the residual risk that remains. A register that lists only the internal network segments is incomplete.
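The two audit rules set out above, that every layer bounding a zone must be rated for the zone's security level and that every conduit leaving the property must carry compensating controls, can be applied mechanically to a zone and conduit register. The following is an added example, not code from the article or from BOSWAU + KNAUER; the zone names, layer names and control labels are constructed, and the SL values of the sample register are invented for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    name: str
    target_sl: int                 # SL assigned to the zone (1..4)
    layers: dict[str, int]         # each bounding layer and the SL it actually resists

@dataclass
class Conduit:
    name: str
    endpoints: tuple[str, str]     # zone names at either end
    leaves_property: bool          # crosses public ground or third-party facilities
    compensating_controls: set[str] = field(default_factory=set)

# Compensating controls the article names for conduits that cannot be physically protected.
EXTERNAL_CONTROLS = {"encrypted_transport", "authenticated_endpoints",
                     "integrity_monitoring", "carrier_obligation"}

def effective_sl(zone: Zone) -> int:
    """The SL a zone really achieves is that of its weakest bounding layer."""
    return min(zone.layers.values())

def zone_findings(zone: Zone) -> list[str]:
    """Flag every layer, physical or logical, rated below the zone's target."""
    return [f"{zone.name}: {layer} is SL {sl}, zone target is SL {zone.target_sl}"
            for layer, sl in zone.layers.items() if sl < zone.target_sl]

def conduit_findings(conduit: Conduit, zones: dict[str, Zone]) -> list[str]:
    """Flag unregistered endpoints and external conduits lacking compensating controls."""
    findings = [f"{conduit.name}: endpoint {z} is not a registered zone"
                for z in conduit.endpoints if z not in zones]
    if conduit.leaves_property:
        for ctl in sorted(EXTERNAL_CONTROLS - conduit.compensating_controls):
            findings.append(f"{conduit.name}: external conduit lacks {ctl}")
    return findings

def audit(zones: list[Zone], conduits: list[Conduit]) -> list[str]:
    """Run both rules over the whole register and return the list of defects."""
    by_name = {z.name: z for z in zones}
    findings = [f for z in zones for f in zone_findings(z)]
    findings += [f for c in conduits for f in conduit_findings(c, by_name)]
    return findings

# Constructed sample register: relays hardened to SL 3 behind an SL 1 fence and SL 2 gate.
SAMPLE_ZONES = [
    Zone("substation_yard", 3, {"firewall": 3, "relay_hardening": 3, "fence": 1, "gate": 2}),
    Zone("control_centre", 3, {"firewall": 3, "door": 3, "badge_reader": 3}),
]
SAMPLE_CONDUITS = [
    Conduit("fibre_to_control_centre", ("substation_yard", "control_centre"), True,
            {"encrypted_transport", "authenticated_endpoints"}),
    Conduit("engineering_vlan", ("substation_yard", "relay_room"), False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_ZONES, SAMPLE_CONDUITS):
        print(line)
```

On the sample register the substation's effective level is SL 1 despite its SL 3 relays, the external fibre is missing integrity monitoring and a carrier obligation, and the engineering VLAN terminates in a zone that was never registered.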

A second concern at the property line is the meeting point between the operator's perimeter and the public space. Cable risers that emerge from a trench into a roadside cabinet, antennas that mount on towers visible from public roads, microwave dishes that point across open country, are all conduits whose endpoints sit at the edge of the zone. The physical protection of those endpoints determines whether the conduit can be tapped, jammed or redirected. The operator who places a junction cabinet next to a public footpath without monitoring it has created a conduit access point that no firewall can defend.

What holds

IEC 62443 is a standard about systems, and a system in operational technology is not a set of software components running on hardware. It is a set of processes, machines, networks, cables, rooms, doors and people, arranged to produce a physical effect. The security of that system cannot be allocated to the network team or to the facilities team alone. It must be designed across the disciplines, audited across the disciplines, and operated across the disciplines.

The zone and conduit model gives the operator the language to do that. A zone is bounded by physical and logical edges, both of which must be specified, controlled and monitored. A conduit is carried by physical and logical paths, both of which must be protected. The security level assigned to a zone applies to every layer that bounds it, from the cipher on the network to the lock on the door. An auditor who finds inconsistency across those layers has found a defect, regardless of which layer is the weaker.

For operators who have not yet mapped their zones and conduits to physical components, a sixty-minute confidential conversation with the author is the appropriate first step. For operators who suspect that the inconsistency is substantial but cannot quantify it, a three to five day audit produces the register, the gap analysis and the remediation plan that the standard expects. The conversation costs nothing beyond the time. The audit produces a document that is usable independently of any vendor.

Frequently asked questions

How does IEC 62443 treat physical perimeters?

The standard treats physical perimeters as an integral part of the system under consideration. 62443-2-1 requires the operator to identify physical access points to each zone, control them, log access and detect unauthorised entry. 62443-3-3 includes foundational requirements that cannot be satisfied without physical controls, including restricted data flow, timely response to events and resource availability. The standard does not prescribe specific materials or technologies, but it requires that the physical boundary be commensurate with the security level assigned to the zone it bounds.

What is a zone and conduit in IEC 62443?

A zone is a grouping of assets that share common security requirements. A conduit is the channel that connects zones and through which communication flows between them. Both definitions admit a physical reading. A zone has physical edges, walls, fences, doors. A conduit has a physical route, fibre runs, copper pairs, wireless paths. The standard expects the operator to identify both the logical and the physical extent of every zone and every conduit, and to apply controls consistent with the security level assigned to each.

How do you certify against 62443?

Certification against 62443 is offered by accredited bodies including TÜV, exida and others. The certification can apply to products, to systems or to the security programme of an asset owner. Product certification follows 62443-4-1 and 62443-4-2. System certification follows 62443-3-2 and 62443-3-3. Asset owner certification follows 62443-2-1 and 62443-2-4. The process involves documentation review, on-site assessment and verification of the controls in operation. Certification is not a substitute for ongoing operation of the security programme.

Which security levels apply to perimeter components?

Perimeter components must be specified at the same security level as the zone they bound. A zone rated SL 3 requires a perimeter that resists an actor with moderate resources and IACS-specific skills. This translates into fence specifications, lock ratings, camera capabilities, sensor density and response times that are quantifiable and auditable. A perimeter rated below the logical controls of the zone behind it creates the cheapest attack path. Operators should expect their auditors to verify that the security level is consistent across the layers, from cipher to door, and not only on the network.

About the author

Dr. Raphael Nagel (LL.M.) is founding partner of Tactical Management. He acquires and restructures industrial businesses in demanding market environments and writes on capital, geopolitics, and technological transformation. raphaelnagel.com

The firm is reached at boswau-knauer.de or +49 711 806 53 427.