System Partitioning into Zones, To Zone or Not to Zone?

System partitioning using zones and conduits is a foundational requirement in known cybersecurity standards such as IEC 62443-based risk assessments. But while it enables more precise Security Level Target (SL-T) assignments and better alignment between threats and mitigations, it's often misunderstood, misapplied, or over-engineered in practice.

In this talk, we’ll go beyond the theory and into the real-world implications of system partitioning. We’ll examine why poor or missing segmentation undermines risk assessments and why blindly partitioning every system can fragment your control strategy, introduce unnecessary complexity, and create compliance blind spots.

Using IEC 62443-3-2 as a technical case study, I’ll walk through what zones and conduits are meant to achieve, what they actually do in operational environments, and how they can both solve and introduce challenges in security architecture.