Conduit
An IEC 62443 communication path between two zones — the place where the integrity and confidentiality controls actually have to live, because zones-in-isolation aren't a system.
Also: security conduit, 62443 conduit
A conduit, in IEC 62443 terminology, is a communication path between two zones. It’s the second half of the zone-and-conduit primitive — zones tell you where the trust boundaries are; conduits tell you where you have to enforce them.
Why the conduit isn’t just “the wire”
A common misreading of 62443 is to draw the conduit as the cable, the VLAN, or the MPLS circuit. That’s the carrier. The conduit is the logical communication path with its own security requirement, derived from the zones it joins, and the controls live wherever they have to live to satisfy that requirement.
Specifically, a conduit can include:
- The transport (cable, fibre, MPLS, radio).
- The protocol on top of it (DNP3, IEC 60870-5-104, MMS).
- Any cryptographic envelope around the protocol (TLS, IPsec, MACsec, GOOSE HMAC).
- The endpoints’ authentication and access-control state.
Two zones connected by the same physical wire but exchanging two different protocols are joined by two different conduits. The wire is shared infrastructure; the conduits are not.
Deriving the conduit’s Security Level
The Security Level target of a conduit is generally the higher of the two zones it joins, applied per Foundational Requirement. A conduit between an SL-2 station bus and an SL-3 protection bus inherits the SL-3 protection requirement on FR3 (System Integrity) — because a forged frame entering the higher-trust zone is what the SL-3 number was sized to prevent.
In practice the SL-T per FR is set explicitly in the design document rather than derived mechanically. Conduits crossing between sharply different trust levels (substation ↔ control centre, OT ↔ IT) are usually pinned to the higher number on every FR; conduits inside a single trust band can be tuned per FR.
Substation conduit examples
| Conduit | Zones joined | Typical SL-T driver |
|---|---|---|
| Process-bus SV/GOOSE | Z-PROC self-loop | FR3 — forged frame trips a breaker |
| Station-bus MMS | Z-PROC ↔ Z-STN | FR1, FR2 — engineering access |
| Substation-to-WAN | Z-STN ↔ Z-WAN | FR1, FR4 — semi-trusted carrier |
| Telecontrol | Z-WAN ↔ Z-RTU | FR3, FR4 — forged setpoint |
| Northbound to ADMS | Z-RTU ↔ Z-OPS | FR1, FR2 — operator session |
| OT-to-IT | Z-IDMZ ↔ corporate | FR1, FR4, FR5 — broadest controls |
Each row implies a different mechanism — TLS, embedded HMAC, IPsec, application-layer authentication — depending on what the underlying protocol can carry. That’s where IEC 62351 does the heavy lifting: it supplies the on-the-wire mechanisms that turn a 62443 SL-T into a deployable control.
What the conduit catalogue forces you to admit
The exercise of enumerating every conduit between zones is uncomfortable in a way 62443 designers find useful. It surfaces:
- Backdoor jump hosts that were never written down.
- Vendor remote-access conduits that bypass the documented architecture.
- The engineering laptop that gets carried between Z-EW and Z-PROC and is, in conduit terms, a mobile conduit nobody wants to draw.
A zone-and-conduit diagram with no mobile conduits drawn on it is almost certainly incomplete.