ZONING, CONDUITING AND SUBNETTING ARCHITECTURE FOR INDUSTRIAL CONTROL SYSTEMS
Description
This technical paper presents a structured engineering methodology for the design of Industrial Control System (ICS) network architectures, with specific focus on zoning, conduiting, and IP subnetting strategies for process industry environments. It addresses the critical gap between traditional, incrementally developed control networks and the need for formally engineered architectures that are both cybersecurity-resilient and compliant with functional safety requirements.
The work integrates the principles of IEC 62443 zone and conduit modeling with IPv4 subnet design and VLAN segmentation, establishing a unified framework that enables clear system boundary definition, controlled communication pathways, and enforceable security policies. It further demonstrates the direct relationship between network segmentation and the independence requirements of IEC 61511, positioning network architecture as a core functional safety consideration rather than a purely IT-driven activity.
The paper provides a comprehensive technical foundation tailored for instrumentation and control engineers, including fundamental networking concepts, practical subnet sizing methodologies, and their application to key ICS components such as Distributed Control Systems (DCS), Safety Instrumented Systems (SIS), Fire and Gas Systems (FGS), vendor package systems, and supporting infrastructure.
A complete worked example of a hypothetical process facility is included, comprising zone definition, VLAN allocation, subnet architecture, conduit register, and firewall rule mapping. These deliverables are intended for direct adoption in engineering design, commissioning, and system integration activities.
The methodology emphasizes defense-in-depth, elimination of flat network architectures, segregation of safety-critical systems, and controlled interfacing with enterprise and external networks through industrial DMZ structures. It also addresses common design deficiencies observed in operational facilities and provides best practices aligned with international standards including IEC 62443, IEC 61511, and NIST SP 800-82.
This paper is intended for use by instrumentation and control engineers, functional safety professionals, and OT cybersecurity practitioners involved in the specification, design, review, and lifecycle management of ICS network architectures in oil and gas, petrochemical, power, and related process industries.
Files
| Name | Size |
|---|---|
| ZONING, CONDUITING AND SUBNETTING ARCHITECTURE_Technical Paper-A1.pdf (md5:b381ca1b8b6f8486e89f92bbb29ac6bd) | 578.7 kB |
Additional details
Dates
- Submitted: 2026-03-23. Preprint submitted via Authorea (Wiley) for peer review
References
- IEC 62443-3-2, IEC 61511-1, NIST SP 800-82 Rev.3