Zoning / Segmentation
Zoning and segmentation is the IEC 62443 architectural pattern of dividing a system into separate zones by risk profile, with controlled conduits between them. The illustration shows how a classical CAN network is split into two segments: a physically well-protected classical CAN segment (orange) and a section with exposed wiring where SPsec provides secure CAN FD communication. It is not a per-node defensive shell; it is a choice about how the CAN topology itself is laid out, applied selectively where it helps.
What Zoning Means on CAN
A zone in the IEC 62443 sense is a grouping of assets with common security requirements. On a CAN system, a zone is typically one CAN segment: the wires and the nodes attached to them. The whole system is divided into zones based on what is reachable, what is exposed, and what level of trust each part of the system holds. Conduits between zones are the bridges, routers, or gateways that carry traffic from one zone to another with controlled filtering and policy enforcement.
Classical CAN in Protected Zones, CAN FD on Exposed Segments
The most common payoff from CAN zoning is mixing or selecting protocols depending on exposure profiles. Classical CAN remains a low-cost, well-understood, real-time solution where wires and connectors are physically protected: inside a sealed enclosure or between cards on a backplane. On segments where the wiring leaves the protected enclosure, attaches to user-accessible connectors, or runs near a remote-service interface, CAN FD with Frame Security carries the integrity and authenticity guarantees that the higher exposure demands. The bridge between the two segments mediates which messages are allowed to cross.
Bridges and Gateways Between Zones
Every conduit between zones is a control point. A bridge between a classical-CAN inner zone and a CAN FD outer zone enforces which messages can cross, with whose authority, and in which direction. The hardening of these coupling devices is general industrial cybersecurity practice; the dedicated Secure Gateways page covers the IEC 62443-3-3 SR 5.x and NIST SP 800-82 expectations that apply to them.
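A sketch of such a control point as a default-deny forwarding check, added here as an example and not taken from this page or any product. The frame_t and rule_t types, the sample identifiers, and the authenticated flag (assumed to be set by whatever frame-security verification runs on the CAN FD side) are all hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Direction of travel across the conduit. */
typedef enum { INNER_TO_OUTER, OUTER_TO_INNER } direction_t;

/* Minimal view of a received frame (hypothetical struct, not a driver API). */
typedef struct {
    uint32_t id;            /* 11-bit CAN identifier */
    uint8_t  len;           /* payload length in bytes */
    bool     authenticated; /* outer-zone frame passed frame-security verification */
} frame_t;

/* One allow rule: ID/mask match, a single direction, a payload bound. */
typedef struct {
    uint32_t    id, mask;
    direction_t dir;
    uint8_t     max_len;
} rule_t;

/* Constructed sample policy; the identifiers are illustrative only. */
static const rule_t POLICY[] = {
    { 0x180, 0x7FF, INNER_TO_OUTER, 8 },  /* status broadcast, outbound only */
    { 0x200, 0x7F0, OUTER_TO_INNER, 8 },  /* command range 0x200-0x20F, inbound */
};

/* Default deny: a frame crosses only if an explicit rule matches. */
bool bridge_may_forward(const frame_t *f, direction_t dir)
{
    /* Frames entering the protected zone must have been verified first. */
    if (dir == OUTER_TO_INNER && !f->authenticated)
        return false;
    /* The inner zone is classical CAN: never pass more than 8 bytes into it. */
    if (dir == OUTER_TO_INNER && f->len > 8)
        return false;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        const rule_t *r = &POLICY[i];
        if (r->dir == dir && (f->id & r->mask) == (r->id & r->mask) &&
            f->len <= r->max_len)
            return true;
    }
    return false;
}
```

Because each rule names one direction, an identifier allowed outbound is still rejected inbound unless a second rule says otherwise.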
IEC 62443 and CRA Mapping
Zoning and segmentation aligns with IEC 62443-3-2 (zone and conduit modeling as the basis for risk assessment) and IEC 62443-3-3 SR 5.x (Restricted data flow / zone-and-conduit). It is the architectural lever that the risk assessment uses to bring high-exposure parts of the system back to an acceptable IEC 62443 SL without forcing every segment to the same baseline. CRA Annex I I-2i (limit attack surfaces) and I-2j (reduce incident impact) both favor systems that partition cleanly into zones with controlled conduits.
What This Approach Does Not Catch
Zoning is a layout decision; it does not by itself defend any individual frame, node, or object. Within each zone, the appropriate shells from the catalog still need to be selected and deployed. A poorly hardened bridge between zones turns the conduit itself into the weakest link: if the bridge can be subverted, the segmentation no longer holds.
Frequently Asked Questions
Why is zoning and segmentation treated separately from the per-node defensive shells?
The per-node shells (bus load monitoring, local injection detection, frame security, anomaly event monitoring, SOFA) are applied uniformly across a CAN segment. Zoning and segmentation is a system-level architectural pattern: a choice about how the CAN topology itself is laid out. It is applied selectively and asymmetrically across segments, so it does not fit a single column on the threats matrix.
When does it make sense to keep classical CAN in part of the system?
When the segment is inside a physically protected enclosure with controlled wiring and no remote-service interface. Classical CAN is cheap, well understood, and adequate where access is not a concern. Adding cryptographic frame protection to an internal segment whose wires are inside a sealed cabinet often costs more than the residual risk it removes.
How does zoning relate to Secure Gateways?
Secure Gateways covers the perimeter coupling devices between CAN and other networks. Zoning and segmentation is the architectural choice about how to partition the CAN side into segments before those gateways come into play. The two complement each other: zoning defines the segments, Secure Gateways handles the conduits leaving CAN entirely.