Conduit Security for Building Automation Networks

General BASconduitIEC 62443zones and conduitsOT security
June 2, 2026|9 min read

In OT security, a conduit is the controlled communication path between two security zones — the IEC 62443 term for every data flow that crosses a zone boundary. Conduit security means that path is documented and enforced: only the protocols and direction the zones actually need are allowed, everything else is denied by default, and the traffic is logged. A conduit that links a higher-security zone to a lower one must meet the requirements of the higher zone, so the most common failures are undocumented conduits, inter-VLAN routing left wide open, and remote-access paths that bypass the model entirely.

The Scenario: When "Conduit Security" Comes Up

The phrase usually surfaces in one of three ways. An auditor or insurer asks how traffic between your building automation zones is controlled, and the honest answer is "the core switch routes between the VLANs and there are no rules." An IT security team adopting IEC 62443 hands the BAS integrator a spreadsheet with a "conduit" column and nobody is sure what goes in it. Or a flat BAS network gets segmented into VLANs, and the moment inter-VLAN routing is enabled, the segmentation that looked good on the diagram does nothing — because a VLAN boundary with open routing is not a secured conduit.

One disambiguation first, because the search term is overloaded: this article is about the network and communications conduit from the IEC 62443 standard, not electrical conduit (the physical raceway that protects wiring). Both matter on a building site, but they are unrelated security concepts.

What a Conduit Actually Is

IEC 62443 models an automation network as zones connected by conduits. A zone is a grouping of assets that share the same security requirements. A conduit is a logical grouping of the communication channels that connect two or more zones — the standard treats it as a special kind of zone whose job is to carry and control traffic rather than to host equipment.

The key idea is that a conduit is not just a cable or a VLAN trunk. It includes everything that inspects, filters, or controls the traffic crossing the boundary: firewalls, switch access control lists, protocol-aware gateways, VPN or BACnet/SC endpoints, and the monitoring attached to them. When the standard says a conduit has its own security requirements, it means the enforcement points along that path are what you assess and harden — not the wire.

Conduits are introduced in the risk-assessment part of the series (IEC 62443-3-2), and the security requirements that apply to them sit in the system requirements part (IEC 62443-3-3). Among the seven foundational requirements the standard defines, the one most directly about zones and conduits is Restricted Data Flow — the principle that data should only move where it needs to, and that boundaries should be enforced to stop everything else. A conduit is how Restricted Data Flow is actually implemented on the network.

For the full picture of how zones and conduits fit together — including how to define zones and assign security levels — see IEC 62443 Security Zones for Building Automation. This article focuses on the conduit itself.

What Makes a Conduit Secure

A conduit is secured when four things are true about it. These map onto what an auditor expects to see documented for each boundary:

There is one rule that catches people out: a conduit connecting a higher-security zone to a lower-security one must enforce the requirements of the higher zone. The conduit is the place a compromised device in a weak zone would try to reach a strong one, so it inherits the stronger zone's controls. You cannot let the weaker side set the bar.

How to Secure a Conduit: Step by Step

  1. Find every boundary crossing. Walk the network and list each place traffic moves between zones — inter-VLAN routes, BBMD forwarding paths, IP-to-MS/TP routers, the IT/OT handoff, and any remote-access entry point. Each crossing is a candidate conduit. Most sites find more than the diagram shows.
  2. Document each conduit before you touch a rule. For every conduit record the two zones it connects, the protocols and ports it carries, the direction of flow, the device that enforces the rules, and how it is monitored. An undocumented conduit is, by definition, an uncontrolled one.
  3. Apply default-deny, then open only what the documentation lists. Start from "nothing crosses" and add the specific protocol, port, and address pairs the zones actually need. For the BACnet-specific rules — broadcast handling, the UDP 47808 details, BACnet/SC over TLS — see BACnet Firewall Rules: Ports to Open and Block.
  4. Enforce direction where the flow is one-way. If a zone only ever publishes data, the conduit should not accept inbound connections from the other side. Make the rule match the real data flow, not the protocol's theoretical capability.
  5. Treat remote access as its own conduit. A technician connecting from outside is a conduit crossing into a BAS zone, and it has security requirements distinct from the zone it enters — identity-bound access, a time-boxed session, protocol restriction, and a full audit trail. This is where most third-party exposure lives. See Secure Remote Access for Cyber-Physical Systems (CPS) for the architecture patterns that hold up.
  6. Turn on monitoring and verify the rules bite. Confirm that denied traffic is actually blocked and logged, not silently passing because of a shadowed rule or an open route you forgot. A conduit you never tested is a hope, not a control.

Common Pitfalls

When to Escalate

Bring in dedicated OT security help — internal or an outside firm — when any of these are true:

Source Attribution

The guidance in this entry draws on the following publicly available sources:

Additional patterns and field guidance from SiteConduit's work with building owners and integrators.

conduitIEC 62443zones and conduitsOT securitysegmentation

Was this article helpful?

Related Articles

Need to do this remotely? SiteConduit provides secure Layer 2 remote access to BAS networks with protocol-level controls. Join the waitlist.

SC

SiteConduit Technical Team

Idea Networks Inc.

SiteConduit builds managed remote access for building automation. Our knowledge base is maintained by BAS professionals with hands-on experience deploying and troubleshooting BACnet, Niagara, Modbus, and Facility Explorer systems.