Industrial Security Zones Designer

Design and validate IEC 62443-compliant security zones and conduits for industrial (OT) networks.

Install
cmdop skills install agensi-industrial-security-zones-designer

The Industrial Security Zones Designer is a skill for architecting and auditing network segmentation in Operational Technology (OT) and Industrial Control System (ICS) environments. It applies the ISA/IEC 62443 standard alongside the Purdue Enterprise Reference Architecture (PERA) and NIST SP 800-82 to guide engineers through defining security zones, managing conduits between those zones, and mapping assets according to Purdue Model levels, criticality, and functional requirements.

Industrial networks frequently operate with flat architectures or poorly managed IT/OT convergence, both of which introduce serious security risks. Manually designing segmentation that respects safety-critical constraints, process integrity, and complex traffic flows is error-prone. This skill automates the zone and conduit design logic, enforcing strict industrial safety constraints so that every conduit is justified by a business requirement, has defined directionality, and carries identified security controls.

The skill is vendor-neutral and can work with data from firewall platforms such as Fortinet, Cisco, and Palo Alto, as well as asset inventory tools including Nozomi, Claroty, and Dragos, and any network monitoring system. Its outputs include zone and conduit registers, firewall flow allowlists, and remediation roadmaps. It explicitly avoids proposing dangerous destructive testing or hallucinated network paths, which are known failure modes in generic AI-assisted network design.

Use cases

  • Design IEC 62443-compliant zone and conduit architecture for a greenfield OT network
  • Audit an existing industrial network for flat-architecture risks and improper IT/OT convergence
  • Generate firewall flow allowlists from a defined conduit register
  • Map industrial assets to Purdue Model levels based on criticality and function
  • Produce a remediation roadmap for bringing an ICS environment into IEC 62443 compliance
  • Validate that every inter-zone conduit has a documented business justification and security control

When to use it

  • Segmenting OT/ICS networks that must comply with IEC 62443 or NIST SP 800-82
  • Auditing existing industrial network architectures for security zone deficiencies
  • Generating structured outputs such as registers, allowlists, and roadmaps for industrial network design reviews
  • Working across multiple firewall or asset inventory vendors without tool-specific constraints

When not to use it

  • IT-only enterprise network segmentation with no OT or ICS components
  • Environments that require live network interaction or device configuration push — this skill produces design artifacts, not active configurations
  • Use cases requiring direct integration with a specific proprietary ICS platform beyond the listed vendor data sources