Zone-and-conduit documentation is foundational to OT security. It shows how your network is logically segmented, which systems communicate across segment boundaries, and what controls protect those boundaries. But most zone-and-conduit diagrams are created once, become outdated immediately as systems are added and removed, and end up misleading rather than informative. The solution is treating documentation as a living artifact that is updated with every network change, reviewed quarterly, and actively used for operational decisions.
Documentation that is outdated is worse than no documentation. An engineer referencing a diagram that shows devices that no longer exist, or missing new production lines, makes decisions based on false assumptions. Accurate documentation requires discipline and processes, not just initial effort.
Documentation Components
Zone-and-conduit documentation should include three elements: a high-level network diagram showing all zones and how they connect, a detailed breakdown of each zone showing specific systems and their functions, and a table of data flows showing which systems communicate across zone boundaries and what traffic is allowed.
The high-level diagram should be simple enough to fit on a page and clear enough that someone unfamiliar with your facility can understand your network architecture. Use consistent symbols for zones (rectangles), conduits (lines between zones), and edge devices (circles or boxes for firewalls and gateways). Color-code by criticality or function for visual clarity.
Format That Stays Maintainable
- Version Control: Store diagrams in a version control system so you can track changes, see who modified what and when, and roll back if a change was incorrect. Use Lucidchart, Draw.io, or similar tools that generate exportable diagrams but store underlying data in text format.
- Automated Dependency Tracking: Maintain a supplementary spreadsheet or database that lists each device, its zone, its function, and what other devices it communicates with. Use this as the source of truth for network topology. Generate diagrams from the spreadsheet so the two stay synchronized.
- Quarterly Review Process: Schedule a quarterly review where your network team systematically verifies the documentation against actual infrastructure. Walk through each zone, confirm that the devices match the diagram, and confirm that the connections are correct. Update the diagram immediately when discrepancies are found.
- Change Documentation Requirement: Any network change—adding a device, removing a device, changing a connection, modifying firewall rules—requires updating the documentation before the change is marked as complete. This is the only way to keep documentation current.
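As an added illustration of the "generate diagrams from the source of truth" practice above (example code written for this article, not a tool from the Cascadia practice), the script below reads a device table and a data-flow table, renders the zones and cross-zone flows as a Graphviz diagram, and lists any cross-zone flow that has no approved conduit, which is exactly the discrepancy a quarterly review is meant to catch. The device names, zones, ports and the CONDUITS set are constructed sample data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory: the spreadsheet/database is the source of truth.
DEVICES_CSV = """device,zone,function
PLC-01,Cell-A,Packaging line controller
HMI-01,Cell-A,Operator station
HIST-01,DMZ,Historian replica
ERP-01,Enterprise,MES integration server
"""
# Constructed data-flow table: which device talks to which, and on what.
FLOWS_CSV = """src,dst,proto,port
HMI-01,PLC-01,tcp,502
PLC-01,HIST-01,tcp,4840
ERP-01,HIST-01,tcp,443
ERP-01,PLC-01,tcp,502
"""
CONDUITS = {("Cell-A", "DMZ"), ("Enterprise", "DMZ")}  # approved (src_zone, dst_zone); constructed

def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def cross_zone_flows(devices, flows):
    """Flows whose endpoints sit in different zones; devices missing from the
    inventory land in UNASSIGNED and always count as crossing a boundary."""
    zone = {d["device"]: d["zone"] for d in devices}
    pairs = [((zone.get(f["src"], "UNASSIGNED"), zone.get(f["dst"], "UNASSIGNED")), f)
             for f in flows]
    return [(p, f) for p, f in pairs if p[0] != p[1] or "UNASSIGNED" in p]

def undocumented_flows(devices, flows, conduits):
    """Cross-zone flows with no approved conduit: diagram and infrastructure disagree."""
    return [(p, f) for p, f in cross_zone_flows(devices, flows) if p not in conduits]

def to_dot(devices, flows, conduits):
    """Graphviz DOT: zones as clusters, cross-zone flows as edges, unapproved ones dashed red."""
    members = defaultdict(list)
    for d in devices:
        members[d["zone"]].append(d["device"])
    lines = ["digraph zones {"]
    for i, (zone, devs) in enumerate(sorted(members.items())):
        lines.append(f'  subgraph cluster_{i} {{ label="{zone}";')
        lines.extend(f'    "{m}";' for m in devs)
        lines.append("  }")
    for pair, f in cross_zone_flows(devices, flows):
        attrs = f'label="{f["proto"]}/{f["port"]}"'
        if pair not in conduits:
            attrs += ", color=red, style=dashed"
        lines.append(f'  "{f["src"]}" -> "{f["dst"]}" [{attrs}];')
    lines.append("}")
    return "\n".join(lines)
```

Feed the output of to_dot() to Graphviz (for example `dot -Tsvg`) to render the diagram; in the sample data the ERP-01 to PLC-01 flow has no approved Enterprise-to-Cell-A conduit and is drawn as a dashed red edge.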
Using Documentation for Operations
Good documentation is not a compliance checkbox. It is an operational tool. When troubleshooting a communication problem, the diagram should tell you what path the traffic should follow and what boundary devices might be involved. When planning a change, the documentation should tell you what systems might be affected. When investigating a security incident, the documentation should tell you what systems a compromised device could potentially reach.
Treat documentation as part of your incident response plan. During incident response, technicians should be referencing your zone-and-conduit documentation to understand what systems are affected and what communication paths might be used for lateral movement.
If you'd like to develop or improve zone-and-conduit documentation for your facility, reach out.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.