OT Network Segmentation Using ISA-99 Zones and Conduits: Schneider M580 and Bachmann M1 Practical Guide

The Real Problem with Flat OT Networks
Most industrial plants built before 2015 run a flat Ethernet network where the Schneider Electric Modicon M580 PLC, the Bachmann M1 automation controller, the SCADA historian, and the corporate ERP share the same Layer 2 broadcast domain. First, this means a ransomware attack that enters through the corporate network reaches the M580 CPU without passing through any access control point. Second, a misconfigured workstation broadcasting ARP storms can saturate the M580 BMEP58•020 CPU Ethernet port — the M580 CPU Ethernet port processes ARP in software with a 500-packet-per-second ceiling. Third, protocol exploits targeting Modbus TCP port 502 or EtherNet/IP port 44818 travel freely across the flat network. Therefore, ISA-99 / IEC 62443 zone and conduit architecture is not optional — it is the only proven framework that adds network-level protection without disrupting the control strategy.
ISA-99 Zone and Conduit Architecture: Defining the Structure
ISA-99 (IEC 62443-3-3) divides the industrial network into Security Levels (SL) and assigns assets to zones based on the consequence of compromise. First, define your zones before touching any switch configuration. Second, identify every device in the plant network and assign it to one of four zones:
- Zone 1 — Safety (SIL): Safety PLCs only. For most plants this includes ICS Triplex or Triconex TMR systems. No general-purpose traffic enters this zone. Conduit to Zone 2 allows only read-only Modbus TCP for SCADA display purposes.
- Zone 2 — Control (SL-2): Schneider M580 CPUs, Bachmann M1 controllers, I/O networks, field device management. EtherNet/IP and Modbus TCP traffic stays inside this zone. External access only through the IDMZ conduit.
- Zone 3 — Supervisory (SL-1): SCADA servers, DCS historian, operator workstations. This zone accesses Zone 2 via a defined conduit through a stateful firewall — not a flat connection.
- Zone 4 — Enterprise (SL-0): Corporate ERP, Active Directory, email servers. Zero direct access to Zone 2 or Zone 1. All data exchange happens through the IDMZ only.
Moreover, the Industrial DMZ (IDMZ) sits between Zone 3 and Zone 4. The IDMZ contains the data replication servers — OSIsoft PI, Wonderware Historian, or OPC DA/UA gateway. No traffic traverses the IDMZ end-to-end — both Zone 3 and Zone 4 connect to IDMZ servers but never to each other directly. This is the core ISA-99 boundary control principle.
VLAN and Firewall Configuration for Schneider M580 Networks
The Schneider Modicon M580 uses EtherNet/IP on the CPU backplane Ethernet port (BMEP58•020 series) and a dedicated I/O network Ethernet port for Ethernet RIO drops. First, assign the CPU management port to VLAN 20 (Control Zone) on your managed switch. Second, assign all remote I/O (BMECRA31210 RIO drops) to VLAN 21 (I/O sub-zone). Third, create an ACL (Access Control List) on the switch to block all traffic between VLAN 21 and any zone above Level 2.
On a Cisco IE4000 or Cisco IE3400 managed switch, configure inter-VLAN routing with these firewall rules:
- Step 1: Create VLAN 20 (Control) and VLAN 21 (RIO). Assign M580 CPU port to VLAN 20 access mode. Assign all BMECRA31210 RIO drop ports to VLAN 21 access mode.
- Step 2: Apply ACL on VLAN 20 SVI: permit TCP any 192.168.20.0/24 eq 44818 (EtherNet/IP CIP). Permit TCP any 192.168.20.0/24 eq 502 (Modbus TCP). Deny ip any any log. This allows only required protocols to reach M580.
- Step 3: Block all external access to VLAN 21 at the Layer 3 switch — deny ip any 192.168.21.0/24. RIO traffic must never be accessible from Zone 3 or Zone 4.
- Step 4: Configure the stateful firewall between Zone 2 and Zone 3 to allow only OPC UA port 4840 from the SCADA server to the Zone 3 OPC UA gateway. Block Modbus TCP port 502 between Zone 3 and Zone 2 — SCADA reads the OPC UA gateway, not the M580 directly.
- Step 5: Enable port security on all M580 and BMECRA switch ports — lock each port to the MAC address of the device connected to it. Set port security violation mode to "restrict" (not "shutdown") to generate an alert without dropping the I/O network.
However, the M580 CPU Ethernet port does not support 802.1Q VLAN tagging natively — it operates as a VLAN access port only. Therefore, the switch must handle all VLAN tagging. This is a common M580 network design constraint that engineers overlook when designing segmentation.
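The zone definitions above and the VLAN 20/21 ACL steps can be kept as one machine-checkable policy rather than as prose and switch configuration that drift apart. The following Python is an added example, not code from the guide or from Schneider, Bachmann or Cisco: it encodes the conduits the guide lists (including the IDMZ conduits described later in the guide), decides whether a given flow is permitted, renders the VLAN 20 SVI rules as IOS extended-ACL lines with wildcard masks, and checks that no rule lets Zone 4 reach a plant zone without passing the IDMZ. The 192.168.20.0/24, 192.168.21.0/24 and 192.168.30.10 addresses are from the guide; the Zone 1, IDMZ and Zone 4 prefixes, the ACL name, and the `Rule`, `evaluate`, `render_cisco_acl` and `idmz_violations` names are assumptions made for the example.

```python
# Added example: not code from the guide, Schneider, Bachmann or Cisco.
# VLAN 20, VLAN 21 and the SCADA server address come from the guide; the
# Zone 1, IDMZ and Zone 4 prefixes are assumptions made for the example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ZONES = {
    "Zone1-Safety": ip_network("192.168.10.0/24"),       # assumed
    "Zone2-Control": ip_network("192.168.20.0/24"),      # VLAN 20
    "Zone2-RIO": ip_network("192.168.21.0/24"),          # VLAN 21
    "Zone3-Supervisory": ip_network("192.168.30.0/24"),  # SCADA server at .10
    "IDMZ": ip_network("192.168.40.0/24"),               # assumed
    "Zone4-Enterprise": ip_network("10.0.0.0/8"),        # assumed
}


@dataclass(frozen=True)
class Rule:
    """One conduit line. src is a zone name, a single host IP, or "any"."""
    src: str
    dst: str                    # zone name or "any"
    proto: str                  # "tcp", or "ip" for any protocol
    port: Optional[int] = None
    action: str = "permit"


# End-to-end conduit policy assembled from the guide's rules. First match
# wins; a flow that matches nothing is denied.
CONDUITS = [
    Rule("Zone2-Control", "Zone1-Safety", "tcp", 502),    # read-only Modbus for display
    Rule("192.168.30.10", "Zone2-Control", "tcp", 4840),  # SCADA -> OPC UA only, no 502
    Rule("Zone3-Supervisory", "IDMZ", "tcp", 5450),       # Zone 3 historian pushes to relay
    Rule("IDMZ", "Zone3-Supervisory", "tcp", 5450),       # relay -> Zone 3 historian
    Rule("IDMZ", "Zone3-Supervisory", "tcp", 3389),       # jump server RDP, MFA at gateway
    Rule("Zone4-Enterprise", "IDMZ", "tcp", 5450),        # corporate historian pulls
    Rule("any", "Zone2-RIO", "ip", None, "deny"),         # RIO reachable only inside VLAN 21
]

# The VLAN 20 SVI ACL as the guide's Step 2 states it (deny-log is appended on render).
VLAN20_ACL = [
    Rule("any", "Zone2-Control", "tcp", 44818),           # EtherNet/IP CIP
    Rule("any", "Zone2-Control", "tcp", 502),             # Modbus TCP
]


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), None)


def _src_matches(spec: str, ip: str) -> bool:
    if spec == "any":
        return True
    if spec in ZONES:
        return zone_of(ip) == spec
    return ip_address(spec) == ip_address(ip)         # single-host rule


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, rules=CONDUITS) -> str:
    """Return "permit" or "deny"; traffic that stays inside one zone is not policed."""
    if zone_of(src_ip) is not None and zone_of(src_ip) == zone_of(dst_ip):
        return "permit"
    for r in rules:
        if not _src_matches(r.src, src_ip):
            continue
        if r.dst != "any" and zone_of(dst_ip) != r.dst:
            continue
        if r.proto != "ip" and (r.proto != proto or r.port != port):
            continue
        return r.action
    return "deny"


def render_cisco_acl(name: str, rules) -> list:
    """Render rules as IOS extended-ACL lines, converting prefixes to wildcard masks."""
    def addr(spec: str) -> str:
        if spec == "any":
            return "any"
        if spec in ZONES:
            return f"{ZONES[spec].network_address} {ZONES[spec].hostmask}"
        return f"host {spec}"
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        port = f" eq {r.port}" if r.proto != "ip" else ""
        lines.append(f" {r.action} {r.proto} {addr(r.src)} {addr(r.dst)}{port}")
    lines.append(" deny ip any any log")
    return lines


def idmz_violations(rules=CONDUITS) -> list:
    """Permit rules that let Zone 4 talk to any plant zone without passing the IDMZ."""
    plant = {"Zone1-Safety", "Zone2-Control", "Zone2-RIO", "Zone3-Supervisory"}
    return [r for r in rules if r.action == "permit"
            and "Zone4-Enterprise" in (r.src, r.dst) and {r.src, r.dst} & plant]


if __name__ == "__main__":
    print("\n".join(render_cisco_acl("CONTROL-VLAN20-IN", VLAN20_ACL)))
    print(evaluate("10.1.2.3", "192.168.20.15", "tcp", 502))        # deny: Zone 4 -> M580
    print(evaluate("192.168.30.10", "192.168.20.15", "tcp", 4840))  # permit: SCADA -> OPC UA
    print(idmz_violations())                                        # []
```

The switch ACL and the end-to-end policy are kept separate on purpose: the VLAN 20 ACL keeps the "any" source the guide specifies for Step 2, while the stateful firewall rules in `CONDUITS` narrow Zone 3 access to a single SCADA host on port 4840, which is why `evaluate()` denies Modbus from the SCADA server even though the switch ACL alone would pass it. Running `evaluate()` over the flows a commissioning scan is expected to produce gives a regression test for every later switch or firewall change.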
Bachmann M1 Controller Segmentation and OPC UA Boundary Control
Bachmann M1 controllers use their own MIO (Modular I/O) Ethernet network on a dedicated interface separate from the programming port. First, assign the Bachmann M1 MIO network to VLAN 22 — separate from the Schneider M580 control VLAN 20. This prevents cross-protocol broadcast storms. Second, Bachmann M1 supports OPC UA server functionality natively in its SolutionCenter programming environment. Configure the OPC UA server to expose only the required tags to Zone 3 — do not expose the full M1 variable namespace.
In Bachmann SolutionCenter, set OPC UA Security Mode to "SignAndEncrypt" and Security Policy to "Basic256Sha256." Reject all anonymous connections — require certificate-based authentication. This aligns with IEC 62443-3-3 Security Level 2 requirements for the Control Zone. Moreover, set the M1 OPC UA server address space to publish only tags listed in the approved SCADA tag list — use the Bachmann OPC UA NodeManager configuration to whitelist specific variable nodes. Block all other nodes at the OPC UA server level, not at the firewall only.
- Step 1: In Bachmann SolutionCenter, navigate to OPC UA Server configuration under "Communication" module.
- Step 2: Set Security Mode to "SignAndEncrypt." Set Security Policy to "Basic256Sha256." Disable "None" and "Sign" policies.
- Step 3: Import SCADA server certificate into Bachmann M1 trusted certificate store. Only certificate-bearing SCADA clients connect.
- Step 4: Enable Bachmann M1 firewall function — allow TCP 4840 (OPC UA) only from SCADA server IP address 192.168.30.10. Block all other inbound connections on the OPC UA port.
- Step 5: Configure session timeout to 30 seconds. Any SCADA session inactive for 30 seconds closes automatically, which prevents stale sessions from accumulating in the M1 session table.
- Step 6: Log all OPC UA connection events to the Bachmann M1 syslog — configure syslog forwarding to the SIEM server in the IDMZ for security monitoring.
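The syslog stream from Step 6 is only useful if something checks it for sessions that contradict Steps 2 to 4. The following Python is an added example and not Bachmann code: the syslog message layout (key=value fields after `opcua: session open`) is a constructed placeholder, since the guide does not show the M1's real log format, and the sample lines and the `parse_open_event` and `audit` names are assumptions. It flags session-open events whose client is not the approved SCADA address 192.168.30.10, whose security policy or mode is weaker than Basic256Sha256/SignAndEncrypt, or which were accepted anonymously; any such finding means the configuration above is not actually in effect on that controller.

```python
# Added example: not Bachmann code. The syslog message layout below is a
# constructed placeholder for whatever the M1 actually emits; adapt OPEN_RE
# to the real format after capturing a few live events.
import re
from typing import List, Tuple

APPROVED_CLIENTS = {"192.168.30.10"}          # SCADA server address from the guide
REQUIRED_POLICY = "Basic256Sha256"
REQUIRED_MODE = "SignAndEncrypt"

# Constructed sample events (hypothetical key=value layout after "session open").
SAMPLE_SYSLOG = """\
<134>Mar 12 10:15:02 m1-ctrl-01 opcua: session open client=192.168.30.10 policy=Basic256Sha256 mode=SignAndEncrypt auth=certificate
<134>Mar 12 10:16:40 m1-ctrl-01 opcua: session open client=192.168.30.25 policy=Basic256Sha256 mode=SignAndEncrypt auth=certificate
<134>Mar 12 10:17:05 m1-ctrl-01 opcua: session open client=192.168.30.10 policy=None mode=None auth=anonymous
<134>Mar 12 10:17:35 m1-ctrl-01 opcua: session close client=192.168.30.10 reason=timeout
<134>Mar 12 10:18:00 m1-ctrl-01 kernel: link up eth1
"""

OPEN_RE = re.compile(r"opcua: session open (?P<fields>.+)$")


def parse_open_event(line: str):
    """Return the key=value fields of an OPC UA session-open event, else None."""
    m = OPEN_RE.search(line)
    if not m:
        return None
    return dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)


def audit(syslog_text: str) -> List[Tuple[str, List[str]]]:
    """List (client, reasons) for every session-open that violates the guide's settings."""
    findings = []
    for line in syslog_text.splitlines():
        ev = parse_open_event(line)
        if ev is None:
            continue                                   # close events, kernel noise, etc.
        reasons = []
        client = ev.get("client", "?")
        if client not in APPROVED_CLIENTS:
            reasons.append("client not in approved SCADA list")
        if ev.get("policy") != REQUIRED_POLICY:
            reasons.append(f"security policy {ev.get('policy')} is not {REQUIRED_POLICY}")
        if ev.get("mode") != REQUIRED_MODE:
            reasons.append(f"security mode {ev.get('mode')} is not {REQUIRED_MODE}")
        if ev.get("auth") == "anonymous":
            reasons.append("anonymous session accepted")
        if reasons:
            findings.append((client, reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in audit(SAMPLE_SYSLOG):
        print(client, "->", "; ".join(reasons))
```

A session opened with policy None from the approved SCADA address is the more important of the two sample findings: the client is legitimate, so only the controller's own configuration can have accepted it, which points at a reverted or never-applied Step 2 rather than at an intruder.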
IDMZ Design: Data Replication Without Direct Zone Crossing
The IDMZ contains exactly two types of servers: the data historian replication server and the remote access jump server. First, the OSIsoft PI Relay or Honeywell Uniformance PHD runs in the IDMZ. The historian in Zone 3 pushes data to the IDMZ relay using TCP port 5450 (PI-to-PI interface). The corporate historian in Zone 4 pulls data from the IDMZ relay using the same port. No process data ever travels directly between Zone 3 and Zone 4. Second, the remote access jump server in the IDMZ provides RDP access for maintenance engineers. Configure the jump server to allow RDP connections only from an approved MFA-protected VPN endpoint — never allow direct RDP from Zone 4 to Zone 2 or Zone 1.
Furthermore, apply these firewall rules between Zone 4 and IDMZ: allow TCP 5450 (PI) from Zone 4 historian to IDMZ relay only. Deny all other traffic from Zone 4 to IDMZ. Between IDMZ and Zone 3: allow TCP 5450 from IDMZ relay to Zone 3 historian. Allow RDP (TCP 3389) from IDMZ jump server to Zone 3 SCADA workstations only — with MFA enforced at the jump server gateway.
Conclusion and Action Advice
ISA-99 zone and conduit segmentation for Schneider M580 and Bachmann M1 networks is an engineering task, not an IT security project. First, define your four zones and draw the conduit diagram before touching any switch. Second, assign M580 CPU and M1 MIO networks to dedicated VLANs with ACLs blocking all non-required protocols. Third, enforce OPC UA SignAndEncrypt on Bachmann M1 and use certificate-based authentication from day one. Fourth, build the IDMZ as a true data relay — no direct Zone 3 to Zone 4 paths. Fifth, enable port security on all control VLAN switch ports to prevent rogue device connections. Finally, test your segmentation by attempting a port scan from a Zone 4 workstation toward Zone 2 addresses — if you see any open ports on the M580 or M1 from Zone 4, your conduit rules are incomplete. Fix every open port before declaring the segmentation complete.
