Andrei Mungiu
Cybersecurity & Software Engineer
Foredrag
System Partitioning into Zones, To Do or Not to Do? Realistic Trade-Offs in Segregating Systems: System partitioning using zones and conduits is a foundational requirement in known
cybersecurity standards such as IEC 62443-based risk assessments. But while it enables
more precise Security Level Target (SL-T) assignments and better alignment between
threats and mitigations, it's often misunderstood, misapplied, or over-engineered in
practice.
In this talk, we’ll go beyond the theory and into the real-world implications of system
partitioning. We’ll examine why poor or missing segmentation undermines risk
assessments, but also why blindly partitioning every system can fragment your control
strategy, introduce unnecessary complexity, and create compliance blind-spots.
Using IEC 62443-3-2 as a technical case study, I’ll walk through what zones and conduits
are meant to achieve, what they actually do in operational environments, and how they can
both solve and introduce challenges in security architecture. You’ll learn how partitioning
affects SL-Ts, how shared controls lose effectiveness across zone boundaries, and why
over-partitioning without operational maturity leads to implementation debt.
More importantly, we’ll confront a critical misconception: that every supplier system must
fully meet all security (SL-T) requirements internally. In reality, system owners must
architect for gaps by using compensating controls at the infrastructure level, not penalize
vendors for honesty. We’ll explore how to design architectures that assume variability in
supplier security capabilities while still achieving compliance and resilience.
This talk is targeted at engineers, architects, and risk professionals working with ICS/OT
systems or complex hybrid environments. Whether you're applying IEC 62443, NIST 800-82,
ISO/IEC 27005, or working with cloud-native control domains, this session will give you a
deeper understanding of partitioning as a strategic architectural tool, and how to use it
responsibly.
Bio
At work I design Cybersecurity Architectures. As a hobby I program using the latest .NET9(C#)/Blazor/Python all integrated with Azure Cloud (including authentication). I also post my analysis on the latest Cybersecurity Standards and Legislation at www.cyber-laws.com.
Achievements in cybersecurity:
- Designed and led Cybersecurity Architectures for nation-wide infrastructure projects
- Established and led company-wide Cybersecurity strategies
- Established and led Cyber-Risk Assessment boards
- Established and led Threat Modeling teams for application code and application infrastructure
- Helped consolidate the supply chain cybersecurity for nation-wide infrastructure projects
- Represented a CVE numbering authority at MITRE US
Achievements in programming:
- Integrated Identity Access Management solutions on premise and in cloud using Microsoft Azure
- Designed and implemented an application layer Network protocol for distributed p2p communication (using Python / distributed hash tables & multiparty computation)
- Designed and implemented the network infrastructure of a cryptocurrency mining farm with full serviceability and VPN monitoring
- Designed and implemented a Secure Remote Physical Lock using LoRaWAN, FreeRTOS (real-time OS) and hardware
Favorite sources of knowledge:
- SABSA - for app & network Cybersecurity Architecture
- TOGAF - for network Cybersecurity Architecture
- COBIT - for governance and management of enterprise IT
- MITRE ATT&CK - For Threat Modelling
- IEC62443 - for OT Cybersecurity best practices
- ISO2700x - for OT/IT Cybersecurity best practices
- NIST SP 800 - for OT/IT Cybersecurity best practices
- NERC-CIP - for OT Cybersecurity best practices
- GDPR - for personal information best practices
