OT Cybersecurity Standards and When Compliance Isn’t Enough: Risk Appetite as the Real Design Driver

Two different ways to implement the same standard

The diagram shows two valid ways to meet the IEC 62443 segmentation requirement, and this is exactly why risk appetite matters. Standards tell you what must be achieved, not how to interpret or implement it. Both designs in the diagram satisfy the requirement for segmentation, but they do it in very different ways — and the driver behind that difference is risk appetite.

On the left, the design reflects a low risk appetite:
multiple physical firewalls, hard boundaries between each Purdue level, and a clearly defined Level 3.5 Industrial DMZ with its own dedicated firewall layers. This approach demands more equipment, more operational overhead, and more funding — but it also delivers stronger isolation and a more defensible architecture.

On the right, the design reflects a higher risk appetite:
a single firewall cluster creating logical zones (including a logical Level 3.5 DMZ), with segmentation handled through policy rather than physical separation. It still meets the standard, but it leans toward efficiency, centralized management, and lower cost.

Both designs are compliant. Both achieve the “what.”
The difference is in the “how,” and that’s where risk appetite becomes the compass.
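To make the "what versus how" concrete, here is an added example (not code from the article) that models both designs as zone-and-conduit rule tables and checks them against one shared invariant. The zone names, services, rule tables and the assumed reading of the requirement (enterprise traffic must terminate in the Level 3.5 DMZ, never run straight into Level 3 or below) are all constructed for illustration. It also shows what the article's "stronger isolation" buys you: a single mis-scoped rule on the one-cluster design opens a DMZ bypass, while the same rule on one physical firewall does nothing until every firewall on the path agrees.

```python
"""Zone/conduit model of the two IEC 62443 segmentation designs discussed
above. Added example, not the article's own code: the zone names, services,
rule tables and the "no direct enterprise-to-OT conduit" invariant are
constructed assumptions for illustration."""

# Purdue levels modelled as zones, enterprise at the top (constructed).
ENTERPRISE, DMZ, SITE_OPS, SUPERVISORY, CONTROL = "L4", "L3.5", "L3", "L2", "L1"
ZONES = [ENTERPRISE, DMZ, SITE_OPS, SUPERVISORY, CONTROL]
SERVICES = {"https", "rdp", "historian-replica", "opc-ua", "modbus"}

# A conduit rule is (src_zone, dst_zone, service). Every firewall is
# default-deny, so a flow crosses it only if a matching rule exists.

# Left-hand design: one physical firewall per Purdue boundary. Boundary k
# sits between ZONES[k] and ZONES[k+1]; each has its own rule table.
PHYSICAL_ORDER = ["fw_l4_dmz", "fw_dmz_l3", "fw_l3_l2", "fw_l2_l1"]
PHYSICAL_DESIGN = {
    "fw_l4_dmz": {(ENTERPRISE, DMZ, "https"), (ENTERPRISE, DMZ, "rdp")},
    "fw_dmz_l3": {(DMZ, SITE_OPS, "historian-replica"), (DMZ, SITE_OPS, "rdp")},
    "fw_l3_l2":  {(SITE_OPS, SUPERVISORY, "opc-ua")},
    "fw_l2_l1":  {(SUPERVISORY, CONTROL, "modbus")},
}

# Right-hand design: one firewall cluster, zones are logical, and a single
# rule table decides every flow. Same intended conduits as the left.
SINGLE_CLUSTER_DESIGN = set().union(*PHYSICAL_DESIGN.values())


def boundaries_on_path(src, dst):
    """Firewalls a flow must traverse in the physical design. Assumes the
    Purdue stack is linear, so every boundary between src and dst is crossed."""
    lo, hi = sorted((ZONES.index(src), ZONES.index(dst)))
    return PHYSICAL_ORDER[lo:hi]


def physical_permits(firewalls, flow):
    """A flow is permitted end to end only if every firewall on its path
    carries a rule for it."""
    src, dst, _ = flow
    return all(flow in firewalls[fw] for fw in boundaries_on_path(src, dst))


def single_cluster_permits(ruleset, flow):
    """On the cluster, one rule in the single table is sufficient."""
    return flow in ruleset


def permitted_flows(permits, design):
    """All (src, dst, service) flows the design allows between distinct zones."""
    return {
        (src, dst, svc)
        for src in ZONES for dst in ZONES if src != dst
        for svc in SERVICES
        if permits(design, (src, dst, svc))
    }


def dmz_bypass(flows):
    """The 'what' both designs must deliver (assumed reading of the
    segmentation requirement): enterprise traffic terminates in the DMZ,
    so no direct conduit may run from L4 into L3 or below. Returns the
    violating flows, sorted."""
    return sorted(
        f for f in flows
        if f[0] == ENTERPRISE and ZONES.index(f[1]) > ZONES.index(DMZ)
    )


# Hypothetical 'temporary vendor access' rule pointing straight from the
# enterprise into the supervisory level, i.e. around the DMZ (constructed).
VENDOR_RULE = (ENTERPRISE, SUPERVISORY, "rdp")


def single_cluster_after_change():
    """Add the vendor rule to the cluster's single policy table."""
    return dmz_bypass(permitted_flows(single_cluster_permits,
                                      SINGLE_CLUSTER_DESIGN | {VENDOR_RULE}))


def physical_after_change():
    """Add the same rule to only the outermost physical firewall, as one
    change request against one device would."""
    changed = {fw: set(rules) for fw, rules in PHYSICAL_DESIGN.items()}
    changed["fw_l4_dmz"].add(VENDOR_RULE)
    return dmz_bypass(permitted_flows(physical_permits, changed))


if __name__ == "__main__":
    baseline_phys = permitted_flows(physical_permits, PHYSICAL_DESIGN)
    baseline_single = permitted_flows(single_cluster_permits, SINGLE_CLUSTER_DESIGN)
    print("same conduits:", baseline_phys == baseline_single)         # True
    print("bypass, baseline:", dmz_bypass(baseline_phys))             # []
    print("bypass, cluster after change:", single_cluster_after_change())
    print("bypass, physical after change:", physical_after_change())  # []
```

At baseline the two rule sets permit exactly the same conduits and neither violates the invariant, which is the compliance picture. After the change, the cluster reports the direct L4-to-L2 conduit while the physical design still reports none, because the rule has to be replicated on `fw_dmz_l3` and `fw_l3_l2` before the flow exists. That extra friction is the "more equipment, more overhead" the article describes, and it is also the isolation a low risk appetite is paying for; a real check would cover the return direction and OT-initiated flows as well.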

And just as a reminder — it’s never an easy decision. Organizations only have so much money, time, and resources to work with. In the end, you make the choice that aligns with your risk appetite and supports the outcomes you’re accountable for.
