Enforce Physical Segmentation
Segmentation should not just be logical. It should be physically enforceable.
Trust boundary enforcement between zones
Defence, Critical infrastructure, Public sector, Manufacturing
How CP-04 enforces physical segmentation.
A FIRE-led pattern. Zones are physically separated; always-on dependencies between them are removed; any temporary crossing is a named, time-bound event.
Grounded in IEC 62443-3-3 SR 5.1 to SR 5.3 and the Purdue Enterprise Reference Architecture.
Zone A: First trust domain (for example, IT enterprise)
Default-severed boundary with no inherited trust.
Zone B: Second trust domain (for example, OT supervisory)
Crossing exists only as a named, time-bound Relay session.
Zone C: Third trust domain (for example, field or process)
Crown jewels
Authoritative configuration vault
Zone and conduit definitions held offline so they cannot be silently re-drawn from a compromised admin tier.
Modules & symbols
Modules in this Blueprint
How the CP-04 pattern composes.
Firebreak controls the physical path between zones. Isolate separates environments at hardware level. Unlink removes always-on dependencies that quietly tunnel between them. Lock and Relay govern when and how a temporary crossing is ever allowed.
Related Blueprints
Compose alongside.
Stop Kill-Chain Ransomware
Stop ransomware moving, spreading or reaching the crown jewels.
Contain Active Breaches
When prevention fails, containment must be physical, immediate and provable.
Control Third-Party Access
Give third parties access without giving them a permanent doorway.