Automated Network Diagrams: From Asset Inventory to Zone Architecture in Minutes
Manual network diagrams are outdated the moment you finish them. Learn how automated zone and conduit diagram generation keeps your OT architecture documentation accurate and audit-ready.
Ask any OT security engineer their least favorite task, and "updating network diagrams" is near the top of the list.
The problem? Manual network diagrams are:
- Tedious to create (hours in Visio or Draw.io)
- Instantly outdated (new device added? Diagram is now wrong)
- Inconsistent (everyone has their own diagramming style)
- Audit liabilities (auditors find discrepancies between diagrams and reality)
What if your network diagrams generated themselves from your asset inventory? And updated automatically when assets change?
That's exactly what Provn's automated diagram generation does.
The Problem with Manual Network Diagrams
Scenario: Annual IEC 62443 Audit
Auditor: "Can I see your zone and conduit diagram for the manufacturing floor?"
You: "Sure, here it is." (hands over diagram from last year's audit)
Auditor: "This shows 4 PLCs in Zone 3. Your asset inventory lists 6. Which is correct?"
You: "Oh... we added two PLCs in Q2. I haven't updated the diagram yet."
Auditor: "And this conduit between the SCADA server and the historian—what firewall rules protect it?"
You: "Let me check the firewall..." (realizes rules don't match the diagram)
Result: Finding. Non-compliance. Remediation required.
Why Manual Diagrams Fail
- Time-intensive: Creating a comprehensive zone/conduit diagram for a mid-sized facility can take 8-16 hours
- Single point of failure: One person (usually) maintains the diagram
- Version control nightmare: "Which Visio file is the current one?"
- No automation: Adding a new PLC means manually updating the diagram
- Audit risk: Diagrams diverge from reality, creating compliance gaps
What Is Automated Network Diagram Generation?
Concept: Your network diagrams are generated automatically from your asset database.
How it works:
- Asset Inventory: You maintain an asset inventory (manually or via integrations)
- Zone Assignment: Assign each asset to a zone
- Conduit Mapping: Define communication paths between zones
- Auto-Generation: Click "Generate Diagram" → instant visualization
Benefits:
- ✅ Accurate to the inventory (the diagram reflects the current asset database, nothing more and nothing less)
- ✅ Instantly updated (new asset? Diagram regenerates)
- ✅ Consistent formatting (same layout rules applied)
- ✅ Audit-ready (diagram and inventory cannot disagree, so the audit question shifts to whether the inventory matches the plant)
IEC 62443 Zone & Conduit Architecture
Before diving into automation, let's review what we're diagramming.
Zones
A zone is a logical grouping of assets that:
- Share similar security requirements (the same target security level)
- Serve a similar function or purpose
- Communicate mostly with each other; traffic that leaves the zone is what conduits exist to control
Example Zones:
- Zone 1: Enterprise Network (ERP, email, workstations)
- Zone 2: DMZ (data historians, remote access jump servers)
- Zone 3: Control Room (HMIs, SCADA servers)
- Zone 4: Process Controllers (PLCs, RTUs, DCS)
- Zone 5: Field Devices (sensors, actuators, I/O modules)
Conduits
A conduit is a communication channel between zones or within a zone.
Conduit Properties:
- Source zone
- Destination zone
- Protocols allowed (Modbus TCP, OPC UA, HTTPS)
- Protection mechanisms (firewall, IDS, encryption)
Figure: IEC 62443 zone and conduit architecture, showing defense in depth with multiple security layers between Enterprise and OT. Zones shown: Zone 1 Enterprise Network, Zone 2 DMZ, Zone 3 Control Room, Zone 4 Process Controllers, Zone 5 Field Devices.
How Automated Diagram Generation Works
Step 1: Build Your Asset Inventory
Assets can be added:
Manually:
- Enter asset details via web UI
- CSV bulk import
Automatically:
- Integration with CMDBs (ServiceNow)
- Network scanning tools (Claroty, Nozomi, Dragos)
- Firewall integrations (FortiGate API)
- SIEM asset enrichment
Asset Attributes Needed:
- Asset name
- Asset type (PLC, HMI, Server, Firewall, etc.)
- IP address / location
- Zone assignment
- Communication protocols
- Network connections
Step 2: Define Zones
Create zones based on your IEC 62443-3-2 risk assessment:
Zone Configuration:
- Zone name (e.g., "Control Room")
- Zone description
- Target Security Level (SL-T)
- Consequence level (Low/Medium/High)
- Physical location (optional)
Assign Assets to Zones:
- Drag-and-drop UI
- Bulk assignment via filters
- Auto-suggestion based on asset type/location
Step 3: Map Conduits
Define communication paths:
Conduit Configuration:
- Name (e.g., "Business Network ↔ DMZ Historian")
- Source zone
- Destination zone
- Allowed protocols
- Protection devices (firewalls, IDS)
- Security controls (encryption, authentication)
Auto-Detection:
- System analyzes firewall rules to suggest conduits
- Network flow data identifies active communication paths
- Validates conduit definitions against observed traffic
Step 4: Generate the Diagram
Click "Generate Zone Diagram" →
Output:
- Visual network diagram showing zones as containers
- Assets grouped within their zones
- Conduits as labeled arrows between zones
- Security controls annotated on conduits
- Color-coding for security levels
- Export formats: PNG, SVG, PDF, Visio (VSDX)
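To make steps 1 to 4 concrete, here is an added example (not Provn's code) that turns an inventory of zones, assets and conduits into a Graphviz DOT file: zones become clusters shaded by SL-T, assets become nodes inside them, and conduits become labelled edges drawn between the cluster borders, one-way for a data diode. The Zone/Asset/Conduit data model, the colour table and the sample inventory at the bottom are assumptions constructed for this example.

```python
"""Generate a Graphviz DOT zone-and-conduit diagram from an asset inventory.

Added example for this article; it is not Provn's code. The data model
(Zone/Asset/Conduit), the colour table and the rendering rules are assumptions,
and the sample inventory at the bottom is constructed.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Zone:
    name: str
    sl_target: int  # IEC 62443-3-3 target security level (SL-T), 1..4


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str   # PLC, HMI, Server, ...
    zone: str   # must match a Zone.name
    ip: str


@dataclass(frozen=True)
class Conduit:
    name: str
    src: str                      # source zone name
    dst: str                      # destination zone name
    protocols: tuple[str, ...]
    protections: tuple[str, ...]
    unidirectional: bool = False  # True for a data diode: traffic flows src -> dst only


# Fill colour per SL-T, so shading is a function of the data rather than of who drew it.
SL_COLOURS = {1: "#e8f5e9", 2: "#fff9c4", 3: "#ffe0b2", 4: "#ffcdd2"}


def validate(zones: Iterable[Zone], assets: Iterable[Asset],
             conduits: Iterable[Conduit]) -> list[str]:
    """Return the problems that would make a generated diagram misleading.

    A diagram is only as trustworthy as the inventory behind it, so refuse to
    draw anything that references a zone the model does not define.
    """
    zone_names = {z.name for z in zones}
    problems = []
    for a in assets:
        if a.zone not in zone_names:
            problems.append(f"asset {a.name} is assigned to undefined zone {a.zone!r}")
    for c in conduits:
        for end in (c.src, c.dst):
            if end not in zone_names:
                problems.append(f"conduit {c.name} references undefined zone {end!r}")
        if c.src == c.dst:
            problems.append(f"conduit {c.name} has the same zone at both ends")
    return problems


def to_dot(zones: list[Zone], assets: list[Asset], conduits: list[Conduit]) -> str:
    """Render zones as clusters, assets as nodes inside them, conduits as cluster-to-cluster edges."""
    problems = validate(zones, assets, conduits)
    if problems:
        raise ValueError("; ".join(problems))

    cluster_of = {z.name: f"cluster_{i}" for i, z in enumerate(zones)}
    anchor_of = {z.name: f"anchor_{i}" for i, z in enumerate(zones)}

    out = ["digraph zones {", "  compound=true;", "  rankdir=TB;",
           "  node [shape=box, style=filled, fillcolor=white];"]
    for z in zones:
        out.append(f"  subgraph {cluster_of[z.name]} {{")
        out.append(f'    label="{z.name} (SL-T {z.sl_target})";')
        out.append(f'    style=filled; fillcolor="{SL_COLOURS[z.sl_target]}";')
        # Invisible anchor node: Graphviz edges must join nodes, so each cluster
        # gets one, and lhead/ltail make the arrow stop at the cluster border.
        out.append(f"    {anchor_of[z.name]} [shape=point, style=invis];")
        for a in assets:
            if a.zone == z.name:
                out.append(f'    "{a.name}" [label="{a.name}\\n{a.kind} {a.ip}"];')
        out.append("  }")
    for c in conduits:
        label = f"{c.name}\\n{', '.join(c.protocols)}\\n{' + '.join(c.protections)}"
        direction = "forward" if c.unidirectional else "both"
        out.append(f"  {anchor_of[c.src]} -> {anchor_of[c.dst]} "
                   f"[ltail={cluster_of[c.src]}, lhead={cluster_of[c.dst]}, "
                   f'dir={direction}, label="{label}"];')
    out.append("}")
    return "\n".join(out)


# Constructed sample, modelled on the article's zone list (not a real site).
SAMPLE_ZONES = [Zone("DMZ", 2), Zone("Control Room", 3), Zone("Process Controllers", 3)]
SAMPLE_ASSETS = [
    Asset("HISTORIAN-01", "Server", "DMZ", "10.20.2.10"),
    Asset("SCADA-01", "Server", "Control Room", "192.168.10.5"),
    Asset("PLC-01", "PLC", "Process Controllers", "192.168.20.1"),
]
SAMPLE_CONDUITS = [
    Conduit("Conduit B", "Control Room", "DMZ", ("OPC UA/4840",),
            ("FW-02", "data diode"), unidirectional=True),
    Conduit("Conduit C", "Control Room", "Process Controllers", ("Modbus TCP/502",),
            ("internal firewall", "IDS")),
]

if __name__ == "__main__":
    # Pipe the output into `dot -Tsvg > zones.svg` to render it.
    print(to_dot(SAMPLE_ZONES, SAMPLE_ASSETS, SAMPLE_CONDUITS))
```

The validate() step is the part worth keeping whatever renderer you use: a generator that silently drops an asset whose zone name is misspelled produces exactly the kind of diagram that fails the audit in the scenario at the top of the page.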
Example: Automated Diagram for a Water Treatment Plant
Asset Inventory
| Asset Name | Type | Zone | IP Address |
|---|---|---|---|
| ERP-SERVER-01 | Server | Enterprise Network | 10.10.1.10 |
| HISTORIAN-01 | Server | DMZ | 10.20.2.10 |
| SCADA-01 | Server | Control Room | 192.168.10.5 |
| HMI-01, HMI-02 | Workstation | Control Room | 192.168.10.11-12 |
| PLC-01, PLC-02, PLC-03 | PLC | Process Controllers | 192.168.20.1-3 |
| SENSOR-FLOW-01 | Sensor | Field Devices | 192.168.30.10 |
Conduits
- Enterprise ↔ DMZ (Conduit A)
  - Protocols: HTTPS (port 443)
  - Protection: Firewall FW-01, IDS
- DMZ ↔ Control Room (Conduit B)
  - Protocols: OPC UA (port 4840)
  - Protection: Firewall FW-02, Data diode (unidirectional, OT → DMZ). OPC UA is a session-oriented TCP protocol, so a diode can only carry it through proxy endpoints that terminate the session on each side; the conduit record should name those proxies.
- Control Room ↔ Process Controllers (Conduit C)
  - Protocols: Modbus TCP (port 502)
  - Protection: Internal firewall, IDS
- Process Controllers ↔ Field Devices (Conduit D)
  - Protocols: Modbus RTU, EtherNet/IP
  - Protection: VLAN segmentation (applies to the EtherNet/IP links; Modbus RTU runs over serial, where segmentation is physical)
Generated Diagram
Figure: the auto-generated zone and conduit diagram for this inventory, showing all 5 zones with their assets and protection mechanisms.
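The auto-detection described in step 3, validating conduit definitions against observed traffic, is the check that catches the "rules don't match the diagram" moment from the audit scenario. The added example below (not Provn's code) takes the water-plant inventory and conduit definitions above plus a constructed flow export in a NetFlow-like CSV, and classifies each cross-zone flow as allowed, on a disallowed protocol, against the diode's direction, on a zone pair with no declared conduit, or involving an asset missing from the inventory. The port-to-conduit mapping, the allowed directions and the flow rows are assumptions.

```python
"""Check observed network flows against the declared zone conduits.

Added example for this article, not Provn's code. The inventory and conduit
tables follow the article's water-treatment example; the flow records, the
port-to-conduit mapping and the finding categories are constructed assumptions.
"""
import csv
import io
from collections import Counter

# IP -> (asset name, zone), from the article's inventory table.
INVENTORY = {
    "10.10.1.10":    ("ERP-SERVER-01", "Enterprise Network"),
    "10.20.2.10":    ("HISTORIAN-01", "DMZ"),
    "192.168.10.5":  ("SCADA-01", "Control Room"),
    "192.168.10.11": ("HMI-01", "Control Room"),
    "192.168.10.12": ("HMI-02", "Control Room"),
    "192.168.20.1":  ("PLC-01", "Process Controllers"),
    "192.168.20.2":  ("PLC-02", "Process Controllers"),
    "192.168.20.3":  ("PLC-03", "Process Controllers"),
}

# Declared conduits: which zone pairs may talk, on which TCP ports, and in which
# direction a session may be opened. Conduit B carries a data diode, so only
# OT -> DMZ is physically possible; a flow the other way means the diode is bypassed.
CONDUITS = [
    {"name": "Conduit A", "ports": {443},
     "directions": {("Enterprise Network", "DMZ"), ("DMZ", "Enterprise Network")}},
    {"name": "Conduit B", "ports": {4840},
     "directions": {("Control Room", "DMZ")}},
    {"name": "Conduit C", "ports": {502},
     "directions": {("Control Room", "Process Controllers"),
                    ("Process Controllers", "Control Room")}},
]

# Constructed flow export in a NetFlow-like CSV shape, one row per connection.
SAMPLE_FLOWS = """\
src_ip,dst_ip,dst_port
192.168.10.5,192.168.20.1,502
192.168.10.5,10.20.2.10,4840
192.168.10.11,192.168.10.5,4840
10.20.2.10,192.168.10.5,4840
192.168.10.11,192.168.20.2,44818
10.10.1.10,192.168.20.1,502
192.168.10.99,192.168.10.5,22
"""


def classify(src_ip: str, dst_ip: str, dst_port: int) -> tuple[str, str]:
    """Return (category, detail) for one flow.

    Categories: ok, intra-zone, unknown-asset, protocol-not-allowed,
    wrong-direction, undeclared-conduit.
    """
    src = INVENTORY.get(src_ip)
    dst = INVENTORY.get(dst_ip)
    if src is None or dst is None:
        # An address with no inventory entry is itself a finding: the diagram
        # cannot be complete if the inventory is not.
        missing = src_ip if src is None else dst_ip
        return "unknown-asset", f"{missing} is not in the inventory"
    src_zone, dst_zone = src[1], dst[1]
    if src_zone == dst_zone:
        return "intra-zone", f"{src[0]} -> {dst[0]} inside {src_zone}"

    pair = (src_zone, dst_zone)
    for c in CONDUITS:
        if pair in c["directions"]:
            if dst_port in c["ports"]:
                return "ok", f"{src[0]} -> {dst[0]} on {c['name']}"
            return ("protocol-not-allowed",
                    f"{src[0]} -> {dst[0]} port {dst_port} not allowed on {c['name']}")
        if (dst_zone, src_zone) in c["directions"]:
            return "wrong-direction", f"{src[0]} -> {dst[0]} against {c['name']} (unidirectional)"
    return "undeclared-conduit", f"{src_zone} -> {dst_zone} has no declared conduit"


def audit(flow_csv: str) -> list[tuple[str, str]]:
    """Classify every flow in a CSV export; returns (category, detail) per row."""
    reader = csv.DictReader(io.StringIO(flow_csv))
    return [classify(r["src_ip"], r["dst_ip"], int(r["dst_port"])) for r in reader]


def summary(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per category, for the dashboard or the audit package."""
    return dict(Counter(cat for cat, _ in findings))


if __name__ == "__main__":
    results = audit(SAMPLE_FLOWS)
    for cat, detail in results:
        if cat not in ("ok", "intra-zone"):
            print(f"{cat:22} {detail}")
    print(summary(results))
```

Every category except ok and intra-zone maps to a concrete remediation: an undeclared conduit or wrong-direction flow is a firewall or diode problem, a disallowed protocol is a conduit-definition or rule problem, and an unknown asset is an inventory problem, which is why running this before the audit, rather than during it, is the point.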
Advanced Features
1. Threat Mapping on Diagrams
Overlay attack patterns from the CAPEC library:
Visual Indicators:
- 🔴 High-risk conduits (targeted by multiple threats)
- 🟡 Medium-risk conduits
- 🟢 Low-risk conduits
Example: Conduit B (DMZ ↔ Control Room) flagged as High Risk because:
- CAPEC attack patterns for malicious software download target this path
- CAPEC attack patterns for malicious logic insertion could propagate here
Action: Strengthen Conduit B protection (add application allowlisting, enhance DPI)
2. Security Control Visualization
Show which security controls protect each conduit:
Conduit B: DMZ ↔ Control Room
Protection Layers:
✅ Firewall (FW-02): Deny-by-default rules
✅ Data Diode: Unidirectional OT → DMZ
✅ IDS: OT-specific signatures (Nozomi)
✅ Encryption: TLS 1.3 for OPC UA
⚠️ MFA: Not implemented (gap)
3. Change Detection & Version Control
Automatic Change Tracking:
- New asset added → Diagram regenerates with timestamp
- Asset moved to different zone → Visual diff showing change
- Conduit modified → Highlight what changed
Version History:
- "Diagram as of 2026-01-15" (before PLC-03 added)
- "Diagram as of 2026-02-20" (after PLC-03 added)
- "Diagram as of 2026-04-10" (current state)
Audit Trail:
- Who made the change?
- When was it made?
- What was the reason? (linked to change ticket)
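Change detection earns its place in the audit trail only if the diff is deterministic and says more than "something changed". The added example below (not Provn's code) diffs two inventory snapshots, modelled on the 2026-01-15 and 2026-02-20 entries above, into an ordered change list and marks two kinds of change as regressions: an asset moved into a zone with a lower SL-T, and a protection dropped from a conduit. The snapshot shape, the ENG-WS-01 workstation and the change types are constructed assumptions.

```python
"""Diff two inventory snapshots into an audit-ready change list.

Added example for this article, not Provn's code. The snapshot shape
({"zones": {name: SL-T}, "assets": {name: zone}, "conduits": {name: set of
protections}}) and the change types are assumptions; both snapshots are
constructed to mirror the article's before/after PLC-03 history, with an
ENG-WS-01 workstation added to show the zone-move case.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Change:
    kind: str         # asset-added | asset-removed | asset-moved | protection-added | protection-removed
    subject: str      # asset or conduit name
    detail: str
    regression: bool  # True when the change weakens the architecture


def diff_snapshots(before: dict, after: dict) -> list[Change]:
    """Return the changes from `before` to `after`, in a stable order."""
    # SL-T per zone, merged so a zone present in only one snapshot still resolves.
    sl_t = {**before["zones"], **after["zones"]}
    a0, a1 = before["assets"], after["assets"]
    changes = []
    for name in sorted(a1.keys() - a0.keys()):
        changes.append(Change("asset-added", name, f"added to {a1[name]}", False))
    for name in sorted(a0.keys() - a1.keys()):
        changes.append(Change("asset-removed", name, f"removed from {a0[name]}", False))
    for name in sorted(a0.keys() & a1.keys()):
        if a0[name] != a1[name]:
            # Moving an asset into a zone with a lower target security level
            # lowers the protection it is supposed to receive: flag it.
            weaker = sl_t.get(a1[name], 0) < sl_t.get(a0[name], 0)
            changes.append(Change("asset-moved", name, f"{a0[name]} -> {a1[name]}", weaker))
    c0, c1 = before["conduits"], after["conduits"]
    for name in sorted(c0.keys() | c1.keys()):
        p0, p1 = c0.get(name, set()), c1.get(name, set())
        for p in sorted(p1 - p0):
            changes.append(Change("protection-added", name, p, False))
        for p in sorted(p0 - p1):
            # A dropped control always deserves a reviewer's attention.
            changes.append(Change("protection-removed", name, p, True))
    return changes


def regressions(changes: list[Change]) -> list[Change]:
    """The subset a change-ticket reviewer must sign off on."""
    return [c for c in changes if c.regression]


def render(changes: list[Change]) -> str:
    """One line per change, regressions marked with '!!', for the diff panel or a ticket."""
    return "\n".join(f"{'!! ' if c.regression else '   '}{c.kind:19} {c.subject}: {c.detail}"
                     for c in changes)


# Constructed snapshots (the ENG-WS-01 workstation is not in the article's inventory).
SNAPSHOT_2026_01_15 = {
    "zones": {"DMZ": 2, "Control Room": 3, "Process Controllers": 3},
    "assets": {"HISTORIAN-01": "DMZ", "SCADA-01": "Control Room",
               "ENG-WS-01": "Control Room",
               "PLC-01": "Process Controllers", "PLC-02": "Process Controllers"},
    "conduits": {"Conduit B": {"FW-02", "data diode", "IDS"},
                 "Conduit C": {"internal firewall", "IDS"}},
}
SNAPSHOT_2026_02_20 = {
    "zones": {"DMZ": 2, "Control Room": 3, "Process Controllers": 3},
    "assets": {"HISTORIAN-01": "DMZ", "SCADA-01": "Control Room",
               "ENG-WS-01": "DMZ",                  # moved into a lower-SL-T zone
               "PLC-01": "Process Controllers", "PLC-02": "Process Controllers",
               "PLC-03": "Process Controllers"},    # the addition from the article
    "conduits": {"Conduit B": {"FW-02", "data diode"},   # IDS dropped
                 "Conduit C": {"internal firewall", "IDS", "application allowlisting"}},
}

if __name__ == "__main__":
    print(render(diff_snapshots(SNAPSHOT_2026_01_15, SNAPSHOT_2026_02_20)))
```

Because the output order depends only on the data, two people diffing the same snapshots get the same list, which is what makes the result usable as the "what changed" field of a change ticket.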
4. Compliance Export
Generate audit-ready documentation packages:
IEC 62443 Package:
- Zone & Conduit Diagram (PDF)
- Asset inventory per zone (Excel)
- Conduit protection matrix (showing SRs met)
- Gap analysis report
NIS Directive Package:
- Network segmentation diagram
- Asset criticality matrix
- Risk assessment per zone
Real-World Impact
Before Automation: Manual Diagram Maintenance
Scenario: Mid-sized manufacturing plant, 150 OT assets
Process:
- Security engineer creates Visio diagram (12 hours)
- Diagram stored on shared drive
- New PLC added (engineer updates diagram if they remember)
- Annual audit: Diagram has 8 discrepancies with reality
- Finding issued: "Network documentation does not reflect actual architecture"
- Remediation: Engineer spends 6 hours fixing diagram + explaining discrepancies
Annual Time Investment: ~25 hours
Audit Risk: High (diagram inaccuracies found every year)
After Automation: Provn Platform
Process:
- Asset inventory maintained in Provn (integrated with CMDB)
- New PLC added to inventory → Diagram auto-regenerates
- Pre-audit: Export current diagram (30 seconds)
- Audit: Diagram matches inventory with 100% accuracy
- Finding: None
- Remediation: None needed
Annual Time Investment: ~2 hours (managing asset inventory updates)
Audit Risk: Minimal (diagram always matches the inventory)
Time Savings: 23 hours/year
Audit Confidence: Dramatically improved
ROI: Manual vs Automated Network Diagrams
Manual Diagram Process
- Initial creation: 8-16 hours per diagram
- Updates: 8-12 hours per change
- High risk of errors and omissions
- Audit findings: Diagram-reality mismatch
- Multiple diagram versions (confusion)
Automated Diagram Generation
- Initial creation: 2 hours (asset import)
- Updates: 5 minutes (click regenerate)
- Diagram always equals the asset database (accuracy is bounded by inventory quality)
- No diagram-versus-inventory audit findings
- Single source of truth (always current)
How Provn Generates Diagrams
Technical Implementation
Frontend:
- React Flow for interactive diagram rendering
- D3.js for advanced visualizations
- Export to PNG, SVG, PDF using client-side rendering
Backend:
- Graph algorithm determines optimal zone layout
- Conduit routing avoids overlaps
- Consistent styling based on zone security levels
Asset Data Sources:
- PostgreSQL database (asset inventory)
- Real-time updates via WebSocket
- Integration APIs (CMDBs, network scanners)
Diagram Layouts
Standard Layout:
- Zones arranged hierarchically (Enterprise → DMZ → OT)
- Assets within zones shown as cards
- Conduits as directional arrows
Circular Layout:
- Zones arranged in circle
- Conduits radiate from center
- Good for showing interconnectedness
Hierarchical Layout:
- Zones in tree structure
- Purdue Model alignment (Levels 0-5)
- Best for complex multi-site architectures
Best Practices
1. Keep Asset Inventory Current
Automation only works if your source data is accurate:
- Integrate with CMDBs for single source of truth
- Automate asset discovery where possible
- Regular reconciliation (quarterly reviews)
2. Define Zones Early
Base zones on IEC 62443-3-2 risk assessment:
- Group assets by consequence level
- Align with Purdue Model levels
- Consider physical locations
3. Document Conduit Protection
For each conduit, document:
- What security controls protect it?
- What protocols are allowed?
- What evidence validates it's working?
4. Version Control Diagrams
Export diagrams at key milestones:
- Post-audit diagrams (evidence of compliance state)
- Pre-change baselines (before major upgrades)
- Annual snapshots (year-over-year comparison)
5. Use Diagrams in Training
Visual diagrams help new team members understand:
- Where assets live
- How zones communicate
- Where security controls exist
- What protocols are in use
Ready to stop wasting time on manual network diagrams? Request a demo to see Provn's automated zone and conduit diagram generation in action.