A model-based industrial security policy configuration system implements a plant-wide industrial asset security policy in accordance with security policy definitions provided by a user. The configuration system models the collection of industrial assets for which diverse security policies are to be implemented. An interface allows the user to define security policies for a plant environment at a high-level by grouping the industrial assets into security zones, and defining any additional communication permissions in terms of asset-to-asset, asset-to-zone, or zone-to-zone conduits. Based on the model and these policy definitions, the system generates asset-level security setting instructions configured to set appropriate security settings on one or more of the industrial assets, and deploys these instructions to the appropriate assets in order to implement the defined security policy.