Smart factories in Industry 4.0 (I4.0) offer economic advantages that base on the universal integration of the associated value chain. Within it, IT relies on new and complex technologies like cyber-physical systems (CPS), that integrate hardware and software with new sensor and communication capabilities. Hence, such production systems become more vulnerable against malicious attacks due to bigger attack surfaces. Therefore, it is essential to address security as early as possible, i.e. during design process (Security by Design). In order to support security risk assessments during the design process, the standard IEC 62443 recommends to define zones addressing multiple security levels instead of using one security level for the complete factory. General ideas, rules and guidelines to define a cybersecurity zone concept are sufficiently described. However, approaches that allow both the model-based system design of industrial automation and control systems (IACS) and the zones, taking into account data flows, represent a gap in this research area. Our approach closes this gap by supporting the modeling of zones and taking explicitly defined data flows into account in a model-based system engineering tool that we created ourselves. To this, we present our domain-specific language (DSL), which meets the basic requirements of IEC 62443, and propose a methodology that takes into account the data flow between zones. The applicability of the approach is validated with means of a fictitious smart factory use case.