What is the Purdue Model?

Developed in the 1990s, the Purdue Model, formally the Purdue Reference Architecture (PERA), is a reference data flow structural model for industrial control system (ICS) security, concerning physical processes, sensors, supervisory controls, operations, and logistics. Purdue Reference Model, provides a model for enterprises where end-users, integrators, and vendors can collaborate in integrating applications at key layers of the enterprise network and process infrastructure.

It divides the ICS architecture into two zones – Information Technology (IT) and Operational Technology (OT) and subdividing these zones into six levels starting at level 0. At the base of the Purdue model is the OT, which is separated from the IT zone, found at the top of the model. In between, we find a Level 3.5 DMZ zone to separate and control access between the IT and OT zones.

The Purdue Model Reference Architecture

Level 0 – Physical Process: Defines the actual physical components that build products, including motors, pumps, sensors, valves, etc.

Level 1 – Basic Control: Level 1 is composed of systems that monitor and send commands to the devices at Level 0, including process sensors, analyzers, actuators, and related instrumentation, essentially the Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and Intelligent Electronic devices (IEDs).

Level 2 – Area supervisory control: Level 2 are devices that control the overall processes within the system, including human-machine interfaces (HMAs) and SCADA software to supervise, monitor, and control physical processes.

Level 3 – Manufacturing operations systems: Level 3 supports management of production workflows, including batch management, manufacturing operations management/ manufacturing execution systems (MOMS/MES), and data historians. The communication between the enterprise level and manufacturing level typically occurs through a dedicated backhaul network to the main data center and when disrupted, can lead to downtime as it impacts the entire manufacturing plant.

Level 3.5 – Industrial Demilitarized zone (iDMZ): A recent addition, level 3.5 is where the IT and OT worlds converge and includes security systems, such as firewalls and proxies, used to separate or air gap the IT and OT worlds. The iDMZ creates a barrier between the IT and OT networks, providing limited access to ICS systems from IT environments and help prevent infections within the IT environment from spreading to OT systems. The rise of automation and IIoT devices, leading to higher efficiencies, has also created an increased need for bidirectional data flow between OT and IT systems.

Level 4 – Site business planning/logistics: Level 4 are the devices to all the IT systems that support the production processes, including database servers, application servers (web, report, MES), file servers, email clients, supervisor desktops, and etc.

Level 5 – Enterprise network: Level 5 is where the primary business functions occur, providing business direction and orchestrates manufacturing operations. The accumulated data, from subordinate systems, report on the overall production status, inventory, and demand.

Is the Purdue Model Still Relevant?

New technologies, including Cloud Services and 5G wireless networks, are challenging this foundational, hierarchical approach to designing and operating OT systems. The embrace of IT solutions to enhance traditional OT has created a solution typically called the Industrial Internet of Things (IIoT). A standard IIoT reference architecture has three parts: the edge, the (cloud) platform, and the enterprise.

OT cybersecurity teams are increasingly being confronted with the need to protect OT environments that include IIoT components. Some organizations have gone to the effort of modifying the traditional Purdue model with IIoT components. One advantage of the Purdue model is its hierarchy, where system components are clearly defined and components are grouped into distinct layers. The Purdue model can still be used to create a hierarchical topology to secure today’s Industrial Control System (ICS).

Zero trust in Industrial Control System (ICS)

ICS network operators are focused on delivering products, however cyber and ransomware attacks on critical infrastructures are raising awareness of the risks of cyber threats to OT and ICS.  A zero-trust architecture can simplify security and solve key challenges, such as secure remote access, without requiring hefty physical segmentation at each layer. A zero-trust approach to security starts with zero trust for anything inside or outside of the perimeter. Security must verify anything and everything trying to connect to its systems before granting access.

Applying the zero trust guiding principles of IT networks for workflow, system design, and operations can greatly improve the security stance of OT networks and help organizations accelerate digital transformation.

Featured Product


IEC 61850-3 Wide Temperature ICS Cyber Security Gateway with Intel Atom CPU

CPU Intel Atom x7-E3950 or x5-E3930
Chipset SoC

Read more