Levels of the Purdue Model for ICS security

Purdue Model as a Reference for Segmentation

Cybersecurity Musings

Most people in the ICS/OT space are familiar with the Purdue model as a well-known framework for organizing OT networks. With the growing interconnectivity of devices and networks thanks to converging IT/OT technology, the industrial internet of things (IIoT), Industry 4.0, the cloud, etc., the question has come up before of whether the Purdue model is dead.

While it’s true that many organizations don’t use the Purdue model in all its glory, we’d argue that it’s far from dead or completely irrelevant. Instead, the model is a good way of assessing the segmentation within an OT environment and identifying additional opportunities to bolster security and visibility.

Levels / Segments of the Purdue Model

There are some variations to the Purdue model, but there are generally 6 levels (numbered 0 – 5) that are commonly referenced.

The technologies listed at each of the levels below are just general examples, since the devices will vary based on an organization’s individual environment and network architecture.

Level 0: Field/Physical

This is the level where industrial devices live and operate. Think physical, such as: switches, sensors, relays, actuators, robots — anything that physically participates in the operational process is part of the field level.

There isn’t a lot at this level in terms of connectivity, since these devices only have a function or output that’s controlled with electrical input. How these devices operate is determined by the devices that control them, which are found at the next level.

Level 1: Connected Devices 

This is the level where devices that control physical machines live, such as PLCs (programmable logic controllers) and RTUs (remote terminal units). These make up part of the overall system that monitors operations.

These devices connect to those at level 0 to execute specific actions based on predefined logic and programming. They can also monitor the field devices they communicate with, logging that telemetry and/or sending it on to other devices.

🚨 Shameless Plug Alert! This is the level on the Purdue model where SynSaber’s software can be deployed, from Level 1 up to Level 5. 

Level 2: Control Systems 

Devices at level 2 are responsible for coordinating and controlling specific processes and operational loops. Examples include HMIs (human machine interfaces) and SCADA (supervisory control and data acquisition) software.

This level includes the technology that gives operators a high-level view of industrial processes for monitoring and basic controls.

Level 3: Manufacturing Operations and Execution

Data and information from each of the lower levels of the OT environment flows up to this level. The devices and software here focus on optimizing manufacturing operations, such as scheduling, quality control, inventory management, and data analysis for process improvement.

Examples of devices here include the data historian, data lake, and other data analytics platforms like network monitoring and threat detection tools.

Level 3.5: IT/OT Demilitarized Zone (DMZ)

The demilitarized zone is meant to separate OT systems connected to production environments from the IT systems more closely related to the business and enterprise-related environments.

The specifics of what’s included at this level will often depend on an organization’s policies, but this is a common place for firewalls configured to monitor and block any unapproved or unnecessary traffic from the business network to the production network and vice versa. Ideally, firewalls should be incorporated between each level and configured to allow only specific and necessary traffic.

Other technology might include intrusion detection and prevention systems (IDPS), and public-facing servers, such as email and web servers.

Level 4 & 5: Business Planning, Logistics, and Enterprise

These two levels commonly make up the greater business and enterprise network. Things like corporate IT systems, cloud access, external or vendor support, and ERP (enterprise resource planning) are all technologies and solutions found at these levels.

Using the Purdue Model for Segmentation & Visibility

The Purdue model is by no means a prescriptive list of how a network’s devices should be divided, but it’s still a good reference for where OT devices sit based on their function as a starting point for segmentation.

With the shrinking air gap, demands for more data, and increasingly interconnected IT and OT environments, segmentation is an opportunity to provide an added layer of security. It can prevent unnecessary connections that could be exploited by bad actors or cause a chain reaction of unintended effects in the event of a component failure.

With distinctly segmented environments, it’s easier for both IT and OT teams to see where they might want to monitor and secure traffic and communications. Any traffic crossing through the DMZ, for example, should be controlled through firewall rules and, further, through jump boxes.

Knowing which devices could have a direct impact on physical operations (levels 0 – 2) is another way that an organization can prioritize where to implement additional visibility. These are also the devices typically found at the OT edge, a notoriously difficult part of the network to get visibility into.

North-south data, such as the data passing from Level 2 to Level 3 or higher, is important, but it doesn’t always give the complete picture of the environment. Even if your operations team can see that there’s a problem, they can’t always tell what caused it. This is where east-west traffic — the traffic between devices on the same network segment — comes in handy.
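To make the segmentation and visibility points above concrete, here is an added example (not SynSaber’s code, and not part of the original post) that takes an asset inventory tagged with Purdue levels and checks observed flows against a simple zone policy: only adjacent levels may talk, anything crossing from Level 3 or below to Level 4 or above must terminate in the DMZ (3.5), and inter-level traffic must match an explicit port allow-list. It also labels each flow as north-south or east-west, since east-west traffic passes no inter-level firewall and is exactly what needs separate monitoring. The hostnames, ports, policy entries and log lines are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed asset inventory mapping each host to its Purdue level.
# 3.5 is the IT/OT DMZ. Hostnames are invented for this example.
ASSETS = {
    "plc-01": 1, "plc-02": 1,
    "hmi-01": 2, "scada-srv": 2,
    "historian": 3, "ids-sensor": 3,
    "dmz-proxy": 3.5, "jump-box": 3.5,
    "erp-app": 4,
    "corp-laptop": 5,
}

# Constructed allow-list: (source level, destination level) -> permitted TCP ports.
# Anything not listed is denied, which is the "only specific and necessary
# traffic" stance for the firewalls between levels.
POLICY = {
    (2, 1): {502},      # HMI/SCADA polling PLCs over Modbus/TCP
    (3, 2): {4840},     # historian collecting from SCADA over OPC UA
    (3.5, 3): {3389},   # jump box in the DMZ reaching Level 3 over RDP
    (4, 3.5): {443},    # enterprise pulling reports from the DMZ proxy
    (3.5, 4): {443},    # DMZ proxy pushing to enterprise
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'key=value' flow record such as
    '2024-05-01T10:00:00Z src=hmi-01 dst=plc-01 proto=tcp dport=502'."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def direction(flow: Flow) -> str:
    """North-south crosses levels; east-west stays inside one segment."""
    return "east-west" if ASSETS[flow.src] == ASSETS[flow.dst] else "north-south"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ('allow' | 'deny', reason) for one flow against the zone rules."""
    ls, ld = ASSETS[flow.src], ASSETS[flow.dst]
    if ls == ld:
        # East-west traffic is not stopped by inter-level firewalls, so it is
        # allowed here but flagged as something to watch.
        return "allow", "east-west traffic inside one segment; monitor it"
    if min(ls, ld) <= 3 and max(ls, ld) >= 4:
        return "deny", "crosses the IT/OT boundary without terminating in the DMZ"
    if abs(ls - ld) > 1:
        return "deny", f"skips a level ({ls} -> {ld})"
    if flow.dport in POLICY.get((ls, ld), set()):
        return "allow", f"explicit rule permits {ls} -> {ld} on {flow.dport}/tcp"
    return "deny", f"no rule permits {ls} -> {ld} on {flow.dport}/tcp"


def audit(lines: list[str]) -> dict[str, list[tuple[Flow, str]]]:
    """Group parsed flows by verdict so the denied ones can be reviewed."""
    result: dict[str, list[tuple[Flow, str]]] = {"allow": [], "deny": []}
    for line in lines:
        flow = parse_flow(line)
        verdict, reason = evaluate(flow)
        result[verdict].append((flow, f"{direction(flow)}: {reason}"))
    return result


# Constructed flow records, not real captures.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=hmi-01 dst=plc-01 proto=tcp dport=502",
    "2024-05-01T10:00:01Z src=historian dst=scada-srv proto=tcp dport=4840",
    "2024-05-01T10:00:02Z src=plc-01 dst=plc-02 proto=tcp dport=502",
    "2024-05-01T10:00:03Z src=corp-laptop dst=plc-02 proto=tcp dport=502",
    "2024-05-01T10:00:04Z src=historian dst=plc-01 proto=tcp dport=502",
    "2024-05-01T10:00:05Z src=jump-box dst=historian proto=tcp dport=22",
    "2024-05-01T10:00:06Z src=erp-app dst=dmz-proxy proto=tcp dport=443",
]

if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for verdict in ("deny", "allow"):
        for flow, why in report[verdict]:
            print(f"{verdict.upper():5} {flow.src} -> {flow.dst}:{flow.dport}  {why}")
```

Run against the constructed log, the script denies the laptop-to-PLC flow (crosses the IT/OT boundary without the DMZ), the historian-to-PLC flow (skips Level 2) and the jump box’s SSH attempt (not on the allow-list), while the PLC-to-PLC flow is allowed but labelled east-west so it can be routed to monitoring rather than assumed safe. Swapping the ASSETS and POLICY tables for a real inventory and rule set is the only change needed to use the same check on actual flow exports.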

The Purdue model is far from dead. Instead, it’s an opportunity for organizations to evaluate and refine their network segmentation, and a way to determine which systems they have visibility into.