
Purdue Model

What Is the Purdue Model?

Created in the early 1990s at Purdue University by Theodore J. Williams and members of the Industry-Purdue University Consortium for computer integrated manufacturing (CIM), the Purdue model (also known as PERA) is a reference model for enterprise architecture. It focuses on large-scale, complex environments that require several different systems – always including industrial control systems (ICS) – working together to automate industrial equipment functions.

“The most important contribution of the Purdue Architecture is the level of detail and practical proposal to assimilate and integrate enterprises within standard industrial processes, manufacturing and services industries,” explains the U.S. Department of Energy.1

The Purdue reference architecture segments layers of the enterprise and depicts the systems and technologies that reside within six levels of control. Here’s how the SANS Institute (SANS) depicts them2:

Level 0: Field Devices

Sensors and actuators for the cell, line, process, or distributed control systems (DCS). Often combined with Level 1, Level 0 includes:

  • Basic sensors and actuators
  • Smart sensors/actuators speaking fieldbus protocols
  • Intelligent Electronic Devices (IEDs)

Level 1: Local Controllers

Devices and systems to provide automated control of a process, cell, line, or DCS. Modern ICS solutions often combine Levels 1 and 0. Level 1 includes:

  • Programmable Logic Controllers (PLCs)
  • Control processors
  • Programmable relays
  • Remote terminal units (RTUs)
  • Process-specific microcontrollers

Level 2: Local Supervisory

Monitoring and supervisory control for a single process, cell, line, or DCS. Isolate processes from one another, grouping by function, type, or risk. It includes:

  • HMIs
  • Alarm servers
  • Process analytic systems
  • Historians
  • Control room (if scoped for a single process and not the site/region)

Level 3: Site-Wide Supervisory

Monitoring, supervisory, and operational support for a site or region. It includes:

  • Management servers
  • Human-machine interfaces (HMIs)
  • Alarm servers
  • Analytic systems
  • Historians (if scoped for an entire site or region)

———————–IT/OT Boundary (DMZ)———————–

Level 4: Business Networks

IT networks for business users at local sites, with connectivity to the enterprise wide area network (WAN) and possibly local Internet access. Direct Internet access should not extend below this level. It includes:

  • Business workstations
  • Local file and print servers
  • Local phone systems
  • Enterprise Active Directory (AD) replicas

Level 5: Enterprise Networks

Corporate-level services supporting individual business units and users. These systems are usually located in corporate data centers. It includes servers providing:

  • Enterprise Active Directory (AD)
  • Internal email
  • Customer Relationship Management (CRM) systems
  • Human Resources (HR) systems
  • Document Management systems
  • Backup solutions
  • Enterprise Security Operations Centre (SOC)

What’s particularly interesting about the SANS depiction is the insertion of an OT/IT boundary (or DMZ) that appears between levels 3 and 4. It reflects how SANS interprets the model: “The goal of the Purdue Model was to define best practices for the relationship between industrial control systems and business networks – meaning between operational technology (OT) and IT.”3 The DMZ illustrates the need to segment the lower levels from the upper levels as much as possible while allowing for necessary interactivity.

 

Why Is the Purdue Model Ideal for ICS Security?

In general, as you consider the model’s levels below the DMZ (between OT and IT), notice that the technologies in those levels have far fewer security capabilities and much less of a security focus than those technologies used above the DMZ (in levels 4 and 5). That’s where the value and applicability of the Purdue model comes into play for enterprise security.

Initially, the model placed strong emphasis on establishing an “air gap” between the enterprise IT network and the OT/ICS control network. This meant that they were physically disparate networks — making direct access virtually impossible. As adoption of IoT and cloud-based solutions grew, the notion of maintaining a physical air gap had to go away. So, the model had to evolve.

Today, the model still emphasizes the DMZ (as SANS puts it) – not via an air gap, but by controlling how data is exchanged between different levels of the ICS, including data filtering and validation mechanisms. In addition, it continues to stress the importance of implementing strong security measures at every level of the ICS network.
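The level assignments listed above and the DMZ rule (flows that cross the IT/OT boundary go through the DMZ; direct Internet access only at Levels 4 and 5) can be turned into a simple audit over flow records. This is an added example, not code from Forescout or from the page; the asset inventory, addresses and flow records are constructed.

```python
"""Purdue-level flow audit: flags traffic that crosses the IT/OT boundary
without passing through the DMZ, or that reaches the Internet from below Level 4."""
import ipaddress

DMZ, INTERNET = "DMZ", "INTERNET"
OT_LEVELS = {0, 1, 2, 3}   # below the IT/OT boundary
IT_LEVELS = {4, 5}         # above it; the only levels with direct Internet access
SITE_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed: the site's internal range

INVENTORY = {              # constructed asset inventory: address -> level or DMZ
    "10.0.1.20": 1,        # PLC
    "10.0.2.30": 2,        # HMI
    "10.0.3.40": 3,        # site-wide historian
    "10.0.9.50": DMZ,      # replica historian / jump host in the DMZ
    "10.1.0.60": 4,        # business workstation
}

def level_of(addr):
    """Inventory lookup; unknown site addresses are unclassified (None), anything else is Internet."""
    if addr in INVENTORY:
        return INVENTORY[addr]
    return None if ipaddress.ip_address(addr) in SITE_NET else INTERNET

def check_flow(src, dst):
    """Return None when the flow respects the model, else (src, dst, reason)."""
    a, b = level_of(src), level_of(dst)
    if a is None or b is None:
        return (src, dst, "endpoint missing from asset inventory")
    if INTERNET in (a, b):            # direct Internet access only at Levels 4-5
        inside = b if a == INTERNET else a
        return None if inside in IT_LEVELS else (src, dst, f"Internet access from {inside}")
    if DMZ in (a, b):                 # a hop via the DMZ is the sanctioned crossing
        return None
    if (a in OT_LEVELS) != (b in OT_LEVELS):
        return (src, dst, f"Level {a} to Level {b} bypasses the DMZ")
    return None

def audit(flows):
    """Evaluate (src, dst) flow records and return the list of violations."""
    return [v for v in (check_flow(s, d) for s, d in flows) if v is not None]

FLOWS = [  # constructed flow records, e.g. from a firewall or NetFlow export
    ("10.0.2.30", "10.0.1.20"),    # HMI -> PLC, inside OT: fine
    ("10.0.3.40", "10.0.9.50"),    # historian -> DMZ: fine
    ("10.0.9.50", "10.1.0.60"),    # DMZ -> workstation: fine
    ("10.1.0.60", "10.0.3.40"),    # workstation straight to historian: violation
    ("10.0.1.20", "203.0.113.9"),  # PLC -> Internet: violation
    ("10.1.0.60", "203.0.113.9"),  # workstation -> Internet: allowed at Level 4
]
```

Running `audit(FLOWS)` yields two violations: the Level 4 to Level 3 flow that skips the DMZ, and the PLC reaching the Internet.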

The model’s layered architecture creates multiple security checkpoints which can make it difficult for cyber attackers to gain entry into critical systems. Also, since the model clearly defines segmentation points (as levels), it becomes easier for IT and IT security teams to isolate critical ICS components from purposeful and accidental infiltration and damage. This ultimately captures the value of having a robust segmentation strategy. Consider the following example:

On October 7, 2024, American Water Works, the U.S.’s largest regulated water and wastewater utility company, announced it was hit by a cyberattack in the form of “unauthorized activity” in its computer networks and systems. Despite security issues at the higher network levels, the company said that “none of its water or wastewater facilities or operations have been negatively impacted by this incident.” It went on to highlight the value of segmentation: “Upon learning of the issue, our team immediately activated our incident response protocols and third-party cybersecurity professionals to assist with containment, mitigation and an investigation into the nature and scope of the incident.”4

 

How the Purdue Model Compares to the IEC 62443 Series of Standards

According to ISA, the ISA/IEC 62443 series of standards “set best practices for security and provide a way to assess the level of security performance…The standards define requirements for key stakeholder groups who are involved in control system cybersecurity and address the security of industrial automation and control systems (IACS) throughout their lifecycle.”5

While Purdue was not created for security purposes, IEC 62443 was specifically created for security. Purdue levels represent the separation of duties across the different processes while the IEC 62443 standards apply security at each level. The closer you get to the process level, the more stringent the regulations become.

Nevertheless, the two are complementary. The Purdue Model emphasizes functional separation to prevent interference between the six different levels of the enterprise network for ICS. By contrast, IEC 62443’s ‘Zones’ and ‘Conduits’ focus on securing communication channels, minimizing the attack surface, and implementing strong access controls to protect against cyber threats.

Another major difference is that the Purdue Model does not suggest, much less prescribe, specific implementation steps or security measures which should be taken. IEC 62443, on the other hand, gives very specific guidance around such things as security controls and securing the conduits between the standard’s different zones.

Ideally, IT teams can leverage Purdue to establish structural clarity, following that up by using IEC 62443’s zones and conduits to segment elements on the network for optimal security and to control communication pathways.

 

The Purdue Model’s Alignment with ICS Security Best Practices

To achieve robust ICS security in any industry, organizations should implement a series of ICS security best practices. The Purdue Model clearly corresponds to two of the three major best practice areas:

  1. Network Segmentation and Isolation Techniques:
    The Purdue Model emphasizes segmentation and isolation between levels, and network segmentation is a key practice for ICS security. By dividing the network into smaller, isolated segments, organizations can limit the impact of a potential breach and prevent lateral movement by attackers. This approach helps to contain any malicious activity and reduces the risk of compromising the entire ICS infrastructure.
  2. Enforcement of Strong Access Controls and Authentication:
    As reflected above, establishing robust access controls and authentication mechanisms is foundational to ICS security. Organizations minimize security risk by deploying and enforcing elements like strong passwords, multi-factor authentication, and role-based access control (RBAC) so that access to critical systems is reserved exclusively for authorized personnel.

 

How Does Forescout Help with ICS Security?

Forescout’s ICS security solutions are designed to protect ICS from cyber threats. They provide organizations with a comprehensive suite of features specifically tailored to address the distinctive challenges of securing industrial control systems.

Moreover, Forescout delivers real-time visibility and control over all connected devices within an ICS environment. This enables IT teams to identify and classify every device, including legacy systems and IoT devices, ensuring that only authorized devices are permitted on the network.

Forescout’s advanced network segmentation capabilities make it intuitive to establish secure zones within an ICS environment to minimize the potential impact of a cyber-attack. As stressed in the Purdue Model and IEC 62443, this prevents an attacker who may gain access to one part of the network from achieving lateral movement and compromising critical systems.

Finally, Forescout’s ICS security solutions boast robust threat detection and response capabilities. Our platform utilizes machine learning and behavioral analytics to detect anomalous behavior and potential cyber threats, empowering organizations to take immediate action to mitigate risks.

To get started in reducing the risk in your ICS environment, request a demo today.


1 United States Department of Energy, Purdue Model Framework for Industrial Control Systems & Cybersecurity Segmentation, Topic Paper 4-14, Page 2, December 12, 2019.
2 Stephen Mathezer, The SANS Institute Blog, Introduction to ICS Security Part 2, July 16, 2021. Accessed online October 8, 2024 from the following source: Introduction to ICS Security Part 2 | SANS Institute
3 Ibid.
4 Daniel Munoz and Thao Nguyen, USA Today, Largest water utility company in the US says it was targeted by a cyberattack, October 8, 2024. Accessed online October 10, 2024 from the following source: American Water Works: Largest water utility in US hit by cyberattack (usatoday.com)
5 International Society of Automation (ISA), ISA/IEC 62443 Series of Standards, The World’s Only Consensus-Based Automation and Control Systems Cybersecurity Standards. Accessed online October 10, 2024 from the following source: ISA/IEC 62443 Series of Standards – ISA
