Leveraging the Purdue Model to Understand Your Organization’s ICS Security Needs
Since the 1990s, the Purdue Model has been a fundamental networking method across Industrial Control Systems (ICS). However, as organizations digitally transformed their business models, the incorporation of Internet of Things (IoT) and Industrial Internet of Things (IIoT) devices blurred the lines, creating challenges when security architects work to segment networks.
Despite these challenges, the Purdue Model remains relevant for implementing a layered architecture to mitigate cybersecurity risks. At its core, the Purdue Model focuses on segmentation, defense-in-depth, and risk management, tenets fundamental to modern security programs. Despite the rapid evolution of technology, the model helps organizations prioritize resources effectively and enhance their resilience against cyber threats.
By understanding how the Purdue Model functions, organizations can adopt technologies that help them maintain the best practices and improve their ICS security.
What is the Purdue Model?
The Purdue Model organizes industrial control systems (ICS) into distinct layers or zones to establish a structured framework for enhancing security and resilience. This model emphasizes the separation between operational technology (OT) and information technology (IT) for improved management of both domains.
This approach seeks to mitigate the risk that vulnerabilities affecting the IT environment will compromise critical OT systems. By compartmentalizing operational environments from enterprise systems, organizations can create structured security programs that improve operational efficiency and monitoring.
Over time, the Purdue Model evolved to consist of the following levels:
- Level 5: External/Vendor Support/Cloud Access
- Level 4: Business/Enterprise IT Systems
- Level 3.5: Demilitarized Zone (DMZ)
- Level 3: Operational Control Systems
- Level 2: Supervisory Control Systems
- Level 1: Basic Control Systems
- Level 0: Physical Processes
Diving Deep into the Purdue Model’s Layers and Zones
The Purdue Model categorizes systems into distinct layers and zones that facilitate communication, data flow, and functionality. While the theoretical model treats these as separate layers, the reality of most OT/IT networks is that the interconnection across physical devices, control systems, and enterprise IT blurs the lines in modern systems.
Level 4/5: Enterprise Zone
This zone consists of typical enterprise IT systems that include business-enabling devices and applications like:
- Software-as-a-Service (SaaS) applications
- Public and private cloud environments
- Workstations
- Servers, like web servers, DNS servers, application servers, and DHCP servers
- Network access control (NAC) devices
- Cybersecurity technologies, like a security information and event management (SIEM) tool
Although traditionally these technologies remained siloed from the OT environment, IoT and IIoT devices need to communicate with their connected applications. This interconnectedness makes it difficult to completely separate the OT and IT network environments.
Level 3.5: Demilitarized Zone (DMZ)
The DMZ facilitates bidirectional data flows between the IT and OT systems. Using firewalls and proxies to create logical barriers, the DMZ limits the communications between the two systems to mitigate lateral threat movement risks.
This layer typically includes:
- Cloud-based security services
- Remote access servers
- Cloud-based patch management services
This layer acts as a critical buffer for organizations that use IoT and IIoT devices. As the firewalls and proxies limit incoming and outgoing traffic, the organization can mitigate risk. However, dynamic networks make maintaining this segmentation difficult, especially when connectivity disruptions can interrupt critical processes.
Level 3: Operational Control Systems Zone
This zone consists of the technologies that are used to optimize production workflows on the shop floor, like:
- Manufacturing Operations Management (MOM) systems: end-to-end operations oversight technologies that ensure efficient, cost-effective resource allocation
- Manufacturing Execution Systems (MES): real-time production activity monitoring and management to mitigate workflow disruption risk
Some examples of resources at this layer include:
- Data historians that capture and store real-time data from processes
- Engineering workstations (EWS) for managing PLCs and RTUs
Level 2: Supervisory Control Systems Zone
The technologies in this layer help supervise, monitor, and control physical processes. They facilitate real-time data collection, analysis, and management so that operators can maintain performance and safety for different processes.
Some technologies in this zone include:
- Supervisory control and data acquisition (SCADA): software for local or remote management and control of physical processes
- Distributed control systems (DCS): locally deployed technologies that perform SCADA functions
- Human-machine interfaces (HMIs): applications that human operators use for managing the controller hardware
Level 1: Basic Control Systems Zone
At this layer, the technologies focus on the industrial environment’s operational efficiency. Some typical technologies include:
- Programmable Logic Controllers (PLCs): real-time field device monitoring to process data and make output adjustments that control machinery and processes
- Remote Terminal Units (RTUs): computers with radio interfacing that communicate with field equipment when the internet is not available
This layer also typically includes IIoT sensors and actuators that need to communicate with their connected applications. In 2018, the European Union Agency for Cybersecurity (ENISA) suggested that these IIoT devices should form a separate layer. Under that proposal, the only traffic into the IIoT layer would be outbound communications from the supervisory control systems, and the IIoT devices themselves would send outgoing communications only to their platforms.
Level 0: Physical Process Zone
This zone consists of the basic components in the field that directly interact with the physical world. Some typical technologies at this layer include:
- Valves
- Motors
- Pumps
- Sensors
Challenges Securing IT/OT Systems in a Digitally Transformed World
The Purdue Model fails to fully secure modern IT/OT environments. It assumes that the organization’s DMZ will “air gap,” or isolate, the OT environment from the enterprise technology stack. However, in recent years, the IT/OT convergence means that attackers can leverage vulnerabilities across the architecture, especially at Level 2 and Level 3.
Some examples of weaknesses in the model include:
- Weak authentication: Many devices cannot implement multi-factor authentication, especially IoT/IIoT devices, giving attackers a way to gain unauthorized access to networks.
- Social engineering: Attackers use phishing emails to trick operators into clicking on malicious links or attachments to install malware on Level 3 devices.
- Lateral Movement: Attackers compromise Level 3 devices and then try to follow data flows to gain access to Level 2 devices for more access within the connected systems.
- Software and firmware vulnerabilities: Many devices across the converged IT/OT/IoT/IIoT system are difficult to scan for vulnerabilities and others may no longer be supported by their manufacturers, offering an exploit opportunity.
Best Practices for Securing Converged IT/OT/IoT/IIoT Systems
To supplement an organization’s logical and physical network zones, these best practices can help mitigate remaining risks.
Identify and Classify Assets
With a passive network monitoring solution, organizations can identify and classify the assets connected across all network segments and Levels 1 through 5 without worrying about connectivity disruptions. With these solutions, the organization can create an asset inventory containing information about:
- Hardware: manufacturer, model, serial number
- Software: operating system, version, firmware revisions
- Device type and function
- Security assessment: vulnerabilities and risks
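The inventory described above can be assembled from passively observed connection metadata. The following Python is an added example, not Asimily's product code: it folds constructed client-to-server connection records (as a tap or SPAN port would see them) into one asset per IP, looks up the MAC prefix in a constructed OUI table, records any firmware string parsed from a device-identification reply, and assigns a role and Purdue level from the protocols each host serves or initiates. The protocol-to-level mapping is a heuristic assumption, not a standard.

```python
"""Passive asset inventory built from observed connection metadata.

Added example (not Asimily's product code). The observation records, MAC
prefixes and the protocol-to-role heuristics below are constructed for
illustration; production tooling uses far richer fingerprinting.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Well-known industrial and IT service ports. The Purdue level each one
# implies for the *serving* host is a heuristic assumption, not a standard.
PROTOCOL_HINTS = {
    502: ("modbus-tcp", 1),
    102: ("s7comm", 1),
    20000: ("dnp3", 1),
    44818: ("ethernet-ip", 1),
    4840: ("opc-ua", 2),
    443: ("https", 4),
    53: ("dns", 4),
}


@dataclass
class Asset:
    ip: str
    mac: str
    vendor: str = "unknown"
    served: Set[str] = field(default_factory=set)     # protocols this host answers
    client_of: Set[str] = field(default_factory=set)  # protocols it initiates
    firmware: Optional[str] = None
    role: str = "unknown"
    level: Optional[int] = None


def classify(asset: Asset) -> None:
    """Assign a role and Purdue level from observed protocol behaviour."""
    served_levels = {lvl for p, lvl in PROTOCOL_HINTS.values() if p in asset.served}
    client_levels = {lvl for p, lvl in PROTOCOL_HINTS.values() if p in asset.client_of}
    if 1 in served_levels:
        asset.role, asset.level = "controller (PLC/RTU)", 1
    elif 2 in served_levels or 1 in client_levels:
        asset.role, asset.level = "supervisory (SCADA/HMI/EWS)", 2
    elif 4 in served_levels:
        asset.role, asset.level = "enterprise server", 4
    elif 4 in client_levels:
        asset.role, asset.level = "enterprise client", 4


def build_inventory(observations: List[dict], oui_table: Dict[str, str]) -> Dict[str, Asset]:
    """Fold client->server connection records (as seen on a SPAN port or tap)
    into one Asset per IP. Each record carries src_ip, src_mac, dst_ip,
    dst_mac, dst_port and optionally server_firmware, e.g. parsed from a
    Modbus 'Read Device Identification' reply."""
    assets: Dict[str, Asset] = {}
    for obs in observations:
        for ip, mac in ((obs["src_ip"], obs["src_mac"]), (obs["dst_ip"], obs["dst_mac"])):
            if ip not in assets:
                prefix = mac[:8].upper()  # first three octets = OUI
                assets[ip] = Asset(ip=ip, mac=mac, vendor=oui_table.get(prefix, "unknown"))
        hint = PROTOCOL_HINTS.get(obs["dst_port"])
        if hint:
            assets[obs["dst_ip"]].served.add(hint[0])
            assets[obs["src_ip"]].client_of.add(hint[0])
        if obs.get("server_firmware"):
            assets[obs["dst_ip"]].firmware = obs["server_firmware"]
    for asset in assets.values():
        classify(asset)
    return assets


# Constructed OUI table: placeholder prefixes, not real vendor assignments.
OUI_TABLE = {"AA:BB:CC": "ExamplePLC Inc (constructed)",
             "AA:BB:DD": "ExampleIT Ltd (constructed)"}

# Constructed observations: a SCADA host polling two controllers and an
# enterprise workstation resolving DNS.
OBSERVATIONS = [
    {"src_ip": "10.2.0.10", "src_mac": "aa:bb:dd:00:00:10", "dst_ip": "10.1.0.5",
     "dst_mac": "aa:bb:cc:00:00:05", "dst_port": 502, "server_firmware": "v2.3.1"},
    {"src_ip": "10.2.0.10", "src_mac": "aa:bb:dd:00:00:10", "dst_ip": "10.1.0.6",
     "dst_mac": "aa:bb:cc:00:00:06", "dst_port": 20000},
    {"src_ip": "10.4.0.20", "src_mac": "aa:bb:dd:00:00:20", "dst_ip": "10.4.0.2",
     "dst_mac": "aa:bb:dd:00:00:02", "dst_port": 53},
]

if __name__ == "__main__":
    for a in sorted(build_inventory(OBSERVATIONS, OUI_TABLE).values(), key=lambda x: x.ip):
        print(f"{a.ip:<10} L{a.level} {a.role:<28} {a.vendor:<30} firmware={a.firmware}")
```

Because the inventory is built only from traffic the devices already generate, no probe packets are sent, which is the property that makes this approach safe on networks where an active scan could disturb a controller.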
Segment by Device Risk Profile
Targeted segmentation takes the Purdue Model one step further by isolating devices with similar exploit vectors. By categorizing devices based on security risk profile, the security team can implement targeted risk activities like:
- Security governance
- Patching
- Device configuration management
- Upgrading or replacing insecure devices
Scan for Vulnerabilities and Prioritize Remediation Activities
Using a passive scanning solution, organizations can improve their vulnerability and patch management programs across all Levels 1 through 5 by:
- Identifying exploitable vulnerabilities for each device within the environment
- Using threat intelligence to prioritize remediation activities based on real-time exploitability
- Leveraging actionable remediation recommendations that may include applying security updates or implementing compensating controls to minimize risk
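The prioritization step above can be made concrete. The following Python is an added example, not Asimily's patented algorithm and not code from this article: it ranks constructed findings by blending EPSS exploit probability, CVSS severity, the Purdue level of the affected device, and whether the device is reachable from the IT side, then names either a patch or a compensating control for each. The weights, device names and EXAMPLE-CVE ids are assumptions.

```python
"""Rank findings across IT and OT by exploitability, severity and exposure.

Added example, not Asimily's patented algorithm. The weights, devices,
EPSS values and placeholder CVE ids are all constructed assumptions; a real
program would pull EPSS and exploitation intelligence from live feeds.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Finding:
    device: str
    cve: str                 # placeholder ids below, not real CVE numbers
    epss: float              # EPSS probability of exploitation in the next 30 days (0..1)
    cvss: float              # CVSS base score (0..10)
    level: int               # Purdue level of the affected device
    reachable_from_it: bool  # reachable from Level 4/5 without passing the DMZ policy
    patch_available: bool
    vendor_supported: bool


# Process-impact weight per Purdue level: loss of a controller stops the
# physical process, loss of an enterprise host usually does not (assumption).
IMPACT = {0: 1.0, 1: 1.0, 2: 0.9, 3: 0.8, 4: 0.5, 5: 0.5}


def priority_score(f: Finding) -> float:
    """0..100. EPSS (is it being exploited?) outweighs CVSS (how bad if it
    is?), and exposure scales the result, so a likely-exploited flaw on a
    controller reachable from IT outranks a critical but isolated one."""
    exposure = 1.0 if f.reachable_from_it else 0.4
    return round(100 * (0.6 * f.epss + 0.4 * f.cvss / 10) * IMPACT[f.level] * exposure, 1)


def recommend(f: Finding) -> str:
    """Patch when possible; otherwise name the compensating control."""
    if f.patch_available:
        return "apply vendor update in the next maintenance window"
    controls = []
    if f.reachable_from_it:
        controls.append("block the IT-to-OT path at the DMZ firewall and monitor the conduit")
    else:
        controls.append("keep the device isolated and monitor its zone")
    if not f.vendor_supported:
        controls.append("add to the end-of-support replacement plan")
    return "compensating controls: " + "; ".join(controls)


def prioritise(findings: List[Finding]) -> List[Tuple[float, str, str, str]]:
    """Return (score, device, cve, recommendation) tuples, highest risk first."""
    ranked = [(priority_score(f), f.device, f.cve, recommend(f)) for f in findings]
    return sorted(ranked, key=lambda r: r[0], reverse=True)


# Constructed findings spanning Purdue levels 1 through 4.
FINDINGS = [
    Finding("PLC-07", "EXAMPLE-CVE-1", epss=0.85, cvss=9.8, level=1,
            reachable_from_it=True, patch_available=False, vendor_supported=False),
    Finding("HIST-01", "EXAMPLE-CVE-2", epss=0.02, cvss=9.8, level=3,
            reachable_from_it=True, patch_available=True, vendor_supported=True),
    Finding("HMI-02", "EXAMPLE-CVE-3", epss=0.60, cvss=7.5, level=2,
            reachable_from_it=False, patch_available=True, vendor_supported=True),
    Finding("WS-11", "EXAMPLE-CVE-4", epss=0.30, cvss=8.1, level=4,
            reachable_from_it=True, patch_available=True, vendor_supported=True),
]

if __name__ == "__main__":
    for score, device, cve, action in prioritise(FINDINGS):
        print(f"{score:5.1f}  {device:<8} {cve:<14} {action}")
```

The point of the blend is visible in the constructed data: the historian carries the same CVSS 9.8 as the controller, but with a 2% EPSS it ranks far below the controller flaw that is both likely to be exploited and reachable from the enterprise side, and the unsupported controller gets a compensating control plus a replacement plan rather than a patch it cannot receive.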
Implement and Maintain Secure Configurations
OT, IoT, and IIoT devices often come with unnecessary features. By disabling these functionalities, organizations can improve their overall security. Additionally, even after hardening devices, organizations need to monitor for configuration drift that can occur whenever they:
- Add new devices to networks
- Update software and/or firmware
With solutions that can review metadata, like version numbers or settings, organizations can monitor for configuration drift and maintain secure configurations better.
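One way to implement that drift check, as an added example that is not Asimily's product code: the Python below compares a hardened baseline snapshot against a newer snapshot of the same metadata (firmware version and observed settings), reports firmware changes, new and missing devices, and setting changes, and marks as high severity any change that re-enables a service the baseline had turned off. The device records, settings and the list of risky services are constructed assumptions.

```python
"""Detect configuration drift between a hardened baseline and a new snapshot.

Added example, not Asimily's product code. Device records and settings are
constructed; which services count as "unnecessary" is a per-site decision,
so the RISKY_IF_TRUE set is an assumption for illustration.
"""
from typing import Dict, List

# Settings that, when observed as True, undo a hardening step.
RISKY_IF_TRUE = {"telnet_enabled", "ftp_enabled", "web_ui_enabled", "default_credentials"}


def diff_snapshots(baseline: Dict[str, dict], current: Dict[str, dict]) -> List[dict]:
    """Snapshots map device id -> {'firmware': str, 'settings': {name: value}},
    e.g. assembled from passively observed version strings and banners.
    Returns one event per difference with a severity for triage."""
    events: List[dict] = []
    for dev, cur in current.items():
        base = baseline.get(dev)
        if base is None:
            events.append({"device": dev, "type": "new-device", "severity": "medium",
                           "detail": f"not in baseline (firmware {cur['firmware']})"})
            continue
        if cur["firmware"] != base["firmware"]:
            events.append({"device": dev, "type": "firmware-change", "severity": "info",
                           "detail": f"{base['firmware']} -> {cur['firmware']}"})
        for key in sorted(set(base["settings"]) | set(cur["settings"])):
            before, after = base["settings"].get(key), cur["settings"].get(key)
            if before != after:
                severity = "high" if key in RISKY_IF_TRUE and after is True else "medium"
                events.append({"device": dev, "type": "setting-change", "severity": severity,
                               "detail": f"{key}: {before} -> {after}"})
    for dev in baseline:
        if dev not in current:
            events.append({"device": dev, "type": "missing-device", "severity": "medium",
                           "detail": "in baseline but not observed"})
    return events


def high_severity(events: List[dict]) -> List[dict]:
    """The subset that needs immediate attention."""
    return [e for e in events if e["severity"] == "high"]


# Constructed baseline taken right after hardening.
BASELINE = {
    "PLC-07": {"firmware": "v2.3.1",
               "settings": {"telnet_enabled": False, "web_ui_enabled": False, "snmp_v3_only": True}},
    "HMI-02": {"firmware": "v5.1.0",
               "settings": {"default_credentials": False, "auto_logout_min": 15}},
    "RTU-03": {"firmware": "v1.9.2", "settings": {"ftp_enabled": False}},
}

# Constructed current snapshot: PLC-07 was upgraded and the update re-enabled
# telnet, a new sensor gateway appeared, and RTU-03 was not seen at all.
CURRENT = {
    "PLC-07": {"firmware": "v2.4.0",
               "settings": {"telnet_enabled": True, "web_ui_enabled": False, "snmp_v3_only": True}},
    "HMI-02": {"firmware": "v5.1.0",
               "settings": {"default_credentials": False, "auto_logout_min": 15}},
    "GW-SENSOR-99": {"firmware": "v0.8.0", "settings": {"web_ui_enabled": True}},
}

if __name__ == "__main__":
    for e in diff_snapshots(BASELINE, CURRENT):
        print(f"[{e['severity']:<6}] {e['device']:<13} {e['type']:<15} {e['detail']}")
```

Running the comparison after every firmware update and every device addition, the two triggers the text names, is what turns a one-time hardening exercise into a maintained configuration.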
Monitor for Anomalous Traffic and Collect Forensic Data
Incorporating OT, IoT, and IIoT into the overarching security monitoring program enables organizations to identify threats across Levels 1 through 5. A solution that analyzes traffic and captures packet data not only identifies abnormal connections but also helps with recovery activities.
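The abnormal connections that such monitoring surfaces are, in Purdue terms, flows that cross a boundary the model does not permit. The following Python is an added example, not code from this article or from Asimily, and it serves three passages at once: the Level 3.5 DMZ description (IT and OT communicate only through the DMZ), ENISA's proposed IIoT layer (inbound only from supervisory systems, outbound only to the device platform), and the traffic-monitoring step here. It encodes those conduits as a zone-to-zone allow list over constructed subnets and ports, and runs constructed flow records through it; the denials are the anomalies an analyst would investigate.

```python
"""Zone-to-zone conduit policy for a Purdue-style network, and an audit of
observed flows against it.

Added example, not code from the article or from Asimily. The conduits
encode what the article describes: enterprise (L4/5) and operations (L3
and below) talk only via the L3.5 DMZ, adjacent OT levels talk to each
other, and the IIoT segment (ENISA's proposed extra layer) accepts inbound
only from supervisory systems and initiates only to its own platform.
Subnets, ports and flow records are constructed assumptions.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

ZONES = {
    "L4-enterprise": ipaddress.ip_network("10.4.0.0/16"),
    "L3.5-dmz": ipaddress.ip_network("10.35.0.0/24"),
    "L3-operations": ipaddress.ip_network("10.3.0.0/16"),
    "L2-supervisory": ipaddress.ip_network("10.2.0.0/16"),
    "L1-control": ipaddress.ip_network("10.1.0.0/16"),
    "IIoT": ipaddress.ip_network("10.9.0.0/24"),
    "IIoT-platform": ipaddress.ip_network("203.0.113.0/24"),  # TEST-NET-3 standing in for the vendor cloud
}

# (initiating zone, responding zone) -> permitted destination ports.
# Anything not listed is denied; there is deliberately no L4 -> L3 entry.
ALLOWED: Dict[Tuple[str, str], Set[int]] = {
    ("L4-enterprise", "L3.5-dmz"): {443, 3389},             # users reach the DMZ jump host / historian replica
    ("L3.5-dmz", "L3-operations"): {3389, 443},             # jump host to engineering workstations; patch relay
    ("L3-operations", "L3.5-dmz"): {443},                   # historian pushes to its DMZ replica
    ("L3-operations", "L2-supervisory"): {4840},            # MES/historian read SCADA data over OPC UA
    ("L2-supervisory", "L1-control"): {502, 20000, 44818},  # SCADA polls PLCs/RTUs
    ("L2-supervisory", "IIoT"): {443},                      # ENISA model: supervisory -> IIoT only
    ("IIoT", "IIoT-platform"): {443, 8883},                 # IIoT -> its platform only (HTTPS, MQTT over TLS)
}


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate_flow(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return ('allow'|'deny', reason). Intra-zone traffic is allowed here;
    cross-zone traffic must match a listed conduit and port."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst and src != "unknown":
        return "allow", f"intra-zone {src}"
    ports = ALLOWED.get((src, dst))
    if ports is None:
        return "deny", f"no conduit {src} -> {dst}"
    if dst_port not in ports:
        return "deny", f"port {dst_port} not permitted on {src} -> {dst}"
    return "allow", f"conduit {src} -> {dst}"


def audit(flows: List[dict]) -> List[dict]:
    """Run observed flows (from a SPAN port, tap or NetFlow export) through
    the policy; the denials are the anomalous connections to investigate."""
    violations = []
    for f in flows:
        verdict, reason = evaluate_flow(f["src"], f["dst"], f["dport"])
        if verdict == "deny":
            violations.append({**f, "reason": reason})
    return violations


# Constructed flow records. Three of them cross a boundary the model forbids.
FLOWS = [
    {"src": "10.2.0.10", "dst": "10.1.0.5", "dport": 502},      # SCADA polls a PLC
    {"src": "10.4.0.20", "dst": "10.35.0.5", "dport": 443},     # workstation reaches the DMZ
    {"src": "10.4.0.20", "dst": "10.1.0.5", "dport": 502},      # workstation talks to a PLC directly
    {"src": "10.9.0.7", "dst": "203.0.113.10", "dport": 8883},  # IIoT sensor publishes to its platform
    {"src": "10.9.0.7", "dst": "10.2.0.10", "dport": 445},      # IIoT device initiating into supervisory
    {"src": "10.1.0.5", "dst": "10.35.0.5", "dport": 443},      # PLC initiating toward the DMZ
    {"src": "10.3.0.4", "dst": "10.2.0.10", "dport": 4840},     # historian reads SCADA via OPC UA
]

if __name__ == "__main__":
    for v in audit(FLOWS):
        print(f"ANOMALY {v['src']} -> {v['dst']}:{v['dport']}  ({v['reason']})")
```

The same allow list can drive the DMZ firewall rules and the detection logic, which is useful: when a flow is denied by the monitor but was not blocked by the firewall, the two have drifted apart and the segmentation the model assumes no longer holds. Keeping the packet captures that produced the flagged flows is what supports the recovery and forensic work the section mentions.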
Asimily: Defense In Depth Across the Purdue Model’s Levels 1-5
Purpose-built to manage IoT devices, Asimily provides organizations with the necessary visibility into and control over their fleets. Our platform provides context, taking into account vulnerabilities and the IT environment, so organizations can mitigate risk more effectively.
Our passive network monitoring solution enables organizations to gain insights into their converged OT/IT environments by helping them manage IoT and IIoT risks across Levels 1 through 5 of the Purdue Model.
Organizations efficiently identify high-risk vulnerabilities with our proprietary, patented algorithm that cross-references vast amounts of data from resources like EPSS (Exploit Prediction Scoring System), Software Bills of Materials (SBOMs), Common Vulnerabilities and Exposures (CVE) lists, the MITRE ATT&CK Framework, and NIST Guidelines. It understands your unique environment, so our deep contextual recommendation engine can provide real-time, actionable remediation steps to reduce risk and save time.
To learn more about Asimily, download our IoT Device Security in 2024: The High Cost of Doing Nothing whitepaper or contact us today.
Reduce Vulnerabilities 10x Faster with Half the Resources
Find out how our innovative risk remediation platform can help keep your organization’s resources safe, users protected, and IoT and IoMT assets secure.