How to Segment an OT Network: The Purdue Model and Security Zones
Quick Answer
The Purdue Model is the reference architecture most teams use to segment OT networks. It organizes systems into levels — from field devices at the bottom, up through basic control, supervisory control, operations, and the enterprise network — with a DMZ separating the OT environment from corporate IT. Segmenting along these levels limits how far an attacker can move laterally and is the foundation of any credible industrial security program.
Why Segmentation Matters
Many industrial networks grew organically and ended up flat: a PLC, an engineering workstation, a historian, and a corporate file share all reachable from the same network. In a flat network, a single compromised laptop can reach the controllers that run the process. Segmentation breaks the environment into zones with controlled boundaries so that a breach in one area is contained rather than spreading to the equipment that moves physical materials. It is the practical expression of the zones-and-conduits idea in IEC 62443.
The Purdue Model Levels
The Purdue Enterprise Reference Architecture organizes an industrial environment into a hierarchy. The exact labels vary between sources, but the levels are commonly described as:
- Level 0 — Physical process and field devices: sensors, actuators, valves, and the equipment that directly touches the process.
- Level 1 — Basic control: PLCs, RTUs, and controllers that read inputs and drive outputs.
- Level 2 — Supervisory control: HMIs, SCADA servers, and local supervisory systems operators interact with.
- Level 3 — Operations and site management: historians, engineering workstations, and production management systems for the site.
- Level 4/5 — Enterprise: business systems, corporate IT, and internet-facing services.
Between the operations layer (around Level 3) and the enterprise layer sits a demilitarized zone (DMZ). This is the single most important boundary in the architecture.
The OT/IT DMZ: The Critical Boundary
The DMZ exists so that OT systems and IT systems never communicate directly. Instead, data that needs to flow between the two — historian replication, patch distribution, reporting feeds — passes through intermediary systems in the DMZ. Nothing on the corporate network reaches a controller directly, and a controller never reaches the internet directly. If corporate IT is compromised — for example by ransomware — the DMZ gives defenders a place to stop the spread before it touches the process.
Conduits: Controlling What Crosses the Boundaries
Segmentation is not just about drawing zones; it is about controlling what crosses between them. Each conduit between zones should permit only the specific, necessary communication — particular protocols, particular hosts, particular directions — and deny everything else. Default-deny boundaries with explicit allowed flows turn the network diagram into an actual security control rather than a drawing.
Practical Steps to Segment an Existing Network
- Map what you have. Identify every device, what level it belongs to, and how it currently communicates. You cannot segment an undocumented network.
- Define your zones. Group assets by function and risk along the Purdue levels, and decide where boundaries belong.
- Establish the OT/IT DMZ. Stand up intermediary systems so OT and IT exchange data only through the DMZ, never directly.
- Lock down conduits. Apply default-deny rules at each boundary and explicitly permit only required flows.
- Address remote access. Route all external access through a controlled, monitored path rather than ad hoc connections — see secure remote access for SCADA.
- Monitor the boundaries. Watch the conduits for unexpected traffic, which is often the first sign of a problem.
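The zones-and-conduits policy from the conduit section and the mapping, default-deny and monitoring steps above, as an added example that is not part of the original article or NFM Consulting's own tooling. All hosts, addresses, zone names and ports are constructed for the illustration; the only real protocol facts used are that Modbus/TCP listens on 502 and OPC UA on 4840.

```python
# Constructed example: a zones-and-conduits policy model with default-deny
# evaluation and a boundary audit. Hosts, addresses and ports are hypothetical.
OT_ZONES = {"L1_control", "L2_supervisory", "L3_operations"}
DMZ, ENTERPRISE = "DMZ", "L4_enterprise"

# Asset inventory: host address -> Purdue zone (the "map what you have" step).
ZONE_OF_HOST = {
    "10.0.1.10": "L1_control",      # PLC
    "10.0.2.20": "L2_supervisory",  # HMI
    "10.0.3.30": "L3_operations",   # site historian
    "10.0.35.40": DMZ,              # replica historian in the DMZ
    "10.1.0.50": ENTERPRISE,        # corporate reporting server
}

# Conduits: (src_zone, dst_zone, proto, dst_port). Anything not listed is denied.
CONDUITS = {
    ("L2_supervisory", "L1_control", "tcp", 502),      # HMI polls PLC (Modbus/TCP)
    ("L3_operations", "L2_supervisory", "tcp", 4840),  # historian reads OPC UA from SCADA
    ("L3_operations", DMZ, "tcp", 5450),               # historian replication into the DMZ
    (ENTERPRISE, DMZ, "tcp", 443),                     # enterprise reports pull from DMZ replica
}

def zone_of(host):
    return ZONE_OF_HOST.get(host, "unknown")

def is_allowed(src, dst, proto, port, conduits=CONDUITS):
    """Default-deny: a cross-zone flow passes only if an explicit conduit matches."""
    sz, dz = zone_of(src), zone_of(dst)
    if "unknown" in (sz, dz):
        return False          # unmapped asset: deny until it is inventoried
    if sz == dz:
        return True           # intra-zone traffic crosses no boundary
    return (sz, dz, proto, port) in conduits

def direct_ot_it_conduits(conduits):
    """Lint: conduits that join an OT level to the enterprise without the DMZ in between."""
    return sorted(c for c in conduits
                  if {c[0], c[1]} & OT_ZONES and ENTERPRISE in (c[0], c[1]))

def audit_flows(flow_lines, conduits=CONDUITS):
    """Return observed flows that no conduit permits (the boundary-monitoring step)."""
    denied = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        if not is_allowed(src, dst, proto, int(port), conduits):
            denied.append(line)
    return denied

if __name__ == "__main__":
    # Constructed flow records in "src dst proto dst_port" form.
    sample = ["10.0.2.20 10.0.1.10 tcp 502",
              "10.1.0.50 10.0.1.10 tcp 502",   # corporate host talking straight to the PLC
              "10.0.3.30 10.0.35.40 tcp 5450"]
    print(audit_flows(sample))   # -> ['10.1.0.50 10.0.1.10 tcp 502']
```

The lint in direct_ot_it_conduits is the check worth running whenever a new vendor or cloud connection is proposed: it fails exactly when a rule would let an OT level and the enterprise talk without the DMZ in between.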
Modern Realities: Cloud, IIoT, and "Level 3.5"
The classic model assumed a clean separation that modern operations sometimes blur — cloud historians, industrial IoT sensors, and vendor connections can cross levels in ways the original architecture did not anticipate. The Purdue Model remains a useful organizing framework, but it should be applied thoughtfully: the goal is controlled, intentional data flow, not rigid adherence to a diagram. Where new connections are needed, they should pass through well-defined, monitored conduits.
Segmenting a live OT network without disrupting production takes careful planning. NFM Consulting designs and implements segmented control architectures as part of our SCADA and control system engineering. Contact NFM Consulting to plan a segmentation roadmap for your facility.
Frequently Asked Questions
What is the Purdue Model?
The Purdue Model is a reference architecture that organizes an industrial environment into hierarchical levels, from field devices and basic control at the bottom, up through supervisory control and site operations, to the enterprise network at the top. A DMZ separates the OT levels from corporate IT. Segmenting a network along these levels limits how far an attacker can move laterally and forms the foundation of an industrial cybersecurity program.
Why is the OT/IT DMZ so important?
The DMZ ensures OT systems and IT systems never communicate directly. Any data that must flow between them — such as historian replication, patches, or reports — passes through intermediary systems in the DMZ. This means a compromise on the corporate network, such as ransomware, has a place to be stopped before it can reach the controllers that run the physical process. It is the single most important boundary in the Purdue architecture.
How do I segment an existing OT network?
Begin by mapping every device, the Purdue level it belongs to, and how it communicates. Group assets into zones by function and risk, then establish an OT/IT DMZ so the two environments exchange data only through intermediary systems. Apply default-deny rules at each boundary and permit only required flows, route remote access through a controlled, monitored path, and watch the boundaries for unexpected traffic. Plan carefully to avoid disrupting the live process.