The Purdue model is a structural model for industrial control system (ICS) security that concerns segmentation of physical processes, sensors, supervisory controls, operations, and logistics. Long regarded as a key framework for ICS network segmentation to protect operational technology (OT) from malware and other attacks, the model persists alongside the rise of edge computing and direct-to-cloud connectivity.
The Purdue model, part of the Purdue Enterprise Reference Architecture (PERA), was designed as a reference model for data flows in computer-integrated manufacturing (CIM), where a plant's processes are completely automated. It came to define the standard for building an ICS network architecture in a way that supports OT security, separating the layers of the network to maintain a hierarchical flow of data between them.
The model shows how the typical elements of an ICS architecture interconnect, dividing them into six levels (0 through 5) that contain information technology (IT) and OT systems. Implemented correctly, it establishes a controlled boundary between ICS/OT and IT systems: the "air gap" it is often credited with is only real if no direct IT-to-OT path exists, so every flow that crosses the boundary should terminate in the demilitarized zone rather than pass through it. That boundary lets an organization enforce effective access controls without hindering business.
OT systems occupy the lower levels of the model while IT systems occupy the upper levels, with a “demilitarized zone” of convergence between them.
Let’s take a look at each of the zones in the Purdue reference model, top to bottom.
Figure 1: A basic render of the Purdue model
Levels 4 and 5 (the enterprise zone) house the typical IT network, where the primary business functions occur, including the orchestration of manufacturing operations. Enterprise resource planning (ERP) systems here drive plant production schedules, material use, shipping, and inventory levels.
Disruptions here can lead to prolonged downtime, with the potential for economic damage, failure of critical infrastructure, or revenue loss.
Level 3.5, the industrial demilitarized zone (IDMZ), holds security systems such as firewalls and proxies intended to stop lateral movement between IT and OT. Traffic crossing the boundary should terminate on brokering services in this zone (jump hosts, data replication servers, patch mirrors) rather than pass straight through it. The rise of automation has increased the need for bidirectional data flows between OT and IT systems, so this IT-OT convergence layer can give organizations a competitive edge, but it also increases their cyber risk if they adopt a flat network approach.
Level 3 (manufacturing operations) contains the customized OT systems that manage production workflows on the shop floor, such as manufacturing execution systems (MES), data historians, and engineering workstations.
As with Levels 4 and 5, disruptions here can lead to economic damage, failure of critical infrastructure, risk to people and plant safety, or lost revenue.
Level 2 (supervisory control) contains the systems that supervise, monitor, and control physical processes, such as SCADA servers and human-machine interfaces (HMIs).
Level 1 (basic control) contains the controllers that send commands to the devices at Level 0, such as programmable logic controllers (PLCs) and remote terminal units (RTUs).
Level 0 (the physical process) contains sensors, actuators, and other machinery directly responsible for assembly, lubrication, and other physical processes. Many modern sensors communicate directly with monitoring software in the cloud via cellular networks, a path that bypasses the hierarchy above entirely.
Figure 2 shows the workflow and the interactions between the different zones and systems.
Figure 2: Purdue model workflow and interactions
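The hierarchical data flow the figures describe can be turned into a check. The following is an added example, not code from the original page or from Zscaler: it maps constructed subnets to Purdue levels, allows only same-level or adjacent-level flows, requires every IT/OT crossing to terminate in the Level 3.5 DMZ, and flags any OT level reaching outside the plant directly. The subnets, the log format, and the sample log lines are all assumptions constructed for the example; the strict "adjacent levels only" rule is the textbook reading of the model and a real site would relax it deliberately, per flow.

```python
"""Purdue-model flow checker (added example; not from the original page).

Assumptions (constructed for this example, not real site data):
  - Each Purdue level is assigned a CIDR block (LEVEL_SUBNETS below).
  - Traffic is allowed only within a level or between adjacent levels.
  - Any crossing of the IT/OT boundary (Levels 0-3 <-> Levels 4-5) must
    terminate in the Level 3.5 DMZ rather than pass through it.
  - An address in no known level is "external" (internet / cloud).
"""
import ipaddress
import re

# Constructed mapping of Purdue levels to subnets.
LEVEL_SUBNETS = {
    "5": ipaddress.ip_network("10.5.0.0/16"),    # enterprise
    "4": ipaddress.ip_network("10.4.0.0/16"),    # site business / ERP
    "3.5": ipaddress.ip_network("10.35.0.0/16"), # IT/OT DMZ
    "3": ipaddress.ip_network("10.3.0.0/16"),    # manufacturing operations
    "2": ipaddress.ip_network("10.2.0.0/16"),    # supervisory (HMI/SCADA)
    "1": ipaddress.ip_network("10.1.0.0/16"),    # basic control (PLC/RTU)
    "0": ipaddress.ip_network("10.0.0.0/16"),    # physical process
}
ORDER = ["0", "1", "2", "3", "3.5", "4", "5"]
IT_LEVELS = {"4", "5"}
OT_LEVELS = {"0", "1", "2", "3"}


def level_of(ip: str) -> str:
    """Return the Purdue level of an address, or 'external' if unknown."""
    addr = ipaddress.ip_address(ip)
    for level, net in LEVEL_SUBNETS.items():
        if addr in net:
            return level
    return "external"


def check_flow(src_ip: str, dst_ip: str) -> tuple[bool, str]:
    """Decide whether a flow respects the model. Returns (allowed, reason)."""
    src, dst = level_of(src_ip), level_of(dst_ip)
    if src == "external" and dst == "external":
        return True, "not plant traffic"
    if "external" in (src, dst):
        inside = dst if src == "external" else src
        # Only the enterprise zone or the DMZ may talk to the outside.
        if inside in IT_LEVELS or inside == "3.5":
            return True, f"L{src} -> L{dst}: external access via IT/DMZ"
        return False, f"L{src} -> L{dst}: OT level {inside} reaches outside the plant directly"
    if (src in IT_LEVELS and dst in OT_LEVELS) or (src in OT_LEVELS and dst in IT_LEVELS):
        return False, f"L{src} -> L{dst}: crosses the IT/OT boundary without terminating in the 3.5 DMZ"
    if src == dst:
        return True, f"L{src} -> L{dst}: same level"
    if abs(ORDER.index(src) - ORDER.index(dst)) > 1:
        return False, f"L{src} -> L{dst}: skips a level"
    return True, f"L{src} -> L{dst}: adjacent levels"


# Constructed flow-log format: "<ts> src=<ip> dst=<ip> proto=<p> dport=<n>".
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")


def find_violations(log_lines):
    """Return (log line, reason) for every flow that breaks the model."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a flow record
        src, dst, _proto, _dport = m.groups()
        ok, reason = check_flow(src, dst)
        if not ok:
            out.append((line.strip(), reason))
    return out


# Constructed sample log: ERP host hitting a PLC over Modbus, HMI to PLC,
# a sensor sending straight to the cloud, historian to DMZ, DMZ to L4 DB,
# and an enterprise workstation opening RDP to an HMI.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z src=10.4.1.20 dst=10.1.0.5 proto=tcp dport=502",
    "2024-05-01T10:00:01Z src=10.2.0.7 dst=10.1.0.5 proto=tcp dport=502",
    "2024-05-01T10:00:02Z src=10.0.3.9 dst=203.0.113.10 proto=udp dport=443",
    "2024-05-01T10:00:03Z src=10.3.0.4 dst=10.35.0.10 proto=tcp dport=443",
    "2024-05-01T10:00:04Z src=10.35.0.10 dst=10.4.0.50 proto=tcp dport=1433",
    "2024-05-01T10:00:05Z src=10.5.0.8 dst=10.2.0.7 proto=tcp dport=3389",
]

if __name__ == "__main__":
    for line, reason in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {reason}\n    {line}")
```

Three of the six sample flows are flagged: the ERP-to-PLC Modbus session and the RDP session into the HMI both cross the IT/OT boundary without touching the DMZ, and the sensor's direct cloud upload leaves Level 0 without passing through any higher level. The historian-to-DMZ and DMZ-to-Level-4 flows pass, which is exactly how a bidirectional IT/OT exchange is supposed to be staged.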
When the Purdue model was introduced in 1992 by Theodore J. Williams and the Purdue University Consortium, few other models had yet outlined a clear information hierarchy for CIM, which began to take hold of the industry in the mid-to-late 1980s.
Today, with the industrial internet of things (IIoT) blurring the line between IT and OT, experts often wonder whether the Purdue model still applies to modern ICS networks. Its segmentation framework is often set aside, after all, as data from Level 0 is sent directly to the cloud. However, many suggest it’s not yet time to discard the model.
In 2020, Litmus CEO Vatsal Shah said, “The Purdue Model still serves the segmentation requirements for both wireless and wired networks and protects the operational technology (OT) network from unwarranted traffic and exploits.”¹
SANS Institute took a similar position in 2021, saying, “Even if its hierarchical layers can no longer be uniformly applied to modern architectures, sorting ICS and IT devices and systems into distinct functional layers helps administrators and security practitioners determine where to apply security measures effectively.”²
Forbes maintained that perspective in 2022: “The Purdue Model is dead. Long live the Purdue Model.”³
Industrial uptime requirements and budgets often mean that the new can’t yet replace the old, and that holds true for the Purdue model despite the rise of IoT. Instead, many are advocating for a hybrid approach of applying macro segmentation with zero trust to overcome the unique challenges of modern ICS security.
1. AutomationWorld, “Is the Purdue Model Still Relevant?,” May 2020.
2. SANS Institute, “Introduction to ICS Security Part 2,” July 2021.
3. Forbes, "A Reimagined Purdue Model For Industrial Security Is Possible," January 2022.
Let’s take a look at a few of those challenges:
OT environments tend to use flat networks and equipment from multiple vendors. Deploying network-level microsegmentation with physical devices can mean significant downtime, especially when the ICS and SCADA systems are too old to tolerate reconfiguration or active scanning. Moreover, OT teams are rarely trained in IT security practices or advanced network security concepts, and their mandate is uptime and the safety of people and plant, not security.
Ethernet is still the backbone of most factories and warehouses, but wireless connectivity is gaining traction as private cellular brings mobility, reliability, deterministic networking, and standardized technology. This will enable autonomous mobile robots, cobots, asset tracking, smart glasses, and other Industry 4.0 applications.
Today, manufacturers can collect data in real time and use it to run analytics in the cloud for immediate results. Applications and data-generating activities once reserved for local operations—PLCs, SCADA, and DCS for manufacturing, and warehouse management systems for logistics—are finding their way to the cloud as well, increasing OT network complexity.
Zero trust can simplify security for OT environments and solve key challenges such as secure remote access to ICS systems without requiring physical segmentation at each layer. The National Institute of Standards and Technology (NIST) describes zero trust architecture for enterprise and industrial networks in NIST Special Publication 800-207, stating, "Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered."
Applying the zero trust guiding principles of IT networks for workflow, system design, and operations can simplify and improve OT network security posture and help accelerate digital transformation.
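What "access that doesn't depend on network access" means in practice is easiest to see as a decision function. The following is an added example, not code from the original page or from any vendor's product: a minimal application-level access broker that decides per request from identity, group entitlement, and device posture, and deliberately never reads the source address. The applications, groups, users, and posture values are assumptions constructed for the example.

```python
"""ZTNA-style access decision (added example; not the page's or any vendor's code).

Access is granted per application from who the user is, what device they are
on, and which app they ask for. The network location of the request is kept
for audit only and is never an input to the decision, so a host that happens
to sit on the plant LAN gets no more than a host on the internet.
Policy, users, and posture data below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    device_managed: bool
    device_patched: bool
    mfa: bool
    app: str
    src_ip: str  # recorded for audit only; never consulted for the decision


# Constructed policy: which groups may reach which app, and whether the app
# controls a physical process (and so needs a stricter posture check).
POLICY = {
    "plant-hmi": {"groups": {"ot-operators", "vendor-acme"}, "critical": True},
    "historian-web": {"groups": {"ot-operators", "process-engineers"}, "critical": False},
    "erp": {"groups": {"finance", "plant-managers"}, "critical": False},
}


def decide(req: Request) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Anything not explicitly allowed is denied."""
    if not req.mfa:
        return "deny", "identity not strongly verified (no MFA)"
    rule = POLICY.get(req.app)
    if rule is None:
        # Unknown app: no policy, so the app is never exposed at all.
        return "deny", f"no policy for app {req.app!r}"
    if not req.groups & rule["groups"]:
        return "deny", f"user {req.user} is not entitled to {req.app}"
    if not req.device_managed:
        return "deny", "unmanaged device"
    if rule["critical"] and not req.device_patched:
        return "deny", f"{req.app} controls a physical process; device must be patched"
    # The session is brokered to this one app, not to a network segment.
    return "allow", f"brokered session to {req.app} only"


def broker(requests):
    """Evaluate a batch of requests and return audit records."""
    return [(r.user, r.app, r.src_ip, *decide(r)) for r in requests]


# Constructed requests: an insider on the plant LAN with no entitlement,
# a remote vendor with a compliant device, the same vendor on an unpatched
# device, and an operator who skipped MFA.
SAMPLE_REQUESTS = [
    Request("alice", frozenset({"finance"}), True, True, True, "plant-hmi", "10.3.0.77"),
    Request("acme-tech", frozenset({"vendor-acme"}), True, True, True, "plant-hmi", "198.51.100.7"),
    Request("acme-tech", frozenset({"vendor-acme"}), True, False, True, "plant-hmi", "198.51.100.7"),
    Request("bob", frozenset({"ot-operators"}), True, True, False, "historian-web", "10.2.0.40"),
]

if __name__ == "__main__":
    for user, app, src, verdict, reason in broker(SAMPLE_REQUESTS):
        print(f"{verdict:5} {user:10} {app:14} from {src:14} {reason}")
```

The only allowed request is the remote vendor on a compliant device, and what it gets is a session to the HMI application, not reachability to the Level 2 subnet. The insider sitting on the plant LAN is denied for lack of entitlement, which is the property a flat OT network cannot give you.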
A zero trust approach is the most effective way to ensure robust OT and ICS security, with adaptive, context-based application access that doesn’t depend on network access. With an effective zero trust architecture in place, any user can only access the applications and systems they need, with no complex firewall stacks or VPNs required, all while your apps and network stay invisible to the internet.
Zscaler Private Access™ (ZPA™) is the world’s most deployed zero trust network access (ZTNA) platform, providing:
Ready to try it out yourself? You can experience ZPA up close with a 7-day test-drive.
You can also check out these video case studies to see what made ZPA the clear choice for our customers' OT environments: