OT Network Segmentation Using the Purdue Model

The Purdue Enterprise Reference Architecture (PERA), formalised as the ISA-95 / IEC 62264 functional hierarchy, provides the foundational model for OT network segmentation. Proper segmentation is the single most effective cybersecurity control for industrial environments, because it limits the blast radius of any security incident to the level or zone in which it began.


Detailed Purdue Model Levels

The Purdue Enterprise Reference Architecture (PERA) defines the following functional levels for industrial control system networks:

Level 0 — Field Devices

This level includes all physical field devices: sensors (pressure, temperature, flow, level), actuators (valves, dampers, variable frequency drives), and final control elements. Communication is typically 4–20 mA analog, HART, or fieldbus (PROFIBUS PA, FOUNDATION Fieldbus). These devices are generally not IP-addressable and connect directly to I/O modules at Level 1.

Level 1 — Local Control

PLCs, RTUs, DCS controllers, and motion controllers reside at Level 1. They execute the control logic, scan I/O, and close control loops with deterministic timing. Communication between controllers (peer-to-peer) and to Level 2 uses industrial protocols: PROFINET, EtherNet/IP, Modbus TCP, OPC UA. Level 1 devices are the most critical to protect because unauthorised access can directly affect physical processes.

Level 2 — Supervisory Control

SCADA servers, HMI stations, alarm management systems, data historians, and engineering workstations operate at Level 2. These systems provide operator visibility and manual control capability. Level 2 devices communicate with Level 1 controllers over OPC UA, proprietary drivers, or direct protocol connections. Segmenting Level 2 from Level 1 using a firewall or ACLs prevents compromised HMIs from directly manipulating controllers.

Level 3 — Operations Management

Level 3 hosts Manufacturing Execution Systems (MES), batch management, laboratory information management (LIMS), and plant-level reporting systems. Level 3 systems operate at a slower time scale (seconds to hours) and aggregate data from multiple Level 2 sources. They connect to Level 4 (ERP) for production scheduling and material planning.

Level 3.5 — Demilitarised Zone (DMZ)

The DMZ (sometimes called the Industrial DMZ) is a separate network zone that sits between Level 3 (OT) and Level 4 (IT). It hosts shared services that both domains need: patch management servers, remote access gateways, antivirus update servers, time synchronisation (NTP), and data diodes or historians for one-way data transfer. The DMZ architecture uses dual firewalls: one between Level 3 and DMZ, another between DMZ and Level 4. No direct traffic flows between OT and IT; all cross-domain communication passes through DMZ services.

Level 4 — Enterprise / IT

The corporate enterprise network hosts ERP, CRM, email, file servers, and business analytics. Level 4 has no direct connectivity to OT networks; all data exchange is mediated through DMZ services.

DMZ Design and Dual-Firewall Architecture

The Industrial DMZ is the cornerstone of OT network security. A typical reference architecture includes:

  • OT-Facing Firewall (Firewall A): Connects Level 3 to the DMZ. Rule set: allow OT-to-DMZ initiated traffic only (e.g., OPC UA client on Level 3 connecting to OPC UA server in DMZ). Block all DMZ-to-OT initiated traffic except specific management protocols (e.g., patch deployment from DMZ update server to Level 3).
  • IT-Facing Firewall (Firewall B): Connects DMZ to Level 4. Rule set: allow IT-to-DMZ initiated traffic for specific services (e.g., historian queries, remote access VPN). Block all DMZ-to-IT initiated traffic by default.
  • Services hosted in the DMZ: OPC UA gateway (aggregation server), data historian read-only replica, patch management server, antivirus management, jump server (bastion host), remote access VPN gateway, NTP server, syslog collector.

Firewall Rule Patterns

Industrial firewall rules should follow the principle of least privilege. Common patterns include:

  • Explicit allow for specific protocols: Permit OPC UA (TCP 4840), Modbus TCP (502), PROFINET (TCP 34964, UDP 34964), EtherNet/IP (TCP 44818, UDP 2222) only between specific source-destination pairs. Use deep packet inspection (DPI) where available to validate protocol conformance.
  • Deny all else: A default-drop rule at the end of each firewall ACL ensures that unapproved traffic is blocked. This includes web browsing, email, DNS (except authorised), and ICMP from untrusted zones.
  • Stateful inspection: Enable stateful packet inspection to allow return traffic for established outbound connections while blocking unsolicited inbound connections.
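The Firewall A / Firewall B rule sets and the three rule patterns above can be expressed and checked in code. The following is an added example, not code from the article or from any firewall vendor: a small Python model of first-match evaluation with an implicit default-drop at the end of the ACL, a session table so that only return traffic of accepted connections is admitted, and a lint that flags allow rules broader than a specific source, destination and service. The subnets, the DMZ host addresses and the ports marked "assumed" are constructed for the illustration; OPC UA 4840 is the only port taken from the page's list.

```python
"""Added example (not code from the original article): a first-match,
default-deny, stateful rule evaluator for the Firewall A / Firewall B
policies, plus a least-privilege lint. Subnets, host addresses and the
ports marked 'assumed' are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed address plan (assumption): one /16 per Purdue level.
LEVEL4 = "10.4.0.0/16"       # corporate IT
LEVEL3 = "10.3.0.0/16"       # OT operations (MES, batch, LIMS)
LEVEL2 = "10.2.0.0/16"       # SCADA / HMI
DMZ_OPCUA = "10.35.0.10/32"  # OPC UA aggregation server
DMZ_HIST = "10.35.0.20/32"   # read-only historian replica
DMZ_JUMP = "10.35.0.30/32"   # jump host / bastion
DMZ_PATCH = "10.35.0.40/32"  # patch management server
DMZ_NTP = "10.35.0.50/32"    # NTP server
DMZ_VPN = "10.35.0.60/32"    # remote access VPN gateway


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR of the side that initiates the connection
    dst: str               # CIDR of the responding side
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"
    comment: str = ""

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and self.dport in (None, dport))


class StatefulFirewall:
    """First matching rule wins; no match falls through to the implicit
    default-drop. Accepted connections are remembered so that only their
    return traffic is admitted in the reverse direction."""

    def __init__(self, name: str, rules: List[Rule]):
        self.name, self.rules, self.sessions = name, rules, set()

    def connect(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Decision for a NEW connection attempt from src to dst."""
        for r in self.rules:
            if r.matches(src, dst, proto, dport):
                if r.action == "allow":
                    self.sessions.add((src, dst, proto, dport))
                return r.action
        return "deny"  # default-drop rule at the end of the ACL

    def reply_allowed(self, server: str, client: str, proto: str, service_port: int) -> bool:
        """Return traffic passes only for a session accepted in the initiating
        direction; unsolicited server-to-client traffic does not."""
        return (client, server, proto, service_port) in self.sessions


def lint_least_privilege(rules: List[Rule]) -> List[str]:
    """Flag allow rules that are broader than one address pair and one service."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if ip_network(r.src).prefixlen == 0 or ip_network(r.dst).prefixlen == 0:
            findings.append(f"{r.comment}: any-address allow")
        if r.proto == "any" or r.dport is None:
            findings.append(f"{r.comment}: any-service allow")
    return findings


def build_firewall_a() -> StatefulFirewall:
    """OT-facing firewall: OT initiates to DMZ services; the DMZ initiates
    toward OT only for management traffic (patching, bastion RDP)."""
    return StatefulFirewall("A", [
        Rule(LEVEL3, DMZ_OPCUA, "tcp", 4840, "allow", "OPC UA client to DMZ gateway"),
        Rule(LEVEL3, DMZ_HIST, "tcp", 5432, "allow", "historian replication (port assumed)"),
        Rule(LEVEL3, DMZ_NTP, "udp", 123, "allow", "NTP"),
        Rule(DMZ_PATCH, LEVEL3, "tcp", 8530, "allow", "patch deployment (port assumed)"),
        Rule(DMZ_JUMP, LEVEL3, "tcp", 3389, "allow", "RDP from bastion to Level 3"),
        Rule(DMZ_JUMP, LEVEL2, "tcp", 3389, "allow", "RDP from bastion to Level 2"),
    ])


def build_firewall_b() -> StatefulFirewall:
    """IT-facing firewall: IT initiates to a few DMZ services; nothing in the
    DMZ initiates toward IT (no rule, hence default deny)."""
    return StatefulFirewall("B", [
        Rule(LEVEL4, DMZ_HIST, "tcp", 443, "allow", "historian queries over HTTPS"),
        Rule(LEVEL4, DMZ_VPN, "udp", 1194, "allow", "remote access VPN (port assumed)"),
    ])


if __name__ == "__main__":
    fw_a, fw_b = build_firewall_a(), build_firewall_b()
    print(fw_a.connect("10.3.0.5", "10.35.0.10", "tcp", 4840))        # allow
    print(fw_a.reply_allowed("10.35.0.10", "10.3.0.5", "tcp", 4840))  # True
    print(fw_a.connect("10.35.0.10", "10.3.0.5", "tcp", 4840))        # deny (DMZ-initiated)
    print(fw_b.connect("10.4.0.9", "10.1.0.1", "tcp", 502))           # deny (no IT-to-OT rule)
    print(lint_least_privilege(fw_a.rules))                           # []
```

Note that the Level 4 attempt to reach a Level 1 address is denied by Firewall B simply because no rule matches; neither firewall needs an explicit "deny IT to OT" entry when the default-drop is in place.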

Jump Host / Bastion Host Deployment

A jump host (bastion host) provides a secured, audited gateway for remote access to OT devices. Architecture:

  • The jump host is deployed in the DMZ with two network interfaces: one facing the IT network (for incoming SSH/RDP from authorised administrators) and one facing the OT network (for outbound RDP/SSH to Level 2 and Level 3 hosts).
  • All administrative sessions are recorded (video or command log) and stored for forensic analysis.
  • Multi-factor authentication (MFA) is mandatory for jump host access.
  • The jump host runs a hardened OS with no unnecessary services. Security updates are applied from the DMZ patch server.

IEC 62443 Zones and Conduits

IEC 62443-3-2 introduces the concept of zones and conduits to complement the Purdue model:

  • Zone: A grouping of assets that share common security requirements (same criticality, same threat profile). Each Purdue level may be further divided into zones (e.g., a "Safety-Critical Zone" for SIL-rated controllers, a "Non-Critical Zone" for ancillary equipment).
  • Conduit: A communication path between zones. Conduits have defined security policies: authentication, encryption, access control lists, and intrusion detection. A physical firewall port is one type of conduit; a VPN tunnel is another.

The combination of Purdue levels (vertical segmentation) and IEC 62443 zones/conduits (horizontal segmentation within a level) provides defence-in-depth. For example, within Level 1, a conformance zone (critical process control) may be isolated from a legacy zone (older PLCs with unpatched firmware) using a conduit with strict ACLs.

Industrial DMZ Reference Architecture

A typical reference architecture for mid-to-large industrial facilities:

    IT / Corporate (Level 4)
           |
    [Firewall B — allow: HTTPS, VPN, SQL]
           |
    +-------- DMZ (Level 3.5) --------+
    | OPC UA GW | JumpHost | Patch    |
    | Historian | NTP     | AV Mgmt  |
    +---------------------------------+
           |
    [Firewall A — allow: OPC UA, historian collect, RDP from Jump]
           |
    OT Operations (Level 3) — MES, Batch, LIMS
           |
    [OT VLAN Firewall / ACL]
           |
    SCADA / HMI / Historian (Level 2)
           |
    [Control VLAN Firewall / ACL]
           |
    PLC / DCS / RTU (Level 1)
           |
    Field I/O / Instruments (Level 0)

This architecture ensures that a compromise at any level is contained and cannot directly reach adjacent levels without passing through a controlled firewall conduit.
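The containment claim above, and the zone/conduit model from the IEC 62443 section, can be verified against what actually crosses the network. The following is an added example, not code from the article: a Python audit that maps each endpoint of an observed flow to a Purdue level and IEC 62443 zone, then flags flows that bypass the DMZ, skip a level, or cross between two zones on the same level without an approved conduit. The address plan (one /16 per level, with a safety zone and a legacy zone carved out of Level 1), the conduit table and the flow log lines are all constructed for the illustration.

```python
"""Added example (not code from the original article): a Purdue / IEC 62443
flow audit that classifies observed connections against a zone model.
Address plan, zone names, conduits and flow records are constructed."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan (assumption): one /16 per Purdue level, with two
# IEC 62443 zones carved out of Level 1. Longest prefix wins on lookup.
ZONES = [
    ("L4-enterprise", "10.4.0.0/16", 4.0),
    ("L3.5-dmz", "10.35.0.0/16", 3.5),
    ("L3-operations", "10.3.0.0/16", 3.0),
    ("L2-supervisory", "10.2.0.0/16", 2.0),
    ("L1-control", "10.1.0.0/16", 1.0),
    ("L1-safety", "10.1.1.0/24", 1.0),   # SIL-rated controllers
    ("L1-legacy", "10.1.2.0/24", 1.0),   # older PLCs with unpatched firmware
]
ZONE_LEVEL = {name: level for name, _, level in ZONES}

# Approved conduits: (name, src_zone, dst_zone, proto, dport, src_cidr or None).
# A flow matching a conduit is accepted regardless of level distance.
CONDUITS = [
    ("jump-host-rdp", "L3.5-dmz", "L2-supervisory", "tcp", 3389, "10.35.0.30/32"),
    ("control-to-safety-opcua", "L1-control", "L1-safety", "tcp", 4840, None),
]


def zone_of(ip: str) -> Optional[str]:
    """Longest-prefix match of an address to a zone; None if outside the plan."""
    addr, best = ip_address(ip), None
    for name, cidr, _ in ZONES:
        net = ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


def conduit_for(src: str, sz: str, dz: str, proto: str, dport: int) -> Optional[str]:
    for name, csrc, cdst, cproto, cport, src_cidr in CONDUITS:
        if (sz, dz, proto, dport) != (csrc, cdst, cproto, cport):
            continue
        if src_cidr is None or ip_address(src) in ip_network(src_cidr):
            return name
    return None


def classify(src: str, dst: str, proto: str, dport: int) -> str:
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "review/unknown-endpoint"
    if sz == dz:
        return "ok/intra-zone"
    name = conduit_for(src, sz, dz, proto, dport)
    if name:
        return f"ok/conduit:{name}"
    ls, ld = ZONE_LEVEL[sz], ZONE_LEVEL[dz]
    # Level 4 may only talk to the DMZ: anything else bypasses both firewalls.
    if 4.0 in (ls, ld) and 3.5 not in (ls, ld):
        return "violation/bypasses-dmz"
    if ls == ld:
        return "violation/zone-crossing-without-conduit"
    if abs(ls - ld) <= 1.0:
        return "ok/adjacent-level"
    return "violation/level-skip"


# Constructed flow records (assumption): src,dst,proto,dport
FLOW_LOG = """\
src,dst,proto,dport
10.2.0.10,10.1.0.7,tcp,502
10.3.0.5,10.35.0.10,tcp,4840
10.4.0.20,10.1.0.7,tcp,502
10.4.0.20,10.3.0.5,tcp,1433
10.35.0.30,10.2.0.10,tcp,3389
10.35.0.40,10.2.0.10,tcp,3389
10.1.2.9,10.1.1.3,tcp,502
10.1.0.4,10.1.1.3,tcp,102
10.1.0.4,10.1.1.3,tcp,4840
10.3.0.5,10.1.0.7,tcp,502
192.168.1.1,10.1.0.7,tcp,502
"""


def audit(log_text: str) -> List[Tuple[str, str]]:
    """Classify every record after the header line; returns (record, verdict)."""
    results = []
    for line in log_text.strip().splitlines()[1:]:
        src, dst, proto, dport = line.split(",")
        results.append((line, classify(src, dst, proto, int(dport))))
    return results


if __name__ == "__main__":
    for record, verdict in audit(FLOW_LOG):
        print(f"{verdict:40} {record}")
```

Run against real flow telemetry (firewall logs, NetFlow, or a passive OT monitoring sensor), any "violation/" verdict is a conduit that exists on the wire but not in the design; the "review/unknown-endpoint" verdict catches addresses the zone model has never seen, which is usually a rogue or undocumented device.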

ASP OTOMASYON A.Ş. and its subsidiaries OPCTurkey and ASP Dijital provide end-to-end industrial engineering solutions for process automation, data operations and AI.


References & Further Reading

  1. ISA-95 / IEC 62264 — Enterprise-Control System Integration — International standard formalising the Purdue Enterprise Reference Architecture (PERA) functional hierarchy from Level 0 (field) to Level 5 (enterprise).
  2. IEC 62443-3-2 — Security Risk Assessment and System Design — International standard defining zones and conduits based on the Purdue model for industrial automation and control system security.
  3. NIST SP 800-82 Rev.2 — Guide to Industrial Control System (ICS) Security — Official NIST guide referencing the Purdue Model for network segmentation and security architecture in OT environments.
  4. ISA-99 / IEC 62443 — Industrial Automation and Control Systems Security — ISA standards committee responsible for the IEC 62443 series, including zones and conduits methodology for network segmentation.
  5. SANS — Implementing the Purdue Model for OT Network Segmentation — Authoritative technical guide providing practical implementation guidance for Purdue Model-based network architecture in industrial facilities.