Mike Holcomb’s Post


Helping You Secure ICS/OT | Fellow, ICS/OT Cybersecurity Global Lead

What the heck is... the Purdue Model in ICS/OT cyber security?

The Purdue Model is often where cyber security starts at an ICS/OT site. The model was designed as a structured and layered approach to describing how OT interacts with IT, which can then in turn be used as a starter for cyber security. It focuses on functional segmentation, very much like network segmentation works in IT networks, as the primary way of breaking up the ICS/OT environment into logical levels. Between some, if not all, of these levels, the asset owners and operators can place firewalls to restrict which traffic is allowed to flow in and out of each level. By restricting network traffic, we can make the environment much more challenging, though not impossible, for cyber attackers to move through. The more difficult we make life for the attackers in the ICS/OT network, the more opportunity we have to detect their activity and respond appropriately.

The Purdue Model separates the ICS/OT network into seven levels (starting from the top):

Level 4 & 5: IT Enterprise Network
The top two levels represent the IT network. While there can be some technical differences between the two, these are almost always treated as a single level.

Level 3.5: OT/IT DMZ
Like a traditional IT DMZ that many might be familiar with, this level acts as a secure border between the OT and the IT networks.

Level 3: Site Operations
In larger environments, you could have multiple areas under supervisory control (see Level 2). When multiple systems of systems exist within the entire site, all roll up to be monitored and controlled as a single entity. This level can also be responsible for collecting all of the relevant process data within the site to provide to the business in the IT network.

Level 2: Supervisory Control
This level allows those responsible for operating and maintaining a portion of the facility, such as a particular process, to monitor how the control systems are running in that particular section and to make adjustments as necessary.

Level 1: Basic Control
This is where we see the control systems which act as a gateway or translator between the digital and physical worlds. For example, here is where we have the Programmable Logic Controller (PLC) that has a network connection to receive instructions and at the same time is hardwired into the physical equipment, such as a combustion chamber.

Level 0: Process
At the lowest level, this is where field devices and equipment implement the processes which control physical activity in the real world. For example, in a power plant, this is where we would ignite a combustion chamber to spin a turbine and in turn spin a generator.

Any other thoughts on what the Purdue Model includes or offers from a cyber security perspective?

#CyberSecurity #Power #Safety #Petrochemical #Refinery #Cyber #UtilsSec #ICSSecurity #OTSecurity #Technology #Engineering #Rail

Mike Holcomb

Helping You Secure ICS/OT | Fellow, ICS/OT Cybersecurity Global Lead

9mo

One thing to consider is that the Purdue Model is often seen just as a starting point. Additional segmentation can be done using the concept of zones and conduits outlined in ISA 62443.
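The inter-level firewall idea in the post and the zones-and-conduits refinement in this comment, as an added worked example (this is illustration code, not code from the post, from the commenters, or from ISA/IEC 62443). It models each Purdue level as a position in a fixed order, places zones within levels, and allows a flow only when (1) it does not skip a level, so anything from the enterprise must terminate in the Level 3.5 DMZ, and (2) an explicit conduit permits that protocol between exactly those two zones, which is what lets two zones in the same level (two process units) stay isolated from each other. The zone names, conduits, and sample flows are constructed for the example.

```python
"""Toy Purdue-level / zone-and-conduit flow checker (added illustration).

Rules enforced, mirroring what the inter-level firewalls are meant to do:
  1. a flow may only cross between adjacent Purdue levels, so traffic from
     the enterprise (Level 4/5) must stop in the DMZ (Level 3.5) and can
     never reach site operations or below directly;
  2. deny by default: even between adjacent levels, or within one level, a
     flow is allowed only if a conduit exists between those two zones and
     lists that protocol (zones are finer-grained than levels).
All zone names, conduits and flows below are constructed for the example.
"""
from dataclasses import dataclass

# Purdue levels from the post; Levels 4 and 5 are treated as one level.
LEVEL_ORDER = [0.0, 1.0, 2.0, 3.0, 3.5, 4.0]


@dataclass(frozen=True)
class Zone:
    name: str
    level: float  # Purdue level this zone sits in


@dataclass(frozen=True)
class Conduit:
    src: str               # zone that initiates the connection
    dst: str               # zone that accepts it
    protocols: frozenset   # protocols the boundary firewall permits


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    protocol: str


def check_flow(zones, conduits, flow):
    """Return None if the flow is allowed, otherwise a short reason string."""
    if flow.src not in zones or flow.dst not in zones:
        return "unknown zone"
    s, d = zones[flow.src].level, zones[flow.dst].level
    # Rule 1: adjacent levels only (an index distance of 1 in LEVEL_ORDER).
    if s != d and abs(LEVEL_ORDER.index(s) - LEVEL_ORDER.index(d)) != 1:
        return f"skips levels ({s} -> {d})"
    # Rule 2: an explicit conduit between these two zones must permit the protocol.
    for c in conduits:
        if c.src == flow.src and c.dst == flow.dst:
            if flow.protocol in c.protocols:
                return None
            return f"protocol {flow.protocol} not permitted on conduit"
    return "no conduit between zones"


def evaluate(zones, conduits, flows):
    """Evaluate a batch of flows; returns a list of (flow, verdict) pairs."""
    return [(f, check_flow(zones, conduits, f)) for f in flows]


# --- constructed example architecture (hypothetical site) -----------------
ZONES = {z.name: z for z in [
    Zone("enterprise", 4.0),
    Zone("dmz", 3.5),
    Zone("site-ops", 3.0),
    Zone("unitA-supervisory", 2.0),
    Zone("unitB-supervisory", 2.0),
    Zone("unitA-plc", 1.0),
    Zone("unitB-plc", 1.0),
]}

CONDUITS = [
    Conduit("enterprise", "dmz", frozenset({"https"})),
    Conduit("site-ops", "dmz", frozenset({"https"})),  # OT pushes data up to the DMZ
    Conduit("unitA-supervisory", "site-ops", frozenset({"opcua"})),
    Conduit("unitB-supervisory", "site-ops", frozenset({"opcua"})),
    Conduit("unitA-supervisory", "unitA-plc", frozenset({"modbus"})),
    Conduit("unitB-supervisory", "unitB-plc", frozenset({"modbus"})),
]

# Constructed flows: some legitimate, some the kind an attacker pivoting
# from the IT network would attempt.
SAMPLE_FLOWS = [
    Flow("enterprise", "dmz", "https"),                    # allowed
    Flow("enterprise", "site-ops", "https"),               # skips the DMZ
    Flow("enterprise", "unitA-plc", "modbus"),             # skips several levels
    Flow("unitA-supervisory", "unitA-plc", "modbus"),      # allowed
    Flow("unitA-supervisory", "unitA-plc", "ssh"),         # wrong protocol
    Flow("unitA-supervisory", "unitB-plc", "modbus"),      # adjacent levels, no conduit
    Flow("unitA-supervisory", "unitB-supervisory", "smb"), # same level, no conduit
]

if __name__ == "__main__":
    for flow, verdict in evaluate(ZONES, CONDUITS, SAMPLE_FLOWS):
        status = "ALLOW" if verdict is None else "DENY: " + verdict
        print(f"{flow.src:>18} -> {flow.dst:<18} {flow.protocol:<7} {status}")
```

Running the block prints a verdict per flow; only the enterprise-to-DMZ and supervisory-to-own-PLC flows pass. The lateral flow between the two Level 2 zones is denied even though no level boundary is crossed, which is the point Gordon makes below: the levels tell you where a firewall goes, the zone analysis tells you what it should allow.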

Gordon Powell

OT Cyber Security Principal Consultant at Jacobs Engineering (BIAF)

9mo

Mike, the Purdue Model is a functional model. Its origin has nothing to do with cyber. It was adopted for cyber, but not as a "zone" model. It is used to define the functional layers where different methods and tools would be used. You don't just use IT-type tools down at the lower layers! The DMZ was added much later on as it evolved towards a cyber model. "Additional segmentation can be done using the concept of zones and conduits outlined in ISA 62443." The layers aren't intended to define a zone in and of themselves. Anyone who doesn't break down the layers into discrete security zones based on analysis ought not to be playing in this realm!

Puneet Tambi

OT Security Architect | Thought Leadership | Growth Mentor & Strategist | SCADA/ICS Security | OT Solution Architect | Industrial Networking | SCADA | CEH | Sec+ | PGDBM-Emeritus Scholar | Views are Personal !

9mo

The Purdue Model serves as a fundamental framework for delineating the functional aspects of Operational Technology (OT) and aids in establishing a multi-layered defense strategy to safeguard OT infrastructures from potential threats that may arise from enterprise connectivity. Moreover, individuals have the flexibility to design their own segregation, segmentation and zone setup within any architecture, taking into account specific functional and application needs. This approach enables the creation of a robust defense in depth, leveraging the Purdue Model as a guide while allowing for customization as required, without rigid adherence.

Luis M P.

Cyber Seas Sorcerer 🧙♂️ & Director, Operational Technology Security | CISSP, CCSP, GRID, ITIL

9mo

My long-story-short version of the model is to introduce it as a hierarchical framework used in ICS and OT to help people understand the different layers of a control system. Each level has its distinct functions, from controlling physical machinery to managing business-related processes, and from the security perspective the model aids in isolating different layers, which is crucial for preventing potential cyber threats from spreading throughout the entire network; i.e., a threat that infiltrates the enterprise network should be isolated and prevented from reaching the lower levels that control the physical processes. I like your post, thanks for the contribution.

Venkatesh S

Manager-Instrumentation-LAB Plant

9mo

Explained in a crisp manner and easy to understand the things which are in the OT environment. As highlighted, the technical controls of firewalls/switches should be more stringent. What about the domain controller role in Level 3.5 in order to control user access?

Robert LaRocco

Seasoned Software Sales Executive | 20+ Years of Empowering Enterprises with Cutting-Edge Solutions | Spearheading Innovation & Security at Check Point

9mo

Great post! Mike Holcomb - The Purdue Model is a fundamental framework in ICS/OT cybersecurity. It provides a layered approach to network segmentation, enhancing control over traffic and creating multiple lines of defense. This makes it significantly more challenging for potential threats to navigate and compromise the system. The model's focus on protecting Levels 3 to 0 - encompassing site operations, supervisory control, basic control, and the process level - is particularly crucial. These levels are where the digital meets the physical, making them vital to operational integrity. At TXOne Networks, we recognize the importance of this model and align our solutions to enhance its effectiveness. Our aim is to fortify these critical layers, thereby contributing to the resilience and security of ICS/OT environments.

Armando S.

CC |COO|Intel Community Cyber Consultant|Cyber & AI Innovation advisor|Prompt Engineering | Founder|Executive Board Member|featured on ABC News|CNBC|Contributor to HBO Cyber Documentary - My personal account

9mo

The forgotten model by those that focus only on IT. Just discussed the model the other day with a bunch of students who were not familiar with it in a lecture I did for a university. You are a bastion of knowledge. I cannot wait to see you in person in a few months. The asset owners and subject matter experts are starting to pour in. I hope you speak Portuguese and Spanish ;😀, as we have a growing list of international experts and asset owners headed to ICS Miami. Keep up the excellent work Mike Holcomb.

Jamison Utter

Thought Leader | Trusted Advisor | Experienced Consultant | Veteran Mentor

9mo

Bradford Hegrat what’s Purdue = dead

Marek Juszczak

Automation & Control Systems Engineer, BSc, MEng, IEng MIET

9mo

Thanks Mike for this post, it is very interesting. In the picture, boundaries are marked in red. It could be difficult or impossible to separate L0 from L2 where communication could use serial data protocols and/or require communication in both directions. Any advice on how to isolate L2 from L1 when using instruments or IIoT that require two-way comms? Does that make sense at all? As an example, there could be a wireless mesh-structured network of IIoT controllers placed in L1, monitored and controlled from a panel and database placed in L2. Should I search for the answer in 62443?
