Beyond the Purdue Model: ICS Security in Modern, Complex Network Architectures


For decades, the Purdue Enterprise Reference Architecture—more commonly known as the Purdue Model for ICS—has served as the framework for securing industrial control systems (ICS). This hierarchical workflow has been the go-to for organizations looking to visualize and implement robust network controls, particularly for “flat” or contained networks within operational technology (OT).

However, the digital landscape is changing. The rapid transformation of IT and OT, and the many complexities it brings, has forced organizations to rethink how they’re approaching cybersecurity. And while it remains a solid foundational element for protecting industrial networks, some CISOs are discovering that the Purdue Model is no longer a one-size-fits-all solution.

At its core, the Purdue Model provides a clear, layered approach to securing cyber-physical systems (CPS). It’s a guide for dividing an ICS network into a logical hierarchy of segmented networks and zones, as shown in the figure below.

Figure: Typical OT network
For organizations that have fully flat networks, where their IT and OT assets communicate without any segmentation, or those that are just starting their cybersecurity journey, the Purdue Model remains a viable option for network controls. The model helps asset owners clearly visualize how a DMZ implementation can effectively separate IT and OT segments.

How Modern Connectivity Challenges the Purdue Model

While the Purdue Model can be an excellent starting point for flat networks or less mature organizations, it struggles to keep up with more modern operational networks. Widespread connectivity of OT is making flat network architecture less and less common. Modern requirements for network architecture are rapidly changing the way organizations map out and segment networks, which can throw a wrench in the strict segmentation guidelines set by the Purdue Model. 

Some modern networking capabilities include:

Cloud Integration

Operational data is increasingly being sent to the cloud in order to produce advanced analytics, derive predictive maintenance, and enable enterprise-wide visibility. 

SaaS Services

Software-as-a-service (SaaS) offerings are now becoming more prevalent in OT, which also require additional secure connections to third-party vendors.

Third-party Access

To expand on the previous point, remote access is becoming a more common requirement for contractors, vendors, and other third parties that need network access to perform support, updates, and maintenance.

Security Tools

As the threat landscape expands, modern security tools that feed information to centralized platforms for threat detection are becoming less of an edge case and more commonplace. 

To meet critical business needs, new firewall rules and configurations must be implemented to support these diverse services and third-party connections. While necessary, these exceptions can inadvertently create pathways that compromise the strict segmentation the Purdue Model advocates, potentially undermining current security implementations if not managed carefully.

Moving Beyond Traditional Network Layers 

As modern networks evolve, security strategies have to follow suit. And while the core principles of network segmentation and management might remain largely intact, modern approaches that emphasize more granular controls must be explored. Here are some examples of how organizations can start down this path:

Microsegmentation

For new greenfield installations or significant network redesigns, microsegmentation offers a more granular and robust segmentation strategy. Instead of broad layers, microsegmentation allows for the creation of smaller, isolated security zones around individual assets or groups of assets.

For context, consider a factory floor where an attacker compromises a packing line PLC. In a loosely segmented network, this compromise could allow the attacker to move laterally across the entire facility. With microsegmentation, a breach of the packing line would be strictly contained, preventing a disruptive impact to critical production lines or other independent systems. This isn't about segmenting every single PLC, but rather segmenting by system or function with highly restrictive access controls.

Vendor Practices 

It's also important to acknowledge that many modern OT vendors are building solutions with cloud connectivity as a default. Their architectures may not inherently adhere to a strict Purdue Model layering, emphasizing the need for robust controls around these external connections.

Controlling Remote Services

Microsegmentation can also assist in controlling networks that require more connectivity to remote services. It allows security teams to make highly specific, context-aware security decisions for each defined service, including granular access controls and precise oversight of the connection itself. This shifts focus from broad network segments to specific communication flows and their associated risks.
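The two ideas above, zoning by system or function and allow-listing specific communication flows (including time-bounded vendor sessions), can be modeled as an explicit policy and then tested. The following is an added example, not Claroty code and not taken from this post; every asset name, zone, port and maintenance window in it is constructed for illustration. It compares the reach of a compromised packing-line PLC under a flat network with its reach under a zone allow-list, and evaluates a vendor remote-access flow against a per-service port and time window.

```python
"""
Zone-based microsegmentation policy checker (added example, constructed data).

Model:
  * every asset belongs to exactly one zone (zones are per system/function,
    not per PLC);
  * traffic inside a zone is permitted; traffic between zones is permitted
    only if an explicit Flow in the allow-list matches protocol, port and,
    for remote services, the maintenance window;
  * the "blast radius" of a compromised asset is every asset reachable by
    following allowed inter-zone flows transitively.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str                              # "tcp" or "udp"
    port: int
    service: str                            # business purpose of the flow
    window: Optional[Tuple[time, time]] = None  # (start, end) local time; None = always


# Constructed inventory: asset -> zone. Zones follow the production function.
SEGMENTED_ZONES = {
    "plc-packing-01": "packing",
    "plc-packing-02": "packing",
    "hmi-packing": "packing",
    "plc-filler-01": "filling",
    "plc-mixer-01": "mixing",
    "historian": "site-ops",
    "vendor-jump": "remote-access-dmz",
}

# A flat network for comparison: every asset sits in one big zone.
FLAT_ZONES = {asset: "plant" for asset in SEGMENTED_ZONES}

# Constructed allow-list. Anything not listed here is denied.
# 44818/tcp is the EtherNet/IP explicit-messaging port; the historian pulls
# tags from each line, and the vendor jump host may reach packing only
# during a business-hours maintenance window.
POLICY = [
    Flow("packing", "site-ops", "tcp", 44818, "historian-collection"),
    Flow("filling", "site-ops", "tcp", 44818, "historian-collection"),
    Flow("mixing", "site-ops", "tcp", 44818, "historian-collection"),
    Flow("remote-access-dmz", "packing", "tcp", 44818, "vendor-maintenance",
         window=(time(8, 0), time(17, 0))),
]

# Constructed sample timestamps used by the checks below.
DAYTIME = datetime(2024, 1, 8, 10, 0)
NIGHTTIME = datetime(2024, 1, 8, 22, 0)


def _in_window(flow: Flow, at: Optional[datetime]) -> bool:
    """A flow with no window is always open; a windowed flow needs a timestamp."""
    if flow.window is None:
        return True
    if at is None:
        return False
    start, end = flow.window
    return start <= at.time() <= end


def is_allowed(src_asset, dst_asset, proto, port, zone_map=SEGMENTED_ZONES,
               policy=POLICY, at=None) -> bool:
    """Return True if the policy permits src_asset -> dst_asset on proto/port."""
    src, dst = zone_map[src_asset], zone_map[dst_asset]
    if src == dst:
        return True  # the zone is the unit of isolation; intra-zone traffic passes
    return any(
        (f.src_zone, f.dst_zone, f.proto, f.port) == (src, dst, proto, port)
        and _in_window(f, at)
        for f in policy
    )


def blast_radius(asset, zone_map=SEGMENTED_ZONES, policy=POLICY) -> set:
    """Assets reachable from `asset` over allowed flows, followed transitively.
    Windows are ignored here so the result is the worst case."""
    start_zone = zone_map[asset]
    reached, frontier = {start_zone}, [start_zone]
    while frontier:
        zone = frontier.pop()
        for f in policy:
            if f.src_zone == zone and f.dst_zone not in reached:
                reached.add(f.dst_zone)
                frontier.append(f.dst_zone)
    return {a for a, z in zone_map.items() if z in reached and a != asset}


if __name__ == "__main__":
    print("flat reach:     ", sorted(blast_radius("plc-packing-01", FLAT_ZONES, [])))
    print("segmented reach:", sorted(blast_radius("plc-packing-01")))
    print("vendor 10:00 ->", is_allowed("vendor-jump", "plc-packing-01", "tcp", 44818, at=DAYTIME))
    print("vendor 22:00 ->", is_allowed("vendor-jump", "plc-packing-01", "tcp", 44818, at=NIGHTTIME))
```

Run stand-alone, the flat model shows the packing PLC able to reach all six other assets, while the zone allow-list limits it to its own packing zone plus the historian it is explicitly allowed to talk to; the vendor jump host reaches the packing PLC only on the listed port and only inside the maintenance window. Running this kind of check against the real firewall rule base whenever an exception is added is one practical way to catch the accidental pathways the post warns about.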

Supporting Your Cybersecurity Journey

Make no mistake: The digital transformation that’s affecting so many OT and IT networks is showing no signs of slowing down. As a result, traditional network architecture approaches such as the Purdue Model are finding themselves at a crossroads as industrial networks continue to become more and more complex. 

At the same time, threats are continuing to proliferate. Threat actors, including those sponsored by or acting on behalf of a nation-state, are threatening the availability and safety of critical systems and asset operators. This necessitates finding the right vendor for addressing both the right network architecture and security strategy.

With a diverse portfolio of offerings tailor-made to fit almost any environment, Claroty is uniquely equipped to handle your organization’s evolving needs. Claroty can support organizations in maintaining strong network controls within established Purdue Model deployments, helping to visualize traffic flows and enforce boundaries. But crucially, Claroty can also equip you to take the next step beyond the traditional model, providing the granular insights and control necessary for secure microsegmentation and managing complex cloud-connected environments. With Claroty, you can confidently navigate the evolving OT threat landscape, securing your operations both today and into the future. 

To learn more about the Claroty Platform, request a demo.
