Threat Modeling Using the Purdue Model for ICS Security

By admin
December 1, 2022
Threat Modeling Using the Purdue Model for ICS Security

or organizations today, it’s essential to use the right threat modeling methodology for network defense and risk management. The Purdue Model for ICS (Industrial Control Systems) Security is a great solution for threat modeling. Threat modeling for ICS security is a challenging task. As a solution, the Purdue Common Model for ICS Security provides structure, but it’s important to understand its implementation.

This article aims to define and clarify the Purdue model for securing ICS from modern cyber threats.

What Is the Purdue Model for ICS Security?

The perdue model

The Purdue industrial control system (ICS) security model is a segmented approach to protecting physical processes, supervisory controls and operations, sensors, and logistics. Despite the rise of edge computing and direct-to-cloud connectivity, the ICS network segmentation model remains a crucial framework for protecting operational technology (OT) from attacks like malware.

Industrial Control System (ICS) security has a lot to consider. Security professionals have to put processes and procedures in place based on the general risks involved in the industry. However, it is recommended that organizations specializing in ICS security should implement best practices as outlined by NSA and CISA for the Purdue Model for ICS Security.

The model is a reference model for manufacturing data flows. As part of the Purdue Enterprise Reference Architecture (PERA), it helps organizations more efficiently transition to completely automated processes.

It maintains a hierarchical flow of data throughout interconnected layers of the network. Six zones isolate ICS/OT from industrial technology (IT) systems, enabling improved access controls. Today the model is the standard for ICS network architecture that supports OT security.

Breaking Down the Zones of the Purdue Model

The OT system resides at the lower levels of the model, and the IT system takes up the higher levels. The systems interact in a “demilitarized zone” (DMZ).

Let’s examine each zone of the Purdue reference model:

Enterprise Zone: Levels 4 and 5

This is where you’ll find the IT network. These levels include storage, databases, and servers used to run manufacturing operations. In this zone, enterprise resource planning (ERP) systems control inventory levels, shipping, plant production schedules, and material use. Disruptions at this location can lead to extended downtime, which can cause damage to the economy, infrastructure failure, and loss of critical resources.

Demilitarized Zone (DMZ): Level 3.5

Here you find security systems like proxies and firewalls. They protect against attacks on both the OT and IT environments. With increased automation and the need for bidirectional data flow between IT and OT systems, organizations can have new cybersecurity vulnerabilities in their system. However, the convergence layer can help mitigate this risk and increase organizational efficiency.

Manufacturing Operations Systems Zone: Level 3

Here you find OT devices that manage workflows on the shop floor. Manufacturing operations management (MOM) systems provide a platform for companies to manage their production operations, while manufacturing execution systems collect real-time data. This can then be used to optimize production.

Also on this level are data historians, which collect and store process data and conduct a contextual analysis.

Disruptions at Levels 4 and 5 can lead to economic damage, infrastructure failures, and revenue loss.

Control Systems Zone: Level 2

On this level, you’ll find systems that control physical processes and monitor their status. These include supervisory control and data acquisition (SCADA) software that monitors physical processes. The software collects this data and sends it to historians or other users.

Distributed control systems (DCS) are on this level, and they perform SCADA functions locally. These systems are less expensive than other methods of implementing SCADA. Finally, human-machine interfaces connect directly to DCSs and PLCs. This allows for primary equipment control and monitoring.

Intelligent Devices Zone: Level 1

This level contains instruments that transmit instructions to the devices at Level 0. These include programmable logic controllers (PLCs) that help monitor automated or human input in industrial processes and adjust output. And remote terminal units (RTUs) that connect hardware in Level 0 to systems in Level 2. This provides a reliable conduit for data to pass from one level to another.

Physical Process Zone: Level 0

Here you’ll find sensors, actuators, and other machinery that monitor the assembly line’s condition and suggest adjustments in real-time. Many modern sensors use cellular networks to communicate directly with monitoring software in the cloud.

How the Purdue Model Applies Today

Since it was introduced by the Purdue University Consortium in the 1990s, the Purdue model has been used as an information hierarchy for CIM.

At that time, few other models had outlined a straightforward way to organize CIM. Today, with IT and OT networks integrated through the industrial internet of things (IIoT), it would be reasonable to doubt if the Purdue model applies to modern ICS networks.

For example, its data segmentation framework is irrelevant, as Level 0 data is sent directly to the cloud. But it isn’t time to throw out this model just yet.

One advantage of the Purdue model that makes it still relevant today is its hierarchical structure. The model divides system components into distinct layers and clearly defines each component. Network segmentation is a logical way to control access between the layers in an OT network. Although the model won’t necessarily fit your current OT network, it still presents a good starting point for securing such a network.

As new cybersecurity risks continually emerge, methods that have proven to be effective — even if they don’t perfectly match today’s systems — continue to have value. The Purdue model is a worthy asset to keep in your arsenal of cybersecurity tools.

Final Thoughts

Segmenting an OT network into layers allows you to control access between the layers. The model may not fit your current OT network exactly, but starting from the model is still an excellent way to secure an OT network.

While historically the Purdue model has been used to secure ICS technology, as more of these systems have been connected to the internet they have become less resistant to intrusion.

At Sectrio, we provide a service that helps fill the gaps in the Purdue model opened by internet traffic and enables the processing of large amounts of data collected by IIoT devices.

We are giving away threat intelligence for free for the next 2 weeks. Find out how you can sign up and try out our threat intelligence feeds

Defence in depth without contextual threat intelligence is an unlit alley 1
Threat Modeling Using the Purdue Model for ICS Security – Sectrio

Find out what is lurking in your network. Go for a comprehensive 3-layer threat assessment now

Comprehensive Asset Discovery with Vulnerability and Threat Assessment 1200 Ă— 630px
Comprehensive Asset Discovery with Vulnerability and Threat Assessment See our IoT and OT Security solution in action through a free demo

Key Points

Get the latest news and insights beamed directly to you


Key Points

Get the latest news and insights beamed directly to you


Threat Modeling Using the Purdue Model for ICS Security

Read More

Protecting your critical assets is only a few steps away

Scroll to Top