Purdue Model for ICS Security

Network segmentation is an effective tool for improving the security of companies with IT and OT networks. The Purdue Reference Model, as adopted by ISA-99, is a model for Industrial Control System (ICS) network segmentation that defines six layers within these networks, the components found in the layers, and logical network boundary controls for securing these networks.


What is the Purdue Model for ICS Security?

Developed in the 1990s, the Purdue Reference Model, part of the Purdue Enterprise Reference Architecture (PERA), is a reference data flow model for Computer-Integrated Manufacturing (CIM), i.e., using computers to control the entire production process.


The Purdue Reference Model, “95,” provides a model for enterprises in which end users, integrators, and vendors can collaborate in integrating applications at key layers of the enterprise network and process infrastructure.


The Purdue Reference Model was adopted by ISA-99 and used as a concept model for ICS network segmentation. It shows the interconnections and interdependencies of all of the main components of a typical Industrial Control System (ICS), dividing the ICS architecture into two zones – Information Technology (IT) and Operational Technology (OT) – and subdividing these zones into six levels starting at level 0.


At the base of the Purdue model is the OT, the systems used in critical infrastructures and manufacturing to monitor and control physical equipment and operational processes. In the Purdue Model, this is separate from the IT zone, which can be found at the top of the model. In between, we find a DMZ to separate and control access between the IT and OT zones. Within the zones, we find separate layers describing the industrial control components found in each layer, including:


  • Level 0: Level 0 includes the physical components that build products. Level 0 devices include motors, pumps, sensors, valves, etc.
  • Level 1: Level 1 is composed of systems that monitor and send commands to the devices at Level 0. Examples include Programmable Logic Controllers (PLCs), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs).
  • Level 2: At Level 2 are devices that control the overall processes within the system. For example, human-machine interfaces (HMIs) and SCADA software enable humans to monitor and manage the process.
  • Level 3: Level 3 supports management of production workflows. Examples include batch management, manufacturing operations management/manufacturing execution systems (MOMS/MES), and data historians.
  • Industrial DMZ (iDMZ) Zone: The iDMZ creates a barrier between the IT and OT networks. Solutions like jump boxes can provide limited access to ICS systems from IT environments, but this buffer can also help prevent infections within the IT environment from spreading to OT systems and vice versa.
  • Level 4: At Level 4, systems like Enterprise Resource Planning (ERP) software, databases, email servers and other systems manage the logistics of the manufacturing operations and provide communications and data storage.
  • Level 5: Level 5 is the enterprise network. While not an ICS environment, this network collects data from ICS systems for business decisions.

Is the Purdue Reference Model Still Relevant?

Is a model that was initially developed in the 1990s still relevant for securing ICS networks? What’s relevant and what is not for OT security today? The answer is: it depends. How much of your OT network still uses the technology described in the model? Are you now using newer systems that are Industrial Internet of Things (IIoT) devices?


One advantage of the Purdue model is its hierarchy. System components are clearly defined and components are grouped into distinct layers. Borders between the layers are logical places for network segmentation to control access between the layers. The model may not exactly fit your current OT network but is still a good starting point for securing an OT network.


One challenge for the traditional Purdue Reference Model is IIoT devices. Modern ICS networks are becoming more digitally connected, and the border between IT and OT may not be as distinct as it used to be.


Instead of the 6 layers in the Purdue model, IIoT environments may have a 3-component architecture, e.g., devices, field or cloud gateways, and a services backend. At the edge, IIoT devices may be wirelessly connected to the network and to a control hub or a field or cloud gateway. Field and cloud gateways are connected to backend services, running on-premises or in the cloud, that manage, monitor, and analyze IIoT data and provide an interface for remote user management access.


The Purdue model may not match an IIoT network architecture. However, its layered approach can still be used to create a similar hierarchical topology to secure today’s ICS. See IoT Security Architecture for more information.

The Need for Zero Trust in ICS

ICS network operators are focused on delivering products, so uptime and availability may be more important than security. However, cyberattacks such as Stuxnet in 2010 and, more recently, the ransomware attacks on critical infrastructures are raising awareness of the risks of cyber threats to OT and ICS.


In addition to availability and uptime concerns, another challenge to securing ICS networks is the inherent lack of security in both legacy and newer IIoT devices. These products and the protocols that they use may not be secure by design. They may lack basic security features such as encrypted transport, have lax or no access controls, and may be running on vulnerable operating systems that have not been patched.


A zero trust security model can help. A zero trust approach to security starts with zero trust for anything inside or outside of the perimeter. Cyber threat defense is not limited to creating a strong perimeter defense. Once threats have made their way inside an organization, internal protections are needed to prevent their lateral movement. Security must verify anything and everything trying to connect to its systems before granting access.


With zero trust, perimeter defenses are replaced with micro-segmented borders around data and assets. In complex ICS environments with thousands of devices, implementing zero trust can help create a security overlay to secure vulnerable legacy and IIoT devices and systems.

Check Point ICS Security Solution

Check Point secures ICS systems by applying a zero trust approach to allow least privileged access controls across zone boundaries like the layers defined in the Purdue model for securing ICS. This approach allows security to be applied without impacting OT operations.


Transitioning to zero trust starts with working in concert with ICS discovery vendors to find and categorize assets by manufacturer, function, network protocol usage, and cyber threat risk. Obtaining a behavioral baseline of normal ICS asset communications enables the detection of anomalies.


Segment the IT network from the OT network to prevent lateral movement and lateral infection. This includes:


  • Monitoring east-west communication between ICS assets.
  • Applying granular security rules to control traffic across zones based on device attributes, risks, and OT protocols.
  • Creating security rules that ensure systems use only communication protocols they were designed to use and that are based on the dynamic grouping of devices.
  • Allowing only secure remote access to ICS assets and OT networks.
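
The zone rules above can be checked against recorded traffic. The following is an added example, not Check Point code and not part of the original page: it audits constructed flow records against a constructed asset inventory and behavioral baseline, encoding the iDMZ as level 3.5; the asset names, protocol sets, and the `audit` function are assumptions made for illustration.

```python
from typing import NamedTuple

IDMZ = 3.5  # assumption: encode the iDMZ between Level 3 (OT) and Level 4 (IT)

# Constructed inventory: asset -> (Purdue level, protocols it was designed to use)
ASSETS = {
    "plc-01": (1, {"modbus"}),
    "hmi-01": (2, {"modbus", "opcua"}),
    "historian-01": (3, {"opcua", "sql"}),
    "jump-01": (IDMZ, {"rdp", "sql"}),
    "erp-01": (4, {"sql", "https", "rdp"}),
}

# Constructed behavioral baseline of normal (src, dst, protocol) communications
BASELINE = {
    ("hmi-01", "plc-01", "modbus"),
    ("historian-01", "hmi-01", "opcua"),
    ("erp-01", "jump-01", "rdp"),
}

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str

def zone(level):
    return "iDMZ" if level == IDMZ else ("OT" if level < IDMZ else "IT")

def audit(flow):
    """Return the policy findings for one flow; an empty list means allowed."""
    unknown = [a for a in (flow.src, flow.dst) if a not in ASSETS]
    if unknown:  # undiscovered assets cannot be placed in a zone at all
        return [f"unknown asset: {a}" for a in unknown]
    (s_lvl, s_protos), (d_lvl, d_protos) = ASSETS[flow.src], ASSETS[flow.dst]
    findings = []
    if {zone(s_lvl), zone(d_lvl)} == {"IT", "OT"}:  # must terminate in the iDMZ
        findings.append("IT/OT flow bypasses iDMZ")
    if flow.proto not in s_protos & d_protos:
        findings.append(f"protocol {flow.proto} not designed for both endpoints")
    if tuple(flow) not in BASELINE:
        findings.append("not in behavioral baseline")
    return findings

if __name__ == "__main__":  # constructed flow records
    for f in (Flow("hmi-01", "plc-01", "modbus"), Flow("erp-01", "plc-01", "modbus"),
              Flow("historian-01", "hmi-01", "sql"), Flow("laptop-77", "plc-01", "modbus")):
        print(f, "->", audit(f) or "allowed")
```
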


Take steps to prevent threats to vulnerable systems and devices. With Check Point, organizations can virtually patch OT devices running unpatched firmware and legacy operating systems against known exploits without the need to physically patch them.


Finally, apply advanced threat prevention in IT networks such as sandboxing and anti-phishing.

Also, deploy endpoint anti-ransomware and EDR solutions to prevent sophisticated and targeted ransomware attacks. These solutions automatically restore files after ransomware file encryption attempts and monitor the full attack process to protect endpoint and user devices.


In short, by securing both IT and OT networks, you prevent lateral movement from IT to OT and vice versa. To learn more, we invite you to ask for an ICS security demo.
