The Purdue Enterprise Reference Architecture (PERA), commonly called the Purdue Model, defines a strict hierarchical framework of six logical levels (0 through 5) that partition industrial networks. Level 0 represents physical processes like actuators and sensors, while Level 1 contains basic control devices such as Programmable Logic Controllers (PLCs). Level 2 encompasses supervisory systems including SCADA and HMI panels that manage localized production workflows.
Glossary
Purdue Model

What is the Purdue Model?
The Purdue Model is a reference architecture for industrial control system (ICS) security that segments the network into hierarchical levels, from physical processes to the enterprise demilitarized zone (DMZ).
The architecture mandates unidirectional data flow from lower to higher levels, with a critical Industrial Demilitarized Zone (IDMZ) separating Operational Technology (OT) at Levels 0-3 from Information Technology (IT) at Levels 4-5. This segmentation enforces the principle that enterprise systems like ERP and MES can never directly command physical processes, creating a foundational security boundary that aligns with the ISA-95 standard for control system integration.
The Six Levels of the Purdue Model
A reference architecture segmenting industrial control system networks into six hierarchical levels, from physical processes to the enterprise demilitarized zone.
| Level | Name | Function | Typical Devices | Data Flow |
|---|---|---|---|---|
Level 0 | Physical Process | Sensing and actuation of the physical world | Sensors, actuators, motors, valves, transmitters | Raw analog/digital signals to Level 1 |
Level 1 | Basic Control | Real-time control and data acquisition from physical devices | PLCs, RTUs, VFDs, safety instrumented systems | Deterministic control signals to Level 0; process data to Level 2 |
Level 2 | Area Supervisory Control | Supervisory monitoring and operator control of a defined physical area | HMIs, SCADA servers, operator workstations, engineering stations | Aggregated area data to Level 3; operator commands to Level 1 |
Level 3 | Site Manufacturing Operations | Site-wide production management, scheduling, and workflow execution | MES, batch management, historian servers, OPC UA gateways | Production orders from Level 4; site KPIs and batch records to Level 4 |
Level 4 | Business Logistics | Enterprise-level planning, logistics, and supply chain management | ERP, CRM, PLM, data warehouses, business intelligence tools | Production schedules to Level 3; inventory and cost data from Level 3 |
Level 5 | Enterprise Demilitarized Zone | Secure boundary between enterprise and external networks | Firewalls, reverse proxies, jump servers, VPN concentrators | Filtered external access; no direct OT-to-internet connectivity |
Core Principles of the Purdue Model
The Purdue Enterprise Reference Architecture (PERA), commonly known as the Purdue Model, is the definitive framework for segmenting Industrial Control System (ICS) networks into hierarchical levels. It establishes a logical separation between operational technology (OT) and information technology (IT) domains to enforce security boundaries and manage data flow from physical processes to the enterprise cloud.
Hierarchical Level Segmentation
The model partitions the industrial network into six distinct levels (0 through 5), with a critical air-gapped or firewalled DMZ separating the OT domain (Levels 0-3) from the IT domain (Levels 4-5). This segmentation ensures that a compromise in the corporate network cannot directly propagate to safety-critical physical controllers.
- Level 0: Physical process (sensors, actuators, motors)
- Level 1: Basic control (PLCs, RTUs, VFDs)
- Level 2: Area supervisory control (HMI, SCADA)
- Level 3: Site manufacturing operations (MES, Historian)
- Level 3.5: Industrial Demilitarized Zone (IDMZ)
- Level 4: Business logistics (ERP, CRM)
- Level 5: Enterprise network (Cloud, Internet)
The Industrial Demilitarized Zone (IDMZ)
Level 3.5, the IDMZ, acts as a buffer zone between OT and IT. No direct communication is permitted between Level 4/5 and Level 0-3. All data exchange must terminate in the IDMZ using intermediary servers and reverse proxies. This prevents external actors from establishing direct TCP sessions with PLCs.
- Core Function: Breaks direct IP routing between IT and OT
- Key Services: Patch management servers, AV servers, remote jump hosts, and mirrored historians
- Security Posture: Implements strict ingress/egress filtering and deep packet inspection
Data Flow Directionality
The Purdue Model enforces a unidirectional data flow principle. Data originates at the physical process (Level 0) and flows upward through aggregation and contextualization layers to the enterprise (Level 4/5). Control commands flow downward but must traverse strict authorization checkpoints at each boundary.
- Southbound: Control commands (high risk, heavily restricted)
- Northbound: Telemetry and status data (low risk, continuous streaming)
- Enforcement: Physical data diodes are often deployed between Level 3 and Level 4 to guarantee unidirectional traffic for the most critical assets
Security Zone and Conduit Model
The Purdue Model is intrinsically linked to the IEC 62443 cybersecurity standard. Each Purdue Level is treated as a distinct security zone with specific risk profiles and protection requirements. Conduits are the controlled communication channels between zones.
- Zone Properties: Each zone has defined security policies, asset inventories, and risk assessments
- Conduit Controls: Firewalls, intrusion detection systems (IDS), and application-layer gateways manage traffic between zones
- Critical Rule: A conduit connecting a high-security zone (Level 0) to a lower-security zone (Level 3) must never allow the lower zone to initiate a connection
Evolution to Software-Defined Perimeters
While the physical Purdue Model remains foundational, modern Software-Defined Manufacturing is evolving it into a logical architecture. Virtualized controllers and edge computing nodes collapse traditional hardware layers, requiring micro-segmentation and identity-aware proxies to enforce the same hierarchical security principles in software.
- Challenge: Virtual PLCs at the edge blur the lines between Level 1 and Level 2
- Solution: Policy-driven network overlays that enforce Purdue-level security zones based on device identity and application fingerprint, not just IP address
- Outcome: A dynamic, zero-trust Purdue Model that adapts to containerized workloads and cloud-based SCADA
Frequently Asked Questions
Clear, technically precise answers to the most common questions about the Purdue Enterprise Reference Architecture, its levels, and its role in modern industrial cybersecurity.
The Purdue Enterprise Reference Architecture (PERA) is a structural framework that segments industrial control system (ICS) networks into hierarchical, functional levels to enforce security boundaries. It works by defining six distinct levels—from Level 0 (physical process) through Level 5 (enterprise demilitarized zone)—and mandating that data flows only between adjacent levels through controlled conduits. This creates a defense-in-depth posture where a compromise at the enterprise IT layer cannot directly pivot to safety-critical controllers. The model is formally documented in the ISA-95 / IEC 62264 international standards, which map the Purdue levels to specific equipment, activities, and data exchange requirements. In practice, firewalls, industrial demilitarized zones (IDMZs), and unidirectional gateways enforce the segmentation, ensuring that manufacturing execution systems (MES) at Level 3 are isolated from business networks at Level 4.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the foundational concepts that extend and interact with the Purdue Model for modern industrial control system security.
Network Segmentation
The core security principle of the Purdue Model. It divides the network into isolated zones and conduits to limit the lateral movement of threats and contain breaches.
- Zones: Logical groupings of assets with similar security requirements (e.g., all PLCs on Level 1).
- Conduits: The strictly controlled communication paths between zones, secured by firewalls and managed switches.
- Defense-in-Depth: A breach in the enterprise web server (Level 4) cannot directly access a safety controller (Level 1).

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us