Inferensys

Glossary

Purdue Model

A reference architecture for industrial control system security that segments the network into hierarchical levels, from physical processes to the enterprise demilitarized zone.
ML engineer managing model versions on laptop, version history visible, technical Git-like workflow.
INDUSTRIAL CONTROL SYSTEM ARCHITECTURE

What is the Purdue Model?

The Purdue Model is a reference architecture for industrial control system (ICS) security that segments the network into hierarchical levels, from physical processes to the enterprise demilitarized zone (DMZ).

The Purdue Enterprise Reference Architecture (PERA), commonly called the Purdue Model, defines a strict hierarchical framework of six logical levels (0 through 5) that partition industrial networks. Level 0 represents physical processes like actuators and sensors, while Level 1 contains basic control devices such as Programmable Logic Controllers (PLCs). Level 2 encompasses supervisory systems including SCADA and HMI panels that manage localized production workflows.

The architecture mandates unidirectional data flow from lower to higher levels, with a critical Industrial Demilitarized Zone (IDMZ) separating Operational Technology (OT) at Levels 0-3 from Information Technology (IT) at Levels 4-5. This segmentation enforces the principle that enterprise systems like ERP and MES can never directly command physical processes, creating a foundational security boundary that aligns with the ISA-95 standard for control system integration.

HIERARCHICAL SEGMENTATION

The Six Levels of the Purdue Model

A reference architecture segmenting industrial control system networks into six hierarchical levels, from physical processes to the enterprise demilitarized zone.

LevelNameFunctionTypical DevicesData Flow

Level 0

Physical Process

Sensing and actuation of the physical world

Sensors, actuators, motors, valves, transmitters

Raw analog/digital signals to Level 1

Level 1

Basic Control

Real-time control and data acquisition from physical devices

PLCs, RTUs, VFDs, safety instrumented systems

Deterministic control signals to Level 0; process data to Level 2

Level 2

Area Supervisory Control

Supervisory monitoring and operator control of a defined physical area

HMIs, SCADA servers, operator workstations, engineering stations

Aggregated area data to Level 3; operator commands to Level 1

Level 3

Site Manufacturing Operations

Site-wide production management, scheduling, and workflow execution

MES, batch management, historian servers, OPC UA gateways

Production orders from Level 4; site KPIs and batch records to Level 4

Level 4

Business Logistics

Enterprise-level planning, logistics, and supply chain management

ERP, CRM, PLM, data warehouses, business intelligence tools

Production schedules to Level 3; inventory and cost data from Level 3

Level 5

Enterprise Demilitarized Zone

Secure boundary between enterprise and external networks

Firewalls, reverse proxies, jump servers, VPN concentrators

Filtered external access; no direct OT-to-internet connectivity

ARCHITECTURAL FOUNDATIONS

Core Principles of the Purdue Model

The Purdue Enterprise Reference Architecture (PERA), commonly known as the Purdue Model, is the definitive framework for segmenting Industrial Control System (ICS) networks into hierarchical levels. It establishes a logical separation between operational technology (OT) and information technology (IT) domains to enforce security boundaries and manage data flow from physical processes to the enterprise cloud.

01

Hierarchical Level Segmentation

The model partitions the industrial network into six distinct levels (0 through 5), with a critical air-gapped or firewalled DMZ separating the OT domain (Levels 0-3) from the IT domain (Levels 4-5). This segmentation ensures that a compromise in the corporate network cannot directly propagate to safety-critical physical controllers.

  • Level 0: Physical process (sensors, actuators, motors)
  • Level 1: Basic control (PLCs, RTUs, VFDs)
  • Level 2: Area supervisory control (HMI, SCADA)
  • Level 3: Site manufacturing operations (MES, Historian)
  • Level 3.5: Industrial Demilitarized Zone (IDMZ)
  • Level 4: Business logistics (ERP, CRM)
  • Level 5: Enterprise network (Cloud, Internet)
6
Defined Levels
ISA-95/IEC 62264
Standard Basis
02

The Industrial Demilitarized Zone (IDMZ)

Level 3.5, the IDMZ, acts as a buffer zone between OT and IT. No direct communication is permitted between Level 4/5 and Level 0-3. All data exchange must terminate in the IDMZ using intermediary servers and reverse proxies. This prevents external actors from establishing direct TCP sessions with PLCs.

  • Core Function: Breaks direct IP routing between IT and OT
  • Key Services: Patch management servers, AV servers, remote jump hosts, and mirrored historians
  • Security Posture: Implements strict ingress/egress filtering and deep packet inspection
Zero Trust
Architectural Model
03

Data Flow Directionality

The Purdue Model enforces a unidirectional data flow principle. Data originates at the physical process (Level 0) and flows upward through aggregation and contextualization layers to the enterprise (Level 4/5). Control commands flow downward but must traverse strict authorization checkpoints at each boundary.

  • Southbound: Control commands (high risk, heavily restricted)
  • Northbound: Telemetry and status data (low risk, continuous streaming)
  • Enforcement: Physical data diodes are often deployed between Level 3 and Level 4 to guarantee unidirectional traffic for the most critical assets
05

Security Zone and Conduit Model

The Purdue Model is intrinsically linked to the IEC 62443 cybersecurity standard. Each Purdue Level is treated as a distinct security zone with specific risk profiles and protection requirements. Conduits are the controlled communication channels between zones.

  • Zone Properties: Each zone has defined security policies, asset inventories, and risk assessments
  • Conduit Controls: Firewalls, intrusion detection systems (IDS), and application-layer gateways manage traffic between zones
  • Critical Rule: A conduit connecting a high-security zone (Level 0) to a lower-security zone (Level 3) must never allow the lower zone to initiate a connection
IEC 62443
Cybersecurity Standard
06

Evolution to Software-Defined Perimeters

While the physical Purdue Model remains foundational, modern Software-Defined Manufacturing is evolving it into a logical architecture. Virtualized controllers and edge computing nodes collapse traditional hardware layers, requiring micro-segmentation and identity-aware proxies to enforce the same hierarchical security principles in software.

  • Challenge: Virtual PLCs at the edge blur the lines between Level 1 and Level 2
  • Solution: Policy-driven network overlays that enforce Purdue-level security zones based on device identity and application fingerprint, not just IP address
  • Outcome: A dynamic, zero-trust Purdue Model that adapts to containerized workloads and cloud-based SCADA
PURDUE MODEL CLARIFIED

Frequently Asked Questions

Clear, technically precise answers to the most common questions about the Purdue Enterprise Reference Architecture, its levels, and its role in modern industrial cybersecurity.

The Purdue Enterprise Reference Architecture (PERA) is a structural framework that segments industrial control system (ICS) networks into hierarchical, functional levels to enforce security boundaries. It works by defining six distinct levels—from Level 0 (physical process) through Level 5 (enterprise demilitarized zone)—and mandating that data flows only between adjacent levels through controlled conduits. This creates a defense-in-depth posture where a compromise at the enterprise IT layer cannot directly pivot to safety-critical controllers. The model is formally documented in the ISA-95 / IEC 62264 international standards, which map the Purdue levels to specific equipment, activities, and data exchange requirements. In practice, firewalls, industrial demilitarized zones (IDMZs), and unidirectional gateways enforce the segmentation, ensuring that manufacturing execution systems (MES) at Level 3 are isolated from business networks at Level 4.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.