Zero Trust
Risk Management
Operational Resilience
Operational Technology

Is It Time to Rethink the Purdue Model?

George V. Hulme / Jul 28, 2025

As organizations accelerate digital transformation and blur the boundaries between IT and OT, the Purdue Model—the foundational framework that has guided industrial control system security for roughly three decades—is facing its most significant challenge yet: it's starting to show its age.

The convergence of IT and OT systems, driven primarily by the deployment of IIoT (industrial Internet of Things) devices, cloud computing, and the need for remote monitoring, has fundamentally altered the OT architecture the Purdue Model was designed to help manage. The framework still provides valuable structure for understanding industrial networks, but its rigid hierarchy and its assumption that operational networks can be kept isolated no longer match operational reality.

"The Purdue Model, while foundational and still useful as a conceptual framework, is showing its age in increasingly converged IT/OT environments," agreed Trevor Young, chief product officer at Security Compass. "Its strict hierarchical layers, designed for isolated operational technology, struggle to accommodate the fluid, interconnected nature of modern industrial systems. We now have sensors pushing data directly to cloud analytics platforms, remote maintenance access, and IT applications directly influencing OT processes, which weren't envisioned when the model was first conceived," Young added.

Beyond Air Gaps, and the Purdue Model

The Purdue Model emerged in the 1990s with a straightforward premise: industrial control systems would remain separated from business networks, with distinct security boundaries between levels. At the time, air gaps were a workable control, because many OT systems operated in complete isolation and physical separation served as the primary security measure.

That assumption no longer holds. Nearly every modern device has an IP address, and enterprise digital transformation has made isolation the exception rather than the rule. Modern industrial environments rely on connectivity to achieve efficiency gains, support remote monitoring, enable predictive maintenance, and inform data-driven decisions. The SANS 2024 ICS/OT Survey found that only 8.2% of organizations maintain fully isolated systems, indicating how pervasive IT/OT convergence has become.

This convergence creates what experts describe as a "blind spot" in the Purdue Model's security framework. Robin Berthier, CEO at Network Perception, emphasizes that "in integrated IT/OT environments, especially considering the Purdue Model's emphasis on separation, compensating controls are key when standard security measures are not feasible."

"The limitations of the original Purdue Model are significantly impacting the security of today's industrial control systems by creating blind spots and hindering effective segmentation. Its rigid boundaries can lead to a false sense of security, as attacks can now bypass traditional choke points," added Young. For example, Young explained that an IIoT device operating at a lower level might have vulnerabilities that, if exploited, could directly impact the enterprise network without traversing the expected "DMZ" layers, making incident response and threat containment more complex.

When IT and OT Security Boundaries Blur

IT and OT system integration introduces complexities that the hierarchical Purdue Model struggles to address. At Levels 2 and 3, where supervisory control and site operations occur, attackers exploit the connections that convergence has created between traditionally separate systems.

Digital transformation fundamentally changed data flows within industrial environments. Where hierarchical communications between layers once dominated, hyper-convergence now rules. Systems communicate across layers to enterprise and cloud environments as easily as to global supply chain partners. This lateral communication directly contradicts the Purdue Model's vertical, hierarchical structure.

The challenge intensifies because IT and OT environments operate with different priorities. IT systems prioritize data confidentiality and tolerate planned downtime, while OT systems prioritize availability and safety, running continuously for months without interruption. This operational divide creates friction when applying traditional security frameworks across converged environments.

Modern Threats Exploit Traditional Boundaries

The threat landscape facing industrial control systems has evolved dramatically since the inception of the Purdue Model. Sophisticated malware, such as Stuxnet, Triton, and Industroyer, demonstrates that attackers can target industrial processes with surgical precision, exploiting convergence points between IT and OT systems.

The SANS 2024 Survey also showed that almost 50% of OT asset attack vectors trace to IT network breaches. This underscores that the separation between IT and OT the model assumes no longer exists in practice: malware originating in corporate networks now reaches operational systems through the integration points established for efficiency and data access.

Recent campaigns, such as Volt Typhoon, demonstrate that attackers are using valid credentials and network traversal to remain undetected within converged environments. These persistent threats specifically target the intersections of IT and OT, exploiting trust relationships and communication pathways that enable digital transformation.

Hierarchical Rigidity Limitations

The Purdue Model's strictly defined hierarchy presents significant limitations in modern industrial environments that require flexibility and agility. Real-world applications necessitate quick adaptations and cross-level interactions that the rigid structure cannot accommodate effectively.

One significant limitation is the model's lack of integration with real-time data and analytics. Modern operations rely heavily on continuous data flows, machine learning, and predictive analytics, which require dynamic communication across traditional hierarchical boundaries. The model's vertical emphasis conflicts with the horizontal data sharing requirements of Industry 4.0.

Network segmentation remains a cornerstone of security, but it requires more sophisticated approaches than simple level-based boundaries. Traditional firewalls, which focus on monitoring north-south traffic, present gaps when handling east-west communication patterns common in modern OT environments.

Securely Bridging the OT Architectural Gap

Recognition of the limitations of the Purdue Model has spurred the development of alternative security frameworks. Zero trust architecture (ZTA) has emerged as a leading alternative, challenging the assumption that network location determines trustworthiness.

Young said that when considering the security of their IT/OT converged environments, organizations should prioritize a few key principles. These include the shift from perimeter-centric security to data-centric security, the adoption of a zero-trust mindset where no entity is inherently trusted, and a focus on continuous monitoring and threat detection. "It's also crucial to emphasize strong identity and access management for both human and machine identities across the entire converged stack, along with robust vulnerability management programs that span both IT and OT assets," he added.

Zero trust principles—"never trust, always verify"—align more effectively with the converged realities of IT/OT. Rather than relying solely on network segmentation, Zero Trust implements continuous verification, least privilege access, and contextual policy enforcement. This addresses advanced persistent threat (APT) lateral movement while accommodating the dynamic requirements of industrial operations.

However, implementing zero trust in OT environments presents challenges. Many critical infrastructure organizations rely on legacy systems and protocols that lack the authentication and encryption capabilities a comprehensive zero-trust implementation requires, which is where the compensating controls Berthier describes become necessary.

Young explained that zero trust and micro-segmentation fundamentally change the day-to-day operations of OT security teams by shifting from implicit trust to explicit verification for every access request, regardless of the location within the network. This means more granular control over traffic flow, a reduced attack surface, and easier containment of breaches. "While it initially requires more effort in defining policies and segmenting networks, it ultimately leads to more proactive security, fewer widespread incidents, and a clearer understanding of network traffic, making threat hunting and forensic analysis more efficient," he said.
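To make the contrast concrete, the following added example (my own illustration, not code from the article or from any vendor quoted in it) evaluates a constructed set of IT/OT flows under two policies: a Purdue-style rule that trusts traffic by network location alone, and a zero-trust policy that binds each flow to an authenticated identity, protocol, path and context (endpoint posture, approved change window). It also shows the legacy-protocol caveat above: Modbus carries no authentication, so the zero-trust rule for the HMI-to-PLC flow relies on an enrolled device identity and a pinned destination as a compensating control. The subnets, Purdue-level assignments, identities, device names and flows are all invented for this example.

```python
"""Added example: location-based (Purdue-style) policy vs. identity- and
context-based (zero-trust) policy over constructed IT/OT flows."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

DMZ = 3.5  # IT/OT DMZ sits between Level 3 (site operations) and Level 4 (enterprise)

# Hypothetical addressing plan: which subnet lives at which Purdue level.
LEVEL_OF_SUBNET = {
    ipaddress.ip_network("10.4.0.0/16"): 4,      # enterprise IT
    ipaddress.ip_network("10.35.0.0/24"): DMZ,   # jump hosts, replicated historian
    ipaddress.ip_network("10.3.0.0/16"): 3,      # site operations (historian, MES)
    ipaddress.ip_network("10.2.0.0/16"): 2,      # supervisory control (HMI/SCADA)
    ipaddress.ip_network("10.1.0.0/16"): 1,      # basic control (PLCs, IIoT sensors)
}

def purdue_level(ip: str) -> Optional[float]:
    """Map an address to its Purdue level; None means cloud/internet/unknown."""
    addr = ipaddress.ip_address(ip)
    return next((lvl for net, lvl in LEVEL_OF_SUBNET.items() if addr in net), None)

@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    proto: str           # observed application protocol
    identity: str        # authenticated session identity, "" if the protocol has none
    posture_ok: bool     # endpoint posture result (assumed to come from an agent or NAC)
    change_window: bool  # an approved maintenance window is open

def location_policy(flow: Flow) -> str:
    """Purdue-style rule: same or adjacent level on the same side of the DMZ, or any
    flow touching the DMZ, is allowed. Identity and context never enter the decision."""
    s, d = purdue_level(flow.src), purdue_level(flow.dst)
    if s is None or d is None:
        return "deny"  # the hierarchy has no place for cloud or internet endpoints
    if DMZ in (s, d):
        return "allow"
    same_side = (s < DMZ) == (d < DMZ)
    return "allow" if same_side and abs(s - d) <= 1 else "deny"

@dataclass(frozen=True)
class Rule:
    identity: str
    proto: str
    src_levels: frozenset
    dst_levels: frozenset
    needs_posture: bool = True
    needs_change_window: bool = False
    pinned_dst: Optional[str] = None  # compensating control for protocols without auth

ZT_RULES = (
    Rule("svc-historian", "opcua", frozenset({3}), frozenset({2})),
    Rule("vendor-alice", "rdp", frozenset({DMZ}), frozenset({2}), needs_change_window=True),
    Rule("iiot-sensor-07", "mqtts", frozenset({1}), frozenset({None})),
    # Modbus has no authentication: "hmi-01" is an enrolled device identity (assumed to
    # be asserted by a NAC or gateway), and the only permitted PLC is pinned explicitly.
    Rule("hmi-01", "modbus", frozenset({2}), frozenset({1}),
         needs_posture=False, pinned_dst="10.1.0.5"),
)

def zero_trust_policy(flow: Flow) -> str:
    """Default deny; allow only when a rule matches identity, protocol, path and the
    context it requires. The verdict string carries the reason for a denial."""
    if not flow.identity:
        return "deny (no authenticated identity)"
    s, d = purdue_level(flow.src), purdue_level(flow.dst)
    for r in ZT_RULES:
        if (r.identity, r.proto) != (flow.identity, flow.proto):
            continue
        if s not in r.src_levels or d not in r.dst_levels:
            return "deny (identity not permitted on this path)"
        if r.pinned_dst and flow.dst != r.pinned_dst:
            return "deny (destination not pinned for legacy protocol)"
        if r.needs_posture and not flow.posture_ok:
            return "deny (posture check failed)"
        if r.needs_change_window and not flow.change_window:
            return "deny (outside approved change window)"
        return "allow"
    return "deny (no matching rule)"

# Constructed flows; the labels describe the scenario each one represents.
FLOWS = (
    Flow("hmi->plc modbus",            "10.2.0.10", "10.1.0.5",     "modbus", "hmi-01",         True,  False),
    Flow("it-ws->hmi rdp direct",      "10.4.1.20", "10.2.0.10",    "rdp",    "vendor-alice",   True,  True),
    Flow("jump->hmi rdp in window",    "10.35.0.5", "10.2.0.10",    "rdp",    "vendor-alice",   True,  True),
    Flow("jump->hmi rdp no window",    "10.35.0.5", "10.2.0.10",    "rdp",    "vendor-alice",   True,  False),
    Flow("historian->hmi opcua",       "10.3.0.8",  "10.2.0.10",    "opcua",  "svc-historian",  True,  False),
    Flow("historian->hmi bad posture", "10.3.0.8",  "10.2.0.10",    "opcua",  "svc-historian",  False, False),
    Flow("sensor->cloud mqtts",        "10.1.0.77", "203.0.113.10", "mqtts",  "iiot-sensor-07", True,  False),
    Flow("it-ws->plc modbus",          "10.4.1.21", "10.1.0.5",     "modbus", "",               True,  False),
)

def compare(flows=FLOWS) -> dict:
    """Evaluate every flow under both policies; result keyed by flow label."""
    return {f.label: (location_policy(f), zero_trust_policy(f)) for f in flows}

if __name__ == "__main__":
    for label, (loc, zt) in compare().items():
        print(f"{label:28} location={loc:6} zero-trust={zt}")
```

Two rows carry the argument. The RDP session from the DMZ jump host outside its change window, and the historian connection from a host that failed its posture check, both pass the location rule because the network position is "right", while the zero-trust policy denies them; conversely the sensor's direct MQTT-over-TLS publish to a cloud broker has no place in the hierarchy and is denied by location, but is explicitly permitted under zero trust because the device identity, protocol and destination are all verified.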

Industry 4.0 frameworks and Unified Namespace architectures provide additional alternatives. The Unified Namespace enables interconnected horizontal data flows, replacing traditional vertical hierarchies with a flexible, event-driven architecture that accommodates the modern requirements of industrial operations.

The Path Forward for OT Security Architecture

Core Purdue principles—segmentation, defense-in-depth, and risk management—remain essential for mitigating industrial cyber risks. However, implementation must evolve, addressing digital transformation realities, cloud integration, and IIoT.

Success lies not in discarding the Purdue Model entirely, but in recognizing its limitations and implementing complementary approaches that address the complexities of IT/OT convergence. Organizations that successfully bridge traditional frameworks with modern architectures will best protect industrial operations while capitalizing on the benefits of digital transformation.

The future demands frameworks that accommodate both operational requirements and sophisticated threat landscapes, whether as Purdue extensions or entirely new paradigms that address the fundamental changes to industrial security assumptions brought about by digital transformation. "Organizations that fail to adapt their security architectures to modern, interconnected industrial environments face severe risks, including increased exposure to cyberattacks, potential operational downtime, safety hazards, and significant financial losses," warned Young.


George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
