The Purdue model: the layered architecture of an industrial system

From the sensor to the ERP, the Purdue model organises industrial systems into hierarchical levels. It is the reference map for segmenting and securing an OT network.

In one sentence

The Purdue model is the hierarchical map of an industrial system: it places each piece of equipment at a level, from closest to matter to closest to management. This map is the basis of network segmentation and OT cybersecurity.

Where it comes from

The model derives from the Purdue Enterprise Reference Architecture (1990s), taken up by the ISA-95 standard on enterprise-control integration. It describes how information flows, from the sensor to the ERP, through every control layer.

The levels

[Figure: the Purdue levels, from 4–5 (Enterprise) down to 0 (Process), with the Industrial DMZ at 3.5 and the IT/OT split marked.]

| Level | Name | What you find |
|-------|------|---------------|
| 0 | Process | Sensors, actuators, valves, motors — the physical world |
| 1 | Control | Controllers (PLC), regulators, safety systems |
| 2 | Supervision | SCADA, DCS, operator interfaces (HMI) |
| 3 | Site operations | MES, historian, production management |
| 3.5 | Industrial DMZ | Buffer zone between OT and IT |
| 4-5 | Enterprise | ERP, office IT, cloud, Internet |

Levels 0 to 3 form the OT world; levels 4-5 the IT world (see OT and IT). The lower you go, the closer you are to physical danger and real time.

The demilitarised zone (DMZ)

The central element for security is level 3.5: the industrial DMZ. It is a buffer zone inserted between the plant floor (OT) and the office (IT). No flow crosses directly from IT to OT: everything passes through the DMZ, where it is inspected and filtered. So a compromise on the office side does not propagate down to the controllers.

This is the principle that was missing in famous attacks, where an infected office workstation eventually reached the production network.

What it is for in practice

The Purdue model is not just a theoretical diagram. It guides three decisions:

  1. Segment: each level is a separate network, with strict crossing rules between them.
  2. Order the flows: data goes up (level 0 to 4), commands go down, never short-circuited.
  3. Prioritise defence: the lower a level, the more critical and protected it is.

It is the basic grammar of industrial cybersecurity, formalised by the IEC 62443 standard.
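
As an added illustration (not part of the original lesson), the Python below audits observed network flows against the crossing rules described above: no direct IT-to-OT flow that bypasses the DMZ, and no flow that skips a level. The subnet-to-level map, the addresses and the sample flows are all constructed assumptions.

```python
import ipaddress

# Constructed zone map: subnets and their Purdue level (assumed addressing plan).
ZONES = {
    "10.0.0.0/24": 0,     # process: sensors, actuators
    "10.0.1.0/24": 1,     # control: PLC, safety
    "10.0.2.0/24": 2,     # supervision: SCADA, HMI
    "10.0.3.0/24": 3,     # site operations: MES, historian
    "10.0.35.0/24": 3.5,  # industrial DMZ
    "192.168.0.0/16": 4,  # enterprise IT (levels 4-5)
}
ORDER = [0, 1, 2, 3, 3.5, 4]  # adjacency order of the levels

def level_of(ip):
    """Return the Purdue level of an address, or None if it is in no known zone."""
    addr = ipaddress.ip_address(ip)
    for cidr, level in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return level
    return None

def check_flow(src, dst):
    """Classify one observed flow against the model's crossing rules."""
    a, b = level_of(src), level_of(dst)
    if a is None or b is None:
        return "unmapped"          # endpoint outside the zone map: investigate
    lo, hi = sorted((a, b))
    if lo <= 3 and hi >= 4:
        return "bypasses-dmz"      # direct IT <-> OT flow, no stop at level 3.5
    if ORDER.index(hi) - ORDER.index(lo) > 1:
        return "skips-level"       # e.g. level 3 talking straight to a PLC
    return "ok"

def audit(flows):
    """Return (src, dst, verdict) for every flow that violates the rules."""
    return [(s, d, v) for s, d in flows if (v := check_flow(s, d)) != "ok"]

# Constructed sample flows, as they might be exported from a firewall or flow collector.
SAMPLE_FLOWS = [
    ("10.0.2.10", "10.0.1.5"),      # HMI -> PLC, adjacent levels
    ("192.168.4.20", "10.0.35.8"),  # office -> DMZ
    ("10.0.35.8", "10.0.3.7"),      # DMZ -> historian
    ("192.168.4.20", "10.0.1.5"),   # office workstation -> PLC
    ("10.0.3.7", "10.0.1.5"),       # historian -> PLC, skipping supervision
    ("203.0.113.9", "10.0.0.4"),    # unknown external address -> sensor
]

if __name__ == "__main__":
    print(*audit(SAMPLE_FLOWS), sep="\n")
```

Run against real flow exports, every non-"ok" verdict is either a segmentation gap to close or an exception that should be documented.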

Its limits

The model was designed before the cloud and the IIoT. Today, connected sensors sometimes report directly to the cloud, short-circuiting the levels. The model remains the pedagogical and architectural reference, but modern architectures relax it — without ever abandoning its founding principle: never expose the physical process directly to the Internet.