The Purdue Reference Model: Levels 0 Through 5
The Purdue Enterprise Reference Architecture (PERA), formalized in the ISA-95 standard and widely adopted in ICS security as the "Purdue Model," organizes industrial systems into hierarchical levels to limit the blast radius of a network compromise. Understanding these levels is foundational to any OT segmentation design:
- Level 0 – Physical Process: Sensors, actuators, motors, valves. Communication is typically analog (4–20 mA) or simple digital. No IP networking at this layer.
- Level 1 – Basic Control: PLCs, RTUs, DCS controllers. Protocols include Modbus RTU/TCP, PROFIBUS, DeviceNet, EtherNet/IP, DNP3. Devices at this level have limited or no authentication.
- Level 2 – Supervisory Control: HMIs, SCADA servers, DCS engineering stations. Windows-based systems running FactoryTalk, Wonderware, or Inductive Automation Ignition.
- Level 3 – Site Operations: Historians (OSIsoft PI, AspenTech), Manufacturing Execution Systems (MES), batch management. The boundary between Levels 3 and 4 is where the IT/OT divide historically occurs.
- Level 4 – Site Business Planning: ERP systems, corporate Active Directory, email. Traditional IT domain.
- Level 5 – Enterprise Network: Corporate WAN, cloud connectivity, remote access infrastructure.
The critical security insight: a flat network that bridges Levels 1 through 5 means a phishing email delivered to a corporate mailbox (Level 5) can reach a PLC (Level 1) with no barrier in between. This is not hypothetical: it is the propagation path of NotPetya in 2017, which crossed from IT to OT in multiple industrial companies.
The Industrial DMZ (IDMZ) Architecture
A standard DMZ places a single firewall between the internet and the internal network. The IDMZ (Industrial DMZ) uses a dual-firewall DMZ architecture: one firewall faces the IT network (Level 4/5) and a second firewall faces the OT network (Level 3/2). The IDMZ zone sits between them and hosts services that must be shared: remote desktop gateway, historian replication servers, file transfer hosts, patch management servers, and antivirus update mirrors. Neither firewall permits direct connectivity through to the other side; all traffic terminates in the IDMZ. This architecture, recommended by Cisco in its "SAFE for Industrial" guide and by Rockwell Automation in its CPwE (Converged Plantwide Ethernet) design guides, ensures that even a full compromise of the IT network cannot establish a direct session to a Level 2 SCADA server.
Firewall rule design for the IDMZ follows a deny-all default with explicit permits only for required flows. A typical IDMZ ruleset permits:
- TCP 443 from the IT historian replication client to the IDMZ historian mirror (never to Level 3 directly)
- TCP 3389 from the jump server in the IDMZ to the Level 2 HMI (not from the IT network directly)
- ICMP from IT monitoring to IDMZ servers only
All OT protocol traffic (Modbus TCP on port 502, EtherNet/IP on port 44818, DNP3 on port 20000, BACnet on UDP port 47808) should be blocked at the IT-facing firewall entirely.
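The ruleset above can be checked before it is typed into a firewall. The following is an added example written for this article, not a vendor configuration: it models the two IDMZ firewalls as deny-by-default rule lists, encodes exactly the permits and the OT-protocol block list from the text, and answers whether a given session-initiating flow is permitted and by which firewall. The zone address ranges and host addresses are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone addressing for this example (an assumption, not from the article).
ZONES = {
    "IT": ip_network("10.0.0.0/16"),       # Levels 4/5
    "IDMZ": ip_network("172.16.0.0/24"),   # shared services between the two firewalls
    "OT": ip_network("192.168.0.0/16"),    # Level 3 and below
}

# OT protocols the text says must be blocked entirely at the IT-facing firewall.
OT_PROTOCOL_PORTS = {("tcp", 502), ("tcp", 44818), ("tcp", 20000), ("udp", 47808)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int = 0   # ignored for icmp


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int = 0

    def matches(self, flow: Flow, src_zone: str, dst_zone: str) -> bool:
        if (self.src_zone, self.dst_zone, self.proto) != (src_zone, dst_zone, flow.proto):
            return False
        return self.proto == "icmp" or self.dport == flow.dport


def zone_of(ip: str) -> Optional[str]:
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


# IT-facing firewall: every permit terminates in the IDMZ.
IT_FACING_PERMITS: List[Rule] = [
    Rule("IT", "IDMZ", "tcp", 443),   # historian replication client -> IDMZ historian mirror
    Rule("IT", "IDMZ", "icmp"),       # IT monitoring -> IDMZ servers
]
# OT-facing firewall: only the IDMZ jump server may open RDP to a Level 2 HMI.
OT_FACING_PERMITS: List[Rule] = [
    Rule("IDMZ", "OT", "tcp", 3389),
]


def evaluate(flow: Flow) -> Tuple[str, bool]:
    """Return (firewall that decided, permitted). Anything without an explicit permit is denied.

    Both firewalls are stateful, so only the initiating direction of a session is evaluated.
    """
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return ("none", False)                 # unknown address space: deny
    if src_zone == dst_zone:
        raise ValueError("intra-zone traffic does not cross the IDMZ")
    if {src_zone, dst_zone} == {"IT", "OT"}:
        return ("both", False)                 # no flow may transit both firewalls
    if "IT" in (src_zone, dst_zone):
        if (flow.proto, flow.dport) in OT_PROTOCOL_PORTS:
            return ("it-facing", False)        # explicit deny: OT protocols never cross the IT side
        name, permits = "it-facing", IT_FACING_PERMITS
    else:
        name, permits = "ot-facing", OT_FACING_PERMITS
    return (name, any(r.matches(flow, src_zone, dst_zone) for r in permits))


if __name__ == "__main__":
    for f in [Flow("10.0.1.5", "172.16.0.10", "tcp", 443),
              Flow("10.0.1.5", "192.168.2.10", "tcp", 3389),
              Flow("172.16.0.20", "192.168.2.10", "tcp", 3389),
              Flow("10.0.1.5", "172.16.0.10", "tcp", 502)]:
        print(f, "->", evaluate(f))
```

The useful property to notice is that the IT-to-OT RDP flow is refused without consulting either rule list: because every permit on both firewalls has the IDMZ as one endpoint, a flow with IT and OT endpoints can never match, which is exactly the "all traffic terminates in the IDMZ" guarantee.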
Data Diodes for Unidirectional Communication
For the highest-security OT environments (nuclear, military, critical infrastructure), even a dual-firewall IDMZ is considered insufficient because firewall software can have vulnerabilities. A data diode is a hardware-enforced unidirectional gateway: data flows in one direction only, enforced by physical optical fiber with a transmitter on one side and only a receiver on the other, so no return path is physically possible. Waterfall Security Solutions and OWL Cyber Defense are the leading vendors. A typical deployment replicates historian data from Level 3 to the IDMZ: the OT historian sends data out through the data diode to an IDMZ replica historian, which IT systems then query. There is no path for a command to flow back into OT through the diode. NERC CIP-005-6 Electronic Security Perimeter requirements and IEC 62443-3-3 SR 5.1 (network segmentation) both recognize data diodes as a compensating or enhancing control for the highest security levels.
VLAN Design, Industrial Firewalls, and Micro-Segmentation
Within OT zones, VLANs provide logical separation between device classes: a VLAN for PLCs, a separate VLAN for HMIs, a separate VLAN for engineering workstations. This limits the scope of ARP spoofing and broadcast storms and enables firewall rules between zones. Industrial firewalls designed for OT, such as the Cisco Industrial Ethernet (IE) series with Cisco Firepower, Fortinet FortiGate Rugged, and the Palo Alto PA-400 Series, support deep packet inspection (DPI) of industrial protocols. A next-generation industrial firewall can, for example, permit Modbus TCP on port 502 but block any Modbus write function codes (FC 5, 6, 15, 16) while allowing read function codes (FC 1, 2, 3, 4); this is critical for enforcing read-only access from historian interface nodes to PLCs.
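What the function-code filter actually has to do is parse each Modbus TCP frame past the MBAP header and fail closed on anything it cannot positively classify. The block below is an added example for this article (not the code of any firewall named above): it decodes the MBAP header, applies the read-only allowlist from the text, and inspects every ADU in a TCP segment rather than only the first, since a segment can carry several frames. The frame-building helper only manufactures constructed test input.

```python
import struct
from typing import List, Tuple

MODBUS_READ_FCS = {1, 2, 3, 4}      # read coils, discrete inputs, holding registers, input registers
MODBUS_WRITE_FCS = {5, 6, 15, 16}   # write single coil/register, multiple coils/registers
MBAP_LEN = 7                        # transaction id (2), protocol id (2), length (2), unit id (1)


def inspect_request(adu: bytes) -> Tuple[str, str]:
    """Classify one client-to-server Modbus TCP ADU under a read-only policy.

    Only a well-formed frame whose function code is in the read allowlist is allowed;
    every other case (writes, unlisted codes, malformed frames) fails closed.
    """
    if len(adu) < MBAP_LEN + 1:
        return ("deny", "truncated frame")
    _tid, proto_id, length, _unit = struct.unpack(">HHHB", adu[:MBAP_LEN])
    if proto_id != 0:
        return ("deny", "protocol id %d is not Modbus" % proto_id)
    if length != len(adu) - 6:          # the length field counts unit id + PDU
        return ("deny", "length field mismatch")
    fc = adu[MBAP_LEN]
    if fc & 0x80:
        return ("deny", "exception bit set in a request")
    if fc in MODBUS_READ_FCS:
        return ("allow", "read FC %d" % fc)
    if fc in MODBUS_WRITE_FCS:
        return ("deny", "write FC %d" % fc)
    return ("deny", "unlisted FC %d" % fc)


def split_adus(segment: bytes) -> List[bytes]:
    """Split one TCP payload into the ADUs it carries, walking the MBAP length field."""
    adus, off = [], 0
    while off < len(segment):
        if len(segment) - off < MBAP_LEN:
            adus.append(segment[off:])  # trailing fragment: inspect_request will deny it
            break
        (length,) = struct.unpack(">H", segment[off + 4:off + 6])
        end = off + 6 + length
        adus.append(segment[off:end])
        off = end
    return adus


def inspect_segment(segment: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """A segment passes only if every ADU in it passes.

    An inspector that classified just the first ADU of a segment would let a write
    ADU through behind a read ADU, so all of them are checked and an empty segment
    has nothing to allow.
    """
    results = [inspect_request(adu) for adu in split_adus(segment)]
    verdict = "allow" if results and all(v == "allow" for v, _ in results) else "deny"
    return (verdict, results)


def sample_adu(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Constructed test-frame builder (not a Modbus client): MBAP header + PDU."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


if __name__ == "__main__":
    read = sample_adu(1, 1, 3, b"\x00\x00\x00\x0a")   # read 10 holding registers from 0
    write = sample_adu(2, 1, 6, b"\x00\x00\x00\x01")  # write single register
    print(inspect_request(read), inspect_request(write))
    print(inspect_segment(read + write))
```

Unlisted codes such as FC 23 (read/write multiple registers) are denied by default rather than by an explicit entry, which is the property to preserve when the allowlist is later extended.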
Micro-segmentation takes this further by applying policy at the individual device or workload level rather than the network segment level. In OT, micro-segmentation is typically implemented via managed switch ACLs or host-based firewall rules on Windows engineering stations, since most PLCs have no built-in firewall capability. The goal is to ensure a compromised HMI cannot reach PLCs in a different process unit: an attacker who compromises the compressor HMI should not be able to pivot to the reactor control PLCs.
Zone and Conduit Design per IEC 62443-3-3
IEC 62443-3-3 formalizes the concept of zones and conduits. A zone is a grouping of assets with a common security level requirement and trust level. A conduit is the communication path between zones, which must be explicitly defined and controlled. Every inter-zone data flow must be documented as a conduit with: source and destination zones, protocols, ports, direction, and required security controls (encryption, authentication, protocol filtering). The Security Level (SL) assigned to a zone determines the countermeasures required:
- SL-1: protection against casual or coincidental violation
- SL-2: protection against intentional violation using simple means (the minimum for most OT zones)
- SL-3: protection against sophisticated intentional attack
- SL-4: protection against state-sponsored attack with extended resources
The zone and conduit model is the design artifact that drives firewall rulesets, network diagrams, and risk assessments in a compliant IEC 62443 program.
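Because the zone and conduit register is the artifact everything else is derived from, it is worth keeping it machine-checkable. The example below is added for this article and is not taken from IEC 62443 or from any tool: it records zones with their Purdue level and target SL, records conduits with the fields the text requires, and reports conduits that are under-controlled for their destination SL or that join the IT side to the OT side without terminating in the IDMZ, plus observed flows for which no conduit was declared. The mapping from SL to minimum conduit controls is an assumption chosen for the example, not a table from the standard, and the plant model is constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Sequence, Tuple

# Control names the text lists as conduit requirements.
KNOWN_CONTROLS = {"encryption", "authentication", "protocol-filtering"}

# Minimum conduit controls by destination zone SL. Assumed for this example; IEC 62443-3-3
# expresses its requirements as SRs, not as this table.
REQUIRED_BY_SL = {
    1: set(),
    2: {"authentication"},
    3: {"authentication", "protocol-filtering"},
    4: {"authentication", "protocol-filtering", "encryption"},
}


@dataclass(frozen=True)
class Zone:
    name: str
    level: int          # Purdue level
    sl: int             # target security level, 1..4
    is_idmz: bool = False


@dataclass(frozen=True)
class Conduit:
    src: str
    dst: str
    protocol: str
    port: int
    direction: str      # "one-way" (src -> dst only) or "two-way"
    controls: FrozenSet[str]

    def covers(self, src: str, dst: str, protocol: str, port: int) -> bool:
        if (protocol, port) != (self.protocol, self.port):
            return False
        if (src, dst) == (self.src, self.dst):
            return True
        return self.direction == "two-way" and (src, dst) == (self.dst, self.src)


def validate_conduits(zones: Sequence[Zone], conduits: Sequence[Conduit]) -> List[str]:
    """Findings for conduits that are undefined, under-controlled, or bypass the IDMZ."""
    by_name = {z.name: z for z in zones}
    findings: List[str] = []
    for c in conduits:
        label = f"{c.src}->{c.dst} {c.protocol}/{c.port}"
        if c.src not in by_name or c.dst not in by_name:
            findings.append(f"{label}: references an undefined zone")
            continue
        if c.direction not in ("one-way", "two-way"):
            findings.append(f"{label}: direction must be one-way or two-way")
        unknown = set(c.controls) - KNOWN_CONTROLS
        if unknown:
            findings.append(f"{label}: unknown controls {sorted(unknown)}")
        src, dst = by_name[c.src], by_name[c.dst]
        missing = REQUIRED_BY_SL[dst.sl] - set(c.controls)
        if missing:
            findings.append(f"{label}: destination is SL-{dst.sl}, missing {sorted(missing)}")
        # A conduit joining Level 4/5 to Level 3 or below must terminate in the IDMZ.
        crosses_it_ot = (src.level >= 4) != (dst.level >= 4)
        if crosses_it_ot and not (src.is_idmz or dst.is_idmz):
            findings.append(f"{label}: crosses the IT/OT boundary without terminating in the IDMZ")
    return findings


def undeclared_flows(conduits: Sequence[Conduit],
                     observed: Sequence[Tuple[str, str, str, int]]) -> List[Tuple[str, str, str, int]]:
    """Observed inter-zone flows (src zone, dst zone, protocol, port) with no declared conduit."""
    return [f for f in observed if not any(c.covers(*f) for c in conduits)]


def example_model() -> Tuple[List[Zone], List[Conduit]]:
    """Constructed zones and conduits for a small plant (illustrative values only)."""
    zones = [
        Zone("enterprise", 4, 1),
        Zone("idmz", 3, 2, is_idmz=True),
        Zone("site-ops", 3, 2),
        Zone("supervisory", 2, 3),
        Zone("basic-control", 1, 3),
    ]
    conduits = [
        Conduit("enterprise", "idmz", "tcp", 443, "two-way", frozenset({"encryption", "authentication"})),
        Conduit("site-ops", "idmz", "tcp", 443, "one-way", frozenset({"authentication", "protocol-filtering"})),
        Conduit("idmz", "supervisory", "tcp", 3389, "two-way", frozenset({"authentication"})),
        Conduit("enterprise", "supervisory", "tcp", 3389, "two-way", frozenset({"authentication"})),
    ]
    return zones, conduits


if __name__ == "__main__":
    zones, conduits = example_model()
    for finding in validate_conduits(zones, conduits):
        print(finding)
```

Run against the constructed model, the validator flags the RDP conduit into the SL-3 supervisory zone for lacking protocol filtering and flags the enterprise-to-supervisory conduit twice, once for the same missing control and once for skipping the IDMZ; the one-way historian conduit is only matched in its declared direction, so a reverse flow shows up as undeclared.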
Historian Replication Without Direct OT-IT Connectivity
One of the most common architecture mistakes is allowing ERP or corporate BI systems to query the OSIsoft PI server directly over the OT network. The correct pattern is: the Level 3 PI server (OT) replicates tags one-way to a PI server in the IDMZ using the PI-to-PI interface or PI Replication, and IT systems query only the IDMZ replica. The OT PI server's PI Interface nodes should be configured with read-only PI identities. No IT user or system should have a PI identity with write access to the OT historian. This architecture, combined with the dual-firewall IDMZ, means an IT network compromise cannot write falsified process data to the OT historian, a critical integrity control for industries where historian data drives safety decisions.
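The one-way replication pattern described here and in the data diode section has a consequence that is easy to miss in a diagram: with no return path there is no TCP handshake and no way for the replica to request a resend, so the sender must repeat datagrams and the replica must detect loss from sequence numbers on its own. The simulation below is an added example for this article, not code from Waterfall, OWL or OSIsoft: an OT-side sender emits tag updates with sequence numbers and a digest, a lossy unidirectional channel carries them, and an IDMZ replica deduplicates, records gaps, serves reads, and deliberately has no method that sends anything back. Tag names, values and the loss pattern are constructed.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

REPEAT = 2  # each datagram is sent twice: with no return path, nothing can ask for a resend


@dataclass(frozen=True)
class Datagram:
    seq: int
    tag: str
    value: float
    ts: int
    digest: str


def digest_of(seq: int, tag: str, value: float, ts: int) -> str:
    """Integrity check so a corrupted datagram is dropped rather than stored."""
    body = json.dumps([seq, tag, value, ts], separators=(",", ":")).encode()
    return hashlib.sha256(body).hexdigest()


class OtHistorianSender:
    """Level 3 side of the diode: emits tag updates and never receives anything."""

    def __init__(self) -> None:
        self.seq = 0

    def publish(self, tag: str, value: float, ts: int) -> List[Datagram]:
        self.seq += 1
        d = Datagram(self.seq, tag, value, ts, digest_of(self.seq, tag, value, ts))
        return [d] * REPEAT


class DiodeChannel:
    """Unidirectional, lossy link. drop(n) decides whether the n-th datagram is lost."""

    def __init__(self, receiver: "IdmzReplica", drop: Callable[[int], bool]) -> None:
        self.receiver, self.drop, self.n = receiver, drop, 0

    def transmit(self, datagrams: List[Datagram]) -> None:
        for d in datagrams:
            if not self.drop(self.n):
                self.receiver.receive(d)
            self.n += 1


class IdmzReplica:
    """IDMZ side: accepts datagrams and serves reads to IT. No method sends toward OT."""

    def __init__(self) -> None:
        self.latest: Dict[str, Tuple[float, int]] = {}
        self.seen: set = set()
        self.highest = 0
        self.missing: set = set()

    def receive(self, d: Datagram) -> None:
        if d.digest != digest_of(d.seq, d.tag, d.value, d.ts):
            return                       # corrupted in transit; cannot request a resend
        if d.seq in self.seen:
            return                       # second copy of a repeated datagram
        if d.seq > self.highest:
            self.missing.update(range(self.highest + 1, d.seq))  # sequence gap = lost update
            self.highest = d.seq
        else:
            self.missing.discard(d.seq)  # late or out-of-order copy filled a gap
        self.seen.add(d.seq)
        current = self.latest.get(d.tag)
        if current is None or d.ts >= current[1]:
            self.latest[d.tag] = (d.value, d.ts)

    def query(self, tag: str) -> Optional[Tuple[float, int]]:
        return self.latest.get(tag)

    def lost_updates(self) -> List[int]:
        return sorted(self.missing)


def run_replication(drop: Callable[[int], bool]) -> IdmzReplica:
    """Constructed scenario: four tag updates from OT crossing the diode under a loss pattern."""
    replica = IdmzReplica()
    link = DiodeChannel(replica, drop)
    sender = OtHistorianSender()
    for tag, value, ts in [("FT-101", 12.5, 100), ("PT-201", 3.1, 101),
                           ("FT-101", 12.7, 102), ("TT-301", 85.0, 103)]:
        link.transmit(sender.publish(tag, value, ts))
    return replica


if __name__ == "__main__":
    r = run_replication(lambda n: n in (2, 3))   # both copies of the second update are lost
    print(r.query("FT-101"), r.query("PT-201"), "lost:", r.lost_updates())
```

Losing one copy of an update costs nothing; losing both copies leaves a numbered gap that the replica can report to operations without ever sending a packet toward OT. The write-side control the text describes (read-only PI identities for the interface nodes) is configuration rather than code, and it is what keeps the OT historian itself in the same one-way posture as the channel.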