What Is the Purdue Model?

The Purdue Reference Model for Computer Integrated Manufacturing was developed at Purdue University in the 1990s and later standardized as ISA-95. It defines a hierarchical model for organizing industrial control system networks into distinct levels, each with specific functions and communication relationships. The Purdue Model has become the foundational reference for ICS network architecture and OT cybersecurity segmentation.

The Five Levels

Level 0 — Physical Process: The actual physical process being controlled — pumps, valves, conveyors, tanks, compressors. Not a network level; this is the real-world plant floor.

Level 1 — Basic Control: Sensors, actuators, and the field devices that interface directly with the physical process. PLCs (Programmable Logic Controllers), RTUs (Remote Terminal Units), and DCS controllers live at this level. Communication is typically fieldbus protocols: Modbus RTU, PROFIBUS, Foundation Fieldbus, or Ethernet-based equivalents. Response times are milliseconds to seconds.

Level 2 — Process Supervisory Control: SCADA servers, HMI workstations, historian servers, and operator consoles. This is the human interface layer where operators monitor process data and issue control commands. Alarms, setpoints, and real-time process graphics are managed here. Communication with Level 1 may be Modbus TCP, EtherNet/IP, OPC-UA, or proprietary protocols.

Level 3 — Manufacturing Operations Management: Manufacturing Execution Systems (MES), Laboratory Information Management Systems (LIMS), maintenance management, batch record systems, and production scheduling. This level sits between the real-time control world and the business world. Data from Level 2 is aggregated, contextualized, and made available to business systems.

Level 4–5 — Enterprise and Internet: ERP systems (SAP, Oracle), corporate networks, and internet connectivity. Business functions like procurement, logistics, finance, and customer management operate at these levels.

The DMZ: Where OT and IT Meet

Between Level 3 (OT) and Level 4 (IT), best practice dictates a Demilitarized Zone (DMZ) — a network segment containing data historians, file transfer servers, and remote access gateways that sit between the OT and IT networks with firewalls on both sides. Data flows from OT to the DMZ (the DMZ historian reads SCADA data), and from the DMZ to IT (the ERP reads production totals from the DMZ historian). Direct communication between IT and OT is not permitted.

Why the Purdue Model Matters for Security

The Purdue Model's layered architecture provides a framework for OT network segmentation. Each level boundary is a security control point where firewall rules enforce communication policies:

  • Level 1 ↔ Level 2: Control traffic only; no internet access; limited protocols
  • Level 2 ↔ Level 3: Read-only data export upward; commands only from authorized systems downward
  • Level 3 ↔ DMZ: Only specific data flows on specific ports; all remote access terminates in the DMZ
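A small checker that applies these boundary rules to a flow log, added here as an example (not code from the original article). The subnets, the port numbers per boundary, the extra EXT zone for addresses outside the plant, and the authorized MES address are assumed for the illustration:

```python
import ipaddress
# Constructed zone map (assumed subnets) and the level order a flow may cross one step at a time.
ZONES = {"10.1.0.0/24": "L1", "10.2.0.0/24": "L2", "10.3.0.0/24": "L3",
         "10.35.0.0/24": "DMZ", "10.4.0.0/16": "L4"}
ORDER = ["L1", "L2", "L3", "DMZ", "L4", "EXT"]  # EXT = any address outside the plant

# Assumed boundary policy modelled on the bullets above; port numbers are illustrative.
POLICY = {
    ("L2", "L1"): {("tcp", 502), ("tcp", 44818)},  # control traffic only (Modbus TCP, EtherNet/IP), initiated from L2
    ("L2", "L3"): {("tcp", 4840)},                 # read-only OPC UA export upward
    ("L3", "L2"): {("tcp", 4840)},                 # downward commands: authorized hosts only
    ("L3", "DMZ"): {("tcp", 4840)},                # historian replication into the DMZ
    ("DMZ", "L4"): {("tcp", 443)},                 # ERP reads production totals from the DMZ
    ("L4", "DMZ"): {("tcp", 443), ("tcp", 3389)},  # remote access terminates in the DMZ
}
AUTHORIZED_L3_SOURCES = {"10.3.0.10"}  # assumed MES server address

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for n, z in ZONES.items() if addr in ipaddress.ip_network(n)), "EXT")

def evaluate(src, dst, proto, port):
    """Return (verdict, reason) for one flow under the Purdue policy."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow", f"intra-zone {s}"
    if abs(ORDER.index(s) - ORDER.index(d)) != 1:
        return "deny", f"{s}->{d} skips a level boundary"
    if (proto, port) not in POLICY.get((s, d), set()):
        return "deny", f"{proto}/{port} not permitted {s}->{d}"
    if (s, d) == ("L3", "L2") and src not in AUTHORIZED_L3_SOURCES:
        return "deny", f"{src} is not authorized to command L2"
    return "allow", f"{s}->{d} {proto}/{port}"

def audit(flow_log):
    """Return (line, reason) for each denied 'src dst proto port' line."""
    findings = []
    for line in flow_log.strip().splitlines():
        src, dst, proto, port = line.split()
        verdict, reason = evaluate(src, dst, proto, int(port))
        if verdict == "deny":
            findings.append((line, reason))
    return findings

# Constructed flows: SCADA poll, MES command, rogue L3 host, ERP host reaching a PLC, PLC to internet.
SAMPLE_LOG = """10.2.0.5 10.1.0.20 tcp 502
10.3.0.10 10.2.0.5 tcp 4840
10.3.0.99 10.2.0.5 tcp 4840
10.4.1.7 10.1.0.20 tcp 502
10.1.0.20 203.0.113.9 tcp 443"""
```

Running `audit(SAMPLE_LOG)` flags the last three flows: the unauthorized Level 3 host, the enterprise host skipping three boundaries, and the PLC with a direct internet path.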

Modern Challenges to the Purdue Model

Cloud connectivity (IIoT), remote monitoring, and software-as-a-service historian platforms are creating direct paths between field devices and the cloud that bypass the Purdue hierarchy. While these technologies deliver real value, they require careful security design — a cloud-connected PLC without the traditional DMZ architecture represents a direct internet exposure of a Level 1 control device. Zero-trust network access (ZTNA) and cloud security gateways are emerging approaches to securing these modern architectures.