Recent Breaches
Breaches
2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026HertzUndisclosed stolenUndisclosed records stolen2026NHS ScotlandUndisclosed stolenUndisclosed records stolen2025Marks & Spencer9.4M stolen9.4M records stolen2025PayPal35K stolen35K records stolen2025Co-operative GroupUndisclosed stolenUndisclosed records stolen2025Jaguar Land RoverUndisclosed stolenUndisclosed records stolen2024National Public Data2.9B stolen2.9B records stolen2026PowerSchool62.4M stolen62.4M records stolen2026DISA Global Solutions3.3M stolen3.3M records stolen2026Globe Life850K stolen850K records stolen
View All →
Why OSS

The Purdue Model for
OT and ICS Security

The Purdue Enterprise Reference Architecture is still the vocabulary IEC 62443 assessors, cyber underwriters and OT engineers use to describe an industrial estate. This is where every level sits, and where a physical air gap belongs.

R6
What the Purdue Model actually is

A Reference Architecture, Not a Product

The Purdue Model is a shared vocabulary for OT and IT. It is not a security control on its own, but every serious OT programme still uses it.

01
Purdue Enterprise Reference Architecture (PERA)

A reference architecture, not a product

The Purdue Model is a reference architecture for industrial control systems, originally published as PERA by Theodore Williams at Purdue University in the 1990s. It splits an industrial estate into levels so that engineers, IT and security can agree on where a system sits and what may talk to it.

Published as PERA, 1990sShared vocabulary for OT and ITNot a product or a standard
02
Levels 0 to 5 plus an industrial DMZ

Six zones from field to cloud

The model runs from Level 0 (field devices) up to Level 5 (enterprise). Between the plant and the enterprise sits Level 3.5, the industrial DMZ, where OT talks to IT under strict rules. Modern OT security programmes treat those level boundaries as the primary segmentation policy.

L0 field devices, sensors, actuatorsL3.5 industrial DMZ boundaryL5 enterprise, cloud, SaaS
03
IEC 62443 and NIST SP 800-82 both use it

Still the reference in 2026

The model is regularly declared obsolete, then quietly reused. IEC 62443, NIST SP 800-82 and the NCSC CAF for essential services all reference Purdue levels when they describe zones and conduits. It is the shorthand assessors, insurers and auditors expect in scoping documents.

Referenced by IEC 62443Referenced by NIST SP 800-82Assumed by cyber underwriters
The six levels, from field to cloud

Level by Level, What Sits Where

Level 0 field devices up to Level 5 enterprise, with the industrial DMZ at Level 3.5. The boundary between the plant and the enterprise always sits at 3.5.

01
Field devices, controllers and supervision

Level 0 to 2, the plant

Level 0 is the physical process: valves, motors, sensors, actuators. Level 1 is the controllers that drive them: PLCs, RTUs, safety instrumented systems. Level 2 is the local supervision: HMI, engineering workstations and site historians. This is where uptime is measured in years and where ransomware translates directly into a stopped plant.

L0 sensors and actuatorsL1 PLC, RTU, SISL2 HMI, engineering workstations
02
Where OT meets IT under strict rules

Level 3 and 3.5, operations and DMZ

Level 3 hosts site operations: MES, batch, site historians and asset management. Level 3.5 is the industrial DMZ where OT publishes data to IT and receives updates back. Almost every OT ransomware incident enters at this boundary, which is why the Firevault gold copy sits at Level 3.5, isolated from Levels 4 and 5.

L3 MES, batch, site historianL3.5 industrial DMZHighest attacker footfall
03
Corporate estate, cloud and SaaS

Level 4 and 5, IT and enterprise

Level 4 is site-level IT: business systems that live in the same building as the plant. Level 5 is the wider enterprise: corporate identity, cloud, SaaS. These layers carry the majority of the attack surface and the majority of destructive incidents originate here, which is why a physical air gap between L4/L5 and the OT gold copy is the boundary of last resort.

L4 site business systemsL5 corporate cloud and SaaSOrigin of most OT incidents
Where a physical air gap belongs

Firevault at Level 3.5 or a Dedicated Bunker

Ransomware enters at Level 5, moves through Level 4, then pivots at Level 3.5. A Layer 1 physical air gap breaks that chain for the gold copy.

01
L5 to L3.5, then downward

Where ransomware enters the model

The dominant attack pattern is compromise at Level 5 (phished corporate identity, exposed VPN, exploited SaaS), lateral movement to Level 4, then a pivot through Level 3.5 into the plant. Every published post-incident report on a large OT ransomware event follows this shape. The mitigation is not more segmentation rules, it is a copy the attacker cannot reach at all.

Entry at L5, corporate identityLateral to L4 and Level 3.5Air gap breaks the chain
02
Layer 1 isolation, not VLAN separation

Firevault at Level 3.5 or a dedicated bunker

The Firevault gold copy sits at Level 3.5, or in a dedicated bunker adjacent to the OT estate. It has no network interface enabled while offline. Connection windows are switched out of band, logged on a separate management plane, and closed the moment the sync ends. That is a Layer 1 boundary, not a firewall rule.

No live network interfaceOut-of-band switchingTamper evident connection log
03
Not a replacement, an addition

Layered with existing ICS backup

The Firevault pattern does not replace Veeam, Rubrik, Commvault or native ICS backup platforms. Those handle fast operational recovery for the ordinary failure modes. Firevault provides the one offline copy the 3-2-1-1-0 rule requires, and the tamper evident evidence the insurer requires.

Layers over existing toolsHandles the one offline copyProvides audit evidence

Common mistakes

Eight Ways a Purdue Diagram Is Misused

A Purdue diagram on the wall is not a security control. These are the failure modes we see most often in OT assessments.

  • Treating Purdue as a security control on its own, it is a reference architecture and needs enforcement
  • Placing the industrial DMZ (Level 3.5) inside the same identity domain as Levels 4 and 5
  • Running the OT backup platform on a VM in the corporate hypervisor, reachable from Level 5
  • Assuming a firewall between levels is equivalent to physical isolation for the gold copy
  • Skipping Level 3.5 entirely and letting Level 3 talk directly to Level 5 for reporting
  • Buying an immutable appliance and describing it as an air gap in insurer paperwork
  • Not testing a restore from the offline copy across a Level 3.5 boundary at least annually
  • Losing chain of custody by moving the offline copy through an ordinary courier rather than an escorted collection

Continue with the diagram reference, the segmentation guide and the wider OT pillar.

The Purdue Model, Common Questions

Mark Fermor
David Bailey
Kenny Phipps
Online Now
Concierge

Put the gold copy at Level 3.5, not on the corporate domain

Talk to the Firevault team about a Layer 1 air-gapped copy that sits at the industrial DMZ, isolated from the enterprise identity ransomware targets first.

Takes about 2 minutes. No account needed.

Free2 minsNo sign-up
    Get started

    Your privacy matters

    We use cookies to keep the site running smoothly and to understand how you use it. You are in control. Privacy Charter · Cookie Policy