The Purdue Model for
OT and ICS Security
The Purdue Enterprise Reference Architecture is still the vocabulary IEC 62443 assessors, cyber underwriters and OT engineers use to describe an industrial estate. This is where every level sits, and where a physical air gap belongs.
A Reference Architecture, Not a Product
The Purdue Model is a shared vocabulary for OT and IT. It is not a security control on its own, but every serious OT programme still uses it.
A reference architecture, not a product
The Purdue Model is a reference architecture for industrial control systems, originally published as PERA by Theodore Williams at Purdue University in the 1990s. It splits an industrial estate into levels so that engineers, IT and security can agree on where a system sits and what may talk to it.
Six zones from field to cloud
The model runs from Level 0 (field devices) up to Level 5 (enterprise). Between the plant and the enterprise sits Level 3.5, the industrial DMZ, where OT talks to IT under strict rules. Modern OT security programmes treat those level boundaries as the primary segmentation policy.
Still the reference in 2026
The model is regularly declared obsolete, then quietly reused. IEC 62443, NIST SP 800-82 and the NCSC CAF for essential services all reference Purdue levels when they describe zones and conduits. It is the shorthand assessors, insurers and auditors expect in scoping documents.
Level by Level, What Sits Where
Level 0 field devices up to Level 5 enterprise, with the industrial DMZ at Level 3.5. The boundary between the plant and the enterprise always sits at 3.5.
Level 0 to 2, the plant
Level 0 is the physical process: valves, motors, sensors, actuators. Level 1 is the controllers that drive them: PLCs, RTUs, safety instrumented systems. Level 2 is the local supervision: HMI, engineering workstations and site historians. This is where uptime is measured in years and where ransomware translates directly into a stopped plant.
Level 3 and 3.5, operations and DMZ
Level 3 hosts site operations: MES, batch, site historians and asset management. Level 3.5 is the industrial DMZ where OT publishes data to IT and receives updates back. Almost every OT ransomware incident enters at this boundary, which is why the Firevault gold copy sits at Level 3.5, isolated from Levels 4 and 5.
Level 4 and 5, IT and enterprise
Level 4 is site-level IT: business systems that live in the same building as the plant. Level 5 is the wider enterprise: corporate identity, cloud, SaaS. These layers carry the majority of the attack surface and the majority of destructive incidents originate here, which is why a physical air gap between L4/L5 and the OT gold copy is the boundary of last resort.
Firevault at Level 3.5 or a Dedicated Bunker
Ransomware enters at Level 5, moves through Level 4, then pivots at Level 3.5. A Layer 1 physical air gap breaks that chain for the gold copy.
Where ransomware enters the model
The dominant attack pattern is compromise at Level 5 (phished corporate identity, exposed VPN, exploited SaaS), lateral movement to Level 4, then a pivot through Level 3.5 into the plant. Every published post-incident report on a large OT ransomware event follows this shape. The mitigation is not more segmentation rules, it is a copy the attacker cannot reach at all.
Firevault at Level 3.5 or a dedicated bunker
The Firevault gold copy sits at Level 3.5, or in a dedicated bunker adjacent to the OT estate. It has no network interface enabled while offline. Connection windows are switched out of band, logged on a separate management plane, and closed the moment the sync ends. That is a Layer 1 boundary, not a firewall rule.
Layered with existing ICS backup
The Firevault pattern does not replace Veeam, Rubrik, Commvault or native ICS backup platforms. Those handle fast operational recovery for the ordinary failure modes. Firevault provides the one offline copy the 3-2-1-1-0 rule requires, and the tamper evident evidence the insurer requires.
Common mistakes
Eight Ways a Purdue Diagram Is Misused
A Purdue diagram on the wall is not a security control. These are the failure modes we see most often in OT assessments.
- Treating Purdue as a security control on its own, it is a reference architecture and needs enforcement
- Placing the industrial DMZ (Level 3.5) inside the same identity domain as Levels 4 and 5
- Running the OT backup platform on a VM in the corporate hypervisor, reachable from Level 5
- Assuming a firewall between levels is equivalent to physical isolation for the gold copy
- Skipping Level 3.5 entirely and letting Level 3 talk directly to Level 5 for reporting
- Buying an immutable appliance and describing it as an air gap in insurer paperwork
- Not testing a restore from the offline copy across a Level 3.5 boundary at least annually
- Losing chain of custody by moving the offline copy through an ordinary courier rather than an escorted collection
Continue with the diagram reference, the segmentation guide and the wider OT pillar.
The Purdue Model, Common Questions



Put the gold copy at Level 3.5, not on the corporate domain
Talk to the Firevault team about a Layer 1 air-gapped copy that sits at the industrial DMZ, isolated from the enterprise identity ransomware targets first.
Takes about 2 minutes. No account needed.