Operational Technology

The Purdue Model's Risky Blindspot

George V. Hulme
Dec 13, 2023

With the rise of the extended Internet of Things (XIoT) across industrial, healthcare, commercial, and other environments come sought-after gains in delivery efficiency and reliability, but also an increased risk of attack by malicious actors. It is where operational technology (OT) and traditional IT systems converge that attackers find ample opportunity to inflict harm.

While the Purdue Model has proven an effective way to frame the security of OT/IT environments, defining the practices for managing the relationship between industrial control systems and IT networks, it may have a blind spot. The model has six levels, starting with Level 0, the physical components and processes, and running up through Level 5, the enterprise network. It is Level 3, the manufacturing operations and control level, where experts pin the most significant risks.

[Figure: Typical OT network]

The Purdue Model is based on separating IT from industrial infrastructure and industrial control systems (ICS): by keeping the critical industrial processes isolated from the less secure IT networks, ICS security is enhanced. That separation can prove risky, however, if enterprises fail to view their environments in their totality.

Digital Transformation Erased ICS Air Gaps 

The model's original assumption that ICS devices are "air-gapped" and isolated is no longer valid, following the rapid digital transformation that's occurred in recent years. In modern environments, IT, IoT, and OT systems have converged, and focusing on segmentation can lead to blind spots. This is especially true at Level 2 and Level 3. Here, attackers attempt to exploit various weaknesses:

  • Unauthorized System Access: Attackers often exploit weaknesses in authentication, such as weak or default username/password combinations, to gain unauthorized access to management systems, human-machine interfaces (HMIs), manufacturing execution systems (MES), and endpoint XIoT devices.

  • Unauthorized Data Access: Attackers attempt to access or manipulate data as it's shared among different levels of the ICS environment. This could be for reconnaissance to understand the targeted organization, or to disrupt or stop production processes.

  • Social Engineering: Attackers use phishing to entice operators into opening malicious attachments or links, introducing malware into Level 3 so they can gain operational control over devices.

  • Movement Down the Purdue Model Levels: Once access is gained to level 3, attackers will often try to move to level 2 of the model to gain local control of systems. This could be to initiate the planned attack, steal data from local systems, or remain dormant for potential future attacks.

  • Exploit Software and Firmware Vulnerabilities: Attackers target known vulnerabilities, such as those catalogued in the CVE list, to attempt to gain control over XIoT/ICS systems.

While these threats, experts say, are more acute at Levels 2 and 3, organizations should not focus myopically on those two levels; they must put defenses in place that protect the entire stack.

Sagi Berco, CTO at zero trust security firm NanoLock Security, says the standard approach to ICS security is to concentrate on Level 3 of the Purdue Model, and adds that this alone "inadequately addresses the interconnectedness between OT and IT infrastructures, rendering them more vulnerable to attacks originating from external or internal sources." Attacks on Level 3 networks can reach down to Level 1 devices, and when they succeed, the impact on production lines and business continuity can be enormous.

One way enterprises attempt to protect their OT/ICS systems is by air-gapping Levels 0 and 1. Experts say that is not enough to protect these devices. "Air-gapping of network environments by itself falls short in preventing unauthorized access and changes to OT asset programming. It is necessary to treat OT assets themselves, such as programmable logic controllers (PLCs), as distinct segments. This can be achieved by implementing a device-level zero-trust approach specifically designed to prevent unauthorized changes made to the PLCs, which can significantly damage the operational integrity of production lines and affect business continuity or even endanger lives," says NanoLock's Berco.

Integrated Monitoring, Segmentation Keep Level 1 Devices Safe

Experts also contend that adequate monitoring is essential to securing devices on Levels 0 and 1. Robin Berthier, CEO at Network Perception, adds that continuous monitoring is just as crucial at Level 3, and advises network owners to deploy cybersecurity tools that can monitor IT and OT environments together. "This involves using integrated monitoring tools that can detect anomalies and potential threats across both domains, ensuring that the communication layer between IT and OT remains secure," Berthier says.

"The use of network access modeling to complement threat detection mechanisms is especially important in these interconnected environments to quickly understand the network segmentation context around alerts and assess how attacks could propagate," Berthier says.

Dustin Luther, founder at Spinnio, says that successful monitoring requires a combination of strategies and technologies, including:

  • Network Segmentation: Implementing network segmentation within Level 3 can help isolate different network parts, reducing the risk of a widespread attack. This can be achieved through firewalls, virtual LANs (VLANs), or other network partitioning methods.

  • Intrusion Detection Systems (IDS): Deploying IDS solutions built for industrial environments can help detect unusual network traffic patterns or known attack signatures. As wireless IoT/IIoT becomes more prevalent for convenience, attackers leveraging wireless vulnerabilities to backdoor the wired side of the network is a growing problem.

  • Anomaly Detection: Anomaly detection systems use machine learning to identify deviations from normal network behavior that could indicate an attack. In IT/OT security, and especially at Level 3 of the Purdue Model, such detection is a crucial part of a modern defensive strategy.
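The three strategies above, and Berthier's point about network access modeling giving segmentation context to alerts, can be combined in a single monitor. The following is an added example written for this article, not code from any of the vendors quoted or from the original page. It models Purdue levels as zones (the subnet-per-level addressing is a hypothetical site layout), encodes a conduit policy that only lets adjacent levels talk, restricts Modbus write function codes to Level 2 sources, and learns a baseline of conversations so that a new conversation, such as SMB from a Level 3 host to an HMI, is flagged even when the conduit policy permits it. All flow records are constructed sample data.

```python
"""Segmentation-aware IT/OT flow monitor (added example; constructed data)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical site addressing: one subnet per Purdue level (assumption).
ZONES = {
    1: ip_network("10.1.1.0/24"),   # Level 1: PLCs / controllers
    2: ip_network("10.1.2.0/24"),   # Level 2: HMIs, local supervisory
    3: ip_network("10.1.3.0/24"),   # Level 3: site operations, MES, historian
    4: ip_network("10.4.0.0/16"),   # Level 4/5: enterprise IT
}

# Modbus function codes that change controller state (standard codes).
MODBUS_WRITES = {5, 6, 15, 16, 23}
# Policy assumption: only Level 2 supervisory hosts may write to PLCs.
WRITE_SOURCE_LEVELS = {2}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    fc: Optional[int]  # Modbus function code if the sensor decoded one


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts src dst dport proto fc' records; fc is '-' when absent."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, fc = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto,
                          None if fc == "-" else int(fc)))
    return flows


def level_of(ip: str) -> Optional[int]:
    """Map an address to its Purdue level; None for unknown assets."""
    addr = ip_address(ip)
    for level, net in ZONES.items():
        if addr in net:
            return level
    return None


def conduit_allowed(src_level: Optional[int], dst_level: Optional[int]) -> bool:
    """Conduit policy: traffic may cross at most one level boundary.
    Unknown assets are denied by default."""
    if src_level is None or dst_level is None:
        return False
    return abs(src_level - dst_level) <= 1


def analyze(baseline_text: str, live_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ts, src, dst, reason) findings for live flows, using the
    baseline window as the set of known-normal conversations."""
    baseline = {(f.src, f.dst, f.dport) for f in parse_flows(baseline_text)}
    name = lambda lvl: "unknown" if lvl is None else f"L{lvl}"
    findings = []
    for f in parse_flows(live_text):
        s, d = level_of(f.src), level_of(f.dst)
        reasons = []
        if not conduit_allowed(s, d):
            reasons.append(f"CONDUIT_VIOLATION {name(s)}->{name(d)}")
        if f.proto == "modbus" and f.fc in MODBUS_WRITES and s not in WRITE_SOURCE_LEVELS:
            reasons.append(f"UNAUTHORIZED_WRITE fc={f.fc} from {name(s)}")
        if (f.src, f.dst, f.dport) not in baseline:
            reasons.append("NEW_CONVERSATION not seen in baseline")
        findings.extend((f.ts, f.src, f.dst, r) for r in reasons)
    return findings


# Constructed sample flows: a learning window, then a window to monitor.
BASELINE = """\
2023-12-01T08:00:01 10.1.2.10 10.1.1.5 502 modbus 3
2023-12-01T08:00:02 10.1.2.10 10.1.1.5 502 modbus 16
2023-12-01T08:00:05 10.1.3.20 10.1.2.10 44818 enip -
2023-12-01T08:00:09 10.4.0.50 10.1.3.20 443 https -
"""

LIVE = """\
2023-12-13T09:15:01 10.1.2.10 10.1.1.5 502 modbus 3
2023-12-13T09:15:03 10.4.0.77 10.1.1.5 502 modbus 16
2023-12-13T09:15:04 10.1.3.20 10.1.1.5 502 modbus 6
2023-12-13T09:15:07 10.1.3.20 10.1.2.10 44818 enip -
2023-12-13T09:15:09 10.1.3.20 10.1.2.11 445 smb -
"""

if __name__ == "__main__":
    for ts, src, dst, reason in analyze(BASELINE, LIVE):
        print(f"{ts} {src} -> {dst}: {reason}")
```

Run as-is, the monitor stays silent on the HMI's routine Modbus reads and the known MES-to-HMI session, raises three findings for the enterprise host writing registers straight into a PLC (a Level 4 to Level 1 conduit violation, a write from a non-supervisory level, and a conversation never seen before), three for the Level 3 host doing the same, and one for the Level 3 host opening SMB to a second HMI, which the conduit policy allows but the baseline has never seen. That last case is the "movement down the Purdue Model levels" pattern: segmentation alone would not catch it, and the baseline comparison is what surfaces it.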

While the segmentation principles in the Purdue Model are crucial for ICS security, in modern hyper-connected environments, where IT, IoT, and OT systems converge, too narrow a focus on segmentation can create blind spots in security defenses. Keeping a close eye on activity within Levels 2 and 3 is essential to keeping all connected systems secure.


George V. Hulme is an award-winning journalist and internationally recognized information security and business technology writer. He has covered business, technology, and IT security topics for more than 20 years. His work has appeared in CSOOnline, ComputerWorld, InformationWeek, Security Boulevard, and dozens of other technology publications. He is also a founding editor at DevOps.com.
