Module 1: The Purdue Reference Model (1/5)

The five levels and the demilitarised zone

35 min · 3 min read · Ref: Purdue Enterprise Reference Architecture; IEC 62443-1-1 §6


Why a reference model matters

Before you can secure a control system, you need a shared vocabulary for where things are. The Purdue Enterprise Reference Architecture (PERA) — originally developed by Theodore J. Williams at Purdue University in the 1990s — gives you that vocabulary.

IEC 62443-1-1 adopts Purdue as the canonical reference model for describing industrial network architecture. Every zone diagram, every conduit definition, every SL-T assignment in the rest of this program is anchored to Purdue levels.

The five levels

Level | Name               | What lives here                            | Typical protocols
4     | Enterprise         | ERP, email, corporate apps                 | HTTPS, SMTP, SQL
3     | Site Operations    | Historian, patch server, AV server         | OPC-UA, SQL, SMB
IDMZ  | Demilitarised Zone | Data diode, reverse proxy, jump host       | Varies — broker/relay only
2     | Supervisory        | HMI, SCADA server, engineering workstation | OPC-DA, Modbus/TCP, proprietary
1     | Control            | PLC, RTU, DCS controller                   | EtherNet/IP, Profinet, S7comm
0     | Field              | Sensors, actuators, drives, relays         | 4-20 mA, HART, IO-Link

The IDMZ: the most misunderstood layer

The Industrial Demilitarised Zone sits between Level 3 and Level 4. Its job is simple: nothing passes through it directly. Every data flow must be brokered — copied, relayed, or proxied — so that no direct IP session spans the boundary.

Key takeaway

IDMZ rule of thumb

If you can ping from the corporate LAN to any device on Level 2 or below, you do not have an IDMZ. You have a firewall rule that someone will eventually misconfigure.

What belongs in the IDMZ

  • Historian mirror / relay — Level 3 historian pushes data up; a relay in the IDMZ copies it to a corporate-accessible read replica.
  • Patch staging server — patches are pulled from the internet into the IDMZ, scanned, then pushed down to Level 3.
  • Remote-access jump host — engineers RDP into a hardened bastion in the IDMZ, then connect down. No direct tunnel.
  • Data diode (hardware-enforced unidirectional gateway) — for the highest-security segments.
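To make the rule of thumb above checkable, here is an added example (not part of the course material) that audits a constructed, simplified firewall rule list against a Purdue zone map and flags every allow rule that lets a session run straight between Level 4 and Level 3 or below without terminating in the IDMZ. The subnet-to-level mapping and the 'allow SRC DST SERVICE' syntax are assumptions made for the example; the permitted entries mirror the historian relay and jump host patterns listed above.

```python
import ipaddress
# Constructed zone map: one RFC 1918 prefix per Purdue level (example values).
ZONES = [
    (ipaddress.ip_network("10.0.0.0/16"), 4),        # Level 4 enterprise
    (ipaddress.ip_network("10.10.0.0/24"), "IDMZ"),  # IDMZ: brokers only
    (ipaddress.ip_network("10.20.0.0/16"), 3),       # Level 3 site operations
    (ipaddress.ip_network("10.30.0.0/16"), 2),       # Level 2 supervisory
    (ipaddress.ip_network("10.40.0.0/16"), 1),       # Level 1 control
]

def level_of(cidr):
    """Map an address or prefix to its Purdue level, 'IDMZ' or 'unknown'."""
    net = ipaddress.ip_network(cidr, strict=False)
    for zone, level in ZONES:
        if net.subnet_of(zone):
            return level
    return "unknown"

def spans_idmz(src_level, dst_level):
    """True when one end is Level 4 and the other Level 3 or below (no IDMZ)."""
    if "IDMZ" in (src_level, dst_level) or "unknown" in (src_level, dst_level):
        return False
    return (src_level == 4) != (dst_level == 4)

def audit(rule_text):
    """Return (line, src, dst, service) for every allow rule that lets a session
    span the boundary. 'allow SRC DST SERVICE' is a constructed syntax."""
    findings = []
    for lineno, raw in enumerate(rule_text.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()      # strip comments, tokenise
        if len(parts) != 4 or parts[0] != "allow":
            continue                               # deny rules never open a path
        _, src, dst, service = parts
        if spans_idmz(level_of(src), level_of(dst)):
            findings.append((lineno, src, dst, service))
    return findings

SAMPLE_RULES = """\
# L3 historian pushes to the IDMZ read replica: brokered, allowed
allow 10.20.1.5/32 10.10.0.20/32 tcp/1433
# engineers RDP to the IDMZ jump host; only the jump host goes down
allow 10.0.0.0/16 10.10.0.30/32 tcp/3389
allow 10.10.0.30/32 10.30.0.0/16 tcp/3389
# "temporary" vendor rule: corporate subnet straight to an L2 HMI
allow 10.0.5.0/24 10.30.1.10/32 tcp/3389
# troubleshooting ping that was never removed (the rule of thumb above)
allow 10.0.0.0/16 10.40.0.0/16 icmp
# PLC subnet reporting straight up to an enterprise server
allow 10.40.2.0/24 10.0.9.9/32 tcp/443"""
```

Running `audit(SAMPLE_RULES)` reports the three rules that bypass the IDMZ (the direct RDP, the ping, and the OT-initiated HTTPS session), while the brokered relay and jump-host rules pass.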

What does NOT belong in the IDMZ

  • Active Directory domain controllers (move them to Level 3 or 4).
  • Shared file servers accessible from both sides.
  • Any device that initiates sessions in both directions simultaneously.

Why Purdue still matters

Critics argue that cloud-connected IIoT devices, edge computing, and remote monitoring have made Purdue obsolete. They are wrong — but they have a point.

Purdue was designed for a world where OT networks were physically isolated. Today, many Level 2 and Level 3 devices have outbound connectivity to cloud dashboards, vendor telemetry, and remote-support tools.

Analogy

Purdue is not a floor plan — it is a fire code. The code still applies even if you have renovated the building. You may add new rooms, but you still need fire doors between them.

IEC 62443 extends Purdue by adding zones and conduits (covered in the Risk Assessment track). A zone can span multiple Purdue levels if the devices share the same security requirements, and a conduit is any communication path between zones — wired or wireless, local or cloud.

Key Takeaways

  1. The Purdue model defines five levels (0–4) plus an IDMZ.
  2. Level 0/1 is the physical process; Level 2 is supervisory; Level 3 is site operations; Level 4 is enterprise.
  3. The IDMZ brokers all traffic between IT and OT — no direct sessions allowed.
  4. Purdue is still the canonical reference in IEC 62443 even in cloud-connected environments.
  5. Zones and conduits extend Purdue to handle modern architectures.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. How many levels does the Purdue Enterprise Reference Architecture define, including the IDMZ?

    • Three levels (IT, DMZ, OT)
    • Five levels (0–4)
    • Five levels (0–4) plus the IDMZ
    • Seven levels (0–6)

    The Purdue model defines five levels (0 through 4) plus the Industrial Demilitarised Zone (IDMZ) between Level 3 and Level 4, for a total of six distinct segments.

  2. Q2. What is the primary design principle of the IDMZ?

    • All traffic between IT and OT must be encrypted.
    • No direct IP session may traverse the IDMZ — every data flow must be brokered, relayed, or copied.
    • Only HTTP/HTTPS traffic is permitted through the IDMZ.
    • The IDMZ must contain at least one Active Directory domain controller.

    The IDMZ's core rule is that no direct IP session spans the boundary. Every data flow must be brokered by a service inside the IDMZ (historian relay, jump host, data diode, etc.).

  3. Q3. Which of the following should NOT be placed in the IDMZ?

    • A historian relay that copies data to a corporate read replica.
    • A remote-access jump host for engineers.
    • An Active Directory domain controller shared between IT and OT.
    • A patch staging server that scans updates before forwarding to Level 3.

    Active Directory domain controllers should not be in the IDMZ. Shared DCs allow a single compromised admin account to control both IT and OT authentication. OT should have its own domain controller at Level 3, with no forest trust or a one-way trust from OT to IT.