Module 1: The Purdue Reference Model (2/5)

Level 0 / Level 1: sensors, actuators, controllers

40 min · 4 min read · Ref: ISA-95


The bottom of the stack

Levels 0 and 1 are where the physical world meets the digital world. Everything above — HMIs, historians, enterprise dashboards — exists to observe and command what happens here. If you lose Level 0/1, you lose the process.

Level 0: field devices

Level 0 devices are the hands and eyes of the control system. They measure physical quantities and act on the process directly.

Device class | Examples | What it does
Sensors | RTDs, thermocouples, pressure transmitters, flow meters, level switches | Converts a physical measurement into an electrical signal
Actuators | Motor starters, control valves, solenoid valves, variable-frequency drives (VFDs) | Converts an electrical signal into a physical action
Relays | Protective relays, safety relays | Switches circuits based on a condition

Communication at Level 0

Most Level 0 devices communicate with Level 1 controllers using analogue signals (4–20 mA current loops) or low-level digital protocols:

  • HART — digital signal superimposed on a 4–20 mA loop.
  • IO-Link — point-to-point serial for smart sensors.
  • Foundation Fieldbus / PROFIBUS PA — digital fieldbus for process instruments.
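A 4–20 mA loop carries no identity and no integrity check, but its "live zero" (4 mA rather than 0 mA means the bottom of the range) does let the controller tell a genuine low reading apart from a broken wire or a transmitter that is signalling a fault. The following is an added example, not code from the module: it scales a loop current into engineering units and classifies the loop state. The transmitter range (0–10 bar) and the fault thresholds are assumptions; the thresholds follow the NAMUR NE43 convention (below 3.6 mA or above 21.0 mA signals a transmitter fault).

```python
"""Scale a 4-20 mA loop reading into engineering units and flag loop faults.

Added example; not part of the original module. The transmitter range
(0-10 bar) used in the usage call and the fault thresholds (NAMUR NE43:
< 3.6 mA or > 21.0 mA) are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from typing import Optional

LOOP_LOW_MA = 4.0     # live zero: 4 mA is the bottom of the measuring range
LOOP_HIGH_MA = 20.0   # 20 mA is the top of the measuring range
FAULT_LOW_MA = 3.6    # below this the transmitter is signalling a fault (NE43)
FAULT_HIGH_MA = 21.0  # above this likewise
OPEN_LOOP_MA = 0.5    # essentially no current: broken wire or unpowered device


@dataclass(frozen=True)
class Reading:
    value: Optional[float]  # engineering units, None when the loop is not trustworthy
    status: str             # "ok", "under_range", "over_range", "open_loop", "fault"


def scale_loop(ma: float, eu_low: float, eu_high: float) -> Reading:
    """Map a loop current to engineering units using the transmitter's range."""
    if ma < OPEN_LOOP_MA:
        # A valid "zero" reads 4 mA, so ~0 mA cannot be a measurement: the loop is open.
        return Reading(None, "open_loop")
    if ma < FAULT_LOW_MA or ma > FAULT_HIGH_MA:
        # The transmitter is deliberately driving the loop outside the signal band.
        return Reading(None, "fault")
    span = (ma - LOOP_LOW_MA) / (LOOP_HIGH_MA - LOOP_LOW_MA)
    value = eu_low + span * (eu_high - eu_low)
    if ma < LOOP_LOW_MA:
        return Reading(value, "under_range")  # slightly below zero: still a measurement
    if ma > LOOP_HIGH_MA:
        return Reading(value, "over_range")   # slightly above span: still a measurement
    return Reading(value, "ok")


if __name__ == "__main__":
    # Constructed sample readings for a 0-10 bar pressure transmitter.
    for ma in (12.0, 3.8, 20.5, 3.0, 0.2):
        print(f"{ma:5.1f} mA -> {scale_loop(ma, 0.0, 10.0)}")
```

The point for a defender is that the only "health" signal Level 0 gives you is this one: a reading that is physically impossible for the loop is the sole indication that the device, the wire, or something in between has been disturbed, so the controller logic (or the historian) should treat those states distinctly rather than clamping them to zero.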

Key takeaway: security implication

Level 0 devices typically have no authentication, no encryption, and no firmware-update mechanism. Security must be enforced at the network boundary — you protect Level 0 by protecting the conduit from Level 1.

Level 1: controllers

Level 1 is where the logic lives. Controllers read sensor inputs, execute a control programme, and drive actuator outputs on a deterministic scan cycle.

Controller types

  • PLC (Programmable Logic Controller) — the workhorse. Rockwell ControlLogix, Siemens S7-1500, Schneider M340.
  • RTU (Remote Terminal Unit) — hardened for field deployment. Common in water/wastewater, oil & gas pipelines.
  • DCS controller — embedded in a Distributed Control System. Honeywell Experion, ABB 800xA, Yokogawa CENTUM.
  • Safety controller — SIL-rated for safety functions. Triconex, HIMA, Pilz.

The scan cycle

A PLC executes a three-step loop thousands of times per second:

  1. Read inputs — sample every connected sensor.
  2. Execute logic — run the programme (ladder, structured text, function blocks).
  3. Write outputs — send commands to actuators.

The entire cycle must complete within a deterministic time window — typically 5–50 ms. If the scan overruns, the controller faults and the process may trip.
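To make the "deterministic window" concrete, here is an added example (not code from the module) that simulates the three-step scan loop with a watchdog. The 20 ms watchdog, the hysteresis level-control logic, the tag names and the simulated disturbance are all assumptions; the disturbance stands in for anything that steals time from the controller, such as a burst of unexpected network traffic. When a scan overruns, the simulated controller faults and de-energises its outputs, which is the behaviour the paragraph above describes.

```python
"""Simulate a PLC scan cycle with a watchdog that faults on overrun.

Added example; not the module's code. The 20 ms watchdog, the level-control
logic, the tag names (LT-101, P-101) and the simulated load are assumptions.
"""
import time
from typing import Callable, Dict, List, Optional, Tuple

Inputs = Dict[str, float]
Outputs = Dict[str, bool]


class WatchdogFault(Exception):
    """Raised when a scan exceeds the configured watchdog time."""


class PLC:
    def __init__(self, watchdog_ms: float, logic: Callable[[Inputs, Outputs], None]):
        self.watchdog_s = watchdog_ms / 1000.0
        self.logic = logic
        self.outputs: Outputs = {}
        self.faulted = False
        self.scan_times_ms: List[float] = []

    def scan(self, read_inputs: Callable[[], Inputs], extra_load_s: float = 0.0) -> Outputs:
        """One cycle: read inputs, execute logic, write outputs, then check the watchdog."""
        if self.faulted:
            raise WatchdogFault("controller is faulted; outputs held in safe state")
        t0 = time.perf_counter()
        inputs = read_inputs()              # 1. read inputs
        self.logic(inputs, self.outputs)    # 2. execute logic
        if extra_load_s:
            time.sleep(extra_load_s)        # simulated disturbance stealing CPU time
        elapsed = time.perf_counter() - t0  # 3. outputs are written at end of scan
        self.scan_times_ms.append(elapsed * 1000.0)
        if elapsed > self.watchdog_s:
            # Watchdog trip: stop executing and drive every output to its safe (off) state.
            self.faulted = True
            self.outputs = {tag: False for tag in self.outputs}
            raise WatchdogFault(f"scan overran watchdog: {elapsed * 1000.0:.1f} ms")
        return dict(self.outputs)


def level_control(inputs: Inputs, outputs: Outputs) -> None:
    """Hysteresis pump control: start the pump below 30 %, stop it above 70 %."""
    level = inputs["LT-101"]
    pump = outputs.get("P-101", False)
    if level < 30.0:
        pump = True
    elif level > 70.0:
        pump = False
    outputs["P-101"] = pump


def run(plc: PLC, levels: List[float], disturb_at: Optional[int] = None,
        disturb_s: float = 0.05) -> Tuple[int, bool]:
    """Feed one level reading per scan; return (scans completed, controller faulted)."""
    completed = 0
    for i, level in enumerate(levels):
        try:
            plc.scan(lambda: {"LT-101": level}, disturb_s if i == disturb_at else 0.0)
            completed += 1
        except WatchdogFault as exc:
            print(f"scan {i}: {exc}")
            break
    return completed, plc.faulted


if __name__ == "__main__":
    # Constructed tank-level trace: fill, overshoot, settle.
    trace = [20.0, 25.0, 50.0, 80.0, 60.0]
    print("undisturbed:", run(PLC(20.0, level_control), trace))
    print("disturbed:  ", run(PLC(20.0, level_control), trace, disturb_at=2))
```

Note that the fault is not caused by a wrong command but purely by lost time: the control logic is identical in both runs. That is why a network scan or an agent consuming CPU on a controller is treated as a process-safety event rather than a performance nuisance.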

Analogy

A PLC is a metronome. It does the same thing at exactly the same tempo, forever. Anything that disrupts the tempo — a network scan, an antivirus agent, a firmware update — is a threat to the process.

Communication at Level 1

Controllers talk to each other and to Level 2 devices using industrial Ethernet protocols:

Protocol | Vendor ecosystem | Transport
EtherNet/IP + CIP | Rockwell / Allen-Bradley | TCP/UDP port 44818
PROFINET | Siemens | Ethernet Layer 2 + TCP
S7comm / S7comm+ | Siemens (legacy / TIA) | TCP port 102
Modbus/TCP | Open standard | TCP port 502
OPC-UA | Vendor-neutral | TCP port 4840

Worked example

Modbus/TCP is the most widely deployed industrial protocol and has zero authentication. Any device that can reach TCP port 502 can read or write any register on the controller. This is why zone separation at the network level is the primary security control for Level 1.

Security considerations for Level 0/1

What you CAN do

  • Network segmentation — place Level 0/1 devices in a dedicated zone with a restrictive conduit to Level 2.
  • Access control lists — allow only the engineering workstation and HMI to reach the PLC.
  • Port security — disable unused switch ports; enable 802.1X where supported.
  • Change detection — monitor PLC programme checksums and alert on any modification.
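The Modbus/TCP worked example above and the access-control point in this list come together in conduit monitoring: because the protocol itself cannot tell an engineering workstation from any other host, the check has to be made on the network path from source address plus function code. The following is an added example, not code from the module or any vendor: it parses the MBAP header and function code of Modbus/TCP requests and applies a read/write allow-list per source host. The MBAP layout and the function-code numbers are from the Modbus/TCP specification; the host addresses, the allow-list and the captured frames are constructed for illustration.

```python
"""Parse Modbus/TCP requests and apply a per-host conduit policy to them.

Added example, not part of the original module. MBAP header layout and
function codes follow the Modbus/TCP specification; the hosts, the policy
and the "captured" frames below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

READ_FUNCTIONS: Set[int] = {1, 2, 3, 4}              # coils, discrete inputs, holding/input registers
WRITE_FUNCTIONS: Set[int] = {5, 6, 15, 16, 22, 23}   # single/multiple coil and register writes
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}

# Constructed conduit policy: only the engineering workstation may write.
POLICY: Dict[str, Set[str]] = {
    "10.1.2.10": {"read", "write"},   # engineering workstation (assumed address)
    "10.1.2.20": {"read"},            # HMI (assumed address)
}


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]   # starting address, when the PDU carries one


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode MBAP header (7 bytes) + function code; reject frames that do not add up."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:          # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    address = None
    if function in READ_FUNCTIONS | WRITE_FUNCTIONS and len(frame) >= 10:
        address = struct.unpack(">H", frame[8:10])[0]
    return ModbusRequest(tid, unit, function, address)


def evaluate(src_ip: str, frame: bytes) -> Tuple[str, str]:
    """Return ('allow' | 'alert', reason) for one request seen on the conduit."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "alert", f"malformed frame from {src_ip}: {exc}"
    name = FUNCTION_NAMES.get(req.function, f"function {req.function}")
    rights = POLICY.get(src_ip)
    if rights is None:
        return "alert", f"{src_ip} is not an allowed source (sent {name})"
    if req.function in WRITE_FUNCTIONS and "write" not in rights:
        return "alert", f"{src_ip} sent {name} at address {req.address} without write rights"
    if req.function not in READ_FUNCTIONS | WRITE_FUNCTIONS:
        return "alert", f"{src_ip} sent unexpected {name}"
    return "allow", f"{src_ip} {name} at address {req.address}"


def build_request(tid: int, unit: int, function: int, address: int, value: int) -> bytes:
    """Assemble a simple request PDU (function, address, value) behind an MBAP header.
    Used only to construct the sample capture below."""
    pdu = struct.pack(">BHH", function, address, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample "capture": (source address, raw TCP payload).
CAPTURED: List[Tuple[str, bytes]] = [
    ("10.1.2.20", build_request(1, 1, 3, 0, 10)),     # HMI reads 10 holding registers
    ("10.1.2.10", build_request(2, 1, 6, 40, 1)),     # engineering workstation writes a register
    ("10.1.2.20", build_request(3, 1, 6, 40, 1)),     # HMI attempts the same write
    ("10.1.5.77", build_request(4, 1, 3, 0, 1)),      # unknown host reads
    ("10.1.2.10", b"\x00\x05\x00\x00\x00\x06\x01"),   # truncated frame
]


def triage(captures: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    return [evaluate(ip, frame) for ip, frame in captures]


if __name__ == "__main__":
    for verdict, reason in triage(CAPTURED):
        print(f"{verdict:5s} {reason}")
```

The same table of function codes is what a firewall or IDS with Modbus awareness uses to enforce "HMI may read, only engineering may write" on the conduit; the value of keeping the policy in the network path is that it works for every controller behind it, including ones that will never be patched.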

What you usually CANNOT do

  • Install endpoint protection (no OS, no filesystem).
  • Apply patches on a regular cadence (vendor qualification required).
  • Enable encryption (protocol doesn't support it, or latency is unacceptable).

Key Takeaways

  1. Level 0 is sensors and actuators; Level 1 is controllers (PLCs, RTUs, DCS).
  2. Level 0 devices have no inherent security; protection is enforced at the network boundary.
  3. PLC scan cycles are deterministic — any disruption is a process-safety risk.
  4. Modbus/TCP has zero authentication; zone separation is the primary defence.
  5. You protect Level 0/1 by controlling who and what can reach it, not by hardening the devices themselves.

Knowledge Check

3 questions — test your understanding before moving on.

  1. Q1. Why is active network scanning (e.g. Nmap) dangerous on an OT network?

    • It consumes too much bandwidth for the corporate IT team.
    • A SYN scan on a legacy PLC can cause a watchdog fault and trip the process.
    • Active scanning is illegal in all jurisdictions.
    • PLCs automatically block all scanned ports permanently.

    Legacy PLCs have limited network stacks that can crash or fault when receiving unexpected traffic patterns. A SYN scan or service-enumeration scan can trigger a watchdog fault, causing the controller to stop executing its control programme and potentially tripping the process.

  2. Q2. Which protocol is the most widely deployed industrial protocol and has zero authentication?

    • OPC-UA
    • PROFINET
    • Modbus/TCP
    • EtherNet/IP with CIP Security

    Modbus/TCP is the most widely deployed industrial protocol and has zero authentication. Any device that can reach TCP port 502 can read or write any register on the controller. Zone separation at the network level is the primary security control.

  3. Q3. What is the primary way to protect Level 0 field devices that have no inherent security features?

    • Install antivirus on each sensor.
    • Apply firmware patches monthly.
    • Protect them at the network boundary by controlling the conduit from Level 1.
    • Replace all Level 0 devices with IT-grade endpoints.

    Level 0 devices (sensors, actuators) typically have no authentication, no encryption, and no firmware-update mechanism. Security must be enforced at the network boundary — you protect Level 0 by protecting the conduit from Level 1 using segmentation and access control lists.