Rethinking Risk: ICS & OT Security with Purdue 2.0 and GRC
Posted by: OT Practice
The rise of the extended Internet of Things (XIoT) across industrial (IIoT), healthcare (IoMT), commercial (OT, BMS/EMS/ACS/iBAS/FMS), and other sectors has brought remarkable efficiency and reliability improvements. This has also dramatically increased the risk of attacks, especially in environments where Industrial Control Systems (ICS) / Operational Technology (OT) data aligns with or in some cases converges with traditional IT systems.
This convergence isn’t new! Decades ago, manufacturing floors and utilities began connecting ICS/OT devices to the internet via ISPs or integrating them with IT systems. The intent wasn’t malicious but practical: facilitating updates to PLCs, measurement devices, regulatory instrumentation, and control systems while enjoying internet conveniences like having your business email at your plant, field site(s) and vehicles.
Reflecting on early challenges such as the Y2K scramble, it’s clear that while we’ve made technological strides, history risks repeating itself as IoT adoption proliferates, AI advances rapidly, and we are still working our way through Industry 3.0 to 5.0+.
These intersections between OT and IT have created fertile ground for attackers to exploit vulnerabilities, just as they did years ago. Unfortunately, we’re often slow to learn from the past. Let’s avoid falling into the same pitfalls.
Y2K taught us that we didn’t know what ICS/OT assets we had. There was no data mapping to show where control commands or acquired data were going. (That was before privacy laws; today it is very important in ICS/OT environments, so CISOs have another box to check!)
That was the start of what we all need to perform now in our ICS/OT environments: assessments. Across all critical infrastructure sectors with ICS/OT systems and equipment, it’s best to start with a framework assessment to understand where you are in your security journey, whether or not you already have a security program for your ICS/OT and associated IT environments.
One of the foundational reference frameworks for ‘OT + IT = ICS’ environments is the Purdue Model. Spanning six (6) levels of industrial control systems (ICS), from physical processes at Level 0 to enterprise networks at Level 5, the Purdue Model provides best practices for managing the interplay between industrial and IT networks. However, its focus on segmentation, while valuable, may obscure critical vulnerabilities, particularly at Level 3: the manufacturing operational control level.
The Purdue Model (Version 1): Strengths and Blind Spots
The Purdue Model was designed around the principle of separating IT from industrial infrastructure and serves as a frame of reference for enhancing ICS security. By isolating critical industrial processes from less secure IT networks, it sought to reduce the attack surface. Yet in hyper-connected environments, the model’s reliance on air-gapped ICS devices no longer holds true, and the model does not incorporate risk at all, which is a major failing. The rapid pace of digital transformation has blurred these boundaries, introducing new risks that demand holistic strategies beyond traditional segmentation.
Key Security Vulnerabilities at Levels 2 and 3
Levels 2 and 3 of the Purdue Model represent critical zones where attackers frequently target vulnerabilities:
- Unauthorized System Access: Weak authentication mechanisms provide entry points to management systems, HMIs, MESs, and endpoint XIoT devices.
- Unauthorized Data Access: Attackers may intercept or manipulate data shared across ICS levels, gathering intelligence or disrupting production processes.
- Social Engineering: Phishing schemes lure operators into introducing malware into Level 3 systems, enabling attackers to gain operational control.
- Lateral Movement: Once inside Level 3, attackers may move down to Level 2 to compromise local systems, steal data, or stage dormant attacks.
- Exploitation of Software and Firmware Vulnerabilities: Known vulnerabilities, such as those listed in CVE databases, are prime targets for attackers seeking control over XIoT and ICS systems.
Rethinking ICS Security Beyond Segmentation
While the Purdue Model’s segmentation principles remain relevant, a narrow focus on isolating systems can leave blind spots in interconnected environments. Experts argue for a more comprehensive approach that includes:
- Integrated Monitoring: Deploying tools to continuously monitor activity across IT and OT environments helps identify threats early.
- Zero-Trust at the Device Level: Traditional air-gapping strategies for Levels 0 and 1 are no longer sufficient. Most Industrial Security consultants advocate for implementing device-level zero-trust mechanisms to prevent unauthorized changes to critical assets like PLCs. In some sectors, it’s mandatory.
Advanced Security Strategies for Level 3
To mitigate risks at Level 3, organizations should adopt a layered defense approach:
- Network Segmentation: Isolate network segments using firewalls, VLANs, or other methods to limit attack spread.
- Intrusion Detection Systems (IDS): Deploy IDS solutions tailored for industrial environments to detect unusual traffic patterns or known attack signatures.
- Anomaly Detection: Start with machine learning (ML) and then evaluate AI options to identify deviations from normal behavior, offering a proactive defense against emerging threats. Plenty of commercial software can do this fairly well at this level for these environments.
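As an added illustration of the segmentation-plus-detection idea above (example code written for this article, not a GuidePoint tool), the following checker maps hosts to Purdue zones, allows only defined conduits between zones, and flags cross-level traffic that falls outside them, including a Modbus write arriving over a conduit meant for reads only. The zone subnets, conduit table and flow records are all constructed for the example.

```python
import ipaddress

# Hypothetical zone-to-subnet mapping (constructed for this example).
ZONES = {
    "L2_control": ipaddress.ip_network("10.20.0.0/24"),
    "L3_ops": ipaddress.ip_network("10.30.0.0/24"),
    "L4_enterprise": ipaddress.ip_network("10.40.0.0/24"),
}
# Allowed conduits as (src_zone, dst_zone, dst_port). Anything else is flagged.
CONDUITS = {
    ("L3_ops", "L2_control", 502),     # historian polling controllers over Modbus/TCP
    ("L4_enterprise", "L3_ops", 443),  # enterprise users reaching the MES web front end
}
# Modbus function codes that write to coils/registers (5, 6, 15, 16).
MODBUS_WRITES = {5, 6, 15, 16}

def zone_of(ip):
    """Return the Purdue zone name for an address, or 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"

def check_flow(flow):
    """Return None if the flow is an allowed conduit, otherwise a finding string."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if src_zone == dst_zone:
        return None  # intra-zone traffic is out of scope for this check
    if (src_zone, dst_zone, flow["dport"]) in CONDUITS:
        # Conduit is allowed, but a write function on a polling conduit is still unexpected.
        if flow["dport"] == 502 and flow.get("func") in MODBUS_WRITES:
            return f"write function {flow['func']} on read-only conduit {src_zone}->{dst_zone}"
        return None
    return f"no conduit {src_zone}->{dst_zone}:{flow['dport']} from {flow['src']}"

def run(flows):
    """Run the check over a list of flow records and return only the findings."""
    return [f for f in (check_flow(x) for x in flows) if f]

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    {"src": "10.30.0.5", "dst": "10.20.0.10", "dport": 502, "func": 3},   # allowed read
    {"src": "10.30.0.5", "dst": "10.20.0.10", "dport": 502, "func": 16},  # write over read conduit
    {"src": "10.40.0.7", "dst": "10.20.0.10", "dport": 502, "func": 3},   # enterprise straight to L2
    {"src": "10.40.0.7", "dst": "10.30.0.5", "dport": 443},               # allowed MES access
    {"src": "10.30.0.9", "dst": "10.20.0.11", "dport": 22},               # SSH from L3 into L2
]

if __name__ == "__main__":
    for finding in run(SAMPLE_FLOWS):
        print(finding)
```

Three of the five constructed flows produce findings; in practice the conduit table would be generated from the data mapping that the article calls for, and the flow records would come from a passive OT monitoring sensor.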
The Path Forward: Holistic Security Across the Purdue Stack
The Purdue Model 2.0 is an evolution of the original Purdue Enterprise Reference Architecture (PERA), designed to address the shortcomings of the traditional model in modern, hyper-connected industrial environments. As the original model was built with assumptions about air-gapped networks and strict segmentation, it falls short in protecting against contemporary threats brought by IT/OT convergence, cloud integration, and the rise of the extended Internet of Things (XIoT).
Here’s what Purdue 2.0 does differently:
1. Focus on IT/OT Alignment/Convergence – Industry 4.0, 5.0+
Purdue 2.0 acknowledges that the traditional separation between IT and OT environments is no longer feasible. It redefines the boundaries and relationships between levels, reflecting the interconnected nature of today’s industrial systems. This allows for a more integrated approach to security and operations, bridging the gap between traditionally siloed environments.
2. Enhanced Emphasis on Zero Trust
The traditional Purdue Model relied heavily on segmentation as a defense strategy. Purdue 2.0 incorporates Zero Trust Architecture (ZTA) principles, emphasizing identity verification, continuous monitoring, and least-privilege access controls at all levels. This addresses the reality that threats often bypass perimeter defenses, such as firewalls.
3. Built for Cloud and XIoT Integration
Purdue 2.0 explicitly incorporates cloud services, Industrial IoT (IIoT) devices, and other XIoT systems into its framework. It recognizes that many modern OT environments rely on cloud-based solutions for analytics, monitoring, and management, and adapts security recommendations to accommodate these technologies without compromising operational integrity.
4. Prioritizing Real-Time Threat Detection
Unlike the static assumptions of the original Purdue Model, Purdue 2.0 incorporates real-time monitoring and anomaly detection as essential components of the architecture. This ensures that deviations from expected behavior can be identified and mitigated quickly across all levels.
5. Granular Security at Every Layer
Purdue 2.0 advocates for granular security measures at each level of the model, including:
- Device-Level Security: Protection mechanisms directly on endpoints like PLCs and IoT devices.
- Network Segmentation and Micro-Segmentation: Further dividing traditional levels into smaller segments to limit lateral movement.
- Enclaves: Defining value streams and building out enclaves with safe restart zones.
- Application-Level Protections: Ensuring secure development and operation of industrial applications.
6. Resilience to Modern Threats
Purdue 2.0 addresses new threat vectors like ransomware, supply chain attacks, and insider threats. It highlights the importance of backup and recovery planning, secure remote access solutions, and industrial-grade intrusion detection systems (IDS) tailored for OT environments.
7. Alignment with Modern Standards
The updated model aligns more closely with modern security frameworks such as:
- NIST CPG (Cybersecurity Performance Goals)
- NIST CSF (Cybersecurity Framework)
- IEC 62443 (Global Standard for ICS cybersecurity with plant/product certifications)
- Zero Trust Frameworks
This alignment ensures that organizations following Purdue 2.0 are also meeting regulatory and compliance requirements.
8. Recognition of the Flattened Network Reality
While the original model assumed strict hierarchical control and air-gapped layers, Purdue 2.0 accounts for the flattened and interconnected nature of many modern OT networks. It adapts security strategies to reflect the fact that data often flows bi-directionally across all levels, and attackers may exploit these pathways.
The Takeaway
Purdue 2.0 is not a radical departure from the original model but an evolution to meet the demands of today’s connected world. It blends the traditional strengths of the Purdue Model—like structured segmentation—with modern strategies to protect against the complex threats posed by IT/OT convergence, cloud adoption, and the proliferation of XIoT devices. By doing so, it helps organizations secure their critical infrastructure without sacrificing the operational benefits of modern technologies.
Recommendations
For smaller organizations with limited resources, it’s best to start with the NIST Cybersecurity Performance Goals (CPGs). These provide a practical, prioritized set of actions tailored to improve your cybersecurity posture without overwhelming your capabilities.
Once the foundational elements are in place, the NIST Cybersecurity Framework (CSF) serves as a comprehensive framework for assessing and enhancing your organization’s overall cybersecurity strategy.
From there, you can conduct Security Architecture Reviews of your ICS/OT environments, identifying vulnerabilities and opportunities for improvement. By mapping and crosswalking your findings to the NIST frameworks, you can align your efforts with industry best practices and ensure a cohesive, strategic approach to securing your critical infrastructure.
OT Practice,
GuidePoint Security
GuidePoint Security’s Operational Technology (OT) Team has decades of combined hands-on expertise, helping organizations build and lead security programs, design architectures, test security controls and identify gaps, ensure compliance with evolving regulations, and implement technologies to enhance the security of the OT environment. We can help ensure that you are prepared for threats to your OT environment and accelerate your response and recovery objectives.
GuidePoint's OT security practice addresses the growing need for OT cybersecurity services from industry. The team is made up of OT cybersecurity experts distributed across the country, each bringing substantial OT experience and certifications to accelerate our clients' cybersecurity journey.
Our team of OT experts can evaluate your OT environment, security program, and ensure the right tools are implemented and optimized to reduce risk. OT Team services include: Cyber Architecture Design Review (CADR) for TSA compliance, OT Security Program Review, OT Architecture Review, OT Penetration Testing, OT TTXs, OT IRP/playbook development, and OT Security Implementation Services.