ICS Security: The Purdue Model


The Claroty Team / March 2nd, 2023

What is the Purdue Model?

The Purdue Model was designed as a reference model for data flows in computer-integrated manufacturing (CIM). CIM is a manufacturing approach in which computers control the entire production process, making operations faster and less error-prone. The model later came to define the standard for building an ICS network architecture that supports OT security by separating the layers of the network and maintaining a hierarchical flow of data between those layers. Implemented correctly, this separation gives organizations a tightly controlled boundary between ICS/OT systems and IT systems. It is often described as an "air gap", although in practice it is a boundary enforced by firewalls and a DMZ rather than a physical disconnection, and it only holds as long as no undocumented path (a dual-homed workstation, a vendor modem, a forgotten wireless bridge) crosses it. This isolation between IT and OT lets organizations enforce effective access controls without hindering operations.

In this article, we will discuss three ways that the Purdue Model can help organizations limit the scope of what an adversary can do or access within their converged enterprise and how they can enable industrial operational resilience.

Essentials of the Purdue Model

NotPetya (2017) is still widely regarded as the costliest and most destructive cyberattack in history. It also served as a warning for organizations to prioritize industrial operational resilience, which NIST defines as: "The ability of systems to resist, absorb, and recover from or adapt to adverse occurrence during operation that may cause harm, destruction, or loss of the ability to perform mission-related functions." Operations came to a standstill at multinational corporations across a wide swath of sectors including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time before cybercriminals realized that operational technology (OT) networks are critical to operations, and therefore extremely valuable.

Industrial operational resilience is crucial because revenue is generated and customers' lives are improved when OT networks are up and running. If an attack such as NotPetya specifically targeted industrial environments, the outcome could be loss of availability of those systems, thus impacting the core business of the company. Even a partial lack of visibility for human operators into network activity would necessitate a shutdown of the process due to product quality or safety concerns. Ultimately, any risk of disruption to physical processes can lead to reduced productivity and revenue and, in some cases, could lead to loss of life as well.

Government alerts enumerate some common tactics and techniques adversaries use to infiltrate organizations, including spearphishing to obtain access to the IT network and then pivoting to the OT network, directly connecting to internet-accessible controllers that require no user or device authentication, or exploiting known vulnerabilities in IT and OT devices and system software. From there, the door is open to malicious activity. In many cases, the adversary can traverse the OT network without being noticed for months or even years due to the limited number of security controls on those networks.

This is where the Purdue Model (Image 1) comes in, predicated on the concept of separation between IT and industrial infrastructure to keep the OT crown jewels disconnected from and inaccessible to the IT network and the internet.

Image 1 (diagram not reproduced here): the standard architecture of an industrial network configured according to the Purdue Model. Industrial devices are located at Levels 0 through 3: Level 0 is the physical process (sensors, actuators), Level 1 basic control (PLCs, RTUs), Level 2 supervisory control (HMIs, SCADA servers), and Level 3 site operations (historians, engineering workstations). Levels 4 and 5 are the business and enterprise IT networks, and an industrial DMZ (often called Level 3.5) sits between Levels 3 and 4.

That separation is now blurred as OT networks are increasingly interconnected to IT infrastructure and the Extended Internet of Things (XIoT), which includes devices across industrial, medical, and commercial environments. Digitization and hyperconnectivity have improved efficiency, reliability, responsiveness, quality, and delivery, but they have also created more opportunities for threat actors. The urgency now is to make connections and communication more secure, particularly as critical infrastructure networks are in the bullseye of geopolitical conflict. The aim is to reduce the chance of an attack on the IT network or an XIoT device spreading to the OT network.

1. Informs network segmentation

The Purdue Model depicts best practices for segmenting the IT network (Levels 4 and 5) from the OT environment (Levels 0-3). Lack of segmentation was a major contributing factor behind NotPetya's ability to spread like wildfire across organizations' IT and OT environments, and effective segmentation is more crucial than ever. With effective segmentation in place, a firewall between Levels 3 and 4 (in practice an industrial DMZ, often labelled Level 3.5, in which every cross-boundary service terminates) controls network communication in and out of the ICS network and permits only the minimum required communication: named sources, named destinations, named protocols, and nothing else. To mitigate the risk of an attacker gaining unfettered access to the network from a single point of entry, audit your network segmentation regularly, comparing the flows actually observed on the network against the flows the architecture intends, to ensure you still have the proper IT/OT segmentation.
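As an added example (not Claroty's code and not from the original post), the following Python script performs the kind of segmentation audit just described: it maps each address to a Purdue level, then checks a batch of flow records against a conduit policy in which traffic may only cross between adjacent levels, so that anything between the enterprise (Levels 4 and 5) and the plant must terminate in the Level 3.5 DMZ, and nothing outside the address plan may reach the plant. The subnet-per-level address plan, the ICS port list, and the flow records are constructed for the illustration; in practice the level map comes from your asset inventory and the flows from NetFlow, firewall logs, or a passive sensor.

```python
"""Audit observed network flows against a Purdue-model conduit policy.

Added example; the address plan and flow records below are constructed.
Policy: traffic may only cross between adjacent levels, so anything from
the enterprise (Levels 4-5) to the plant (Levels 0-3) must terminate in
the Level 3.5 DMZ, and nothing outside the plan may reach the plant.
"""
import ipaddress

# Constructed address plan: one subnet per Purdue level (an assumption for the example).
LEVEL_SUBNETS = {
    0:   ipaddress.ip_network("10.0.0.0/24"),   # physical process: IP-connected sensors/actuators
    1:   ipaddress.ip_network("10.0.1.0/24"),   # basic control: PLCs, RTUs
    2:   ipaddress.ip_network("10.0.2.0/24"),   # supervisory control: HMIs, SCADA servers
    3:   ipaddress.ip_network("10.0.3.0/24"),   # site operations: historian, engineering workstations
    3.5: ipaddress.ip_network("10.0.35.0/24"),  # industrial DMZ: jump hosts, replica historian, patch relay
    4:   ipaddress.ip_network("10.1.0.0/16"),   # business logistics: ERP, MES clients
    5:   ipaddress.ip_network("10.2.0.0/16"),   # enterprise network
}
EXTERNAL = "external"  # any address outside the plan: internet or an unmanaged host
ADJACENT = {(0, 1), (1, 2), (2, 3), (3, 3.5), (3.5, 4), (4, 5)}
# Well-known ICS protocol ports; seeing them used from outside Levels 0-3 is a red flag.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm", 44818: "EtherNet/IP", 20000: "DNP3"}


def level_of(ip):
    """Map an address to its Purdue level, or EXTERNAL if it is not in the plan."""
    addr = ipaddress.ip_address(ip)
    for level, net in LEVEL_SUBNETS.items():
        if addr in net:
            return level
    return EXTERNAL


def check_flow(src, dst, dport):
    """Return None if the flow is permitted by the conduit policy, else the reason it is not."""
    s, d = level_of(src), level_of(dst)
    proto = ICS_PORTS.get(dport)
    if s == EXTERNAL and d == EXTERNAL:
        return None                      # not our traffic
    if s == EXTERNAL:                    # inbound from outside the plan
        if d >= 4:
            return None                  # IT ingress is the enterprise firewall's concern, not the ICS conduit's
        return f"external {src} reaches Level {d} directly" + (f" over {proto}" if proto else "")
    if d == EXTERNAL:                    # outbound from the plant
        return None if s >= 4 else f"Level {s} asset {src} talks out to external {dst}"
    if s == d or (min(s, d), max(s, d)) in ADJACENT:
        return None
    reason = f"Level {s} -> Level {d} bypasses the DMZ boundary"
    return reason + (f" ({proto} exposed beyond the control levels)" if proto else "")


def audit(flow_lines):
    """flow_lines: 'src,dst,dport' records. Returns a list of (record, reason) violations."""
    findings = []
    for line in flow_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        reason = check_flow(src, dst, int(dport))
        if reason:
            findings.append((line, reason))
    return findings


# Constructed sample: one line per observed connection, as a flow exporter would summarise them.
SAMPLE_FLOWS = """\
# src,dst,dport
10.0.2.10,10.0.1.5,502
10.1.20.7,10.0.35.10,3389
10.0.35.10,10.0.3.4,3389
10.0.3.4,10.0.2.10,22
10.1.20.7,10.0.1.5,502
198.51.100.23,10.0.1.5,502
10.2.5.5,10.0.3.4,445
""".splitlines()

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {record}: {reason}")
```

The first four records are the intended paths (HMI to PLC, business host to DMZ jump host, jump host to engineering workstation, workstation to HMI) and pass; the last three are exactly the patterns the government alerts above describe (an IT host speaking Modbus to a PLC, an outside address reaching a controller, and SMB from the enterprise network straight into Level 3) and are reported.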

This process can be a drawn-out and costly endeavor. But Claroty's Continuous Threat Detection (CTD) is here to help, with a unique feature called Virtual Zones, which enables virtual segmentation within the OT environment. Claroty's CTD maps out network communications to provide behavioral baselines. It also uses these baselines and leverages AI to segment the entire network into Virtual Zones, which are policy-defined groups of assets that communicate with one another under normal circumstances. This can include microsegmentation for XIoT, creating even smaller groups of assets with which these devices can communicate. CTD's Virtual Zones feature is a cost-effective and efficient way to establish what "normal" looks like and be alerted to lateral movement from malicious actors as they try to establish a presence, jump zones, and move across the environment.
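To show the idea behind behavioral baselining and zone-jump detection in runnable form, here is an added Python example (my own illustration, not CTD's implementation, which layers protocol parsing, asset roles, and human-reviewed zone edits on top of this idea). It learns which assets talk to which from an observation window believed to be clean, groups them into zones as the connected components of that communication graph, and then raises alerts for flows in a later window that the baseline never saw, ranking a cross-zone hop or an unknown asset above a new port between known peers. All flow records are constructed.

```python
"""Learn a communication baseline, derive zones from it, and alert on flows that leave them.

Added example; records below are constructed. A real product adds protocol
parsing, asset roles and human-reviewed zone edits on top of this idea.
"""
from collections import defaultdict


def parse(lines):
    """'src,dst,dport' text records -> list of (src, dst, dport) tuples."""
    flows = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            src, dst, dport = line.split(",")
            flows.append((src, dst, int(dport)))
    return flows


def build_baseline(flows):
    """Return (known_triples, known_pairs, zone_of) from a window believed to be clean."""
    known_triples = set(flows)
    known_pairs = {(s, d) for s, d, _ in flows}
    adj = defaultdict(set)
    for s, d, _ in flows:
        adj[s].add(d)
        adj[d].add(s)
    # A zone is a connected component of the undirected talks-to graph.
    zone_of, next_zone = {}, 0
    for node in adj:
        if node in zone_of:
            continue
        next_zone += 1
        stack = [node]
        while stack:
            n = stack.pop()
            if n in zone_of:
                continue
            zone_of[n] = next_zone
            stack.extend(adj[n])
    return known_triples, known_pairs, zone_of


def detect(flows, known_triples, known_pairs, zone_of):
    """Compare a monitoring window against the baseline; return (severity, src, dst, dport, why) alerts."""
    alerts = []
    for s, d, p in flows:
        if (s, d, p) in known_triples:
            continue                                   # seen during baselining: normal
        zs, zd = zone_of.get(s), zone_of.get(d)
        if zs is None or zd is None:
            sev, why = "high", "previously unseen asset on the network"
        elif zs != zd:
            sev, why = "high", f"cross-zone flow: zone {zs} -> zone {zd}"
        elif (s, d) not in known_pairs:
            sev, why = "medium", f"new peer inside zone {zs}"
        else:
            sev, why = "low", f"new port {p} on a known pair inside zone {zs}"
        alerts.append((sev, s, d, p, why))
    return alerts


# Constructed baseline: two HMI/PLC cells plus the DMZ-to-Level-3 conduit.
BASELINE = """\
10.0.2.10,10.0.1.5,502
10.0.2.10,10.0.1.6,502
10.0.2.20,10.0.1.7,502
10.0.2.20,10.0.1.8,502
10.0.35.10,10.0.3.4,3389
10.0.35.11,10.0.3.9,1433
""".splitlines()

# Constructed monitoring window: the first line is normal, the rest are what lateral movement looks like.
MONITORING = """\
10.0.2.10,10.0.1.5,502
10.0.2.10,10.0.1.7,502
10.0.3.4,10.0.2.10,445
10.0.1.5,10.0.1.6,502
10.0.2.20,10.0.1.8,44818
10.0.9.99,10.0.1.5,502
""".splitlines()

if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE))
    for sev, s, d, p, why in detect(parse(MONITORING), *baseline):
        print(f"[{sev:6}] {s} -> {d}:{p}  {why}")
```

The baseline window must itself be trusted: an adversary already moving laterally while you learn "normal" gets baked into the zones, which is why any such baseline deserves a human review of the zone membership before it is enforced.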

2. Complements Zero Trust

The Zero Trust model has steadily gained traction as a cybersecurity model over the past decade. And while it initially pertained mainly to IT assets, the rapid digitization of OT and the XIoT have made Zero Trust a fundamental best practice for operational resilience of today's modern, connected industrial environments and a complement to the Purdue Model. In a nutshell, Zero Trust seeks to ensure that any given user, device, or session has a legitimate reason to be performing the actions it is performing, and grants nothing on the basis of network location alone. By requiring all users and devices to be continuously authenticated, authorized, and validated, a properly implemented Zero Trust architecture prevents adversaries from gaining carte-blanche access to a victim's network from a single point of entry. Taking a Zero Trust approach is among the most effective ways to ensure robust OT and ICS security, and, if carried out effectively, any user can access only the applications and systems they need, rather than relying on broad VPN access and ever more complex firewall rule sets.

Claroty's Secure Remote Access (SRA) is the only remote access tool designed specifically for OT, and helps support Zero Trust while aligning with the Purdue Model. SRA minimizes the risks of unauthorized OT remote access by empowering administrators to control access based on roles and policies, centrally manage user credentials, gain visibility into all remote connections and activities, and terminate sessions or view recordings in retrospect for forensic purposes if needed. SRA leverages a single, highly secure encrypted tunnel for intra-facility communications. This greatly simplifies network firewall configurations and is consistent with segmentation best practices as required in the Purdue Model, ensuring that one connection point does not provide broad network access.
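As an added example (not Claroty's code and not how SRA is implemented), here is a small Python policy decision point for OT remote access that applies the ideas in the two preceding paragraphs: every request is denied unless identity, MFA, device posture, role, the target asset's Purdue level, and an approved change window all check out, and a live session is re-evaluated at intervals so that a lapsed ticket or a device falling out of compliance terminates it rather than letting the original login stand for the whole day. The asset inventory, roles, ticket, and scenario are constructed.

```python
"""Deny-by-default access decisions for OT remote sessions, re-evaluated while the session runs.

Added example; assets, roles and the scenario are constructed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed inventory: asset id -> Purdue level. Policy keys off the level, not the hostname.
ASSETS = {"hist-01": 3, "hmi-01": 2, "plc-07": 1}

# Constructed role policy: which levels a role may view (read-only) or write (program/reconfigure).
ROLES = {
    "operator": {"view": {2, 3}, "write": set()},
    "engineer": {"view": {1, 2, 3}, "write": {1, 2}},
    "vendor":   {"view": set(), "write": set()},   # vendors get nothing by role, only explicit grants
}


@dataclass
class Principal:
    user: str
    role: str
    mfa_verified: bool
    device_managed: bool
    device_compliant: bool
    assigned_assets: frozenset = frozenset()      # explicit per-asset grants, e.g. for a vendor


@dataclass
class Ticket:
    ticket_id: str
    asset: str
    start: datetime
    end: datetime


@dataclass
class Request:
    who: Principal
    asset: str
    action: str          # "view" or "write"
    at: datetime
    ticket: Optional[Ticket] = None


def evaluate(req):
    """Policy decision point. Returns ('allow'|'deny', reasons). Every control must pass."""
    p, level, reasons = req.who, ASSETS.get(req.asset), []
    if level is None:
        return "deny", ["asset not in inventory"]
    if not p.mfa_verified:
        reasons.append("MFA not verified")
    if not (p.device_managed and p.device_compliant):
        reasons.append("device unmanaged or out of compliance")
    role = ROLES.get(p.role, {"view": set(), "write": set()})
    if level not in role[req.action] and req.asset not in p.assigned_assets:
        reasons.append(f"{p.role} may not {req.action} Level {level} asset {req.asset}")
    if req.action == "write":            # changes to the process need an approved window, not just a role
        t = req.ticket
        if t is None or t.asset != req.asset or not (t.start <= req.at <= t.end):
            reasons.append("write requires an approved change ticket for this asset and time window")
    if reasons:
        return "deny", reasons
    return "allow", [f"{p.user} ({p.role}) {req.action} on Level {level} {req.asset}"]


def revalidate(req, checkpoints):
    """Continuous validation: re-run the decision at each (time, current posture) checkpoint.
    Returns (index, reasons) of the first checkpoint at which the session must be terminated, or None."""
    for i, (at, who) in enumerate(checkpoints):
        decision, reasons = evaluate(Request(who, req.asset, req.action, at, req.ticket))
        if decision == "deny":
            return i, reasons
    return None


def scenario():
    """Constructed walk-through; returns the decisions so they can be checked."""
    ok = dict(mfa_verified=True, device_managed=True, device_compliant=True)
    eng = Principal("alice", "engineer", **ok)
    op = Principal("bob", "operator", **ok)
    vendor = Principal("carol", "vendor", assigned_assets=frozenset({"plc-07"}), **ok)
    when = datetime(2023, 3, 2, 14, 30)
    window = Ticket("CHG-1", "plc-07", datetime(2023, 3, 2, 14, 0), datetime(2023, 3, 2, 16, 0))
    write_plc = Request(eng, "plc-07", "write", when, window)
    results = {
        "engineer_write_plc_in_window": evaluate(write_plc)[0],
        "operator_view_hmi": evaluate(Request(op, "hmi-01", "view", when))[0],
        "operator_write_plc": evaluate(Request(op, "plc-07", "write", when, window))[0],
        "vendor_view_historian": evaluate(Request(vendor, "hist-01", "view", when))[0],
        "vendor_write_assigned_plc": evaluate(Request(vendor, "plc-07", "write", when, window))[0],
    }
    # The engineer's session is still open at 16:30, but the ticket lapsed at 16:00: tear it down.
    lapsed = revalidate(write_plc, [(datetime(2023, 3, 2, 15, 0), eng), (datetime(2023, 3, 2, 16, 30), eng)])
    results["terminate_at_checkpoint"] = None if lapsed is None else lapsed[0]
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The point of `revalidate` is the "continuously" in the paragraph above: a decision made at login is not a decision for the session's lifetime, and anything that can change (device posture, the change window, the user's role) has to be re-checked while the tunnel is up.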

3. Bridges the vulnerability management gap

You can’t prevent every attack, but you can get ahead of certain
threats by assessing your security posture and prioritizing patching
known exploited vulnerabilities. In instances where patching isn’t
possible or practical, such as with legacy systems or XIoT devices
you don’t control, compensating controls and smart best practices
enabled through the Purdue Model will bridge the gaps and
strengthen operational resilience.

An effective vulnerability management plan depends on having an accurate and up-to-date understanding of your organization's network components. Claroty's solutions for industrial control systems provide comprehensive visibility, which extends not only to knowing what you have but also to the characteristics and activities of what you have. This provides the foundation for preventing attacks similar to NotPetya, but administering security patches is disruptive and costly, especially in OT environments. As such, in order to manage and patch the vulnerabilities that matter most, security teams must have the visibility needed to identify which security flaws are present within OT assets, as well as the ability to accurately assess the level of risk posed by each vulnerability. Then, they can prioritize patching known exploited vulnerabilities. Claroty provides expert-defined remediation guidance with all alerts, and delivers strategic insight into your organization's risk posture, recommendations for strengthening it, and the KPIs you need to track the efficiency of your risk management program.
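An added Python example (my own illustration, not Claroty's scoring or any product's algorithm) of the prioritization logic the two preceding paragraphs describe: each finding is scored from its CVSS base score, whether it is on a known-exploited list, whether the asset is reachable from the IT side, and how close to the physical process it sits; findings the plant can patch get a patch window, and those it cannot patch get Purdue-shaped compensating controls instead. The asset records, weights, and vulnerability identifiers (VULN-A and so on) are placeholders constructed for the example, not real advisories.

```python
"""Rank OT vulnerability findings and decide patch vs. compensating control.

Added example; the findings, weights and identifiers are constructed placeholders.
"""
from dataclasses import dataclass

# Closer to the physical process = higher impact if compromised (assumed weights).
LEVEL_WEIGHT = {0: 1.5, 1: 1.5, 2: 1.3, 3: 1.1, 3.5: 1.0, 4: 0.8, 5: 0.8}
PATCH_NOW_THRESHOLD = 15.0   # assumed cut-off: above it, do not wait for the next planned outage


@dataclass
class Finding:
    asset: str
    level: float             # Purdue level of the asset
    vuln_id: str             # placeholder id, not a real CVE
    cvss: float              # base score 0-10
    known_exploited: bool    # on a known-exploited-vulnerabilities list
    reachable_from_it: bool  # a permitted conduit exists from Levels 4/5 (or it is an IT asset)
    patchable: bool          # vendor fix exists and the asset can take an outage


def score(f):
    """Exploited-in-the-wild doubles the score, exposure adds half, process proximity scales it."""
    s = f.cvss
    s *= 2.0 if f.known_exploited else 1.0
    s *= 1.5 if f.reachable_from_it else 1.0
    s *= LEVEL_WEIGHT[f.level]
    return round(s, 2)


def compensating_controls(f):
    """What to do when the patch cannot be applied: shrink the conduit and watch it."""
    controls = [f"restrict the Level 3/4 firewall so only listed engineering hosts reach {f.asset}"]
    if f.reachable_from_it:
        controls.append("remove the direct IT conduit; route the use case through a DMZ jump host")
    if f.level <= 2:
        controls.append("alert on any new peer or new protocol talking to this controller/HMI")
    if f.known_exploited:
        controls.append("add an IDS signature for the known exploit on the conduit into this zone")
    return controls


def plan(findings):
    """Return findings ordered by priority, each with its score and an action."""
    ranked = []
    for f in sorted(findings, key=score, reverse=True):
        s = score(f)
        if f.patchable:
            action = "patch now" if s >= PATCH_NOW_THRESHOLD else "patch in next maintenance window"
        else:
            action = "compensating controls: " + "; ".join(compensating_controls(f))
        ranked.append((f.asset, f.vuln_id, s, action))
    return ranked


# Constructed findings. VULN-* are placeholders, not real vulnerability identifiers.
FINDINGS = [
    Finding("erp-01",  4, "VULN-A", 9.0, known_exploited=False, reachable_from_it=True,  patchable=True),
    Finding("hmi-01",  2, "VULN-B", 6.5, known_exploited=False, reachable_from_it=True,  patchable=True),
    Finding("plc-07",  1, "VULN-C", 7.5, known_exploited=True,  reachable_from_it=False, patchable=False),
    Finding("hist-01", 3, "VULN-D", 9.8, known_exploited=True,  reachable_from_it=True,  patchable=True),
]

if __name__ == "__main__":
    for asset, vuln, s, action in plan(FINDINGS):
        print(f"{s:6.2f}  {asset:8} {vuln}  {action}")
```

Note how the ranking differs from a plain CVSS sort: the IT-side ERP host with the highest base score among the unexploited findings drops to the bottom, while the unpatchable PLC flaw that is being exploited in the wild ranks second and gets a concrete list of controls rather than a patch that will never arrive.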

Successfully Securing Your ICS

Understanding the above three ways the Purdue Model can protect your organization from today's advanced cyberthreats is key to successfully securing your industrial control systems. A strong network architecture, such as one built on the Purdue Model, improves overall ICS security and provides a foundation for additional security measures to be incorporated over time. As we've established, securing your industrial environment starts with strong architectural defenses. Network segmentation, a Zero Trust architecture, and an effective vulnerability management strategy are essential concepts the Purdue Model supports. By partnering with an ICS security provider like Claroty, organizations can successfully implement these concepts, allowing for cyber and operational resilience.

© 2023 Claroty. All rights reserved. Terms & Conditions / Privacy Policy
