The State of XIoT Security Report: 1H 2022
Download the Report
Claroty Logo


How the Purdue Model Enables Industrial Operational Resilience

The Claroty Team
/ July 28th, 2022

NotPetya is still widely regarded as the costliest and most destructive cyberattack in history. However, it also served as a warning to prioritize industrial operational resilience, which NIST defines as: “The ability of systems to resist, absorb, and recover from or adapt to adverse occurrence during operation that may cause harm, destruction, or loss of the ability to perform mission-related functions.” Operations came to a standstill at multinational corporations across a wide swath of sectors including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time for cybercriminals to realize that operational technology (OT) networks are critical to operations, and therefore extremely valuable.

Industrial operational resilience is crucial because revenue is generated and customers’ lives are improved when OT networks are up and running. If an attack such as NotPetya specifically targeted industrial environments, the outcome could be loss of availability of those systems, thus impacting the core business of the company. Even a partial lack of visibility for human operators into network activity would necessitate a shutdown of the process due to product quality or safety concerns. Ultimately, any risk of disruption to physical processes can lead to reduced productivity and revenue and, in some cases, could lead to loss of life as well.

Government alerts enumerate some common tactics and techniques adversaries use to infiltrate organizations, including spearphishing to obtain access to IT network and then pivoting to the OT network, directly connecting to internet-accessible controllers that require no user or device authentication, or exploiting known vulnerabilities for IT and OT devices and system software. From there, the door is open to malicious activity. In many cases, the adversary can traverse the OT network without being noticed for months or even years due to the limited number of security controls on those networks.

This is where the Purdue Model (Image 1) comes in, predicated on the concept of separation between IT and industrial infrastructure to keep the OT crown jewels disconnected from and inaccessible to the IT network and the internet.

Image 1: This diagram shows the standard architecture of an industrial network configured according to the Purdue Model. Industrial devices are located at levels 0 through 3.

That separation is now blurred as OT networks are increasingly interconnected to IT infrastructure and the Extended Internet of Things (XIoT), which includes devices across industrial, medical, and commercial environments. Digitization and hyperconnectivity have improved efficiency, reliability, responsiveness, quality, and delivery, but it has also created more opportunities for threat actors. The urgency now is to make connections and communication more secure, particularly as critical infrastructure networks are in the bullseye of geopolitical conflict. The aim is to reduce the chance of an attack on the IT network or an XIoT device spreading to the OT network.

Following are three ways the Purdue Model can help organizations limit the scope of what an adversary can do or access in today’s converged enterprise and enable industrial operational resilience.

1. Informs Network Segmentation

Purdue Model depicts best practices for segmenting the IT network (Levels 4 and 5) from the OT environment (Levels 0-3). Lack of segmentation was a major contributing factor behind NotPetya’s ability to spread like wildfire across organizations’ IT and OT environments, and effective segmentation is more crucial than ever. To mitigate the risk of an attacker gaining unfettered access to the network from a single point of entry, audit your network segmentation to ensure you have IT/OT segmentation.

This can be a drawn out and costly endeavor, so Claroty Continuous Threat Detection (CTD) includes a unique feature called Virtual Zones to enable virtual segmentation within the OT environment. Mapping out network communications to provide behavioral baselines, it also uses these baselines and leverages AI to segment the entire network into Virtual Zones, which are policy-defined groups of assets that communicate with one another under normal circumstances. This can include micro segmentation for XIoT, creating even smaller groups of assets with which these devices can communicate. CTD’s Virtual Zones feature is a cost-effective and efficient way to establish what “normal” looks like and be alerted to lateral movement as malicious actors try to establish a presence, jump zones, and move across the environment.

2. Complements Zero Trust

The Zero Trust cybersecurity model has steadily gained traction as a cybersecurity model over the past two decades. And while it initially pertained mainly to IT assets, the rapid digitization of OT and the XIoT have made Zero Trust a fundamental best practice for operational resilience of today’s modern, connected industrial environments and a complement to the Purdue Model. In a nutshell, Zero Trust seeks to ensure that any given user has a legitimate reason to be doing whatever they’re doing. By requiring all users to be continuously authenticated, authorized, and validated, properly implemented Zero Trust architecture prevents adversaries from gaining carte-blanche access to a victim’s network from a single point of entry.

Claroty Secure Remote Access (SRA) is the only remote access tool designed for OT and helps support Zero Trust while aligning with the Purdue Model. For example, SRA minimizes the risks of unauthorized OT remote access by empowering administrators to control access based on roles and policies, centrally manage user credentials, gain visibility into all remote connections and activities, and terminate sessions or view recordings in retrospect for forensic purposes if needed. SRA leverages a single, highly secure encrypted tunnel for intra-facility communications. This greatly simplifies network firewall configurations and is consistent with segmentation best practices as required in the Purdue Model.

3. Bridges the Vulnerability Management Gap

You can’t prevent every attack, but you can get ahead of certain threats by assessing your security posture and prioritizing patching known exploited vulnerabilities. In instances where patching isn’t possible or practical, such as with legacy systems or XIoT devices you don’t control, compensating controls and smart best practices enabled through the Purdue Model will bridge the gaps and strengthen operational resilience.

An effective vulnerability management plan is dependent on having an accurate and up to date understanding of your organization’s network components. The Claroty CTD solution provides comprehensive visibility, which extends to not only knowing what you have but also to the characteristics and activities of what you have. This provides the foundation for preventing attacks similar to NotPetya, but administering security patches is disruptive and costly—especially in OT environments. As such, in order to manage and patch the vulnerabilities that matter most, security teams must have the visibility needed to identify which security flaws are present within OT assets, as well as the ability to accurately assess the level of risk posed by each vulnerability. Then, they can prioritize patching known exploited vulnerabilities.

The watchword for today’s industrial organizations is “operational resilience,” and the Purdue Model serves as a framework to enable that, guiding network segmentation, complementing Zero Trust, and compensating for unpatched vulnerabilities.

To learn more, request a demo.


Featured Articles

Interested in learning about Claroty's Cybersecurity Solutions?

Claroty Logo
LinkedIn Twitter Facebook