The Purdue Model was designed as a reference model for data flows in computer-integrated manufacturing (CIM). CIM is a manufacturing approach that uses computers to control the entire production process, allowing operations to be faster and less error-prone. The model later came to define the standard for building an ICS network architecture that supports OT security by separating the network into layers and maintaining a hierarchical flow of data between them. If implemented correctly, that separation gives organizations a hard boundary between ICS/OT systems and IT systems: in practice not a literal "air gap", but a demarcation (usually an industrial DMZ sitting between the OT and IT levels) through which every IT/OT exchange must pass. This isolation between IT and OT allows organizations to enforce effective access controls without hindering operations.
In this article, we will discuss three ways that the Purdue Model can help organizations limit the scope of what an adversary can do or access within their converged enterprise and how they can enable industrial operational resilience.
NotPetya is still widely regarded as the costliest and most destructive cyberattack in history. It also served as a warning for organizations to prioritize industrial operational resilience, which NIST defines as: "The ability of systems to resist, absorb, and recover from or adapt to adverse occurrence during operation that may cause harm, destruction, or loss of the ability to perform mission-related functions." Operations came to a standstill at multinational corporations across a wide swath of sectors including healthcare, energy, and transportation, resulting in an estimated $10 billion in damages. It was only a matter of time before adversaries realized that operational technology (OT) networks are critical to operations, and therefore extremely valuable targets.
Industrial operational resilience is crucial because revenue is generated and customers' lives are improved when OT networks are up and running. If an attack such as NotPetya specifically targeted industrial environments, the outcome could be loss of availability of those systems, directly impacting the core business of the company. Even a partial loss of operator visibility into the process (for example, HMI or SCADA views that stop updating) can force a shutdown on product-quality or safety grounds, because operators can no longer verify what the plant is doing. Ultimately, any risk of disruption to physical processes can lead to reduced productivity and revenue and, in some cases, to loss of life as well.
Government alerts, such as the joint NSA and CISA advisories on reducing OT exposure, enumerate common tactics and techniques adversaries use to infiltrate organizations: spearphishing to gain a foothold on the IT network and then pivoting to the OT network, connecting directly to internet-accessible controllers that require no user or device authentication, and exploiting known vulnerabilities in IT and OT devices and system software. From there, the door is open to malicious activity. In many cases, the adversary can traverse the OT network unnoticed for months or even years because of the limited number of security controls on those networks.
This is where the Purdue Model (Image 1) comes in, predicated on the concept of separation between IT and industrial infrastructure to keep the OT crown jewels disconnected from and inaccessible to the IT network and the internet.
That separation is now blurred as OT networks are increasingly interconnected with IT infrastructure and the Extended Internet of Things (XIoT), which includes devices across industrial, medical, and commercial environments. Digitization and hyper-connectivity have improved efficiency, reliability, responsiveness, quality, and delivery, but they have also created more opportunities for threat actors. The urgency now is to make those connections and communications more secure, particularly as critical infrastructure networks are in the bullseye of geopolitical conflict. The aim is to reduce the chance of an attack on the IT network or an XIoT device spreading to the OT network.
The Purdue Model depicts best practices for segmenting the IT network (Levels 4 and 5) from the OT environment (Levels 0-3). Lack of segmentation was a major contributing factor behind NotPetya's ability to spread like wildfire across organizations' IT and OT environments, and effective segmentation is more crucial than ever. With effective segmentation in place, a firewall at the Level 3/4 boundary (typically an industrial DMZ, often labelled Level 3.5) controls network communication in and out of the ICS network, permitting only the minimum required flows and denying everything else by default. To mitigate the risk of an attacker gaining unfettered access to the network from a single point of entry, audit your network segmentation regularly: review firewall rules and observed traffic for any path that crosses the IT/OT boundary without passing through the DMZ, and for any OT asset that can reach the internet.
This process can be a drawn-out and costly endeavor. Claroty's Continuous Threat Detection (CTD) is designed to help, with a feature called Virtual Zones that enables virtual segmentation within the OT environment. CTD maps out network communications to build behavioral baselines. It then uses those baselines, with the help of AI, to segment the entire network into Virtual Zones: policy-defined groups of assets that communicate with one another under normal circumstances. This can include microsegmentation for XIoT, creating even smaller groups of assets with which these devices may communicate. CTD's Virtual Zones feature is a cost-effective and efficient way to establish what "normal" looks like and to be alerted to lateral movement by malicious actors as they try to establish a presence, jump zones, and move across the environment.
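The two ideas above, a boundary policy derived from the Purdue levels and a baseline of "normal" communication that defines zones, can both be checked from flow records. The script below is an added example, not Claroty's code or CTD's logic: the subnet-to-level inventory, the baseline set, the sample flows and the policy rules are all constructed, and the zone grouping is the simplest possible version (connected components of the baseline graph) of the asset grouping described above.

```python
"""Audit observed network flows against a Purdue-style segmentation policy.
Added example, not Claroty's code. Inventory, baseline, sample flows and
policy rules are constructed for illustration."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed inventory: which Purdue level each subnet belongs to.
# Level 3.5 is the industrial DMZ that brokers all IT <-> OT traffic.
LEVELS = {
    ip_network("10.1.0.0/16"): 4,     # enterprise IT (ERP, mail, workstations)
    ip_network("10.35.0.0/24"): 3.5,  # industrial DMZ (jump host, historian replica)
    ip_network("10.3.0.0/24"): 3,     # site operations (historian, engineering)
    ip_network("10.2.0.0/24"): 2,     # supervisory control (HMI, SCADA)
    ip_network("10.0.0.0/24"): 1,     # basic control (PLCs, RTUs)
}
OT_LEVELS = {0, 1, 2, 3}

def level_of(ip):
    """Map an address to its Purdue level; unknown addresses count as internet."""
    addr = ip_address(ip)
    for net, lvl in LEVELS.items():
        if addr in net:
            return lvl
    return "internet"

def flow_violation(src, dst):
    """Return why a src->dst flow breaks the assumed policy, or None if allowed.
    Policy: Levels 0-3 never touch the internet; IT (Levels 4/5) reaches OT
    only through the Level 3.5 DMZ; the DMZ talks to Level 3, never to 0-2."""
    s, d = level_of(src), level_of(dst)
    if (s in OT_LEVELS and d == "internet") or (s == "internet" and d in OT_LEVELS):
        return "OT asset exposed to internet"
    if (s in (4, 5) and d in OT_LEVELS) or (d in (4, 5) and s in OT_LEVELS):
        return "IT/OT flow bypasses the Level 3.5 DMZ"
    if 3.5 in (s, d):
        other = d if s == 3.5 else s
        if other in {0, 1, 2}:
            return "DMZ reaches below Level 3"
    return None

def audit(flows, baseline=None):
    """Return (src, dst, dport, reason) for each flow that violates policy or,
    when a learned baseline set is given, falls outside that baseline."""
    findings = []
    for src, dst, dport in flows:
        reason = flow_violation(src, dst)
        if reason is None and baseline is not None and (src, dst, dport) not in baseline:
            reason = "communication outside learned baseline"
        if reason:
            findings.append((src, dst, dport, reason))
    return findings

def learn_zones(baseline):
    """Group assets that normally talk to each other into zones: each zone is a
    connected component of the baseline communication graph."""
    adj = defaultdict(set)
    for src, dst, _ in baseline:
        adj[src].add(dst)
        adj[dst].add(src)
    seen, zones = set(), []
    for node in sorted(adj):
        if node in seen:
            continue
        comp, stack = set(), [node]
        while stack:
            n = stack.pop()
            if n not in comp:
                comp.add(n)
                stack.extend(adj[n] - comp)
        seen |= comp
        zones.append(frozenset(comp))
    return zones

# Constructed baseline: (src, dst, dport) seen during a week of normal operation.
BASELINE = {
    ("10.2.0.10", "10.0.0.5", 502),    # HMI polls cell-1 PLCs over Modbus/TCP
    ("10.2.0.10", "10.0.0.6", 502),
    ("10.3.0.20", "10.2.0.10", 4840),  # site historian reads the HMI via OPC UA
    ("10.35.0.5", "10.3.0.20", 4840),  # DMZ replica pulls from the site historian
    ("10.1.0.50", "10.35.0.5", 443),   # ERP reads the DMZ replica over HTTPS
    ("10.2.0.11", "10.0.0.7", 502),    # an isolated cell-2 HMI/PLC pair
}

# Constructed sample of later traffic to audit.
SAMPLE_FLOWS = [
    ("10.2.0.10", "10.0.0.5", 502),     # normal
    ("10.1.0.50", "10.35.0.5", 443),    # normal, via the DMZ
    ("10.1.0.77", "10.0.0.5", 502),     # IT workstation straight to a PLC
    ("10.0.0.6", "203.0.113.9", 443),   # PLC calling out to the internet
    ("10.35.0.5", "10.2.0.10", 3389),   # DMZ jump host RDP directly to an HMI
    ("10.2.0.10", "10.0.0.9", 502),     # HMI talking to a PLC never seen before
]
```

Running `audit(SAMPLE_FLOWS, BASELINE)` flags four of the six flows: the IT-to-PLC connection, the PLC reaching the internet, the DMZ host reaching an HMI directly, and the HMI's new peer, while `learn_zones(BASELINE)` yields two zones (the historian-connected assets and the isolated cell-2 pair). In a real audit the flow tuples would come from firewall logs, NetFlow or a passive sensor rather than a hard-coded list.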
The Zero Trust model has steadily gained traction over the past decade and more. While it initially pertained mainly to IT assets, the rapid digitization of OT and the XIoT have made Zero Trust a fundamental best practice for operational resilience in today's connected industrial environments and a complement to the Purdue Model. In a nutshell, Zero Trust grants no implicit trust based on network location: every user, device and session must demonstrate a legitimate reason for the action it is performing. By requiring all users and devices to be continuously authenticated, authorized, and validated, a properly implemented Zero Trust architecture prevents adversaries from turning a single point of entry into carte-blanche access to a victim's network. Taking a Zero Trust approach is among the most effective ways to ensure robust OT and ICS security. Carried out effectively, each user can reach only the applications and systems they need, without relying on flat-network VPN access or ever more complex perimeter firewall rules to do the job.
Claroty xDome Secure Access is a remote access tool designed specifically for OT, and helps support Zero Trust while aligning with the Purdue Model. xDome Secure Access minimizes the risks of unauthorized OT remote access by letting administrators control access based on roles and policies, centrally manage user credentials, gain visibility into all remote connections and activities, and terminate sessions or review recordings afterwards for forensic purposes if needed. xDome Secure Access uses a single encrypted tunnel for intra-facility communications. This greatly simplifies network firewall configurations and is consistent with the segmentation best practices the Purdue Model calls for, ensuring that one connection point does not provide broad network access.
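To make the role- and policy-based access described above concrete, here is an added example of a Zero Trust decision for an OT remote session. It is not Claroty's code or xDome's logic; the roles, the policy table, the assets and the requests are all constructed, and a real deployment would source identity, device posture and the asset inventory from the corresponding systems rather than from literals. The point it demonstrates is that approval binds a user to one target, one protocol, a time limit and recording, never to the network as a whole.

```python
"""Zero Trust access decisions for OT remote sessions.
Added example, not Claroty's code. Roles, policy table, assets and
requests are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass(frozen=True)
class Asset:
    name: str
    level: int    # Purdue level of the target
    site: str

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_managed: bool            # posture: corporate-managed, patched endpoint
    asset: Asset
    protocol: str                   # the single protocol the session will carry
    when: datetime
    ticket: Optional[str] = None    # change or maintenance ticket reference

# Constructed policy table: per role, the lowest Purdue level it may reach,
# the protocols it may use, the sites it covers, and extra conditions.
POLICY = {
    "ops_engineer": dict(lowest_level=1, protocols={"rdp", "ssh"}, sites={"plant-a"},
                         needs_ticket=False, hours=None, ttl_minutes=240),
    "vendor":       dict(lowest_level=1, protocols={"rdp"}, sites={"plant-a"},
                         needs_ticket=True, hours=(8, 18), ttl_minutes=60),
    "it_helpdesk":  dict(lowest_level=3, protocols={"rdp"}, sites={"plant-a"},
                         needs_ticket=False, hours=None, ttl_minutes=120),
}

def decide(req: Request) -> dict:
    """Evaluate one request; every check must pass and network location is never
    a factor. Returns {"allow": bool, "reason": str, "session": dict or None}.
    An allowed session is bound to one target, one protocol, a hard expiry and
    mandatory recording, so a single approval never becomes broad access."""
    rule = POLICY.get(req.role)
    checks = [
        (rule is None, "unknown role"),
        (not req.mfa_passed, "MFA required"),
        (not req.device_managed, "device failed posture check"),
    ]
    if rule is not None:
        hours = rule["hours"]
        checks += [
            (req.asset.site not in rule["sites"], "site not permitted for role"),
            (req.asset.level < rule["lowest_level"],
             f"Level {req.asset.level} target is below the role floor (Level {rule['lowest_level']})"),
            (req.protocol not in rule["protocols"], f"protocol {req.protocol} not permitted"),
            (rule["needs_ticket"] and not req.ticket, "maintenance ticket required"),
            (hours is not None and not (hours[0] <= req.when.hour < hours[1]),
             "outside maintenance window"),
        ]
    for failed, reason in checks:
        if failed:
            return {"allow": False, "reason": reason, "session": None}
    session = {
        "user": req.user,
        "target": req.asset.name,
        "protocol": req.protocol,
        "expires": req.when + timedelta(minutes=rule["ttl_minutes"]),
        "record": True,
    }
    return {"allow": True, "reason": "all checks passed", "session": session}

# Constructed assets and requests.
PLC = Asset("plc-cell-1", level=1, site="plant-a")
HMI = Asset("hmi-02", level=2, site="plant-a")
WORKDAY = datetime(2024, 3, 12, 10, 30)   # 10:30 local, inside the vendor window
NIGHT = datetime(2024, 3, 12, 2, 15)      # 02:15 local, outside it

REQUESTS = {
    "vendor_ok":    Request("acme-tech", "vendor", True, True, PLC, "rdp", WORKDAY, ticket="CHG-0042"),
    "vendor_night": Request("acme-tech", "vendor", True, True, PLC, "rdp", NIGHT, ticket="CHG-0042"),
    "helpdesk_plc": Request("hd-user", "it_helpdesk", True, True, PLC, "rdp", WORKDAY),
    "eng_no_mfa":   Request("eng-1", "ops_engineer", False, True, HMI, "rdp", WORKDAY),
    "eng_modbus":   Request("eng-1", "ops_engineer", True, True, PLC, "modbus", WORKDAY),
}
```

Of the five constructed requests only `vendor_ok` is granted, and what it gets is a one-hour RDP session to `plc-cell-1` that is recorded; the same vendor at night, the helpdesk reaching below Level 3, the engineer without MFA, and a request for raw Modbus from a remote endpoint are each refused with a specific reason that can be logged and alerted on.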
You can't prevent every attack, but you can get ahead of certain threats by assessing your security posture and prioritizing the patching of known exploited vulnerabilities (CISA's Known Exploited Vulnerabilities catalog is the authoritative list). In instances where patching isn't possible or practical, such as with legacy systems or XIoT devices you don't control, compensating controls and sound practices enabled through the Purdue Model, such as confining the vulnerable asset to its zone and blocking the exploitable protocol at the zone or DMZ firewall, bridge the gap and strengthen operational resilience.
An effective vulnerability management plan depends on having an accurate and up-to-date understanding of your organization's network components. Claroty's solutions for industrial control systems provide comprehensive visibility, which extends not only to knowing what you have but also to the characteristics and activities of what you have. This is the foundation for preventing attacks similar to NotPetya, which spread through an SMB flaw for which a patch already existed; but administering security patches is disruptive and costly, especially in OT environments. To manage and patch the vulnerabilities that matter most, security teams need the visibility to identify which security flaws are present in OT assets, together with the ability to accurately assess the risk each vulnerability poses in context: whether it is known to be exploited, whether the asset is exposed, and how close it sits to the physical process. Then they can prioritize patching known exploited vulnerabilities first. Claroty provides expert-defined remediation guidance with all alerts, and delivers strategic insight into your organization's risk posture, recommendations for strengthening it, and the KPIs you need to track the efficiency of your risk management program.
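The prioritization described above, known-exploited first and then exposure and process proximity rather than raw CVSS alone, is easy to state and worth seeing run. The script below is an added example, not Claroty's scoring: `KEV_JSON` is a constructed excerpt that only mimics the shape of the CISA KEV feed (a `vulnerabilities` list whose entries carry a `cveID`), the asset inventory and the scoring weights are constructed, and the `CVE-0000-*` identifiers are placeholders. CVE-2017-0144 is the real SMBv1 flaw (MS17-010) that NotPetya's EternalBlue component exploited.

```python
"""Rank OT vulnerabilities for remediation, known-exploited first.
Added example, not Claroty's code. The KEV excerpt, inventory, weights
and CVE-0000-* identifiers are constructed; CVE-2017-0144 is real."""
import json
from typing import NamedTuple

class Finding(NamedTuple):
    asset: str
    cve: str
    score: float
    action: str

# Constructed excerpt in the shape of the CISA KEV feed (only cveID is used here).
KEV_JSON = """{"vulnerabilities": [
  {"cveID": "CVE-2017-0144"},
  {"cveID": "CVE-0000-0001"}
]}"""

# Constructed inventory: Purdue level, exposure, and whether a patch can be applied.
ASSETS = [
    {"name": "eng-ws-01", "level": 3, "internet_exposed": False, "patchable": True,
     "vulns": [{"cve": "CVE-2017-0144", "cvss": 8.1}]},
    {"name": "hmi-02", "level": 2, "internet_exposed": False, "patchable": True,
     "vulns": [{"cve": "CVE-0000-0001", "cvss": 9.8}]},
    {"name": "plc-cell-3", "level": 1, "internet_exposed": True, "patchable": False,
     "vulns": [{"cve": "CVE-0000-0002", "cvss": 9.8}]},
]

def load_kev(raw: str) -> set:
    """Extract the set of known-exploited CVE identifiers from KEV-shaped JSON."""
    return {entry["cveID"] for entry in json.loads(raw)["vulnerabilities"]}

def score(asset: dict, vuln: dict, kev: set) -> float:
    """Assumed weights: evidence of exploitation outweighs raw severity, then
    exposure and proximity to the physical process, with CVSS as tiebreak."""
    s = 0.0
    if vuln["cve"] in kev:
        s += 100          # actively exploited in the wild
    if asset["internet_exposed"]:
        s += 30           # reachable without first compromising IT
    if asset["level"] <= 2:
        s += 20           # supervisory or control level, closest to the process
    return s + vuln["cvss"]

def plan(asset: dict) -> str:
    """Patch where possible; otherwise name the compensating control."""
    if asset["patchable"]:
        return "patch in next maintenance window"
    return "compensating control: confine to zone, block exploitable protocol at DMZ firewall, remove exposure"

def prioritize(assets, kev):
    """Return findings sorted highest score first."""
    findings = [Finding(a["name"], v["cve"], score(a, v, kev), plan(a))
                for a in assets for v in a["vulns"]]
    return sorted(findings, key=lambda f: f.score, reverse=True)
```

With the constructed inventory, `prioritize(ASSETS, load_kev(KEV_JSON))` ranks the HMI's known-exploited flaw first and the engineering workstation's EternalBlue exposure second, ahead of the unpatchable PLC whose CVSS 9.8 issue is not known to be exploited; that PLC's entry carries a compensating-control action rather than a patch, which is the decision the text describes for assets you cannot patch.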
Understanding the three ways described above in which the Purdue Model can protect your organization from today's advanced cyberthreats is key to successfully securing your industrial control systems. A strong network architecture, modelled on the Purdue hierarchy, improves overall ICS security and provides a foundation for additional security measures to be incorporated over time. As we've established, securing your industrial environment starts with strong architectural defenses. Network segmentation, a Zero Trust architecture, and an effective vulnerability management strategy are essential practices the Purdue Model supports. By partnering with an ICS security provider like Claroty, organizations can implement these practices and build both cyber and operational resilience.