Purdue Enterprise Reference Architecture
What is Purdue Enterprise Reference Architecture?
Purdue Enterprise Reference Architecture
A layered reference model for industrial networks that segments business IT from process control, widely used to design ICS network segmentation.
The Purdue Enterprise Reference Architecture (PERA), commonly called the Purdue model, organises industrial systems into hierarchical levels: Level 0 (the physical process and field devices such as sensors and actuators), Level 1 (basic control: PLCs and RTUs), Level 2 (supervisory control: SCADA servers and HMIs), Level 3 (site operations: MES and historians), an industrial DMZ conventionally numbered Level 3.5 (a later practitioner addition rather than part of the original model), and Levels 4-5 (enterprise IT and external or internet-facing services). Traffic crosses levels only through defined conduits enforced by firewalls, and anything passing between the OT side (Levels 0-3) and the enterprise side (Levels 4-5) terminates in the DMZ rather than flowing end to end, so the control levels never have a direct path to the corporate network. The model underpins the zone-and-conduit approach of ISA/IEC 62443 (originally developed as ISA-99) and is the conceptual basis for most OT segmentation and detection programmes. Modern variants extend Purdue to address cloud connectivity, remote support, IIoT gateways, and OT/IT convergence while preserving the principle of strict zone-to-zone control.
● Examples
- 01
A manufacturer placing an OT DMZ at Level 3.5 to broker historian replication to the corporate cloud.
- 02
An audit checklist mapping each PLC, HMI, and ERP server to a Purdue level for segmentation review.
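The level hierarchy described above and the audit checklist in example 02 can be turned into a mechanical check: map every inventoried asset to a Purdue level, then test each observed flow against a strict zone-to-zone policy in which a flow may only stay within a level or cross to the adjacent one. Because the DMZ (3.5) sits between Levels 3 and 4 in the ordering, a direct Level 4 to Level 3 flow is non-adjacent and is reported as a DMZ bypass without any special-case rule. The script below is an added example, not code from the original page or from any standard; the asset names, addresses and flow records are constructed for illustration.

```python
"""Purdue-model segmentation audit: map assets to levels, then check observed
flows against a strict zone-to-zone conduit policy.

Added example. The inventory, addresses and flows below are constructed and
hypothetical, not taken from any real site."""
from collections import defaultdict

# Ordered Purdue levels as used on this page; 3.5 is the industrial DMZ.
LEVEL_ORDER = [0, 1, 2, 3, 3.5, 4, 5]

# Constructed asset inventory: address -> (name, Purdue level). Hypothetical.
ASSETS = {
    "10.10.0.11": ("PLC-01", 1),
    "10.10.0.12": ("RTU-02", 1),
    "10.10.1.20": ("HMI-01", 2),
    "10.10.1.21": ("SCADA-SRV", 2),
    "10.10.2.30": ("HISTORIAN", 3),
    "10.10.2.31": ("MES-APP", 3),
    "10.10.3.40": ("DMZ-HIST-REPLICA", 3.5),
    "10.20.0.50": ("ERP-SRV", 4),
    "10.20.0.51": ("CORP-WKS", 4),
}

# Constructed flow records (src, dst, dst_port), as one might extract from
# firewall logs or a span-port capture.
FLOWS = [
    ("10.10.1.21", "10.10.0.11", 502),    # SCADA polls PLC (Modbus/TCP): 2 -> 1
    ("10.10.2.30", "10.10.1.21", 4840),   # historian reads SCADA (OPC UA): 3 -> 2
    ("10.10.2.30", "10.10.3.40", 5432),   # historian replicates into DMZ: 3 -> 3.5
    ("10.20.0.50", "10.10.3.40", 5432),   # ERP reads the DMZ replica: 4 -> 3.5
    ("10.20.0.50", "10.10.2.30", 5432),   # ERP reads historian directly: 4 -> 3
    ("10.20.0.51", "10.10.1.20", 3389),   # corporate workstation RDP to HMI: 4 -> 2
    ("10.10.0.11", "203.0.113.5", 443),   # PLC talking to an un-inventoried address
]


def allowed(src_level, dst_level):
    """Strict zone-to-zone policy: a flow may stay within its level or cross to
    an adjacent level only. Since 3.5 sits between 3 and 4 in LEVEL_ORDER, a
    direct 3 <-> 4 flow is non-adjacent and rejected: every IT/OT crossing must
    terminate in the DMZ."""
    return abs(LEVEL_ORDER.index(src_level) - LEVEL_ORDER.index(dst_level)) <= 1


def classify_flow(flow, assets=ASSETS):
    """Return (status, detail) for one flow: 'ok', 'violation' or 'unknown'.
    An endpoint missing from the inventory is itself an audit finding."""
    src, dst, port = flow
    if src not in assets or dst not in assets:
        missing = dst if src in assets else src
        return "unknown", f"{missing} not in asset inventory"
    sname, slvl = assets[src]
    dname, dlvl = assets[dst]
    path = f"{sname} (L{slvl}) -> {dname} (L{dlvl}) :{port}"
    if allowed(slvl, dlvl):
        return "ok", path
    return "violation", f"{path} skips a level or bypasses the DMZ"


def audit(flows=FLOWS, assets=ASSETS):
    """Group findings by status so violations and inventory gaps can be reviewed."""
    findings = defaultdict(list)
    for flow in flows:
        status, detail = classify_flow(flow, assets)
        findings[status].append(detail)
    return dict(findings)


def level_map(assets=ASSETS):
    """The checklist view: every inventoried asset listed under its Purdue level."""
    by_level = defaultdict(list)
    for name, level in assets.values():
        by_level[level].append(name)
    return {lvl: sorted(by_level[lvl]) for lvl in LEVEL_ORDER if lvl in by_level}


if __name__ == "__main__":
    for lvl, names in level_map().items():
        print(f"Level {lvl}: {', '.join(names)}")
    for status, details in audit().items():
        for detail in details:
            print(f"[{status}] {detail}")
```

Running it lists the assets per level and then flags two violations (the ERP server reaching the historian directly, and the corporate workstation reaching the HMI) plus one unknown endpoint. The adjacency rule is the strictest reading of the model; a real site will have documented conduits that deliberately relax it (a DMZ jump host reaching Level 2, for instance), so in practice the policy function should encode the site's approved conduit list rather than pure adjacency, and every flow outside that list becomes a finding.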
● Frequently asked questions
What is Purdue Enterprise Reference Architecture?
A layered reference model for industrial networks that segments business IT from process control, widely used to design ICS network segmentation. It belongs to the OT / ICS / IoT category of cybersecurity.
What does Purdue Enterprise Reference Architecture mean?
A layered reference model for industrial networks that segments business IT from process control, widely used to design ICS network segmentation.
How does Purdue Enterprise Reference Architecture work?
The Purdue Enterprise Reference Architecture (PERA), commonly called the Purdue model, organises industrial systems into hierarchical levels: Level 0 (the physical process and field devices such as sensors and actuators), Level 1 (basic control: PLCs and RTUs), Level 2 (supervisory control: SCADA servers and HMIs), Level 3 (site operations: MES and historians), an industrial DMZ conventionally numbered Level 3.5 (a later practitioner addition rather than part of the original model), and Levels 4-5 (enterprise IT and external or internet-facing services). Traffic crosses levels only through defined conduits enforced by firewalls, and anything passing between the OT side (Levels 0-3) and the enterprise side (Levels 4-5) terminates in the DMZ rather than flowing end to end, so the control levels never have a direct path to the corporate network. The model underpins the zone-and-conduit approach of ISA/IEC 62443 (originally developed as ISA-99) and is the conceptual basis for most OT segmentation and detection programmes. Modern variants extend Purdue to address cloud connectivity, remote support, IIoT gateways, and OT/IT convergence while preserving the principle of strict zone-to-zone control.
How is the Purdue Enterprise Reference Architecture used defensively?
The Purdue model is a defensive design pattern rather than a threat. It is applied by mapping every PLC, HMI, server and workstation to a level, defining the zones and the conduits permitted between them, enforcing those conduits with firewalls, brokering all OT-to-enterprise exchanges (such as historian replication) through the Level 3.5 DMZ, and monitoring cross-level traffic so that flows which skip a level or bypass the DMZ are caught as segmentation failures.
What are other names for Purdue Enterprise Reference Architecture?
Common alternative names include: Purdue model, PERA, Purdue reference architecture.
● Related terms
- ot-iot№ 529
Industrial Control System (ICS)
An umbrella term for systems that automate and supervise industrial processes, including SCADA, DCS, PLCs, RTUs, and safety controllers.
- ot-iot№ 513
IEC 62443
The IEC family of standards for the cybersecurity of industrial automation and control systems, addressing asset owners, integrators, and product suppliers.
- ot-iot№ 762
Operational Technology (OT)
Hardware and software that monitor and control physical processes, devices, and infrastructure such as factories, power plants, and utilities.
- network-security№ 723
Network Segmentation
The practice of splitting a network into multiple zones with controlled traffic between them to contain breaches and enforce least privilege.
- ot-iot№ 972
SCADA
Supervisory Control and Data Acquisition systems that gather telemetry from remote field devices and let operators monitor and command large industrial processes.
- ot-iot№ 038
Air-Gapped Network
A network that is physically and logically isolated from other networks, especially the internet, to protect highly sensitive systems such as ICS, classified networks, or vaults.