How Low Can You Go with the Purdue Model Operational Technology for Cybersecurity

Author: Paul D. Robertson, Director, Cyber Security

At Mission Secure, we utilize the Purdue Model for Operational Technology.  

The Purdue Enterprise Reference Architecture (commonly known as the Purdue Model, or PERA) is a widely used architectural reference model for control systems that dates from the 1990s. Like many reference architectures, it may not adequately describe today’s complex networks, but it is still useful.

The key question for both engineers and management, when it comes to visibility and protection, is “How low can you go?” The lower you go in the Purdue Model, the closer you get to actual, trusted information, and the better informed and protected you become.

The Purdue Model contains five levels, labeled zero through four. From the top (four) down to the bottom (zero), the levels are:

Level 4 — Business logistics systems — Managing the business-related activities of the manufacturing operation. ERP is the primary system; establishes the basic plant production schedule, material use, shipping and inventory levels. Time frame: months, weeks, days, shifts.

Level 3 — Manufacturing operations systems — Managing production workflow to produce the desired products. Batch management; manufacturing execution/operations management systems (MES/MOMS); laboratory, maintenance and plant performance management systems; data historians and related middleware. Time frame: shifts, hours, minutes, seconds.

Level 2 — Control systems — Supervising, monitoring and controlling the physical processes. Real-time controls and software; DCS, human-machine interface (HMI); supervisory control and data acquisition (SCADA) software.

Level 1 — Intelligent devices — Sensing and manipulating the physical processes. Process sensors, analyzers, actuators and related instrumentation.

Level 0 — The physical process — Defines the actual physical processes.

Many attacks high in the architecture attempt to mask or fake data from the lower levels to cover the manipulation of systems and processes.  

In the early days of process automation, operators were on site, and mistrustful of Human Machine Interfaces.  They would often go out on the plant floor to check readings.  Today’s operation control rooms may not even be on site, and operators have learned to trust their HMI’s readings.

This is why modern attackers spoof the HMI: to keep operators from noticing fatal changes. If your protection and monitoring rely on repurposed IT equipment, there is no way to detect malfunction or malice at the lower levels, especially when the cause is an adversary in control of an operator or engineering workstation.
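The cross-check this argument implies, as an added example (not Mission Secure's code or product logic): values displayed at Level 2 are compared against independently collected Level 0 measurements, and a sustained disagreement raises an alert. The tag names, tolerances, sample values and the `cross_check` function are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    tag: str
    start: int        # timestamp of first mismatching sample
    end: int          # timestamp of last mismatching sample
    max_delta: float  # largest gap between displayed and measured value

def cross_check(hmi, level0, tolerance, min_consecutive=3):
    """Flag tags whose HMI value disagrees with the Level 0 measurement.

    hmi, level0: {tag: {timestamp: value}}. A tag alerts only when it is off by
    more than tolerance[tag] for min_consecutive samples in a row, so one noisy
    sample or scan-time skew does not fire.
    """
    alerts = []
    for tag, measured in level0.items():
        shown = hmi.get(tag, {})
        run = []  # (timestamp, delta) pairs of the current mismatch streak
        # The trailing None is a sentinel that flushes a streak still open at the end.
        for ts in sorted(set(measured) & set(shown)) + [None]:
            delta = abs(shown[ts] - measured[ts]) if ts is not None else 0.0
            if delta > tolerance[tag]:
                run.append((ts, delta))
                continue
            if len(run) >= min_consecutive:
                alerts.append(Alert(tag, run[0][0], run[-1][0], max(d for _, d in run)))
            run = []
    return alerts

# Constructed sample data (hypothetical tags, one sample per second).
# PT-101: the HMI keeps showing normal pressure while the measured value climbs.
# FT-202: a single noisy sample that should not alert.
LEVEL0 = {"PT-101": dict(enumerate([50.0, 51.0, 55.0, 62.0, 70.0, 78.0])),
          "FT-202": dict(enumerate([10.0, 10.0, 10.0, 10.0, 10.0, 10.0]))}
HMI = {"PT-101": dict(enumerate([50.0, 51.0, 50.0, 51.0, 50.0, 51.0])),
       "FT-202": dict(enumerate([10.0, 10.0, 13.0, 10.0, 10.0, 10.0]))}
TOLERANCE = {"PT-101": 2.0, "FT-202": 1.0}

if __name__ == "__main__":
    for a in cross_check(HMI, LEVEL0, TOLERANCE):
        print(f"{a.tag}: HMI disagrees with Level 0 from t={a.start} to t={a.end}, "
              f"max delta {a.max_delta}")
```

The check is only meaningful when the Level 0 values reach the monitor over a path that does not pass through the HMI, historian or engineering workstation being verified.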

Ask your vendors about Level 0 monitoring and protection.  If that elevator can’t get to the ground floor, the protection gap and information gap may be your next problem.  

Contact us for a demo today.