implementing-purdue-model-network-segmentation


Implementing Purdue Model Network Segmentation

When to Use

  • When designing or retrofitting network architecture for an ICS/SCADA environment
  • When implementing IEC 62443 zone and conduit requirements in a brownfield plant
  • When creating the IT/OT DMZ (Level 3.5) to control data flow between enterprise and control networks
  • When remediating audit findings about flat OT networks or direct IT-to-OT connectivity
  • When segmenting a converged IT/OT network after an acquisition or merger

Do not use for micro-segmentation within a single Purdue level (see implementing-zone-conduit-model-for-ics), for cloud-native environments without traditional ICS networks, or for network segmentation in purely IT environments.

Prerequisites

  • Complete OT asset inventory with Purdue level classification for each device
  • Network architecture diagram showing current topology, VLANs, and firewall placements
  • Industrial firewalls capable of deep packet inspection for OT protocols (Palo Alto, Fortinet, Cisco)
  • Understanding of required data flows between Purdue levels (historian replication, remote access, patch distribution)
  • Change management approval from plant operations for network modifications

First Seen: Mar 19, 2026