The Purdue model in 2026: why flat IT-OT networks are the real risk

The Purdue model still guides OT design, but flat IT-OT networks are the real risk in 2026. How to enforce zone boundaries without downtime.
Control room operator monitoring SCADA systems at a European industrial facility.

The Purdue model has organised industrial networks for three decades by separating the factory floor from the business systems above it. In 2026 the assumptions that made it work, hierarchical separation and a genuine air gap, no longer hold on most production sites.

The model itself is not wrong. It remains the reference frame every OT engineer reaches for when describing where a controller sits or where a historian belongs. The problem is the gap between the diagram on the wall and the network as it actually runs. IIoT sensors, cloud analytics and remote maintenance have flattened the layers the model assumes are kept apart. This post explains what the Purdue model is, why its boundaries are eroding, what that means for security, and how to enforce those boundaries again on a network that no longer respects them.

What is the Purdue model?

The Purdue model is a reference architecture that organises industrial control systems into hierarchical levels, from the physical process at the bottom to enterprise IT and cloud at the top, with data flowing only between adjacent levels. It was developed from the Purdue Enterprise Reference Architecture in the 1990s and became the default way to describe IT and OT separation.

The levels break down as follows:

Level Function Typical assets
Level 5 Enterprise and cloud Public cloud, SaaS, central SIEM and SOC
Level 4 Enterprise IT ERP, CRM, Active Directory, mail servers
Level 3.5 Industrial DMZ Screened firewalls, historian replicas, jump hosts
Level 3 Site operations MES, site historians, local analytics
Level 2 Supervisory control SCADA servers, HMIs, engineering workstations
Level 1 Basic control PLCs, RTUs, safety controllers
Level 0 Physical process Sensors, actuators, pumps, valves

The Industrial DMZ at Level 3.5 is the part that matters most for security. In the original design no traffic runs directly between Level 4 and Level 3. Everything terminates in the DMZ, where it is validated and translated. That boundary was the model’s single most important control.

What the model assumed and why it made sense

The Purdue model rested on two assumptions that were entirely reasonable when it was written. The first was hierarchical separation: data and commands move vertically between adjacent levels, never directly between a Level 1 controller and an external network. The second was physical isolation, the air gap, reinforced by the fact that OT ran on proprietary, non-routable serial protocols that were physically incompatible with ethernet-based IT.

Under those conditions the design worked well. Security came largely from the absence of connectivity. A PLC could not be reached from the corporate network because there was no path and no shared protocol. The priority on the factory floor was availability and deterministic performance, and the architecture protected both by keeping the process systems sealed off.

That world has gone. The serial protocols have given way to ethernet and the air gap has been bridged for reasons that are commercially unavoidable. The model still describes how a plant should be organised, but it no longer describes how most plants are wired.

Why the Purdue model is breaking down

The strict layer separation is eroding because the business now depends on data flowing straight between the factory floor and the cloud. Digital transformation and real-time analytics require connectivity that the model was designed to prevent. According to the Terrazone Threat Report (December 2025), around 70% of operational systems are now directly connected to IT networks for data aggregation and cloud analytics.

Four pressures flatten the hierarchy in practice. IIoT sensors increasingly ship with their own wireless links and send telemetry straight to Level 5 analytics, skipping every intermediate control and DMZ layer. Machine builders expect permanent remote access to SCADA and PLCs, often over persistent VPNs that run straight into production subnets instead of terminating in the Level 3.5 DMZ. Many mid-market manufacturers have merged Active Directory and DNS across IT and OT to cut cost, so a breach at Level 4 can translate into administrative control over the floor. And just-in-time production needs Level 4 ERP talking to Level 3 MES, which in practice means broad firewall ports that dissolve the DMZ boundary.

The result is a plant that still uses Purdue as its reference diagram while running, underneath, as a complex interwoven network where the old dividing lines have blurred.

The security consequence of a flat network

When the Purdue hierarchy collapses without anything replacing it, you get a flat network: no internal segmentation between the operational subnets at Levels 1 to 3, and no control over east-west traffic, the traffic between devices on the same level. That is the single biggest cyber risk facing industrial firms in 2026.

On a flat network, compromising any machine in the IT environment, a laptop or even a printer, leads almost inevitably to fast lateral spread into the operational systems. Traditional perimeter firewalls inspect only north-south traffic entering and leaving the network, so they see nothing of malicious activity moving east-west inside the plant. Dragos data cited via Opsio (April 2026) found that 96% of OT incidents in 2024 originated in enterprise IT network connections, and the Terrazone analysis puts the share of OT attacks that begin as an IT breach and then move laterally at around 75%.

The economics have shifted too. Ransomware groups have adapted to flat infrastructure. Where encrypting IT data was once the goal, attackers now aim straight at halting physical production, because unplanned downtime for a mid-sized manufacturer can run to hundreds of thousands of euros a day, which sharply raises the pressure to pay. Check Point’s Manufacturing Threat Landscape 2026 (April 2026) recorded a 56% rise in global ransomware attacks on the manufacturing sector, 1,466 incidents in 2025 against 937 in 2024.

Losing the Industrial DMZ removes the last effective barrier. Without that controlled buffer, attackers can abuse industrial protocols such as Modbus/TCP or S7Comm directly to overwrite PLC firmware, manipulate physical parameters or disable safety systems.

What this looks like in practice

The Jaguar Land Rover attack in late 2025 shows the cost when IT compromise reaches production. Administrators detected suspicious activity on 31 August 2025, and the next day the company deliberately shut down central IT systems to stop the malware reaching the physical lines. The PLCs were not encrypted, but pulling the IT systems halted everything. Without the IT-OT links handling parts sequencing, logistics tracking and quality control, the plants at Solihull, Halewood and Wolverhampton could not run.

Production stood still for more than five weeks, losing roughly 1,000 vehicles a day. The Cyber Monitoring Centre estimated the total hit to the UK economy at £1.9 billion (around $2.5 billion), with more than 5,000 suppliers affected, and the Bank of England later named the attack as a factor in slower UK GDP growth in the third quarter of 2025. The flat-network lesson is blunt: the controllers survived, yet the lost boundary between IT and production cost five weeks of output.

A different failure mode appeared at Stryker on 11 March 2026, where the attack targeted the cloud identity plane rather than the floor. Attackers linked to the Iran-aligned group Handala obtained Global Administrator rights in Stryker’s Microsoft environment using compromised credentials, then abused the company’s own Microsoft Intune device-management platform to issue a mass remote-wipe command. Investigators put the verified count near 80,000 devices, including BYOD phones, factory-reset in a single morning, with no malware deployed. The destruction of administrative IT alone forced Stryker to halt production, order processing and global shipping for around two weeks.

Mid-market manufacturers face the same pattern at smaller scale. As reported, the Belgian metal and construction firm Van Eycken was hit by Akira ransomware in January 2026, where a lack of internal segmentation between office and production let the operational network seize up directly. The Centre for Cybersecurity Belgium recorded a steep rise in incident reports through 2025, averaging around 275 cyberattacks a day.

Purdue versus Zero Trust: replace or complement?

The fast-moving threat picture has opened a genuine debate among network architects. Should the Purdue model be replaced outright by a Zero Trust architecture, or do the two work together? Three positions have emerged, and they disagree in instructive ways.

Position Core idea What happens to Purdue
Complementary Zero Trust modernises Purdue rather than replacing it Kept as a functional reference, with continuous verification layered on
Two-layer abstraction (US DoD) Collapse Purdue into operational and control layers for practical Zero Trust Retained as a classification method, simplified for enforcement
Protect surfaces Abandon horizontal layers for vertical per-process microsegments Discarded as the organising principle

The mainstream view among industrial security practitioners is that Zero Trust complements Purdue. The model stays valuable as a functional way to understand operational hierarchy, response times and process dependencies. Where the traditional model assumed every device inside a given level was inherently trustworthy, location-based trust, Zero Trust holds that no implicit trust should exist anywhere. The hierarchy still defines policy boundaries, but every communication across or within levels is subject to continuous identity verification, device checks and least-privilege access.

A pragmatic variant is the two-layer abstraction model in the US Department of Defense Zero Trust for Operational Technology guidance. It keeps the Purdue classification but splits the infrastructure into an operational layer, Purdue Levels 3, 3.5 and 4, where ZTNA replaces legacy VPNs, and a control layer, Levels 0, 1 and 2, where legacy controllers without native identity are protected through external inline isolation and strict east-west blocking. It accepts that you cannot deploy modern identity agents onto thirty-year-old PLCs, and concentrates on sealing off access to those devices from the layers above.

A more radical school argues the horizontal layers are unsuited to cloud-connected factories and proposes dropping the hierarchy in favour of vertical protect surfaces, isolating each individual process in its own microsegment with everything outside it blocked by default.

You do not have to pick a camp to act. All three agree on the practical point: identity-aware boundaries have to be enforced somewhere, because the network layout alone no longer enforces them.

Modern segmentation in practice

Mitigating flat-network risk without disrupting uptime comes down to three techniques that work together. The goal is not to rebuild the air gap. It is to enforce Purdue-like boundaries on a network that has already been flattened.

Zones and conduits under IEC 62443. The IEC 62443 series formalises segmentation through its zones-and-conduits concept in IEC 62443-3-2. Zones group assets that share security requirements and risk profiles, for example a separate safety zone for Safety Instrumented Systems and a distinct process-control zone. Communication between zones is forbidden unless it runs through an explicitly defined and monitored conduit, secured to the level of the most critical zone it connects. That usually means firewalls with deep packet inspection or hardware data diodes passing only approved industrial protocols.

Software-defined microsegmentation. Traditional segmentation leans on configuring VLANs and static IP routing on physical switches, which in industrial settings often causes configuration errors and unplanned downtime. Modern microsegmentation uses software-defined overlays keyed to cryptographic device identities rather than physical ports. Two devices on the same switch can be fully isolated from each other, removing VLAN complexity and letting teams adjust rules based on a device’s actual function. Our guide to network segmentation in 2026 covers that shift from VLANs to identity-based isolation in more depth.

Agentless inline isolation, the IT-OT bridge. The biggest obstacle to Zero Trust on the factory floor is that legacy, business-critical devices such as PLCs, SCADA servers and old Windows terminals physically cannot run software agents and cannot be patched without halting production. Agentless inline isolation answers this by placing a specialised hardware appliance directly inline in front of the vulnerable device. The appliance acts as a transparent enforcement layer that inspects traffic at packet level. Without installing anything on the legacy system and without re-architecting the network, it enforces the boundary rules of the IEC 62443 conduits, blocking unauthorised east-west traffic at source while production continues.

This is where Jimber fits. You cannot air-gap a modern plant, so the goal shifts to enforcing the boundaries the flattened network lost. Jimber’s NIAC hardware sits inline with agentless devices and enforces zone boundaries without touching the device or stopping the line, giving each controller the equivalent of its own microsegment. It does not implement the full Purdue model for you. It enforces the separation the model assumes but that your network can no longer provide on its own. The same approach extends to distributed estates such as water utility SCADA, where the devices are the same but the sites are spread across a region.

Common myths worth dropping

Four assumptions still circulate on factory floors and each one quietly raises risk.

The air gap is safe. In 2026 a physical air gap is largely an illusion. Almost every plant has connections to the outside world through IIoT sensors, vendor maintenance tunnels or integrated ERP-MES links, and even a network that looks isolated picks up infections through USB sticks and contractor laptops.

Active vulnerability scanning protects OT. Running active IT-style scans is risky on operational networks. Many older PLCs have fragile network stacks that were never built to handle unexpected traffic, and a scan can hang a Level 1 controller and cause physical damage. Passive monitoring is the safe way to map assets on the floor.

NIS2 compliance equals security. Compliance with NIS2 or the Belgian CyberFundamentals framework is a legal requirement, not a guarantee of resilience. Audits mainly check that policies and procedures exist on paper. An organisation can meet the documentation requirements while the factory floor still runs flat and unsegmented.

EDR everywhere fixes the floor. Endpoint detection is powerful in IT but limited in OT. A large share of factory-floor devices run proprietary firmware that cannot host an agent, and OEM vendors often withdraw support if uncertified software is installed on their SCADA servers. Protection has to be network-based and agentless inline.

Frequently asked questions

Is the Purdue model still relevant in 2026?

Yes, as a reference framework. The Purdue model remains the clearest way to describe where industrial assets sit and how processes depend on one another. What has changed is that its strict layer separation no longer matches how plants are wired, so it needs modern enforcement layered on top.

Why is a flat network so dangerous for a manufacturer?

A flat network has no east-west segmentation between levels. Once ransomware or an attacker enters through a compromised IT endpoint or a vendor VPN account, the threat can spread laterally within minutes to engineering workstations and PLCs. That expands the blast radius to the entire production environment.

Does Zero Trust replace the Purdue model?

No, the two are complementary. Purdue stays useful as a functional, hierarchical design model. Zero Trust modernises it by rejecting the assumption that devices within a level are inherently trustworthy, enforcing continuous identity-based verification on every session that crosses a defined boundary.

What is the difference between zones and conduits in IEC 62443?

A zone is a logical or physical grouping of assets that share the same security level and risk tolerance. A conduit is the only permitted, secured and monitored communication route between zones. Zones set the boundaries; conduits control what traffic is allowed to cross them.

Why can’t we just install security software on our PLCs?

Most Level 1 PLCs and Level 0 sensors run proprietary firmware and real-time operating systems that cannot run antivirus or EDR, have very limited memory, and can be destabilised by the added latency. Protection has to be enforced at the network level using agentless inline isolation.

How does inline isolation enforce Purdue boundaries without downtime?

An inline appliance sits between the legacy device and the switch and enforces an explicit allow-list of permitted traffic. It learns normal patterns in monitoring mode first, then switches to enforcement, so legitimate flows are never interrupted while unauthorised east-west traffic is blocked at the device.

Flat IT-OT networks are now the dominant risk in industrial environments, and rebuilding the air gap is not an option. The realistic path is to enforce the boundaries the Purdue model assumes, using zones and conduits, microsegmentation and agentless inline isolation that respects production uptime. To see how inline isolation enforces those zone boundaries on your own plant without halting a single line, book a Jimber demo.

Find out how we can protect your business

In our demo call we’ll show you how our technology works and how it can help you secure your data from cyber threats.

Cybersecurity
Are you an integrator or distributor?

Need an affordable cybersecurity solution for your customers?

We’d love to help you get your customers on board.

checkmark

White glove onboarding

checkmark

Team trainings

checkmark

Dedicated customer service rep

checkmark

Invoices for each client

checkmark

Security and Privacy guaranteed