Summary

This paper addresses the critical need for specialized cybersecurity measures to protect

Operational Technology (OT) environments within power utilities and organisations with large

OT environments. The Purdue model segments industrial control (OT/ICS) systems from enterprise Information Technology (IT) to protect safety-critical processes that cannot tolerate downtime. It defines Levels 0–2 for field devices, Level 3 for operations management (e.g.,

SCADA), and Levels 4–5 for business/corporate networks and possible cloud environments, with a DMZ (De-Militarised Zone) between level 3 and 4 buffering OT from IT.

As OT/IT converge and threats evolve, a static DMZ can become a bottleneck lacking granular controls. The traditional Purdue model, designed when OT and IT were separate, is no longer sufficient due to their convergence. Shared cyber threats now exploit both domains, and the simple DMZ at Level 3.5 lacks the flexibility and control needed for modern, integrated environments. A more dynamic security architecture with clear IT/OT accountability is required.

The modified model introduces a conceptual “Security Zone” splitting the DMZ into OT and

IT DMZs with an interconnected space for critical security functions. Connectivity is managed via temporary session-based links (e.g., for patching) or tightly controlled and managed continuous channels (e.g., secure remote access or data sharing), ensuring explicit OT/IT stakeholder ownership.

1 Core components may include OT-specific IAM (Identity and Access Management), deep inspection monitoring, secure jump servers, patch servers, OT PKI solutions and honeypots.

Zero Trust underpins this design, Policy Enforcement Points authenticate, authorize, encrypt, and monitor all cross-domain requests, while also enforcing least privilege and logging traffic to prevent lateral movement. Benefits include stronger centralized controls, improved threat detection, and scalability while balancing OT’s real-time needs.

However, this concept adds complexity, demands careful tuning and requires extensive testing of all components with granular architecture to avoid latency, availability and access issues. It also requires clear and robust governance with high investments in specialized tools, equipment and skilled personnel. As a concept/reference framework, it guides organizations in tailoring adaptive OT/IT security architectures rather than prescribing a fixed deployment.

Additional informations

Publication type Session Materials
Reference D2_11176_2026
Publication year
Publisher CIGRE
Country South Africa
Study committees
File size 351 KB
Price for non member 30 €
Price for member 30 €

Authors

VALA Meenal; MOCKE Pieter

Keywords

Demilitarized Zones (DMZ), IT/OT Convergence, Policy Enforcement Points (PEPs), Purdue Model, Zero Trust Architecture (ZTA)

Modified Purdue Model: Introducing the security zone concept for enhanced IT/OT convergence