ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks

In this recording of a presentation at Hou.Sec.Con in October 2020, NCC Group’s Damon Small outlines the evolution of the Purdue Reference Model in ICS/OT security. The model draws the security boundaries between users, ICS networks, and business networks, and the talk shows the dramatic ways in which these boundaries have blurred in recent years, necessitating a new approach to thinking about OT security.

The Purdue Enterprise Reference Architecture (PERA) was developed in the 1990s. The associated Purdue Reference Model describes the relationship between end-users, business networks, control systems networks, and the security boundaries between them. In the decades since its creation, the manner in which computing resources are used in industrial settings has changed dramatically. As a result, the lines between Operational Technology (OT) and Information Technology (IT) continue to blur and are often broken outright. The speaker will share his observations of this evolution through real-world case studies, and provide insight into how successful organizations can embrace these changes in a manner that improves efficiency without increasing risk unnecessarily.

The target audience is professionals who manage or integrate with Industrial Control Systems (ICS) networks, and the speaker will provide examples of why the discussion should not focus on the concepts of OT vs IT, but rather the careful utilization of data.

Specific topics include: 

  • History of the Purdue Model
  • Limitations of the Model
  • Economic forces driving change
  • Technological forces driving change
  • Case studies of modified L3/L4 integration
  • Similarities to other industries with critical infrastructure
  • How we can use the Model to valuate and ultimately protect information assets