[OT Sec] “5 Critical Misunderstandings of the Purdue Model: Limitations and Practical OT Security Implementation”

📋 Table of Contents
- The Reality of OT Security and Control System Hierarchy Dilemma
- Essential Limitations and Misunderstandings of the Purdue Model
- Critical Issues with Horizontal Segmentation
- Beyond Traditional Models: Micro-Segmentation Strategy
- DMZ Design: Critical Defense Line at IT/OT Boundary
- Overcoming Traditional Limitations: Practical Design Guidelines
The Reality of OT Security and Control System Hierarchy Dilemma
Every OT security professional in modern manufacturing faces a common dilemma: how to practically implement hierarchical control system models in real-world environments. Countless security vendors and consultants present the Purdue Model as a silver bullet for OT security, yet practitioners often experience unexpected results in actual deployments. Why do security incidents continue to occur even after traditional framework implementation?
Manufacturing OT security environments are fundamentally different from IT environments. In settings where production lines operate 24/7, real-time control systems function continuously, and decades of legacy equipment are interconnected in complex ways, simple hierarchical approaches inevitably reveal their limitations. This article presents five critical limitations of the traditional control system hierarchy discovered through hands-on field experience, along with effective OT security strategies that practitioners can immediately apply.
Essential Limitations and Misunderstandings of the Purdue Model
The greatest misunderstanding about hierarchical control system models is the belief that they were designed as OT security architectures. In reality, the Purdue Enterprise Reference Architecture (PERA), developed under Theodore J. Williams at Purdue University and published in the early 1990s, was a reference model for computer-integrated manufacturing: it describes which functions sit at which level of a plant and how information flows between them, not how a network should be segmented or defended. The zones, conduits and security levels that practitioners now attach to it arrived later, through ISA-99 and IEC 62443, which borrowed the Purdue level numbering as a convenient reference.
Root Causes of Traditional Model Misunderstanding
A common mistake observed in many OT security projects is treating the framework’s Levels 0 through 5 as absolute criteria for network segmentation. However, applying traditional models in this manner creates the following serious problems:
❌ Incorrect Application
• Considering only Level-based vertical separation
• Applying uniform security policies
• Dramatically increased operational complexity
✅ Proper Understanding
• Using as educational and understanding tool
• Function-specific customized security design
• Considering operational efficiency
The definition of Level 5 illustrates how loose and context-dependent the framework is: some documents place the internet or external networks at Level 5, others put the enterprise network there, and many stop at Level 4 altogether. If the model cannot agree on its own top layer, it is not a precise specification for where firewalls belong, and treating it as one breeds confusion during implementation.
Critical Issues with Horizontal Segmentation
The most serious problem with applying the hierarchical model directly to network segmentation is that it only separates the horizontal layers (levels) from one another. That controls traffic moving up and down the hierarchy, but it says nothing about traffic moving sideways within a level, and sideways is the direction in which OT compromises actually spread.
Risks of Traditional Horizontal Separation
In real production environments, the PLCs of several workcells share a single Level 1 segment, and the HMIs and engineering workstations of those cells share a Level 2 segment and talk freely to each other. If an HMI or PLC in one workcell is compromised, level-based separation alone does nothing to stop lateral movement to every other workcell on the same segment.
Analysis of Traditional Implementation Failure Cases
This failure comes from neglecting the two principles that matter most in OT security design: containing threat propagation and minimizing downtime. Level-based separation can control north-south traffic (between adjacent levels) but is powerless against east-west traffic (between hosts at the same level), so a single compromised host can take down every cell on the floor rather than one.
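The following added example (not code from the original article) makes the blast-radius argument concrete. It models a constructed plant inventory with made-up host names and cell assignments, encodes two segmentation policies as "may host A open a session to host B" functions, and walks the reachable set from a compromised host with a breadth-first search. Policy A is level-only separation; Policy B puts each workcell in its own zone and lets only the Level 3 supervisory hosts poll into the cells.

```python
"""Blast-radius comparison: level-only (vertical) segmentation versus
per-workcell segmentation, on a constructed plant inventory.

Added example; host names, levels and cell assignments are made up for
illustration and do not describe any real plant."""
from collections import deque

# Constructed inventory: host -> (Purdue level, zone). Levels 1-2 live in
# workcells; Level 3 supervisory hosts sit in a shared "site" zone.
ASSETS = {
    "plc-a1": (1, "cell-a"), "plc-a2": (1, "cell-a"), "hmi-a": (2, "cell-a"),
    "plc-b1": (1, "cell-b"), "plc-b2": (1, "cell-b"), "hmi-b": (2, "cell-b"),
    "plc-c1": (1, "cell-c"),                          "hmi-c": (2, "cell-c"),
    "scada":  (3, "site"),   "historian": (3, "site"),
}


def level_only_allows(src, dst):
    """Policy A: firewalls only between levels. Any host may open a session
    to any host in the same or an adjacent level, so east-west movement
    inside Level 1 or Level 2 is unrestricted."""
    return abs(ASSETS[src][0] - ASSETS[dst][0]) <= 1


def workcell_allows(src, dst):
    """Policy B: one zone per workcell. Sessions are allowed inside a cell,
    and the site-level SCADA/historian may open polling sessions to each
    cell's Level 2 HMI. Cells never initiate to each other or to the site
    zone (the site collects; the cells answer)."""
    (src_level, src_zone), (dst_level, dst_zone) = ASSETS[src], ASSETS[dst]
    if src_zone == dst_zone:
        return True                     # PLC <-> HMI inside the same cell
    if src_zone == "site" and dst_level == 2:
        return True                     # supervisory layer polls each cell's HMI
    return False                        # everything else is denied


def blast_radius(start, allows):
    """Hosts an attacker on `start` can reach by pivoting through every host
    the policy lets the current foothold open a session to (BFS)."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in ASSETS:
            if nxt not in seen and allows(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


def compare(start):
    """Reachable host counts under both policies from one compromised host."""
    return {
        "level_only": len(blast_radius(start, level_only_allows)),
        "workcell": len(blast_radius(start, workcell_allows)),
    }


if __name__ == "__main__":
    for foothold in ("plc-a1", "hmi-b", "scada"):
        print(foothold, compare(foothold))
```

From a compromised PLC or HMI, level-only separation exposes all nine other hosts while the workcell policy exposes only the two hosts in the same cell. From the site SCADA server the count is nine under both policies, because the supervisory layer legitimately reaches every cell; that hub, not the PLC, is the realistic worst case a cell-based design has to plan for.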
Beyond Traditional Models: Micro-Segmentation Strategy
Effective OT security requires micro-segmentation by functional unit rather than simple level-based separation. This strategy follows the logical structure of the actual production process, so the segmentation boundaries coincide with the boundaries the control engineers already think in, while closing the east-west gap the level model leaves open.
Leveraging ISA-95 Model Integration
To fill this gap, use the equipment hierarchy defined in ISA-95 (IEC 62264): enterprise, site, area, work center and work unit. ISA-95 is not a network standard, and it does not prescribe segments, but it describes how a plant is actually organized, and those units are exactly the boundaries that the Purdue levels lack. Where the Purdue Model gives only vertical layers, the ISA-95 hierarchy gives the horizontal divisions along which a network can be segmented:
- Work Cell Units: Equipment groups performing specific tasks
- Production Line Units: Workcells handling continuous processes
- Production Area Units: Collections of related production lines
Essential Need for Control Engineer Collaboration
OT security experts alone cannot achieve proper network segmentation. Through close collaboration with control engineers and production technology teams, the following must be clarified:
- Functional independence analysis of each workcell
- Identification of essential communication patterns between workcells
- Priority determination for emergency situations
- Consideration of maintenance and update procedures
An IT-only perspective can endanger production continuity, while an OT-only perspective tends to leave the security controls too weak to matter. A balanced approach is the key to successful OT security implementation.
DMZ Design: Critical Defense Line at IT/OT Boundary
The one element of the traditional control system architecture that fully earns its place in a security design is the Level 3.5 DMZ (Demilitarized Zone), itself a later addition to the model rather than part of the original Purdue work. Whatever the limitations of the hierarchy, a DMZ between the IT and OT networks gives every cross-boundary service a neutral place to terminate and is the single most effective line of defense against an enterprise-side incident spreading into production.
Strategic Importance of DMZ Design
DMZ means more than simple network separation. It clearly defines trust boundaries between IT and OT domains, enabling independent operation of respective security policies and governance.
Effective DMZ Components
A field-proven OT security DMZ consists of the following elements:
🛡️ Security Elements
• Firewalls on both sides (an IT-facing and an OT-facing boundary), with no rule that lets a session pass straight through
• Application-layer inspection of the protocols that cross the boundary
• Data diodes (unidirectional gateways) for flows that only ever need to travel from OT toward IT
• Security monitoring of everything entering and leaving the zone
⚙️ Operational Elements
• Data historian replicas (the copy IT reads, not the plant historian itself)
• Reporting servers
• Patch management and update staging systems
• Backup systems
Performance still matters in an OT DMZ, even though control loops themselves must never cross it. What does cross it, historian replication, patch distribution, reporting and remote access, carries the operational day, and an inspection appliance that adds seconds of latency or drops sessions under load pushes operators toward undocumented bypasses. Delays that IT would tolerate are therefore not acceptable here; the design has to balance inspection depth against the throughput and latency the plant actually needs.
Overcoming Traditional Limitations: Practical Design Guidelines
Based on the limitations examined so far, this section presents OT security design guidelines that practitioners can apply immediately. The traditional framework keeps its educational value, but the methodology below, refined across years of projects in several industrial sectors, starts from a different premise: actual security design needs functional boundaries, not just levels.
Priority-Based Approach for Moving Beyond Traditional Dependencies
Don't try to replace everything from the traditional model at once. A step-by-step, priority-driven migration is more effective:
Phase 1: Boundary Isolation
Implementing basic isolation through DMZ configuration
Phase 2: Alternative Framework Application
Micro-segmentation of the most critical production lines
Phase 3: Overall Optimization
Enterprise-wide OT security policy integration and standardization
Practical Application of East-West Segmentation Beyond Traditional Models
Add east-west segmentation on top of the conventional level-based separation rather than relying on levels alone. Unlike the purely vertical structure of the traditional framework, this matches the way threats actually propagate while keeping operations manageable:
- VLAN separation and ACL configuration per workcell
- Allowing only the essential, documented communication between production lines, and denying everything else by default
- Avoiding excessive inline firewalls at Levels 0-2, where added latency affects control; VLAN boundaries with ACLs are usually sufficient inside a cell, with stateful inspection at the cell boundary
- Functional grouping of PLCs, sensors and HMIs so that each group maps to one zone
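The following added example (not code from the original article) ties the DMZ design and the east-west rules above together as one zones-and-conduits allowlist. It uses a constructed addressing plan with one subnet per zone, a conduit set in which no IT-originated session is permitted past the Level 3.5 DMZ and no cell talks to another cell, and a handful of constructed flow records of the kind a Zeek conn.log or NetFlow export would yield. Port 502 (Modbus/TCP) and 8530 (WSUS) are the usual defaults; 5450 stands in for a historian replication port and is an assumption. The same conduit set is also rendered as vendor-neutral ACL lines ending in a logged default deny.

```python
"""Zones-and-conduits allowlist for an IT/OT boundary with a Level 3.5 DMZ
and per-workcell east-west rules, checked against constructed flow records.

Added example: the addressing plan, conduit list, port numbers and flow
records are made up for illustration (502 = Modbus/TCP and 8530 = WSUS are
the usual defaults; 5450 stands in for a historian replication port)."""
import ipaddress

# Constructed addressing plan: one VLAN/subnet per zone.
ZONES = {
    "enterprise": ipaddress.ip_network("10.0.0.0/16"),   # Level 4/5 corporate IT
    "dmz":        ipaddress.ip_network("10.35.0.0/24"),  # Level 3.5 industrial DMZ
    "site-ops":   ipaddress.ip_network("10.3.0.0/24"),   # Level 3 SCADA, plant historian
    "cell-a":     ipaddress.ip_network("10.2.1.0/24"),   # Levels 1-2, workcell A
    "cell-b":     ipaddress.ip_network("10.2.2.0/24"),   # Levels 1-2, workcell B
}

# Conduits as (source zone, destination zone, protocol, destination port),
# keyed on the side that opens the session. Anything not listed is denied.
# Deliberately absent: enterprise->site-ops, enterprise->cell, dmz->cell.
# Every IT-originated session ends in the DMZ, and OT pulls from the DMZ
# rather than the DMZ pushing into OT.
CONDUITS = {
    ("enterprise", "dmz",      "tcp", 443),   # IT reads reports / historian replica
    ("site-ops",   "dmz",      "tcp", 5450),  # plant historian replicates north into the DMZ
    ("site-ops",   "dmz",      "tcp", 8530),  # OT hosts pull approved patches from the DMZ staging server
    ("site-ops",   "cell-a",   "tcp", 502),   # SCADA polls workcell A PLCs (Modbus/TCP)
    ("site-ops",   "cell-b",   "tcp", 502),   # SCADA polls workcell B PLCs (Modbus/TCP)
    ("cell-a",     "site-ops", "tcp", 5450),  # workcell A HMI pushes to plant historian
    ("cell-b",     "site-ops", "tcp", 5450),  # workcell B HMI pushes to plant historian
}


def zone_of(ip):
    """Map an address to its zone; anything outside the plan is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def evaluate(flow):
    """Verdict and reason for one flow {src, dst, proto, dport}, judged on the
    initiating side the way a stateful firewall would see it."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    if "unknown" in (src_zone, dst_zone):
        return "deny", "address outside the segmentation plan"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic in {src_zone}"
    if (src_zone, dst_zone, flow["proto"], flow["dport"]) in CONDUITS:
        return "allow", f"conduit {src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"
    if src_zone == "enterprise" and dst_zone != "dmz":
        return "deny", "IT-originated session bypassing the Level 3.5 DMZ"
    if src_zone.startswith("cell-") and dst_zone.startswith("cell-"):
        return "deny", "east-west traffic between workcells"
    return "deny", f"no conduit {src_zone}->{dst_zone} {flow['proto']}/{flow['dport']}"


def violations(flows):
    """The (flow, reason) pairs a conduit-based policy would block."""
    return [(f, reason) for f in flows
            for verdict, reason in [evaluate(f)] if verdict == "deny"]


def render_acl(conduits=CONDUITS):
    """Render the conduit set as vendor-neutral allowlist lines ending in a
    logged default deny, in a stable order for review and diffing."""
    lines = [f"permit {proto} {ZONES[s]} -> {ZONES[d]} eq {port}   # {s} -> {d}"
             for s, d, proto, port in sorted(conduits)]
    lines.append("deny ip any -> any log   # default deny")
    return lines


# Constructed flow records, shaped like fields from a Zeek conn.log or NetFlow export.
FLOWS = [
    {"src": "10.0.5.20",  "dst": "10.35.0.10", "proto": "tcp", "dport": 443},    # IT -> DMZ reporting
    {"src": "10.0.5.20",  "dst": "10.3.0.10",  "proto": "tcp", "dport": 3389},   # IT RDP straight to SCADA
    {"src": "10.3.0.10",  "dst": "10.2.1.11",  "proto": "tcp", "dport": 502},    # SCADA polls cell A PLC
    {"src": "10.2.1.11",  "dst": "10.2.2.11",  "proto": "tcp", "dport": 502},    # cell A PLC -> cell B PLC
    {"src": "10.2.1.11",  "dst": "10.2.1.50",  "proto": "tcp", "dport": 44818},  # PLC -> HMI inside cell A
    {"src": "10.2.1.50",  "dst": "10.3.0.11",  "proto": "tcp", "dport": 5450},   # cell A HMI -> historian
    {"src": "10.35.0.20", "dst": "10.2.1.11",  "proto": "tcp", "dport": 502},    # DMZ host -> cell A PLC
]

if __name__ == "__main__":
    for flow, reason in violations(FLOWS):
        print(f"DENY {flow['src']} -> {flow['dst']}:{flow['dport']}  ({reason})")
    print("\n".join(render_acl()))
```

Run against the sample flows, the checker flags three sessions: the RDP connection from IT straight into the Level 3 SCADA host (a DMZ bypass), the Modbus session between two workcells (east-west), and a DMZ host opening a Modbus session into a cell (the DMZ is a termination point, never an initiator toward OT). Feeding real flow exports through a checker like this before the firewall rules are enforced is a cheap way to discover the undocumented dependencies the control engineers need to confirm or remove.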
Finally, remember that OT security is not a one-time project but a continuous improvement process. Security strategies must evolve together with changes in production environments, emergence of new threats, and technological advancement. There’s no guarantee that today’s perfect solution will remain perfect tomorrow.
📚 References
- CISA Industrial Control Systems (ICS) security resources and advisories (formerly ICS-CERT)
- ISA-95 / IEC 62264, Enterprise-Control System Integration
- SANS Industrial Control Systems Security Resources
- NIST Cybersecurity Framework Manufacturing Profile
- Dragos Industrial Cybersecurity Resource Center
- OTbase OT Asset Inventory Software, Expert OT Security Guide