Today's OT/ICS operators face a changed reality: Purdue 1.0 can't handle modern connected networks. Remote vendors fixing gear from afar. Cloud dashboards crunching production data. Wireless sensors phoning home for diagnostics. These cases are the norm. And they're leaving gaping holes Purdue never envisioned.
"The traditional Purdue Model assumed isolated layers and data flows that flowed only in one direction," Christopher Warner, OT security lead at GuidePoint Security, said in an interview. "That doesn't match reality anymore. Attackers are exploiting remote access paths and flattened networks we never planned for."
The challenges are piling up fast. OT cybersecurity incidents are surging, per SANS' latest survey, fueled by ransomware slipping through remote access and vendor links. Only one in eight organizations see the full threat path from IT breach to physical damage. The SANS survey found inventory and visibility to be the top area of investment and will remain the top priority at least through 2027. One of the primary reasons threat actors succeed is that too many OT/IT networks are not adequately segmented, making it a snap for attackers to move freely about.
Purdue 2.0 is designed as a retrofit for networks that were not properly secured from the outset. Identity sits at the center of Purdue 2.0. Not just firewalls blocking ports, but verifying who or what gets in. "We're not abandoning Purdue, but rather, we're admitting it was never implemented correctly and that we now must retrofit security onto networks built for convenience," says Terry Keeling, IT security and infrastructure manager at InfraNet Solutions, Inc.
"Traditional Purdue has zero concept of user identity. If your laptop was plugged into the Level 3 network, you could access anything on that level. Now we're seeing jump hosts with MFA, privileged access management for PLC programming sessions, and session recording," Keeling says.
"Purdue 2.0 means applying IEC 62443 zone and conduit logic using identity-based attributes rather than physical network boundaries," says Dana Yanch, director of product management at Elisity. It's a move from "topology-defined security to identity-defined security."
Why Now? Connectivity Killed the Air Gap
Three culprits proved Purdue 1.0's assumptions insufficient. First, remote access went from rare to essential. "Remote access became mandatory. COVID was the catalyst, but this was inevitable," Keeling explains. He adds that he's witnessed vendor VPNs directly connected to an OT network, sometimes with split-tunneling, as well as vendor laptops with active malware on client OT networks. Purdue 2.0 offers fixes in the form of controls such as DMZ jump hosts with just-in-time access, multi-factor authentication, and full session recording. The catch, Keeling says, is that such controls slow repairs, though they do help keep malware out.
Second culprit: the thirst for data. "Manufacturing operations want real-time production data in Tableau, Power BI, and cloud analytics," per Keeling. Historians now bridge levels, becoming attacker pivots. "The original Purdue assumed historians sat at Level 3 and stopped there. Now we need unidirectional gateways… In practice, they're expensive and finicky," Keeling says.

Third, the Internet is everywhere. The rise of cloud computing, IIoT, and IT/OT convergence forced a change in IT/OT security models, explains Greg Sullivan, founding partner at CIOSO Global. All of these changes, he adds, require zero-trust principles and cloud-aware controls.
Increasingly, Internet access is simply required. Keeling recounts a client with a $2 million machine that wouldn't run without internet access. "No internet, no warranty," Keeling says. "Most just connect and hope vendor clouds hold up."
Modernizing Without Mayhem: The Roadmap
Operators can't afford downtime; that's why Purdue 2.0 demands a phased, low-disruption implementation that proves value quickly.
Start with visibility over control. "Do not rip out networks and deploy firewalls first," Keeling warns. "Deploy passive monitoring—network TAPs or SPAN ports at key boundaries—and watch traffic for 2-4 weeks minimum."
The payoff? You'll uncover undocumented flows like "engineering laptops talking to PLCs you didn't know existed."
Elisity's Yanch agrees that visibility comes first. "Get real asset visibility before you write a single policy. A power utility thought it had 1,200 OT assets. Passive discovery found 3,400," Yanch says. Without this baseline, you're flying blind.
Next, lock down identity. Getting identity right is the quickest path to tangible wins. "Secure identity first, because remote access, engineering workstations, and administrative accounts are now the most common entry points," says Kevin Surace, CEO at Token. Deploy jump hosts with MFA, credential vaults, and session recording. These deliver audit trails and block credential-stuffing attacks without touching production systems.
Segment smart. Shift from VLAN labels to risk-based zones. "Define zones based on asset identity and function, not network topology," Yanch adds. "Group your Triconex safety controllers together regardless of which closet they're in." Simulate policies against real traffic first—prove they won't break operations—then enforce one high-risk boundary at a time.
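The three roadmap steps above (watch traffic passively, build an asset baseline, simulate a zone policy before enforcing it) can be wired together in a few dozen lines. The script below is an added illustration, not code from the article or from any of the vendors quoted; every address, asset name, zone label and flow line in it is constructed sample data, and the flow-record format is an assumed "timestamp src dst dport proto" export from a TAP or SPAN collector. It assigns zones by asset function rather than subnet (so the two PLCs and the safety controller share a subnet but not a zone), counts which zone-to-zone paths actually carry traffic, and dry-runs a draft conduit policy, reporting the flows enforcement would break and the endpoints discovery has never seen.

```python
"""Zone/conduit policy dry-run over passively captured OT flows (constructed data)."""
from collections import Counter
from dataclasses import dataclass

# Asset inventory as passive discovery would populate it (constructed sample).
# The zone is the asset's function, not its VLAN or subnet.
ASSETS = {
    "10.10.1.10": ("PLC-A", "plc"),
    "10.10.1.11": ("PLC-B", "plc"),
    "10.10.1.20": ("SIS-1", "safety"),          # same subnet as the PLCs, different zone
    "10.10.2.5": ("EWS-01", "engineering_ws"),
    "10.10.3.7": ("HIST-01", "historian"),
    "10.20.0.9": ("JUMP-01", "jump_host"),
}

# Draft conduit policy (constructed): (source zone, destination zone, destination port).
POLICY = {
    ("engineering_ws", "plc", 44818),       # EtherNet/IP programming sessions
    ("historian", "plc", 502),              # Modbus/TCP polling
    ("jump_host", "engineering_ws", 3389),  # RDP into the engineering workstation via the jump host
}

# Flow records as an assumed collector export: "<timestamp> <src> <dst> <dst_port> <proto>".
SAMPLE_FLOWS = """\
2024-05-01T10:00:00 10.10.2.5 10.10.1.10 44818 tcp
2024-05-01T10:00:05 10.10.3.7 10.10.1.11 502 tcp
2024-05-01T10:00:09 10.10.2.5 10.10.1.20 44818 tcp
2024-05-01T10:00:12 10.10.9.42 10.10.1.10 502 tcp
2024-05-01T10:00:20 10.20.0.9 10.10.2.5 3389 tcp
2024-05-01T10:01:00 10.10.2.5 10.10.1.10 44818 tcp
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse whitespace-separated flow records; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto))
    return flows


def zone_of(ip):
    """Zone derived from asset identity; None means discovery has not seen this endpoint."""
    return ASSETS[ip][1] if ip in ASSETS else None


def observed_conduits(flows):
    """Baseline: which zone->zone:port paths actually carry traffic, and how often."""
    counts = Counter()
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s and d:
            counts[(s, d, f.dport)] += 1
    return counts


def simulate(flows, policy):
    """Dry-run: nothing is enforced, each flow is only classified against the policy."""
    result = {"allowed": [], "would_block": [], "unknown_asset": []}
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        if s is None or d is None:
            result["unknown_asset"].append(f)      # inventory gap: fix discovery before policy
        elif (s, d, f.dport) in policy:
            result["allowed"].append(f)
        else:
            result["would_block"].append(f)       # enforcing today would cut this flow
    return result


def main():
    flows = parse_flows(SAMPLE_FLOWS)
    print("Observed conduits (baseline):")
    for (s, d, port), n in sorted(observed_conduits(flows).items()):
        print(f"  {s} -> {d}:{port}  x{n}")
    sim = simulate(flows, POLICY)
    print(f"\nPolicy dry-run: {len(sim['allowed'])} allowed, "
          f"{len(sim['would_block'])} would block, {len(sim['unknown_asset'])} unknown asset")
    for f in sim["would_block"]:
        print(f"  WOULD BLOCK {f.src} -> {f.dst}:{f.dport} at {f.ts}")
    for f in sim["unknown_asset"]:
        print(f"  UNKNOWN ASSET in flow {f.src} -> {f.dst}:{f.dport} at {f.ts}")


if __name__ == "__main__":
    main()
```

On the sample data the dry-run flags one flow the draft policy would cut (the engineering workstation reaching the safety controller, which the policy deliberately has no conduit for) and one flow from an address the inventory has never seen, the small-scale version of the 1,200-versus-3,400 gap described above. Both findings are decisions for the plant, not for the script: either add a conduit or confirm the flow should stop, and either add the asset or investigate it, before turning enforcement on at that boundary.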

CIOSO Global's Sullivan adds that smart microsegmentation "moves from implicit trust to continuous revalidation of every session, application, and device."
This roadmap turns security from a roadblock into an enabler—starting with wins operators can see and measure.