Segmenting an OT network well is not just about separating devices. It means understanding functions, dependencies and real traffic flows so that risk is reduced without losing operability.

In industrial cybersecurity, seeing the network is not enough. What matters, from a technical and risk-management point of view, is understanding what function each asset fulfils, at what operational level it works and what impact unforeseen communication between areas would have. In this context, the Purdue Model continues to be a useful reference for structuring OT environments, and InprOTech Guardian allows this conceptual framework to be carried over into an observable, maintained inventory.
Guardian lets you maintain a structured device list, classify assets by Purdue level, distinguish authorized from unauthorized equipment, and flag critical devices so that they are kept out of unnecessary active interactions. This foundation is especially valuable when an organization needs to move from an OT network that is hard to govern to an architecture that can be analyzed, justified and improved on technical and compliance grounds, particularly in projects aligned with IEC 62443. The Purdue view of the network map organizes devices by level, showing at a glance the actual structure of the environment and the communications between levels.
Why is the Purdue Model still useful?
The Purdue Model was developed at Purdue University in the early 1990s as the Purdue Enterprise Reference Architecture (PERA), a framework for computer-integrated manufacturing; its functional hierarchy was adopted by ISA-95 and is the conceptual basis referenced by IEC 62443. Today it is still a clear way of ordering the industrial environment by function and exposure. It is not just about drawing layers: it is about reducing risk, limiting lateral movement, and establishing coherent communication rules that can be sustained in operation.
In practical terms, Guardian helps translate that model into the organization’s actual inventory:
- Level 0: sensors, actuators and field devices.
- Level 1: PLCs, RTUs, basic controllers and I/O devices, the first layer of control.
- Level 2: HMIs, SCADA, monitoring stations and historian servers.
- Level 3: MES, operation servers, plant databases and production management.
- Level 4: ERP, CRM, SCM and business systems connected to operations.

Guardian's own manual already reflects this organization and makes an important point: some devices can change level depending on their function and location. That nuance is essential. The same technology can occupy different positions depending on whether it acts as an engineering station, a plant server or a gateway between environments.
In other words, Purdue should not be applied as a rigid template, but as a guide to classification with technical and operational criteria.
How to classify devices in a useful way
One of the most common mistakes in OT is classifying assets only by product name or manufacturer. To segment well you need a functional classification. With Guardian, the recommendation is to assign each asset at least these parameters:
- Purdue Level.
- Authorized/unauthorized.
- Critical / non-critical.
- Risk scoring (low, medium, high), assigned automatically by Guardian.
- Customizable fields (key-value): process, line, cell, location, owner…
This classification allows the inventory to stop being a static list and become a decision tool.
For example:
- A line PLC should appear at Level 1 and should typically communicate only with defined supervisory or engineering systems.
- A SCADA server or historian fits into Level 2, with expected communications to controllers and some plant services.
- An MES or operations server sits at Level 3, where segmentation towards Level 4 and remote access should be strictest.
- An ERP belongs to Level 4 and should not maintain direct, indiscriminate relationships with control assets.
Guardian helps validate this organization by providing network mapping, device listing, visibility of communications, and detection of nodes that have not been recognized as legitimate. Cross-referencing the inventory with observed traffic is what turns a theoretical classification into a verifiable one, useful both for operations and for technical review.
Segmentation according to IEC 62443: from theory to operational control
The IEC 62443 series does not just ask for visibility. What it requires is segmentation into zones and conduits, with separation between functions, access control, minimization of communications and traceable risk decisions. In that context, Purdue does not replace IEC 62443, but it provides a useful reference structure for defining zones that make operational sense and for turning a normative requirement into a maintainable practice.
This approach also fits widely used recommendations for industrial security, such as those in NIST SP 800-82 Rev. 3 and CISA's ICS Recommended Practices, where a reliable inventory, segmentation and communication control appear as structural measures to reduce exposure and improve resilience. They are equally applicable under frameworks such as ISO 27001, the ENS and the NIS2 Directive for essential and important entities.
With Guardian, this approach can be put into practice:
- Discover the assets actually present and remove blind spots from the inventory.
- Assign a Purdue level to each device automatically based on its function, and review the cases where the same equipment can sit at different levels depending on its role.
- Identify in the Purdue view communications between non-adjacent levels, which are marked as compliance warnings (IEC 62443).
- Flag critical devices to prevent unwanted active actions against them.
- Detect unauthorized equipment and connections that break the segmentation policy.
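To make the functional classification described earlier and the checks listed just above concrete, here is an added example (not Guardian's own code and not its API) that cross-checks an inventory carrying the recommended fields (Purdue level, authorized flag, critical flag, key-value tags) against observed flows. It flags traffic between non-adjacent Purdue levels, devices that are unknown or not authorized, and active (write) traffic against assets flagged as critical, and it answers the "which assets are in each zone" and "which devices are unauthorized" questions from the inventory alone. The addresses, device names, flow records and the adjacent-level rule are constructed assumptions for illustration.

```python
"""Purdue-level segmentation checks over an inventory and observed flows.

Added illustration, not InprOTech Guardian code. The asset fields mirror the
classification described in the text (level, authorized, critical, key-value
tags); the inventory, the flow records and the "non-adjacent levels" rule are
constructed assumptions for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Asset:
    ip: str
    name: str
    level: int                 # Purdue level 0..4, assigned by function, not vendor
    authorized: bool           # recognized as legitimate in the inventory
    critical: bool = False     # keep out of active interaction (writes, scans)
    tags: dict = field(default_factory=dict)   # process, line, cell, owner, ...


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    active: bool = False       # True when the source writes/configures, not just reads


# Constructed inventory (hypothetical addresses and names).
INVENTORY = {a.ip: a for a in [
    Asset("10.0.1.10", "PLC-L1-01", 1, True, critical=True, tags={"line": "L1", "cell": "C3"}),
    Asset("10.0.2.20", "SCADA-01", 2, True),
    Asset("10.0.2.21", "HIST-01", 2, True),
    Asset("10.0.3.30", "MES-01", 3, True),
    Asset("10.0.4.40", "ERP-01", 4, True),
    Asset("10.0.3.99", "ENG-LAPTOP-X", 3, False),   # discovered, never authorized
]}

# Constructed flow records, as a passive sensor would report them.
FLOWS = [
    Flow("10.0.2.20", "10.0.1.10", "modbus"),               # SCADA -> PLC, L2->L1: expected
    Flow("10.0.2.21", "10.0.1.10", "s7comm"),               # historian -> PLC, L2->L1: expected
    Flow("10.0.3.30", "10.0.2.21", "sql"),                  # MES -> historian, L3->L2: expected
    Flow("10.0.4.40", "10.0.1.10", "modbus"),               # ERP -> PLC, L4->L1: skips levels
    Flow("10.0.3.99", "10.0.1.10", "s7comm", active=True),  # unauthorized host writing to a critical PLC
    Flow("10.0.5.5", "10.0.2.20", "https"),                 # source unknown to the inventory
]


def check_flow(flow, inventory):
    """Return the list of findings raised by one observed flow (empty if clean)."""
    findings = []
    src = inventory.get(flow.src)
    dst = inventory.get(flow.dst)
    for role, asset, ip in (("src", src, flow.src), ("dst", dst, flow.dst)):
        if asset is None:
            findings.append(f"UNKNOWN_DEVICE {role}={ip}")
        elif not asset.authorized:
            findings.append(f"UNAUTHORIZED_DEVICE {role}={asset.name}")
    # Simplified conduit rule used here: traffic may only cross to an adjacent level.
    if src and dst and abs(src.level - dst.level) > 1:
        findings.append(
            f"NON_ADJACENT_LEVELS L{src.level}:{src.name}->L{dst.level}:{dst.name} ({flow.proto})")
    # Critical assets must not receive active (write/config) traffic from anyone.
    if flow.active and dst and dst.critical:
        findings.append(f"ACTIVE_ON_CRITICAL {flow.src}->{dst.name} ({flow.proto})")
    return findings


def audit(flows, inventory):
    """Map each offending flow (src, dst, proto) to its findings; clean flows are omitted."""
    report = {}
    for f in flows:
        found = check_flow(f, inventory)
        if found:
            report[(f.src, f.dst, f.proto)] = found
    return report


def zones(inventory):
    """Answer 'which assets are part of each zone?': level -> sorted asset names."""
    out = {}
    for a in inventory.values():
        out.setdefault(a.level, []).append(a.name)
    return {lvl: sorted(names) for lvl, names in sorted(out.items())}


def unauthorized(inventory):
    """Answer 'what unauthorized devices are present?'."""
    return sorted(a.name for a in inventory.values() if not a.authorized)


if __name__ == "__main__":
    for key, found in audit(FLOWS, INVENTORY).items():
        print(key, found)
    print("zones:", zones(INVENTORY))
    print("unauthorized:", unauthorized(INVENTORY))
```

The level-distance rule is a deliberate simplification of a conduit policy: in a real zone model, `check_flow` would consult an explicit allow-list per zone pair and per protocol rather than the numeric gap between levels, and the inventory would be populated by discovery rather than typed by hand. The structure of the findings (unknown device, unauthorized device, level-skipping flow, active traffic against a critical asset) is what matters, because each one maps directly to an audit question.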

This approach helps answer questions that come up in any audit or hardening project:
- Which assets are part of each zone?
- Which systems cross levels without clear justification?
- What unauthorized devices are present on the network?
- Which assets are so sensitive that they should be excluded from active interaction?
When that information is maintained in Guardian, compliance moves from scattered spreadsheets to a living inventory with context and exportable evidence.
Regulatory compliance and evidence that actually works
Talking about compliance in OT should not be reduced to "having segmentation" but to being able to demonstrate it. Guardian enables exactly that: an up-to-date inventory, Purdue level assignment, communications visibility, and exportable reports for auditing, technical governance and decision-making.
This makes it easier to prepare evidence for regulatory frameworks, internal audits, sector requirements and projects aligned with IEC 62443, especially in the areas of asset identification, segmentation, communications control and operational risk management. It also supports internal initiatives that follow guides such as NIST SP 800-82 for secure OT architecture and hardening of the industrial environment, as well as compliance initiatives under ISO 27001, the ENS and the NIS2 Directive, which require verifiable evidence on network health and access control in critical environments.
Useful segmentation is not the one that is best drawn, but the one that can be justified with current data from the network.
From drawn segmentation to governed segmentation
Many organizations believe they have segmentation because there is a theoretical architecture in a document. The problem arises when actual traffic, uninventoried assets, or operational changes contradict that design.
With Guardian, the Purdue Model stops being a static figure and becomes a way to organize the inventory, review communications and detect real deviations. This step is key to maturing industrial security: it is not enough to define levels; they must be governed.
In practice, good OT segmentation starts with something very specific: knowing what is there, where it is, what function it fulfills and what it should communicate with. When that foundation is well built, alignment with IEC 62443 ceases to be a documentary exercise and becomes a tangible improvement for plant resilience.

References
[1] InprOTech Guardian – InprOTech Guardian v0.17 User Manual. Internal product document.
[3] IEC – IEC TS 62443-1-1: Terminology, concepts and models. Conceptual basis of the IEC 62443 series.
[5] NIST – SP 800-82 Rev. 3: Guide to Operational Technology (OT) Security. Context and scope of the revision.
[6] CISA – ICS Recommended Practices. Segmentation, defense-in-depth and remote access in ICS.
[7] NIST – Purdue Model of Computer Integrated Manufacturing. Model reference diagram.
