The Purdue Enterprise Reference Architecture — usually just called "the Purdue Model" — is the mental map most ICS/OT security work is built on. If you've seen a diagram with "Level 0" through "Level 5" stacked on top of each other, this is it. Here's what each level actually means.
The physical layer: sensors, actuators, motors, valves — the equipment that directly measures or acts on your process. These devices typically can't run security software of their own; protecting them means protecting the network layers around them.
PLCs, DCS controllers, and other devices that directly control Level 0 equipment in real time. This is the layer where a cyber incident has the most direct path to a physical, safety-relevant consequence — which is why it typically warrants the highest security level and the most restrictive conduits.
HMIs, SCADA servers, and the systems operators use to monitor and supervise Level 1 controllers. This layer needs to communicate with Level 1 in real time, but shouldn't be directly reachable from your enterprise network.
Site-wide manufacturing operations systems — historians, MES, batch management. This is often where a demilitarized zone (DMZ) sits: a buffer that lets data move between OT (Levels 0–2) and IT (Levels 4–5) without giving either side direct access to the other.
Standard corporate IT: ERP, email, enterprise applications, general business networking. Familiar territory for most IT teams — and exactly why problems happen when enterprise IT gets a direct, unmanaged path down into Levels 0–2. What's normal security hygiene at Level 5 can be actively dangerous if applied carelessly at Level 1.
Why the model matters in practice: Most real-world ICS incidents don't start with a sophisticated attack on a PLC directly — they start with a compromised enterprise IT asset that had an unmanaged path down into the control layers. The Purdue Model gives you the vocabulary and structure to make sure that path doesn't exist, or if it must, that it runs through a monitored, deliberate conduit instead of a flat, trusted network.
Cloud connectivity, remote access, and IIoT devices have made the classic six-level Purdue Model less of a clean hierarchy than it was when it was first published. Many current architectures (including guidance referenced in IEC 62443 updates) treat it as a starting reference rather than a rigid requirement. What hasn't changed: the underlying discipline of knowing exactly what talks to what, and why.
See our IEC 62443 guide for how these levels map to zones, conduits, and security levels in practice.