The Purdue Model and IEC 62443: Two Frameworks, Different Jobs

Part 1 of a 2-part series detailing what IEC 62443 and the Purdue Model actually do, and why conflating them may cost you clarity.

In OT security, two frameworks come up in almost every serious conversation about network segmentation: the Purdue Model and IEC 62443. They get compared. They get conflated. They get pitched as alternatives. They are neither alternatives nor interchangeable. They do different jobs, and using them well starts with understanding what each one actually is.

Think of it in building terms. Purdue is the architectural reference, the blueprint convention that everyone in the industry recognizes. IEC 62443 is the building code, the detailed rulebook for how the building must be constructed and protected. Same project, different documents, both necessary.

Purdue in One Paragraph

The Purdue Model, formally the Purdue Enterprise Reference Architecture (PERA), organizes an industrial enterprise into functional levels from physical processes at Level 0 up through enterprise IT at Levels 4 and 5. It tells you what kinds of things exist in an OT environment and where they sit functionally. When someone says “Level 2,” every OT engineer in the room knows they mean HMIs and SCADA supervision. That shared vocabulary is Purdue’s quiet superpower. We covered the level-by-level walkthrough and the “is Purdue dead” conversation in an earlier post. The short answer: very much not dead, though it has evolved.

The important distinction is this: Purdue was never designed as a security framework. It was developed in the 1990s as a reference model for computer-integrated manufacturing. It became the default language for OT security because it was the best functional model available when the security standards started getting written.

What Purdue does not do is tell teams how to protect any of it.

What IEC 62443 Does

IEC 62443 is the building code for OT security. Developed by the International Society of Automation (ISA) and the International Electrotechnical Commission (IEC), it is a family of standards specifically designed for securing industrial automation and control systems. Where Purdue describes what exists and where, 62443 tells you how to protect it and at what level of rigor.

The standard family breaks into four groups:

• Group 1 (General): Terminology, concepts, and models.
• Group 2 (Policies and Procedures): What asset owners and integrators need to do programmatically.
• Group 3 (System): Architecture, risk assessment, and system-level security requirements. This is where zones and conduits live, in 62443-3-2.
• Group 4 (Component): How vendors should build secure products.

At the center of the security methodology are two key concepts: zones and conduits.

Zones are groups of assets that share common security requirements. They are defined by risk and function, not by where something sits in the Purdue hierarchy. A safety system that spans Purdue Levels 1 and 2 can be a single zone. Multiple zones can exist inside a single Purdue level when different systems have different risk profiles. Zones are the functional rooms of the building, sized and walled off based on what is inside them.

Conduits are the controlled communication paths between zones. They are not just cables. They are the specification for what traffic is allowed, what authentication is required, what filtering happens, and what monitoring is in place. If zones are rooms, conduits are the doors and hallways, with locks, cameras, and rules for who gets through.

On top of zones and conduits, 62443 layers Security Levels (SL 0 through 4) that define how much protection each zone or conduit needs:

• SL 1: Protection against casual or accidental breach.
• SL 2: Protection against intentional attack with limited resources.
• SL 3: Protection against advanced attack by skilled attackers with moderate resources.
• SL 4: Protection against well-resourced, state-level adversaries.

You set the target Security Level based on a risk assessment. A production line in a general manufacturing facility might target SL 2 for its control zone. An oil and gas pipeline pump station handling critical flow control might target SL 3. An energy generation control center responsible for grid stability often targets SL 3 or higher. The structure exists so that you apply the level of rigor that matches the risk, rather than applying the same rigor everywhere.

The Honest Cost of IEC 62443

One practical point is worth naming before going further. The IEC 62443 standards are not free. Individual documents cost several hundred dollars per license, and the full family runs into thousands. For a well-resourced enterprise this is a rounding error. For a rural co-op, a small manufacturer, or a municipal operator, it is a real barrier.

The standards also leave a lot of the implementation detail to the organization adopting them. The methodology is rigorous, but 62443-3-2 tells you to conduct a risk assessment; it does not hand you a templated risk assessment for your specific plant. You will still need expertise, internal or contracted, to translate “do a risk assessment” into an assessment your environment can actually use.

This isn’t a criticism of 62443. It is an accurate description of what organizations take on when they adopt it. Plan for the licensing. Plan for the expertise. Plan for the time.

How They Fit Together

The two frameworks have overlapping history. Early editions of 62443 leaned on PERA-derived functional models. More recent editions have pulled back from that direct reliance in favor of zone-and-conduit thinking that does not assume a hierarchical structure. In practice, most OT architects today use both: Purdue for the reference vocabulary that lets teams talk to each other, 62443 for the security methodology that determines how protection actually gets implemented.

Back to the building metaphor. The architect draws the blueprint using conventional language anyone in the industry recognizes. The engineer then applies the building code to specify fire doors, wall ratings, egress paths, and sprinkler coverage. Same building. Different documents. Both necessary.

Where This Goes Next

Understanding what each framework is gives you the vocabulary. Understanding what matters underneath them gives you the strategy.

The deeper truth, which we will take on in Part 2, is that the frameworks themselves are servants of something more fundamental: the discipline of segmentation. Purdue and IEC 62443 are two good ways to think about segmentation. They are not the only ways. And the quality of your segmentation matters more than the label on the framework you used to get there.

We’ll share more on that in Part 2 of this series next week.