[](https://www.paloaltonetworks.com/?ts=markdown) * Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get Support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) ![x close icon to close mobile navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/x-black.svg) [![Palo Alto Networks logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg)](https://www.paloaltonetworks.com/?ts=markdown) ![magnifying glass search icon to open search field](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/search-black.svg) * [](https://www.paloaltonetworks.com/?ts=markdown) * Products ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Products [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [AI Security](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise Device Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical Device Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [OT Device Security](https://www.paloaltonetworks.com/network-security/ot-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex AgentiX](https://www.paloaltonetworks.com/cortex/agentix?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Exposure Management](https://www.paloaltonetworks.com/cortex/exposure-management?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Cortex Advanced Email Security](https://www.paloaltonetworks.com/cortex/advanced-email-security?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Unit 42 Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * Solutions ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Solutions Secure AI by Design * [Secure AI Ecosystem](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [Secure GenAI Usage](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) Network Security * [Cloud Network Security](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Data Center Security](https://www.paloaltonetworks.com/network-security/data-center?ts=markdown) * [DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Intrusion Detection and Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Device Security](https://www.paloaltonetworks.com/network-security/device-security?ts=markdown) * [OT Security](https://www.paloaltonetworks.com/network-security/ot-security-solution?ts=markdown) * [5G Security](https://www.paloaltonetworks.com/network-security/5g-security?ts=markdown) * [Secure All Apps, Users and Locations](https://www.paloaltonetworks.com/sase/secure-users-data-apps-devices?ts=markdown) * [Secure Branch Transformation](https://www.paloaltonetworks.com/sase/secure-branch-transformation?ts=markdown) * [Secure Work on Any Device](https://www.paloaltonetworks.com/sase/secure-work-on-any-device?ts=markdown) * [VPN Replacement](https://www.paloaltonetworks.com/sase/vpn-replacement-for-secure-remote-access?ts=markdown) * [Web \& Phishing Security](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) Cloud Security * [Application Security Posture Management (ASPM)](https://www.paloaltonetworks.com/cortex/cloud/application-security-posture-management?ts=markdown) * [Software Supply Chain Security](https://www.paloaltonetworks.com/cortex/cloud/software-supply-chain-security?ts=markdown) * [Code Security](https://www.paloaltonetworks.com/cortex/cloud/code-security?ts=markdown) * [Cloud Security Posture Management (CSPM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-security-posture-management?ts=markdown) * [Cloud Infrastructure Entitlement Management (CIEM)](https://www.paloaltonetworks.com/cortex/cloud/cloud-infrastructure-entitlement-management?ts=markdown) * [Data Security Posture Management (DSPM)](https://www.paloaltonetworks.com/cortex/cloud/data-security-posture-management?ts=markdown) * [AI Security Posture Management (AI-SPM)](https://www.paloaltonetworks.com/cortex/cloud/ai-security-posture-management?ts=markdown) * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Cloud Workload Protection (CWP)](https://www.paloaltonetworks.com/cortex/cloud/cloud-workload-protection?ts=markdown) * [Web Application \& API Security (WAAS)](https://www.paloaltonetworks.com/cortex/cloud/web-app-api-security?ts=markdown) Security Operations * [Cloud Detection \& Response](https://www.paloaltonetworks.com/cortex/cloud-detection-and-response?ts=markdown) * [Security Information and Event Management](https://www.paloaltonetworks.com/cortex/modernize-siem?ts=markdown) * [Network Security Automation](https://www.paloaltonetworks.com/cortex/network-security-automation?ts=markdown) * [Incident Case Management](https://www.paloaltonetworks.com/cortex/incident-case-management?ts=markdown) * [SOC Automation](https://www.paloaltonetworks.com/cortex/security-operations-automation?ts=markdown) * [Threat Intel Management](https://www.paloaltonetworks.com/cortex/threat-intel-management?ts=markdown) * [Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Attack Surface Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/attack-surface-management?ts=markdown) * [Compliance Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/compliance-management?ts=markdown) * [Internet Operations Management](https://www.paloaltonetworks.com/cortex/cortex-xpanse/internet-operations-management?ts=markdown) * [Extended Data Lake (XDL)](https://www.paloaltonetworks.com/cortex/cortex-xdl?ts=markdown) * [Agentic Assistant](https://www.paloaltonetworks.com/cortex/cortex-agentic-assistant?ts=markdown) Endpoint Security * [Endpoint Protection](https://www.paloaltonetworks.com/cortex/endpoint-protection?ts=markdown) * [Extended Detection \& Response](https://www.paloaltonetworks.com/cortex/detection-and-response?ts=markdown) * [Ransomware Protection](https://www.paloaltonetworks.com/cortex/ransomware-protection?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/cortex/digital-forensics?ts=markdown) [Industries](https://www.paloaltonetworks.com/industry?ts=markdown) * [Public Sector](https://www.paloaltonetworks.com/industry/public-sector?ts=markdown) * [Financial Services](https://www.paloaltonetworks.com/industry/financial-services?ts=markdown) * [Manufacturing](https://www.paloaltonetworks.com/industry/manufacturing?ts=markdown) * [Healthcare](https://www.paloaltonetworks.com/industry/healthcare?ts=markdown) * [Small \& Medium Business Solutions](https://www.paloaltonetworks.com/industry/small-medium-business-portfolio?ts=markdown) * Services ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Services [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Assess](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [AI Security Assessment](https://www.paloaltonetworks.com/unit42/assess/ai-security-assessment?ts=markdown) * [Attack Surface Assessment](https://www.paloaltonetworks.com/unit42/assess/attack-surface-assessment?ts=markdown) * [Breach Readiness Review](https://www.paloaltonetworks.com/unit42/assess/breach-readiness-review?ts=markdown) * [BEC Readiness Assessment](https://www.paloaltonetworks.com/bec-readiness-assessment?ts=markdown) * [Cloud Security Assessment](https://www.paloaltonetworks.com/unit42/assess/cloud-security-assessment?ts=markdown) * [Compromise Assessment](https://www.paloaltonetworks.com/unit42/assess/compromise-assessment?ts=markdown) * [Cyber Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/cyber-risk-assessment?ts=markdown) * [M\&A Cyber Due Diligence](https://www.paloaltonetworks.com/unit42/assess/mergers-acquisitions-cyber-due-diligence?ts=markdown) * [Penetration Testing](https://www.paloaltonetworks.com/unit42/assess/penetration-testing?ts=markdown) * [Purple Team Exercises](https://www.paloaltonetworks.com/unit42/assess/purple-teaming?ts=markdown) * [Ransomware Readiness Assessment](https://www.paloaltonetworks.com/unit42/assess/ransomware-readiness-assessment?ts=markdown) * [SOC Assessment](https://www.paloaltonetworks.com/unit42/assess/soc-assessment?ts=markdown) * [Supply Chain Risk Assessment](https://www.paloaltonetworks.com/unit42/assess/supply-chain-risk-assessment?ts=markdown) * [Tabletop Exercises](https://www.paloaltonetworks.com/unit42/assess/tabletop-exercise?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Respond](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Cloud Incident Response](https://www.paloaltonetworks.com/unit42/respond/cloud-incident-response?ts=markdown) * [Digital Forensics](https://www.paloaltonetworks.com/unit42/respond/digital-forensics?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond/incident-response?ts=markdown) * [Managed Detection and Response](https://www.paloaltonetworks.com/unit42/respond/managed-detection-response?ts=markdown) * [Managed Threat Hunting](https://www.paloaltonetworks.com/unit42/respond/managed-threat-hunting?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Unit 42 Retainer](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * [Transform](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [IR Plan Development and Review](https://www.paloaltonetworks.com/unit42/transform/incident-response-plan-development-review?ts=markdown) * [Security Program Design](https://www.paloaltonetworks.com/unit42/transform/security-program-design?ts=markdown) * [Virtual CISO](https://www.paloaltonetworks.com/unit42/transform/vciso?ts=markdown) * [Zero Trust Advisory](https://www.paloaltonetworks.com/unit42/transform/zero-trust-advisory?ts=markdown) [Global Customer Services](https://www.paloaltonetworks.com/services?ts=markdown) * [Education \& Training](https://www.paloaltonetworks.com/services/education?ts=markdown) * [Professional Services](https://www.paloaltonetworks.com/services/consulting?ts=markdown) * [Success Tools](https://www.paloaltonetworks.com/services/customer-success-tools?ts=markdown) * [Support Services](https://www.paloaltonetworks.com/services/solution-assurance?ts=markdown) * [Customer Success](https://www.paloaltonetworks.com/services/customer-success?ts=markdown) [![](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/logo-unit-42.svg) UNIT 42 RETAINER Custom-built to fit your organization's needs, you can choose to allocate your retainer hours to any of our offerings, including proactive cyber risk management services. Learn how you can put the world-class Unit 42 Incident Response team on speed dial. Learn more](https://www.paloaltonetworks.com/unit42/retainer?ts=markdown) * Partners ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Partners NextWave Partners * [NextWave Partner Community](https://www.paloaltonetworks.com/partners?ts=markdown) * [Cloud Service Providers](https://www.paloaltonetworks.com/partners/nextwave-for-csp?ts=markdown) * [Global Systems Integrators](https://www.paloaltonetworks.com/partners/nextwave-for-gsi?ts=markdown) * [Technology Partners](https://www.paloaltonetworks.com/partners/technology-partners?ts=markdown) * [Service Providers](https://www.paloaltonetworks.com/partners/service-providers?ts=markdown) * [Solution Providers](https://www.paloaltonetworks.com/partners/nextwave-solution-providers?ts=markdown) * [Managed Security Service Providers](https://www.paloaltonetworks.com/partners/managed-security-service-providers?ts=markdown) * [XMDR Partners](https://www.paloaltonetworks.com/partners/managed-security-service-providers/xmdr?ts=markdown) Take Action * [Portal Login](https://www.paloaltonetworks.com/partners/nextwave-partner-portal?ts=markdown) * [Managed Services Program](https://www.paloaltonetworks.com/partners/managed-security-services-provider-program?ts=markdown) * [Become a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=becomepartner) * [Request Access](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerregistration?type=requestaccess) * [Find a Partner](https://paloaltonetworks.my.site.com/NextWavePartnerProgram/s/partnerlocator) [CYBERFORCE CYBERFORCE represents the top 1% of partner engineers trusted for their security expertise. Learn more](https://www.paloaltonetworks.com/cyberforce?ts=markdown) * Company ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Company Palo Alto Networks * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Management Team](https://www.paloaltonetworks.com/about-us/management?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com) * [Locations](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Ethics \& Compliance](https://www.paloaltonetworks.com/company/ethics-and-compliance?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Military \& Veterans](https://jobs.paloaltonetworks.com/military) [Why Palo Alto Networks?](https://www.paloaltonetworks.com/why-paloaltonetworks?ts=markdown) * [Precision AI Security](https://www.paloaltonetworks.com/precision-ai-security?ts=markdown) * [Our Platform Approach](https://www.paloaltonetworks.com/why-paloaltonetworks/platformization?ts=markdown) * [Accelerate Your Cybersecurity Transformation](https://www.paloaltonetworks.com/why-paloaltonetworks/nam-cxo-portfolio?ts=markdown) * [Awards \& Recognition](https://www.paloaltonetworks.com/about-us/awards?ts=markdown) * [Customer Stories](https://www.paloaltonetworks.com/customers?ts=markdown) * [Global Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Trust 360 Program](https://www.paloaltonetworks.com/resources/whitepapers/trust-360?ts=markdown) Careers * [Overview](https://jobs.paloaltonetworks.com/) * [Culture \& Benefits](https://jobs.paloaltonetworks.com/en/culture/) [A Newsweek Most Loved Workplace "Businesses that do right by their employees" Read more](https://www.paloaltonetworks.com/company/press/2021/palo-alto-networks-secures-top-ranking-on-newsweek-s-most-loved-workplaces-list-for-2021?ts=markdown) * More ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) More Resources * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Unit 42 Threat Research](https://unit42.paloaltonetworks.com/) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Tech Insider](https://techinsider.paloaltonetworks.com/) * [Knowledge Base](https://knowledgebase.paloaltonetworks.com/) * [Palo Alto Networks TV](https://tv.paloaltonetworks.com/) * [Perspectives of Leaders](https://www.paloaltonetworks.com/perspectives/?ts=markdown) * [Cyber Perspectives Magazine](https://www.paloaltonetworks.com/cybersecurity-perspectives/cyber-perspectives-magazine?ts=markdown) * [Regional Cloud Locations](https://www.paloaltonetworks.com/products/regional-cloud-locations?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Security Posture Assessment](https://www.paloaltonetworks.com/security-posture-assessment?ts=markdown) * [Threat Vector Podcast](https://unit42.paloaltonetworks.com/unit-42-threat-vector-podcast/) * [Packet Pushers Podcasts](https://www.paloaltonetworks.com/podcasts/packet-pusher?ts=markdown) Connect * [LIVE community](https://live.paloaltonetworks.com/) * [Events](https://events.paloaltonetworks.com/) * [Executive Briefing Center](https://www.paloaltonetworks.com/about-us/executive-briefing-program?ts=markdown) * [Demos](https://www.paloaltonetworks.com/demos?ts=markdown) * [Contact us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) [Blog Stay up-to-date on industry trends and the latest innovations from the world's largest cybersecurity Learn more](https://www.paloaltonetworks.com/blog/) * Sign In ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Sign In * Customer * Partner * Employee * [Login to download](https://www.paloaltonetworks.com/login?ts=markdown) * [Join us to become a member](https://www.paloaltonetworks.com/login?screenToRender=traditionalRegistration&ts=markdown) * EN ![black arrow pointing left to go back to main navigation](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/arrow-right-black.svg) Language * [USA (ENGLISH)](https://www.paloaltonetworks.com) * [AUSTRALIA (ENGLISH)](https://www.paloaltonetworks.com.au) * [BRAZIL (PORTUGUÉS)](https://www.paloaltonetworks.com.br) * [CANADA (ENGLISH)](https://www.paloaltonetworks.ca) * [CHINA (简体中文)](https://www.paloaltonetworks.cn) * [FRANCE (FRANÇAIS)](https://www.paloaltonetworks.fr) * [GERMANY (DEUTSCH)](https://www.paloaltonetworks.de) * [INDIA (ENGLISH)](https://www.paloaltonetworks.in) * [ITALY (ITALIANO)](https://www.paloaltonetworks.it) * [JAPAN (日本語)](https://www.paloaltonetworks.jp) * [KOREA (한국어)](https://www.paloaltonetworks.co.kr) * [LATIN AMERICA (ESPAÑOL)](https://www.paloaltonetworks.lat) * [MEXICO (ESPAÑOL)](https://www.paloaltonetworks.com.mx) * [SINGAPORE (ENGLISH)](https://www.paloaltonetworks.sg) * [SPAIN (ESPAÑOL)](https://www.paloaltonetworks.es) * [TAIWAN (繁體中文)](https://www.paloaltonetworks.tw) * [UK (ENGLISH)](https://www.paloaltonetworks.co.uk) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [What's New](https://www.paloaltonetworks.com/resources?ts=markdown) * [Get support](https://support.paloaltonetworks.com/SupportAccount/MyAccount) * [Under Attack?](https://start.paloaltonetworks.com/contact-unit42.html) * [Demos and Trials](https://www.paloaltonetworks.com/get-started?ts=markdown) Search All * [Tech Docs](https://docs.paloaltonetworks.com/search) Close search modal [Deploy Bravely --- Secure your AI transformation with Prisma AIRS](https://www.deploybravely.com) [](https://www.paloaltonetworks.com/?ts=markdown) 1. [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) 2. [Network Security](https://www.paloaltonetworks.com/cyberpedia/network-security?ts=markdown) 3. [What Is the Purdue Model for ICS Security? | A Guide to PERA](https://www.paloaltonetworks.com/cyberpedia/what-is-the-purdue-model-for-ics-security?ts=markdown) Table of contents * [How does the Purdue Model for ICS Security work?](#perdue-work) * [What are the Purdue Model layers?](#perdue-layers) * [What are industrial control systems?](#perdue-systems) * [What are the main ICS architecture security challenges?](#perdue-challenges) * [What kinds of cyberthreats commonly impact ICS?](#perdue-commonly) * [What is the history of the Purdue Model?](#purdue-history) * [Examining the Purdue Model's role in modern ICS security](#purdue-modern) * [Purdue Model for ICS Security FAQs](#perdue-faq) # What Is the Purdue Model for ICS Security? | A Guide to PERA 14 min. read Table of contents * [How does the Purdue Model for ICS Security work?](#perdue-work) * [What are the Purdue Model layers?](#perdue-layers) * [What are industrial control systems?](#perdue-systems) * [What are the main ICS architecture security challenges?](#perdue-challenges) * [What kinds of cyberthreats commonly impact ICS?](#perdue-commonly) * [What is the history of the Purdue Model?](#purdue-history) * [Examining the Purdue Model's role in modern ICS security](#purdue-modern) * [Purdue Model for ICS Security FAQs](#perdue-faq) 1. How does the Purdue Model for ICS Security work? * [1. How does the Purdue Model for ICS Security work?](#perdue-work) * [2. What are the Purdue Model layers?](#perdue-layers) * [3. What are industrial control systems?](#perdue-systems) * [4. What are the main ICS architecture security challenges?](#perdue-challenges) * [5. What kinds of cyberthreats commonly impact ICS?](#perdue-commonly) * [6. What is the history of the Purdue Model?](#purdue-history) * [7. Examining the Purdue Model's role in modern ICS security](#purdue-modern) * [8. Purdue Model for ICS Security FAQs](#perdue-faq) ![An image that says "What is the Purdue Model for ICS Security"](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/purdue-video-thumbnail.png) close The Purdue Model for ICS Security is a framework that organizes industrial control systems into distinct layers, separating operational technology (OT) from information technology (IT). It helps manage communication between systems by isolating different functions across layers and implementing network segmentation. While originally designed for operational purposes, it can be adapted to limit exposure and improve network control. ## How does the Purdue Model for ICS Security work? The Purdue Model for [industrial control systems (ICS) security](https://www.paloaltonetworks.com/cyberpedia/what-is-ics-security) works by dividing an industrial control system into multiple layers, each with specific roles and communication boundaries. The model is designed to isolate different parts of an organization's operations. Today, it's adapted to limit network exposure and improve control over both OT and information technology. At its core, the Purdue Model segments the network into levels, ranging from 0 to 5: * Levels 0 to 3 represent the OT side, which is responsible for the actual physical processes, such as manufacturing equipment, sensors, and real-time control systems. * Levels 4 and 5 represent the IT side, including enterprise systems like databases, planning, and data analysis. When applied correctly, the model creates separation between ICS/OT and IT systems. The isolation allows organizations to enforce strong access controls without impacting business operations. **For example:** Today, a key aspect of the Purdue Model is the implementation of [firewalls](https://www.paloaltonetworks.com/cyberpedia/what-is-a-firewall) between Levels 3 and 4, which separate the OT and IT environments. The firewall prevents direct communication between the two environments, reducing the risk of unauthorized access or cyberattacks affecting critical industrial processes. Also, the Purdue Model emphasizes the use of DMZs (demilitarized zones) at key junctions in the network---particularly between the OT and IT layers. DMZs effectively work as a buffer zone. So data can flow between systems, but with filtering and monitoring in place to ensure security protocols are followed. Like this: !\[Purdue Model architecture diagram, showing how industrial control systems are segmented into layers from Level 0 to Level 5. Level 0 at the bottom displays physical process components like actuators, pumps, and sensors linked to PLCs through Ethernet switches. Level 1 depicts more PLCs connected to industrial PCs and Local HMIs. Level 2 features Distributed Control Systems (DCS) connected via Ethernet switches. Level 3, labeled as Operations Administration, includes historians, domain controllers, and monitoring systems connected through an Ethernet switch. Level 4, named Enterprise Administration, shows authentication services, desktops, databases, and file servers connected through Ethernet switches. The topmost layer, Level 5, labeled Internet DMZ, shows connections to the internet, web servers, and email, all protected by firewalls depicted as red bars across various connection points.\](https://www.paloaltonetworks.com/content/dam/pan/en\_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024\_6 -Purdue.png) By clearly defining and segmenting the different layers of ICS and IT systems, the Purdue Model offers a structured approach to managing both operational efficiency and [cybersecurity](https://www.paloaltonetworks.com/cyberpedia/what-is-cyber-security). While it was originally designed as an architecture framework, it's since become an influential tool for delineating where to implement security controls and monitor for threats effectively. ***Note:*** *The Purdue Model is often referred to as the Purdue Reference Model (PRM) and the Purdue Enterprise Reference Architecture (PERA) interchangeably. It's worth mentioning that in its first iteration, the Purdue Model included three components: Purdue Enterprise Reference Architecture, Purdue Reference Model, and the Purdue Implementation Procedures Manual.* | ***Further reading:*** * [*What Is OT Security?*](https://www.paloaltonetworks.com/cyberpedia/what-is-it-ot-convergence) * [*What Is IT/OT Convergence?*](https://www.paloaltonetworks.com/cyberpedia/what-is-ot-security) * [*What Are the Differences Between OT, ICS, \& SCADA Security?*](https://www.paloaltonetworks.com/cyberpedia/ot-vs-ics-vs-scada-security) * [*What Is the Difference Between IT and OT? | IT vs. OT*](https://www.paloaltonetworks.com/cyberpedia/it-vs-ot) ## What are the Purdue Model layers? ![Flowchart diagram representing the Purdue Model layers, focusing on the data flow and processing times in a manufacturing environment. It shows a sequence of operations and interactions among various components. A](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_7-Purdue.png "Flowchart diagram representing the Purdue Model layers, focusing on the data flow and processing times in a manufacturing environment. It shows a sequence of operations and interactions among various components. A ") As noted, the Purdue Model organizes industrial networks into distinct layers representing different functions. Specifically, the model clearly defines which devices and systems reside within particular points, and what their role is in the overall architecture. Each layer separates critical systems and processes. | Purdue Model layer | Description | Function | Significance | | Level 0: Physical process | Represents physical devices like sensors and actuators. | Gathers and relays real-time data about the process (pressure, temperature, etc.). | Critical for operational data, vulnerable to physical attacks or system faults. | | Level 1: Intelligent devices | Consists of devices like PLCs and RTUs that monitor and manage processes. | Interprets data from Level 0 and executes commands for safe and efficient operation. | Crucial for control but vulnerable to cyberattacks due to age and limited computing power. | | Level 2: Local control and supervision | Includes supervisory control systems like HMIs and SCADA. | Oversees the process, manages alarms, and allows real-time adjustments by operators. | Links human operators with automated systems, responsible for specific facility sections. | | Level 3: Site-wide control and management | Encompasses site-wide systems such as historians and alarm servers. | Manages broader functions like production scheduling and operational analysis. | First line of defense between process control and enterprise IT networks. | | Level 3.5: Demilitarized zone (DMZ) | Acts as a buffer zone between IT and OT environments. | Filters and regulates traffic between IT and OT areas, protecting critical OT systems. | Essential for modern ICS security, ensuring controlled data flow while protecting systems. | | Level 4: Business logistics systems | Focuses on systems like ERP and CRM that connect to the enterprise network. | Integrates industrial data to aid in decision-making and business planning. | Crucial for aligning industrial operations with business strategies. | | Level 5: Enterprise network | Handles overall corporate IT functions such as email and file storage. | Requests data from lower levels for business analytics and supports corporate operations. | Most removed from ICS but essential for supporting business functions. | |-------------------------------------------|-----------------------------------------------------------------------------|-------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------| Let's break down each one. ### Level 0 - Physical process At the foundation of the Purdue Model, we have Level 0, which includes the actual physical devices like sensors and actuators. These devices gather and relay data about the process in real time, including things like pressure, temperature, or flow rates. Devices interact directly with the process, feeding crucial information to the controllers in the next layer. Since these devices are critical for operational data, they're highly vulnerable to direct physical attacks or system faults. ### Level 1 - Intelligent devices The next layer, Level 1, consists of intelligent devices, which monitor and manage the physical processes. This includes systems like programmable logic controllers (PLCs) and remote terminal units (RTUs), which are essential for interpreting data from Level 0 and executing commands to maintain safe and efficient operation. While crucial to maintaining control, their age and limited computing power can make them vulnerable to cyberattacks. ### Level 2 - Local control and supervision Level 2 involves the supervisory control and monitoring systems, such as HMIs (human machine interfaces) and SCADA (supervisory control and data acquisition) systems. Operators use these components to oversee the process, manage alarms, and make real-time adjustments. Level 2 is responsible for controlling specific sections of the facility. It acts as a link between human operators and automated systems. ### Level 3 - Site-wide control and management At Level 3, we have site-wide control systems, which support larger operations across the plant or site. Systems like historians, alarm servers, and plant-level analytics are found here. Level 3 typically handles broader functions like production scheduling and operational analysis. It serves as the first line of defense in the transition between the process control environment and the IT network. ### Level 3.5 - Demilitarized zone (DMZ) Although not originally part of the Purdue Model, the introduction of Level 3.5, or the DMZ, is considered essential for modern ICS security. The DMZ acts as a buffer zone between the IT and OT environments. It regulates and filters traffic between the two areas. Its primary role is to protect critical OT systems from unauthorized access while still allowing necessary data flow to and from enterprise networks. ### Level 4 - Business logistics systems Level 4 focuses on the business side of operations, including business logistics systems such as ERP (enterprise resource planning), CRM (customer relationship management), and other systems crucial for business operations. These systems connect to the broader enterprise network. Data from the industrial environment is integrated here to aid in decision-making and planning. ### Level 5 - Enterprise network At the top of the Purdue Model is Level 5, which handles overall corporate IT functions, like email, file storage, and other enterprise services. This level typically has no direct contact with the industrial control system components but may request data from lower levels for business analytics. Level 5 is the most removed from the operational aspects of ICS but critical for supporting business operations. ## What are industrial control systems? !\[Industrial Control System (ICS) Security Architecture diagram, illustrating a hierarchical layout across three levels: Level 0, Level 1, and Level 2. Level 0, labeled\](https://www.paloaltonetworks.com/content/dam/pan/en\_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024\_1 -ICS.png "Industrial Control System (ICS) Security Architecture diagram, illustrating a hierarchical layout across three levels: Level 0, Level 1, and Level 2. Level 0, labeled ") To better understand how the Purdue Model applies to securing critical infrastructure, let's walk through what industrial control systems actually are and how they work. Industrial control systems manage and automate operational processes across numerous industries, including manufacturing, energy, and transportation. Essentially, ICSs are composed of devices, systems, networks, and controls used to operate and/or automate industrial processes. At the core of an ICS, you'll find the controllers mentioned earlier, like PLCs or RTUs that direct processes based on sensor inputs and pre-defined conditions. As explained, controllers execute commands that adjust machinery and production processes so that operations run smoothly and efficiently. ![Architecture diagram illustrating a complex industrial control system architecture, featuring multiple levels of integration and security layers. At the top, connected via Ethernet, are the engineering, administration, and accounting departments, each secured by firewalls. The Internet connection is protected by a VPN/firewall setup. Below this level, a database is also secured by a firewall. In the central section, various components like an application server, operations HMI, printer, and other servers are connected via Ethernet and include a VPN/firewall for additional security. This area links to a DCS process manager through a proprietary network, with connections to field I/O components for digital and analog control and monitoring. At the bottom, auxiliary PLC systems handle tasks like ship loading/unloading, catalyst loading, vibration monitoring, tank monitoring/control, and a safety system for emergency shutdown and area monitoring.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_13-Example.png) ICSs work by collecting data from the field via sensors that monitor physical process variables (like temperature, pressure, etc.), process the data, and trigger actions to control equipment. !\[ICS control loop flowchart diagram. It shows a human-machine interface where parameters are set, leading to a controller that processes controlled and manipulated variables. The controller influences an actuator, which interacts directly with a controlled process; this process outputs signals that are picked up by sensors. These sensors feed information back to the controller, completing the loop. Additionally, there is a link from the controller to a remote diagnostics and maintenance service, indicating the system's capability for external oversight and adjustment. The components are connected by lines, some dashed, indicating the direction and flow of information and control throughout the system.\](https://www.paloaltonetworks.com/content/dam/pan/en\_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024\_ -ICS.png "ICS control loop flowchart diagram. It shows a human-machine interface where parameters are set, leading to a controller that processes controlled and manipulated variables. The controller influences an actuator, which interacts directly with a controlled process; this process outputs signals that are picked up by sensors. These sensors feed information back to the controller, completing the loop. Additionally, there is a link from the controller to a remote diagnostics and maintenance service, indicating the system's capability for external oversight and adjustment. The components are connected by lines, some dashed, indicating the direction and flow of information and control throughout the system.") Essentially, ICSs maintain optimal conditions for industrial operations. They're designed to manage everything from assembly lines to power generation with precision and reliability. Here's why this matters. The automation provided by ICSs increases productivity and safety---but it also plays a crucial role in critical infrastructure sectors, including: * Energy * Water and wastewater systems * Transportation * Manufacturing * Food and agriculture * Healthcare | Critical infrastructure sector | Role of ICS | Potential risks | | Energy | Manages power grids, oil and gas pipelines, and renewable energy plants | Power outages and energy supply disruptions | | Water and wastewater systems | Controls the flow, treatment, and distribution of clean water, and wastewater | Public health risks and access to clean water | | Transportation | Oversees traffic control, rail networks, and aviation operations | Safety and delays in the movement of goods and people | | Manufacturing | Automates and monitors production lines across industries | Production inefficiencies and supply chain issues | | Food and agriculture | Controls processing plants and food distribution systems | Food shortages and safety concerns | | Healthcare | Manages medical devices, hospital HVAC systems, and pharmaceutical production | Compromised patient care and public health | |--------------------------------|-------------------------------------------------------------------------------|-------------------------------------------------------| So by automating routine tasks and responses, ICSs minimize human errors, reduce operational costs, and increase the overall efficiency of industrial operations. Originally, ICSs were isolated systems. But with advancements in technology, they've become more interconnected with business networks and the internet. Which does increase efficiency but also exposes them to cybersecurity risks. Modern ICSs integrate sophisticated cybersecurity measures to mitigate risks and ensure continuous, safe operations. ## How are industrial control systems different from general computing systems? Industrial control systems differ from general computing systems because they're designed to control and monitor physical processes in real time, while general computing systems handle data processing and software applications. As explained, ICSs include components like PLCs, which control equipment and processes. These controllers execute the instructions for keeping the machinery running smoothly. Basically, ICSs work in the background to automate physical processes. ![Architecture diagram comparing industrial control systems to general computing systems. On the left, the ICS components include SCADA, HMIs, PLCs, sensors, robotics, and conveyor belts, all interconnected. On the right, the general computing system is represented by components such as the internet, a firewall, an SD-WAN router, a branch, and a data center. The diagram visually outlines the differences in structure and components between ICS and general computing systems, emphasizing the specialized nature of ICS.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_12-ICS.png "Architecture diagram comparing industrial control systems to general computing systems. On the left, the ICS components include SCADA, HMIs, PLCs, sensors, robotics, and conveyor belts, all interconnected. On the right, the general computing system is represented by components such as the internet, a firewall, an SD-WAN router, a branch, and a data center. The diagram visually outlines the differences in structure and components between ICS and general computing systems, emphasizing the specialized nature of ICS.") General computing systems, on the other hand, are typically more versatile, able to run a range of software for different purposes---but they aren't built for controlling industrial equipment. Here's where the Purdue Model provides structure. By segmenting industrial and general computing systems into distinct layers, the model ensures that these fundamentally different systems can coexist without compromising operational efficiency or safety. The segmentation reduces the likelihood of delays or disruptions in ICS processes because it minimizes interference by isolating real-time systems from general computing activities. Here's another key difference: ICSs work in real time. Which means they need to respond to changes immediately to keep things running. If an ICS fails to act on time, it could lead to safety issues or operational downtime. The Purdue Model addresses this challenge by maintaining strict boundaries between IT and OT systems, using security tools to regulate communication and protect critical real-time processes from interference. While modern business environments also demand real time, fast processing to avoid delays and financial losses, the stakes are different for ICSs. When it comes to an industrial control system, delays can lead to immediate physical risks, such as equipment damage or safety hazards. Which are more critical than the financial or operational setbacks caused by slow general computing systems. Also, industrial control systems often operate in harsh environments. They might be exposed to high temperatures, dust, or electromagnetic interference. For this reason, they're built to withstand these conditions. General computing systems usually don't need the same level of protection since they're used in cleaner environments, like offices or homes. Plus: ICSs have unique security needs. Again, a breach in an ICS system could lead to disruptions in power grids, manufacturing lines, or water treatment plants---posing real-world risks. General computing systems, while still vulnerable to cyberattacks and their consequences, don't typically pose the same level of physical danger when compromised. The Purdue Model's layered structure ensures not only the protection of ICS components but also operational continuity, enabling secure communication between IT and OT without compromising either system. ## What are the main ICS architecture security challenges? !\[Graphic outlining the main security challenges in Industrial Control System (ICS) architecture. It features a central orange header labeled\](https://www.paloaltonetworks.com/content/dam/pan/en\_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024\_2- ICS.png "Graphic outlining the main security challenges in Industrial Control System (ICS) architecture. It features a central orange header labeled ") Industrial control systems face unique security challenges due to their purpose, structure, and the environments in which they operate, including but not limited to: * Real-time operational demands * Outdated infrastructure * Environmental constraints * Proprietary systems and protocols * Lack of cybersecurity expertise in ICS environments Unlike general IT systems, ICSs manage real-time processes that effectively power industries like manufacturing, energy, and utilities. Which adds several layers of complexity to securing these environments. It's worth noting: The Purdue Model provides a foundational blueprint for addressing a lot of the challenges listed below. Let's take a look at ICS architecture security challenges in detail. ### Real-time operational demands One of the main challenges with ICS security is the real-time operational requirements. ICS environments control physical processes that cannot afford delays. For example: If an ICS is responsible for regulating the temperature of machinery or controlling a power grid, any latency or disruption could cause damage to equipment, loss of production, or even endanger public safety. Security measures, like updates or scans, could potentially interfere with real-time demands. And that makes introducing security solutions more complex than in traditional IT systems. ### Outdated infrastructure Many ICSs still run on legacy infrastructure that wasn't built with modern cybersecurity in mind. When industrial control systems were originally designed, they were isolated from the internet and often physically separated from external threats. However: As organizations increasingly connect ICSs to their corporate networks for remote monitoring and management, the outdated infrastructure presents major vulnerabilities. Legacy systems often don't support modern security protocols or patches. And retrofitting them with cybersecurity measures can be difficult, costly, or impossible without replacing the entire system. ### Environmental constraints As explained, industrial environments are often harsh---electrically noisy, dirty, or subject to extreme temperatures. And these kinds of physical conditions definitely impact how security solutions can be deployed. Network security tools, like firewalls or [intrusion detection systems](https://www.paloaltonetworks.com/cyberpedia/what-is-an-intrusion-detection-system-ids), are typically designed for cleaner, more controlled environments if they're hardware-based. Which makes them harder to implement in ICS settings. Not to mention, the need for uninterrupted service in these environments means there's very little room for downtime. And that makes regular security maintenance or updates difficult. ### Proprietary systems and protocols ICS environments are built using a wide variety of proprietary systems and communication protocols. Which means applying standardized security practices is no easy feat. Each vendor may use its own software, hardware, and network protocols, which complicates integration with existing security tools. Also: Many ICS protocols---like Modbus or DNP3---were designed with functionality, not security, in mind. As a result, protocols often lack features like encryption or authentication. ### Lack of cybersecurity expertise in ICS environments Another significant challenge is the gap in cybersecurity knowledge among ICS professionals. ICS environments are typically managed by engineers and operators who specialize in controlling physical processes but may not have cybersecurity expertise. Conversely, cybersecurity professionals may not fully understand industrial processes. This divide can lead to misaligned priorities, where keeping the system running efficiently is prioritized over implementing robust security practices. The Purdue Model's layered structure can work as a guide for tackling the unique technology challenges of ICS environments. While the Purdue Model cannot solve all challenges outright, its emphasis on network segmentation and controlled interactions can offer a starting point for designing an effective ICS security strategy. ## What kinds of cyberthreats commonly impact ICS? ![Diagram illustrating common cyber threats to Industrial Control Systems (ICS). It features a central header labeled](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_3-Common.png "Diagram illustrating common cyber threats to Industrial Control Systems (ICS). It features a central header labeled ") ICS cyberthreats continue to grow in frequency and sophistication. These systems, once isolated from external networks, are now more interconnected than ever, making them vulnerable to a variety of cyberattacks. While industrial control systems have made great strides in operational efficiency, they now face many cybersecurity challenges. This is where the Purdue Model for ICS security is often considered particularly relevant. The model provides a template for identifying where specific threats are most likely to occur. It also helps determine the appropriate defenses for each layer. Let's explore some of the most prominent threats that ICS environments are up against, including: * Indirect attacks on ICSs * Direct attacks targeting ICS components * Denial of service (DoS) attacks * Manipulation of data and commands * Vulnerabilities in outdated systems ### Indirect attacks on ICS Many ICS cyberattacks are indirect, meaning they often target IT systems but ultimately affect the OT side. For instance, [malware](https://www.paloaltonetworks.com/cyberpedia/what-is-malware) designed for general-purpose computing environments, like Windows, can penetrate the corporate IT network and later find its way to ICS systems. ![Flowchart detailing the stages of the NotPetya cyberattacks, segmented into two network levels: Level 5 and Level 4. The first step at Level 5 involves](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_4-NotPetya.png "Flowchart detailing the stages of the NotPetya cyberattacks, segmented into two network levels: Level 5 and Level 4. The first step at Level 5 involves ") **Example:** NotPetya (2017) is another prominent case where malware, initially targeting IT environments, caused widespread disruption to OT operations. This [ransomware](https://www.paloaltonetworks.com/cyberpedia/what-is-ransomware)spread through corporate networks and indirectly affected critical infrastructure sectors, highlighting how vulnerabilities in IT can cascade into OT environments. ### Direct attacks targeting ICS components Unlike indirect attacks, direct attacks intentionally target PLCs and RTUs. These attacks focus on the critical components that control and monitor industrial processes. The objective is to disrupt or manipulate their operation. In many cases, attackers are looking to compromise physical safety or cause operational damage by manipulating the control systems at the heart of ICS environments. ![Architecture diagram depicting the stages of a Triton cyber attack across various levels of an industrial control system network. At the highest level, labeled](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_8-Triton.png "Architecture diagram depicting the stages of a Triton cyber attack across various levels of an industrial control system network. At the highest level, labeled ") **Example:** Triton/Trisis (2017) targeted Schneider Electric's Triconex safety controllers, which are responsible for shutting down industrial processes in case of dangerous conditions. The malware aimed to manipulate these safety systems and could have disabled critical safety mechanisms, potentially leading to catastrophic physical damage or compromised safety. While the attack was stopped before causing real harm, it underscored the ongoing evolution of ICS threats, showing that advanced, targeted attacks remain a significant concern for critical infrastructure. ### DoS and DDoS attacks [Denial of service (DoS)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-denial-of-service-attack-dos) and [distributed denial of service (DDoS)](https://www.paloaltonetworks.com/cyberpedia/what-is-a-ddos-attack) attacks aim to overwhelm ICS networks with illegitimate traffic, disrupting or shutting down operations. These attacks can be highly disruptive, particularly in sectors where ICS must run continuously, such as energy and water. DoS attacks typically involve a single source, while DDoS uses multiple compromised systems to flood the target, making it more difficult to mitigate. Both types of attacks can prevent industrial control systems from functioning, leading to halted production, service outages, or delayed processes. Although recent cases are less frequent, both types are still a risk for critical infrastructure security. ![Image displaying a computer screen capturing the effects of a Denial of Service (DoS) attack on a Programmable Logic Controller (PLC), presented in the format of a network traffic log. The table on the screen lists multiple rows of network traffic data, each containing details such as time, source IP address, destination IP address, protocol used, and length of the data packet. Many of the entries are highlighted to indicate repetitive requests to the same IP addresses, characteristic of a DoS attack, which overwhelms the network device with excessive data traffic, potentially leading to service disruption. The data shown illustrates the type of network congestion and system stress caused by such cybersecurity threats.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_9-DoS.png "Image displaying a computer screen capturing the effects of a Denial of Service (DoS) attack on a Programmable Logic Controller (PLC), presented in the format of a network traffic log. The table on the screen lists multiple rows of network traffic data, each containing details such as time, source IP address, destination IP address, protocol used, and length of the data packet. Many of the entries are highlighted to indicate repetitive requests to the same IP addresses, characteristic of a DoS attack, which overwhelms the network device with excessive data traffic, potentially leading to service disruption. The data shown illustrates the type of network congestion and system stress caused by such cybersecurity threats.") **Example:** According to a study titled "[Cyber Security in Industrial Control Systems: Analysis of DoS Attacks against PLCs and the Insider Effect](https://ieeexplore.ieee.org/document/8408947)" (Yılmaz et al., 2018), researchers conducted controlled simulations of DoS attacks on PLC devices. The attacks led to increased latency, with response times rising to 5280 ms, and caused significant disruptions to system operations, demonstrating how these attacks could delay critical control functions in real-world ICS environments. The rise of IoT devices has also introduced new potential vulnerabilities for DDoS attacks to exploit in ICS environments, making defense strategies essential for critical operations. ### Manipulation of data and commands Attackers can also put false data into ICS systems or issue malicious commands to disrupt operations. This is particularly dangerous because the operators might not immediately notice the issue. In some cases, the ICS might continue to function under erroneous data, leading to inefficiencies, equipment damage, or unsafe conditions. For instance, an attacker could send false signals to modify pressure levels in a pipeline, causing it to rupture or malfunction. This type of attack puts both the integrity and safety of the process at risk. ![Architecture diagram presenting two flowcharts describing the deployment and impact of the Industroyer/Industroyer2 malware on industrial control systems (ICS). The upper flowchart details the sequence of actions within the malware operation: starting with the installation of a main backdoor, managing additional tools, and executing two modules—a wipe module and a charge module—that target specific functionalities. It also shows that the main backdoor can install additional backdoors and interact with various industrial communication standards such as IEC101, IEC104, IEC61850, and OPC DA. The lower flowchart maps out the spread of Industroyer2 malware variants such as CaddyWiper, OrcShred, Soloshred, and AwfulShred deployed by attackers into the ICS and IT networks, indicating their progression toward compromising an electrical substation. Each malware variant is represented by a distinct box connected to network icons, illustrating the flow from the attackers' deployment to the operational disruption within the network.](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_11-Industroyer.png "Architecture diagram presenting two flowcharts describing the deployment and impact of the Industroyer/Industroyer2 malware on industrial control systems (ICS). The upper flowchart details the sequence of actions within the malware operation: starting with the installation of a main backdoor, managing additional tools, and executing two modules—a wipe module and a charge module—that target specific functionalities. It also shows that the main backdoor can install additional backdoors and interact with various industrial communication standards such as IEC101, IEC104, IEC61850, and OPC DA. The lower flowchart maps out the spread of Industroyer2 malware variants such as CaddyWiper, OrcShred, Soloshred, and AwfulShred deployed by attackers into the ICS and IT networks, indicating their progression toward compromising an electrical substation. Each malware variant is represented by a distinct box connected to network icons, illustrating the flow from the attackers' deployment to the operational disruption within the network.") **Example:** Industroyer/Industroyer2 (2016) malware targeted Ukraine's power grid, manipulating data and sending unauthorized commands to remote terminal units (RTUs). These commands altered the state of critical infrastructure, such as turning circuit breakers on and off. The attack led to power outages and disrupted essential services, making clear the dangers of ICS data manipulation. The consequences of this kind of attack can be severe, as the manipulation can go unnoticed for an extended period, allowing attackers to cause substantial damage and service disruptions before detection. ### Vulnerabilities in outdated systems Many ICS environments rely on legacy systems that weren't designed with cybersecurity in mind. These systems often run outdated software and have little to no protection against modern cyberthreats. Additionally, patching legacy systems can be risky since updates may disrupt their operations. Which is why attackers often exploit these vulnerabilities, knowing that older systems lack the advanced defenses common in modern IT environments. ![Diagram detailing three linked cyber incidents across different sites in Oldsmar. Site 1 features](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/ICS-2024_10-Oldsmar.png "Diagram detailing three linked cyber incidents across different sites in Oldsmar. Site 1 features ") **Example:** In 2021, attackers exploited vulnerabilities in the Oldsmar water treatment plant, a facility using outdated systems with minimal cybersecurity measures. By remotely accessing the control systems, the attackers attempted to raise the level of sodium hydroxide in the water to dangerous levels. Luckily, the manipulation was caught in time by a plant operator, preventing potential harm. This incident highlights how legacy systems, which were not designed with modern cyber defenses, can be vulnerable to serious attacks that put public safety at risk. The Purdue Model for ICS Security is considered relevant in addressing these threats by delineating the boundaries between IT and OT systems, ensuring clear communication controls, and emphasizing network segmentation. By segmenting systems into distinct layers and establishing clear communication boundaries, it helps limit the spread and impact of the cyberthreats we just described. ## What is the history of the Purdue Model? The Purdue Model was originally developed in the early 1990s by the Purdue Laboratory for Applied Industrial Control (PLAIC) at Purdue University to provide best practices for organizing and managing ICS and their relationship with business networks. Its primary goal was to define structured approaches for segmenting OT systems from corporate IT systems. The model outlined a framework for managing the integration between industrial environments and business operations. The objective was to isolate OT processes from IT systems, which had begun to play a more significant role in industrial operations at the time. The Purdue Model was initially based on the concept of "air-gapping," which involved keeping ICS and OT systems disconnected from the internet and corporate networks to avoid disruptions. Over time, the Purdue Model became a foundational reference for industrial control systems and was adopted in various cybersecurity frameworks, including NIST 800-82 and API 1164. ## Examining the Purdue Model's role in modern ICS security The Purdue Model has been a cornerstone of ICS architecture for decades, but today its application is being reexamined. Again, it was initially developed to create a clear separation between OT and IT. However, as technologies have evolved, so have business needs. Both of which have made aspects of the model seem outdated to some. In fact, [a discussion on this topic titled "Is the Purdue Model Dead?" on the Unsolicited Response Podcast](https://dale-peterson.com/2019/02/11/is-the-purdue-model-dead/) took place between Brad Hegrat, Joel Langill, and Dale Peterson in 2019. Brad Hegrat argued that the model is outdated, largely because IT/OT convergence has made the separation the model once emphasized irrelevant. Joel Langill, however, acknowledged that while the network architecture might no longer be applicable, the model's approach to layering and hierarchy still holds value for understanding system interactions and risks. Langill suggested that the model remains useful for helping map information flows and identifying potential security threats. It's not surprising, then, that one of the key debates on the Purdue Model's current role centers around the increased demand for real-time data from ICS environments. Organizations are now integrating more cloud-based solutions and remote access systems. Which challenges the Purdue Model's concept of rigid segmentation. Again, some argue that the model was designed for an era when the idea of a closed, air-gapped system was feasible. Today, many systems no longer operate in isolation, potentially making the rigid hierarchy less applicable. On the other hand, proponents of the Purdue Model often contend that while its network architecture may be evolving, the model still serves an important purpose. More specifically, its layered approach provides structure for network segmentation. Which ensures that industrial networks remain manageable and secure. Supporters suggest that the model doesn't need to be entirely replaced, but rather adapted to suit modern requirements---such as Industrial IoT and edge computing---which obviously demand more flexible data flows. Plus, the rise of the IoT and edge devices has further blurred the lines between traditional IT and OT environments. Devices at the lowest levels of the Purdue Model---like sensors---are now capable of directly sending data to the cloud. They bypass the hierarchy that the model established. Some suggest that a hybrid approach, which maintains key security principles while accommodating new technologies, could strike the right balance between the old and the new. Ultimately, while the Purdue Model may no longer fit perfectly into today's dynamic, interconnected environments, its foundational principles remain valuable. The debate around the Purdue Model's role in ICS security continues, with many agreeing that adaptation, rather than total abandonment, is the way forward. [![](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/cyberpedia/what-is-the-purdue-model-for-ics-security/FW-2024-CTAs_Review.png)](https://www.paloaltonetworks.com/resources/guides/asset-visibility-and-security-for-industrial-control-systems) ## Purdue Model for ICS Security FAQs #### What is the Purdue Model of ICS security? The Purdue Model of ICS security organizes industrial control systems into hierarchical layers, separating operational technology (OT) from information technology (IT). It defines communication boundaries to protect critical processes and maintain security. #### What is the Purdue Model of ISO? The Purdue Model isn't specifically referenced in ISO standards, but it aligns with industrial cybersecurity frameworks that influence ISO's guidance on segmenting and securing industrial environments. #### What is the Purdue Model in IEC 62443? IEC 62443 incorporates concepts from the Purdue Model to define cybersecurity requirements and best practices for industrial control systems (ICS), emphasizing network segmentation and layered defenses. #### What is the difference between the OSI model and the Purdue Model? The OSI model defines network communication layers for data transmission. The Purdue Model focuses on segmenting industrial control systems and business networks to enhance security and operational control. #### What is the Purdue Model standard? The Purdue Model serves as a reference framework for industrial control system security, often integrated into standards like NIST 800-82 and API 1164 to guide segmentation and security. #### Why use the Purdue Model? The Purdue Model provides a structured approach to isolating industrial and business systems, protecting critical operations from cyber threats and maintaining control over IT/OT environments. Recommended for you [Podcast: The Air Gap Is Dead. It's Time for Industrial Organizations to Embrace the ... Debunk the misconception that critical infrastructure organizations still have an air gap.](https://www.paloaltonetworks.com/cybersecurity-perspectives/the-air-gap-is-dead) [CXO perspectives: Securing Critical Infrastructure with Zero Trust Find out about the importance of Zero Trust in critical infrastructure.](https://www.paloaltonetworks.com/cybersecurity-perspectives/zero-trust-for-critical-infrastructure) [White paper: Secure OT-IT Convergence to Keep the Production Lines Working See how to implement the principles of Zero Trust for a resilient OT security framework.](https://www.paloaltonetworks.com/resources/whitepapers/ot-security-insights-secure-ot-it-convergence-to-keep-the-production-lines-working) [eBook: Zero Trust Security to Protect All OT Environments Learn how to gain all of the benefits of Zero Trust for industrial networks.](https://www.paloaltonetworks.com/resources/ebooks/zero-trust-security-to-protect-all-ot-environments) ![Share page on facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/facebook-circular-icon.svg) ![Share page on linkedin](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/linkedin-circular-icon.svg) [![Share page by an email](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/resources/email-circular-icon.svg)](mailto:?subject=What%20Is%20the%20Purdue%20Model%20for%20ICS%20Security%3F%20%7C%20A%20Guide%20to%20PERA&body=The%20Purdue%20Model%20for%20ICS%20Security%20is%20a%20framework%20that%20organizes%20industrial%20control%20systems%20into%20distinct%20layers%2C%20separating%20OT%20from%20IT.%20at%20https%3A//www.paloaltonetworks.com/cyberpedia/what-is-the-purdue-model-for-ics-security) Back to Top {#footer} ## Products and Services * [AI-Powered Network Security Platform](https://www.paloaltonetworks.com/network-security?ts=markdown) * [Secure AI by Design](https://www.paloaltonetworks.com/precision-ai-security/secure-ai-by-design?ts=markdown) * [Prisma AIRS](https://www.paloaltonetworks.com/prisma/prisma-ai-runtime-security?ts=markdown) * [AI Access Security](https://www.paloaltonetworks.com/sase/ai-access-security?ts=markdown) * [Cloud Delivered Security Services](https://www.paloaltonetworks.com/network-security/security-subscriptions?ts=markdown) * [Advanced Threat Prevention](https://www.paloaltonetworks.com/network-security/advanced-threat-prevention?ts=markdown) * [Advanced URL Filtering](https://www.paloaltonetworks.com/network-security/advanced-url-filtering?ts=markdown) * [Advanced WildFire](https://www.paloaltonetworks.com/network-security/advanced-wildfire?ts=markdown) * [Advanced DNS Security](https://www.paloaltonetworks.com/network-security/advanced-dns-security?ts=markdown) * [Enterprise Data Loss Prevention](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Enterprise IoT Security](https://www.paloaltonetworks.com/network-security/enterprise-device-security?ts=markdown) * [Medical IoT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [Industrial OT Security](https://www.paloaltonetworks.com/network-security/medical-device-security?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [Next-Generation Firewalls](https://www.paloaltonetworks.com/network-security/next-generation-firewall?ts=markdown) * [Hardware Firewalls](https://www.paloaltonetworks.com/network-security/hardware-firewall-innovations?ts=markdown) * [Software Firewalls](https://www.paloaltonetworks.com/network-security/software-firewalls?ts=markdown) * [Strata Cloud Manager](https://www.paloaltonetworks.com/network-security/strata-cloud-manager?ts=markdown) * [SD-WAN for NGFW](https://www.paloaltonetworks.com/network-security/sd-wan-subscription?ts=markdown) * [PAN-OS](https://www.paloaltonetworks.com/network-security/pan-os?ts=markdown) * [Panorama](https://www.paloaltonetworks.com/network-security/panorama?ts=markdown) * [Secure Access Service Edge](https://www.paloaltonetworks.com/sase?ts=markdown) * [Prisma SASE](https://www.paloaltonetworks.com/sase?ts=markdown) * [Application Acceleration](https://www.paloaltonetworks.com/sase/app-acceleration?ts=markdown) * [Autonomous Digital Experience Management](https://www.paloaltonetworks.com/sase/adem?ts=markdown) * [Enterprise DLP](https://www.paloaltonetworks.com/sase/enterprise-data-loss-prevention?ts=markdown) * [Prisma Access](https://www.paloaltonetworks.com/sase/access?ts=markdown) * [Prisma Browser](https://www.paloaltonetworks.com/sase/prisma-browser?ts=markdown) * [Prisma SD-WAN](https://www.paloaltonetworks.com/sase/sd-wan?ts=markdown) * [Remote Browser Isolation](https://www.paloaltonetworks.com/sase/remote-browser-isolation?ts=markdown) * [SaaS Security](https://www.paloaltonetworks.com/sase/saas-security?ts=markdown) * [AI-Driven Security Operations Platform](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cloud Security](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Cortex Cloud](https://www.paloaltonetworks.com/cortex/cloud?ts=markdown) * [Application Security](https://www.paloaltonetworks.com/cortex/cloud/application-security?ts=markdown) * [Cloud Posture Security](https://www.paloaltonetworks.com/cortex/cloud/cloud-posture-security?ts=markdown) * [Cloud Runtime Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * [Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language