Deploying network probes within Operational Technology (OT) environments

The Purdue model is a reference architecture for industrial networks, typically used in Operational Technology (OT) environments. Network probes are primarily used to monitor network traffic in areas where the SenseOn endpoint cannot feasibly be deployed for technical or administrative reasons. This guide explains when and where to place network probes to protect OT environments.

The Purdue Model Overview

The Purdue model is a hierarchical representation of network architecture splitting the IT and OT zones into different levels.

  1. Level 5 - Enterprise Zone: Wider Corporate IT systems.
  2. Level 4 - OT Business Planning and Logistics: Enterprise systems used in the management of OT environments.
  3. Level 3 - Manufacturing Operations: Systems used to manage the manufacturing process within a single site or process.
  4. Level 2 - Control Systems: Process control systems for real-time management.
  5. Level 1 - Basic Control: Direct manipulation of the physical process in logic systems.
  6. Level 0 - Physical Process: Sensors and actuators directly interfacing with machinery.

Purdue Model Diagram

When to Deploy a Network Probe

Network probes should be deployed to monitor network traffic in areas where the SenseOn endpoint cannot be deployed, such as:

  • Where the endpoint software can't be deployed for technical reasons, such as legacy systems or devices with low compute resources.
  • Where the endpoint software can't be deployed for administrative reasons, such as certification requirements or where systems are controlled by a third party.

Where to Place Network Probes

Using the Purdue model as a guide, probes should be strategically deployed to capture network telemetry at key points. Below are some specific recommendations for each level:

Level 4 - Site Business Planning and Logistics

  • Purpose: We recommend deploying the endpoint sensor on all traditional IT systems. Network probes can be used to monitor communications between plant business systems and enterprise IT.
  • Network probe placement:
    • Between Level 4 and Level 5 (Enterprise Zone).
    • Capture mirrored traffic at SPAN or TAP locations on firewalls, switches, or routers separating these zones.

Level 3 - Operations

  • Purpose: We recommend deploying the endpoint sensor to systems in this domain that support it. Network probes can be used to provide visibility into communication flows covering the operations of a manufacturing process and to detect potential attackers attempting to pivot from IT environments to OT.
  • Network probe placement:
    • Capture mirrored traffic at SPAN or TAP locations on firewalls, switches, or routers in these zones.

Level 2 - Area Supervisory Control

  • Purpose: It may be possible to deploy the endpoint sensor to HMI (Human Machine Interface) or EWS (Engineering Work Station) systems. Network probes can be used to extend coverage and are commonly deployed at this level to monitor PLC (Programmable Logic Controller) and supervisory control communications on industrial switches.
  • Network probe placement:
    • Capture traffic from switches connected to HMIs and PLCs.
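
The placement rules above can be checked against an asset inventory. The following is an added example, not SenseOn code: it derives the SPAN/TAP points a probe should watch and lists assets that have neither an endpoint nor a mirrored switch. The inventory, hostnames, switch names and field names are constructed for illustration.

```python
from collections import namedtuple

# Constructed sample inventory; every name and field here is hypothetical.
Asset = namedtuple("Asset", "name level kind switch endpoint_ok")
ASSETS = [
    Asset("erp-01",     4, "server",    "sw-l4-a", True),
    Asset("hist-01",    3, "historian", "sw-l3-a", True),
    Asset("mes-legacy", 3, "server",    "sw-l3-b", False),  # legacy system
    Asset("hmi-01",     2, "hmi",       "sw-l2-a", True),
    Asset("plc-01",     1, "plc",       "sw-l2-a", False),  # low compute resources
    Asset("ews-01",     2, "ews",       "sw-l2-b", True),
    Asset("plc-07",     1, "plc",       "sw-l2-c", False),  # controlled by a third party
]
# Devices separating Level 4 from Level 5 (assumed known from network diagrams).
L4_L5_DEVICES = ["fw-it-ot"]


def plan_probes(assets, l4_l5_devices):
    """Return {device: [reasons]} for each SPAN/TAP point a probe should watch."""
    plan = {}
    # Level 4 rule: mirror traffic at the devices separating Level 4 and Level 5.
    for dev in l4_l5_devices:
        plan.setdefault(dev, set()).add("L4/L5 boundary")
    for a in assets:
        # "When to deploy": the endpoint cannot be installed on this asset.
        if not a.endpoint_ok:
            plan.setdefault(a.switch, set()).add(f"no endpoint on {a.name}")
        # Level 2 rule: capture from switches connected to HMIs and PLCs.
        if a.kind in ("hmi", "plc"):
            plan.setdefault(a.switch, set()).add("HMI/PLC switch")
    return {dev: sorted(reasons) for dev, reasons in sorted(plan.items())}


def blind_spots(assets, mirrored):
    """Assets with no endpoint whose switch is not mirrored to a probe."""
    return [a.name for a in assets
            if not a.endpoint_ok and a.switch not in mirrored]


if __name__ == "__main__":
    for dev, reasons in plan_probes(ASSETS, L4_L5_DEVICES).items():
        print(f"{dev}: {', '.join(reasons)}")
    # Audit an existing deployment where only one switch is mirrored.
    print("blind spots:", blind_spots(ASSETS, {"sw-l2-a"}))
```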

Additional details

For more details on network probes and their installation, refer to Network Probe Installation.