When most organizations talk about the Purdue Model—a foundational framework that segments industrial control systems into distinct layers for improved security and operational clarity—the conversation often stops at security.
As industrial environments rapidly adopt edge computing—deploying compute, storage, and analytics closer to where data is generated—the boundaries between traditional Purdue Model levels are becoming more dynamic. Edge devices now frequently sit at Levels 1, 2, and 3, enabling real-time decision-making, local data processing, and more flexible architectures. This evolution makes it critical to revisit how the Purdue Model’s segmentation, security, and management principles are applied at the edge, where new risks and opportunities emerge.
But what if that’s only half the story?
At ZEDEDA, we believe the Purdue Model is more than a checklist for cybersecurity—it’s a blueprint for operational excellence, flexibility, and future-proofing your industrial edge. Not only do we deliver industry-leading security at every level, but we also empower you to consolidate workloads, manage and orchestrate applications seamlessly, and modernize legacy systems—all while keeping everything isolated and protected.
Here’s how ZEDEDA’s edge orchestration and management platform unlocks the full potential of the Purdue Model, from the physical process to the cloud—and why that matters for your business:
Level 0: Physical Process
This level represents the physical process itself, including sensors, actuators and other field devices that directly interact with the physical environment.
ZEDEDA does not directly interact with the physical process itself. However, ZEDEDA’s EVE-OS, an open source, lightweight edge virtualization layer, provides secure infrastructure for running applications that can perform security and data transfer functions, offering application isolation, management, and zero-trust deployment (ZTD). This ensures that any software operating near the physical layer is protected and managed securely, even if ZEDEDA is not directly controlling the process. Significantly, Level 0 environments often require an airgap for security, and ZEDEDA uniquely addresses this critical need through capabilities like ZEDEDA Edge Sync—a key differentiator enabling robust management and updates even in isolated conditions.
Level 1: Intelligent Devices
Intelligent devices such as PLCs, sensors and actuators that monitor and manipulate the physical process operate at this level.
ZEDEDA manages edge nodes that collect and process data from intelligent devices like PLCs, sensors, and actuators. Edge Sync, as mentioned in Level 0, enables full management and orchestration even in air-gapped environments (no internet required). For example, ZEDEDA can run controller software for devices in isolated environments like an offshore oil platform, using either a dedicated local server or a ruggedized laptop for updates and management. This flexibility is critical for industrial sites where connectivity is intermittent or deliberately restricted for security reasons.
Level 2: Control Systems
Control systems like SCADA and HMIs that supervise and coordinate the activities of Level 1 devices are found here.
ZEDEDA enables edge nodes at the control level to securely host a mix of industrial applications, including PLC function software, IoT gateways, and legacy systems, such as Windows XP-based controllers. By virtualizing hardware, ZEDEDA supports the simultaneous execution of containerized, modern workloads and older applications within isolated, secure environments. This enables organizations to modernize at their own pace, supporting both legacy and new systems side by side, while maintaining strong separation and security.
Level 3: Site Operations
Site-wide operations including production scheduling, data aggregation and local analytics are managed at this level.
ZEDEDA excels at Level 3, enabling deployment of applications for data aggregation, monitoring, and local analysis directly at the edge. The edge orchestration platform supports workload consolidation—multiple applications can run on a single device, with full isolation and security. Airgap support is available but not strictly required, providing operational flexibility. ZEDEDA’s orchestration and lifecycle management features allow for seamless updates and management, even in distributed or disconnected environments.
Level 3.5: DMZ
The Demilitarized Zone (DMZ) acts as a buffer between operational technology and information technology networks, ensuring secure communication and data flow.
At Level 3.5 (DMZ), ZEDEDA can run on edge devices in the DMZ, providing a secure and isolated environment for hosting critical applications such as data brokers, proxy servers, and historians. This supports IT/OT convergence without compromising security, enabling organizations to bridge data flows between operational and enterprise networks safely.
Level 4: Enterprise Integration
Enterprise IT systems such as Manufacturing Execution Systems (MES), Enterprise Resource Planning (ERP) and business logistics platforms that integrate industrial data with broader business processes reside here.
While it is uncommon to run enterprise workloads, such as MES, ERP, or other business logistics applications, directly at the edge, ZEDEDA supports this consolidation if required. Processed data from Level 3 and below can be securely forwarded to Level 4 systems, always ensuring application isolation and security. This flexibility allows organizations to choose where processing occurs, with assurance that edge devices remain secure and manageable.
Level 5: Cloud and External Access
This level covers external vendor support and cloud access, enabling secure communication between edge devices and cloud or external systems.
When internet connectivity is available, ZEDEDA secures communication from edge devices to the cloud or external vendors by encrypting all data in transit and requiring mutual authentication between devices and the cloud. If further network control is required, firewall and SD-WAN solutions from any vendor can be installed as containers or OS images. The platform’s cloud controller and secure data forwarding ensure organizations retain full control over data flows and access permissions.
Our Expanded Approach: Consolidation, Management, and Orchestration
While security is a core focus, ZEDEDA offers significant operational benefits:
- Consolidation: Multiple applications—gateways, analytics, even select enterprise workloads—can be consolidated onto a single edge device, reducing hardware sprawl and simplifying management.
- Lifecycle Management: ZEDEDA provides robust tools for application deployment, updates, and orchestration, supporting both connected and air-gapped environments.
- Application Isolation: Each workload runs in a fully isolated environment, preventing lateral movement and ensuring a compromise in one application does not affect others.
- Zero Trust Security: ZEDEDA enforces per-application firewall rules, default-deny networking, and network segmentation, aligning with zero-trust principles to minimize attack surfaces and ensure compliance.
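As an added illustration (not ZEDEDA's EVE-OS policy format or any code from the project), the following Python models the segmentation principles described above and in the DMZ section: every application starts with no network access, flows are permitted only by explicit per-application allow rules, and any flow crossing the OT/IT boundary must pass through the Level 3.5 DMZ. The application names, levels and ports are constructed sample values.

```python
from dataclasses import dataclass
DMZ_LEVEL = 3.5  # Level 3.5 separates OT (Levels 0-3) from IT (Levels 4-5)

@dataclass(frozen=True)
class App:
    name: str
    level: float  # Purdue level the workload is deployed at

@dataclass(frozen=True)
class Rule:
    src: str   # source application
    dst: str   # destination application
    port: int  # destination TCP port

def bypasses_dmz(src: App, dst: App) -> bool:
    """True if a flow crosses the OT/IT boundary without touching the DMZ."""
    crosses = (src.level < DMZ_LEVEL) != (dst.level < DMZ_LEVEL)
    return crosses and DMZ_LEVEL not in (src.level, dst.level)

class FlowPolicy:
    """Default-deny, per-application allow-list with a DMZ constraint."""
    def __init__(self, apps, rules):
        self.apps = {a.name: a for a in apps}
        self.rules = set(rules)

    def evaluate(self, src: str, dst: str, port: int):
        """Return (allowed, reason); anything not explicitly allowed is denied."""
        if src not in self.apps or dst not in self.apps:
            return False, "unknown application"
        if Rule(src, dst, port) not in self.rules:
            return False, "no allow rule (default deny)"
        if bypasses_dmz(self.apps[src], self.apps[dst]):
            return False, "OT/IT flow must traverse the Level 3.5 DMZ"
        return True, "explicitly allowed"

    def audit(self):
        """Allow rules that would bypass the DMZ, to catch before deployment."""
        return [r for r in self.rules
                if bypasses_dmz(self.apps[r.src], self.apps[r.dst])]

# Constructed sample inventory and allow-list; not taken from any real site.
SAMPLE_APPS = [App("plc_runtime", 1), App("scada", 2), App("edge_historian", 3),
               App("dmz_broker", DMZ_LEVEL), App("mes", 4)]
SAMPLE_RULES = [
    Rule("scada", "plc_runtime", 502),           # Modbus/TCP supervisory control
    Rule("edge_historian", "dmz_broker", 8883),  # MQTT over TLS into the DMZ
    Rule("dmz_broker", "mes", 443),              # broker relays to enterprise MES
    Rule("edge_historian", "mes", 443),          # misconfigured: skips the DMZ
]
POLICY = FlowPolicy(SAMPLE_APPS, SAMPLE_RULES)
```

Running `POLICY.audit()` before pushing a policy surfaces the misconfigured direct Level 3 to Level 4 rule, while the reverse direction of any flow stays denied unless it has its own rule.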
ZEDEDA is well-positioned to support the Purdue Model, delivering not just layered security but also the management, orchestration, and consolidation capabilities that modern industrial environments demand. Whether modernizing legacy systems, deploying new edge workloads, or bridging OT and IT, ZEDEDA provides the secure, flexible foundation to make it happen—at every level of the Purdue Model.
Ready to learn more? Check out this whitepaper to discover how ZEDEDA’s solution is architected for security from the ground up.