OT Network Security for the Purdue Model and IEC 62443 Zone Architecture.
The Purdue Reference Model describes how almost every industrial OT network is laid out. IEC 62443 defines the security zones and conduits that should protect it. Access Gate implements both across multi-site OT estates, with no agents on OT equipment, no VLAN redesign, and no production downtime.
The Purdue Reference Model and the OT security problem.
The Purdue Reference Model organises an industrial network into levels. Level 0 is the physical process: the sensors and actuators on the line. Level 1 is basic control, the PLCs and RTUs that drive that process. Level 2 is supervisory control, the SCADA servers and HMIs. Level 3 is site operations, where the historian and MES live. Levels 4 and 5 are the enterprise: ERP, email, and the rest of corporate IT.
The IT/OT boundary sits at Level 3, and it is the junction attackers aim for. Most industrial intrusions do not start on a PLC. They start on a compromised Level 4 workstation, or a Level 3 historian exposed to the enterprise, and work down into the control network. On a flat network that collapses these levels, a single phished laptop has a direct path to the safety controllers and field devices.
For large industrial groups running heterogeneous OT across many sites, that Level 3/4 junction is the primary risk surface. The fix is not another firewall. It is control over which zones can talk to which, with an identity behind every session.
IEC 62443 Zones and Conduits.
IEC 62443 turns the Purdue model into an enforceable standard. A zone is a grouping of assets that share the same security requirements and a common Security Level. The standard defines four, from SL1 (protection against casual or coincidental violation) to SL4 (protection against a state-level actor with extended resources). A conduit is the controlled communication path between two zones. It sets, and enforces, exactly which traffic may cross a boundary and under what conditions.
Without conduits, a zone diagram is just a drawing. Naming the zones is the easy part. The hard part is implementing the conduits on a network that is already running, which traditionally means a VLAN redesign: re-addressing equipment, reconfiguring switches, and taking production down for the cutover. For most operators, that downtime is the blocker that keeps a flat network flat for another year.
Zone architecture without a network redesign.
Adjacent deployment, zero disruption.
Access Gate deploys alongside the existing network at the Level 3 / DMZ boundary and creates a Zero Trust overlay across the Purdue zones. No VLAN changes. No agents on PLCs or OT endpoints. No production downtime. Visibility and identity-based access control are immediate. The overlay is live in hours.
Zero Trust consolidation.
The overlay becomes the new Zero Trust fabric. Migration runs at about 10 systems per hour through the Access Gate proxy, so a 100-system site is done in a single day. IT admins and OT operators manage policy through role-based access in a shared UI, and Access Gate becomes the OT firewall, with a Zero Trust network underneath. Days, not the months a traditional consolidation project takes.
NIS2 Article 21 and IEC 62443 compliance.
The two-phase model maps directly onto NIS2 Article 21. The overlay delivers network segmentation (zones and conduits without rewiring), access control (identity-based, MFA enforced at the proxy, least privilege per asset and protocol), and logging (every cross-zone session recorded with user, timestamp, and protocol, in a tamper-evident audit trail).
IEC 62443 zone-and-conduit architecture is the recognised technical implementation standard for those obligations. Building to it is how an OT operator demonstrates Article 21 segmentation to an auditor. And Access Gate produces that evidence continuously, instead of reconstructing it the week before an inspection.
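The zone-and-conduit model described above, together with the per-session identity, MFA and tamper-evident logging listed under Article 21, reduced to working code as an added example: this is constructed for illustration, not Access Gate's own code or policy format. It uses a default-deny conduit table keyed by zone pair (zone names, protocols and user identifiers are constructed), evaluates one cross-zone session at a time, and writes every decision into a hash-chained audit trail whose integrity can be re-verified later.

```python
import hashlib
import json

GENESIS = "0" * 64
# Constructed conduit table for this example (not Access Gate's own policy format).
# Key: (source zone, destination zone); value: protocol allowlist. Conduits are the only
# permitted cross-zone paths, so an unlisted pair (enterprise straight to control) is denied.
CONDUITS = {
    ("enterprise", "site-ops"): {"https", "opc-ua"},  # Level 4 -> Level 3 historian/MES
    ("site-ops", "control"): {"modbus-tcp"},          # Level 3 -> Level 1 PLCs
}

def _digest(entry):
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    """Hash-chained session log: each entry commits to the hash of the one before it."""
    def __init__(self):
        self.entries, self.last_hash = [], GENESIS
    def record(self, entry):
        entry["prev"] = self.last_hash
        entry["hash"] = _digest(entry)
        self.last_hash = entry["hash"]
        self.entries.append(entry)
        return entry

def evaluate(user, src, dst, protocol, mfa_ok, ts, trail):
    """Decide one cross-zone session; MFA is required on every conduit. Every decision is logged."""
    allowed = CONDUITS.get((src, dst))
    if allowed is None:
        decision = "deny: no conduit"
    elif protocol not in allowed:
        decision = "deny: protocol not on conduit"
    elif not mfa_ok:
        decision = "deny: mfa required"
    else:
        decision = "allow"
    trail.record({"ts": ts, "user": user, "src": src, "dst": dst,
                  "protocol": protocol, "decision": decision})
    return decision == "allow"

def verify_trail(trail):
    """Recompute the chain; False if any entry was altered, reordered or removed."""
    prev = GENESIS
    for e in trail.entries:
        if e["prev"] != prev or _digest(e) != e["hash"]:
            return False
        prev = e["hash"]
    return prev == trail.last_hash
```

Denied sessions are recorded with the same user, timestamp and protocol fields as allowed ones, which is what makes the trail usable as segmentation evidence rather than just a connection log.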
Deployment scenarios.
Multi-site industrial group
A large group with heterogeneous OT (Siemens at one plant, Rockwell at the next, Schneider at a third) cannot standardise on any one vendor's tooling. The overlay is vendor-agnostic: it enforces zones and conduits at the network layer above whatever PLCs and protocols each site runs, and centralises policy across all of them.
Single-site manufacturer under NIS2
An Important Entity under NIS2 needs to demonstrate Article 21 segmentation and access control without a capital project. Phase 1 brings the site into scope in hours; Phase 2 consolidates to a full Zero Trust fabric over the following days, with audit evidence generated from the first session.
Utility with legacy SCADA
A utility operator running legacy SCADA at Levels 1-2 cannot put agents on RTUs or accept active scanning near safety systems. The adjacent overlay observes passively and brokers access without touching the field devices, then becomes the enforcement point as the estate migrates behind it.
OT network security, answered.
Purdue, IEC 62443 zones, multi-site policy, and the two-phase Access Gate deployment
The Purdue Reference Model (part of ISA-95) is the standard architecture for industrial control systems. It defines six logical levels, from Level 0 (the physical process: sensors and actuators) up through Level 1 (basic control: PLCs and RTUs), Level 2 (supervisory control: SCADA and HMIs), Level 3 (site operations and MES), to Levels 4 and 5 (enterprise IT). In OT security the model matters because it locates the IT/OT boundary at Level 3 and defines which systems should never talk directly to which. That is the basis for segmentation.
IEC 62443 formalises Purdue-style segmentation into two constructs. A zone is a grouping of assets that share the same security requirements and a common Security Level (SL1 to SL4). A conduit is the controlled communication path between zones. It sets and enforces exactly which traffic may cross a zone boundary, and under what conditions. Without conduits, a zone diagram is theoretical: any device can still reach any other.
Access Gate deploys in two phases. In Phase 1 it sits adjacent to the existing network at the Level 3 / DMZ boundary and creates a Zero Trust overlay across the Purdue zones. No VLAN reconfiguration, no agents on PLCs or OT endpoints, no production downtime. Visibility and identity-based access control are immediate. In Phase 2 that overlay becomes the new Zero Trust fabric as systems migrate behind the gate, with no forklift replacement of switches.
Phase 1, the adjacent overlay, is live in hours, not months. Phase 2 migration runs at about 10 systems per hour through the Access Gate proxy, so a 100-system OT environment is done in roughly a single working day. Compare that with the months a traditional VLAN redesign and consolidation project takes, most of which is change-control and validation, not the cutover itself.
NIS2 Article 21 does not name IEC 62443 explicitly, but its technical measures (network segmentation, access control, logging) map directly onto the zone-and-conduit model. National guidance for OT operators, including ANSSI guidance in France, treats IEC 62443 as the recognised technical implementation standard for those obligations, so building to IEC 62443 zones is the practical route to demonstrating Article 21 segmentation.
Access Gate provides central policy management across every site from a single role-based UI. Each site deploys independently in Phase 1, with no cross-site interdependency and no big-bang cutover. From day one of Phase 2, the sites roll up into one unified Zero Trust fabric. IT admins set enterprise-wide policy while OT operators keep site-level control, so a 50-site group runs a consistent IEC 62443 zone posture without sending a network team to every plant.