According to the Purdue model and best practices outlined in GICSP, Level 4 corresponds to the enterprise or business network, often containing management and security monitoring infrastructure such as Security Information and Event Management (SIEM) systems.
Placing the SIEM on a management subnet in Level 4 (B) keeps monitoring tools separated from the operational control network (Level 3), reducing the risk that a compromised Level 3 device could affect the security infrastructure itself. It also allows the SIEM to collect logs from multiple network segments securely and apply enterprise-wide analysis.
This segregation supports defense-in-depth and aligns with GICSP’s emphasis on secure network segmentation and monitoring.
Reference: GICSP Official Study Guide, Domain: ICS Security Architecture & Design; NIST SP 800-82 Rev 2, Section 5.5 (Network Architecture); GICSP Training Materials on Network Segmentation and SIEM Deployment