It can be a complex issue to discuss security problems and security solutions for industrial information and control systems based on a model. If the model has a high level of abstraction, it will be difficult to concretize related problems and solutions. At the same time, it may be inappropriate to model existing systems in too high a degree of detail since these types of systems often differ between installations, which means that the model will then not be sufficiently generalizable. In addition, a detailed model risks containing sensitive information that can be used by third parties. To solve this problem, a model that is sufficiently detailed to enable discussions about security problems and security solutions is required. At the same time, the model needs to be at a sufficiently general level to be able to describe industrial information and control systems for a large number of different industries that use these types of systems. This report describes a theoretical reference environment in the form of a model with the goal that it can be used publicly to discuss threats, vulnerabilities and security measures for industrial information and control systems. The purpose of the report is to increase the understanding of these systems and to simplify the dissemination of knowledge in the area without compromising information security for a specific installation. In addition to the model, the report also describes different types of industrial information and control systems, processes and applications as well as exposure areas and examples of previous attacks. The model is also demonstrated in the form of two case examples with the purpose of providing the reader with an understanding of how the model can be used in practice.