Purdue Level Mapper (CISA CPG 2.2)
Overview
IT/OT network segmentation aligned to CISA CPG 2.2 and the Purdue Model. Map assets to Levels 0–5, draft security requirements per transition, and validate that there is no direct Business-to-PLC path without a DMZ. The skill helps critical infrastructure operators (water, energy, healthcare) show how segmentation is actually implemented, not just that a policy exists: the specific boundaries, conduits, and firewall rules tailored to the site are documented as evidence.
Example Conversation
You: We need an IT/OT Network Segmentation Strategy for our water treatment site (CISA CPG 2.2). I have a list of our main systems—PLCs, HMIs, SCADA, MES, and ERP. Can you map them to Purdue levels and give us the security requirements for each boundary?
Agent: I’ll run `purdue_level_mapper` on your asset list to assign each system to Levels 0–5 and output the transition requirements. Then I’ll copy the strategy template and fill the zone boundaries and conduits.
Agent: Running `purdue_level_mapper` on `plant-assets.md`…
Agent: Mapping done: PLCs and RTUs → Level 1, HMIs and SCADA → Level 2, MES and data historian → Level 3, ERP and email → Level 4. I’ve created `segmentation-strategy.md` from the template with the level table and security requirements for each transition. The key rule for CPG 2.2 is L3↔iDMZ↔L4—all business-to-OT traffic must go through the Industrial DMZ. Running `lateral_movement_blocker` on the draft…
Agent: Lateral movement check: PASS. No direct Business-to-PLC path in the narrative. The strategy explicitly states that IT–OT exchange goes through the iDMZ (jump host). You can use this as CPG 2.2 evidence; re-run `lateral_movement_blocker` after any edit to the narrative.
What the Tools Do
`purdue_level_mapper` categorizes assets and outputs transition requirements:
- Input: Path to a Markdown or text file with an asset list (one asset per line or bullet). Keywords (PLC, RTU, HMI, SCADA, MES, ERP, etc.) are matched to Purdue Levels 0–5.
- Output: An asset→level table and the security requirements for each transition (L0→L1 … L4→L5 and L3↔iDMZ↔L4) aligned to CPG 2.2. Use this to scope firewall rules and conduits when drafting the strategy.
`lateral_movement_blocker` validates the segmentation narrative:
- Input: Path to the segmentation strategy or configuration narrative (Markdown or text).
- Checks: Scans for phrases that imply direct Business (Level 4/5) to PLC/Level 0–1 communication without a DMZ or conduit. Flags violations (e.g. “ERP to PLC”, “direct L4 to OT control”) and confirms when the document states that all IT–OT traffic passes through an intermediary (iDMZ, jump host, data diode).
- Output: PASS or FAIL plus a short report. On FAIL, lists each violation with guidance (e.g. “Document the DMZ or conduit between IT and OT; name the intermediary and allowed data flows”).
- Use after drafting or editing the strategy so CPG 2.2 evidence stays consistent.
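As an added illustration of how the two tools described above can work (example code written for this page, not the skill's own implementation), the following Python sketch pairs a keyword-based Purdue level mapper with a sentence-level check for direct business-to-control statements. The L0/L5 keywords, the regex patterns, the PASS/FAIL rule (no violations and a named intermediary) and the sample asset list and narratives are all assumptions constructed here.

```python
import re

# Keyword -> Purdue level. L1-L4 follow the mapping given in the skill description;
# the L0 and L5 keywords are assumptions added here for completeness.
LEVEL_KEYWORDS = {
    0: ("sensor", "actuator", "valve"),
    1: ("plc", "rtu", "safety controller"),
    2: ("hmi", "scada", "engineering workstation"),
    3: ("mes", "historian", "patch server"),
    4: ("erp", "email", "file server"),
    5: ("cloud", "internet", "vendor portal"),
}
BUSINESS = r"\b(erp|email|corporate network|enterprise|business|l[45]|level [45])\b"
CONTROL = r"\b(plc|plcs|rtu|hmi|hmis|ot control|l[012]|level [012])\b"
# "<business tier> ... to ... <control asset>" stated inside one sentence
DIRECT_LINK = re.compile(BUSINESS + r"[^.]{0,60}?(\bto\b|->|→)[^.]{0,40}?" + CONTROL)
INTERMEDIARY = re.compile(r"\b(idmz|dmz|jump host|bastion|data diode|conduit)\b")
NEGATION = re.compile(r"\b(no direct|never|must not|not allowed|prohibited)\b")

def map_assets(asset_text):
    """Assign each non-empty line/bullet of an asset list to a Purdue level (None = no keyword hit)."""
    levels = {}
    for raw in asset_text.splitlines():
        asset = raw.strip().lstrip("-*").strip()
        if not asset:
            continue
        low = asset.lower()
        levels[asset] = next((lvl for lvl, words in LEVEL_KEYWORDS.items()
                              if any(re.search(r"\b%s\b" % re.escape(w), low) for w in words)), None)
    return levels

def check_narrative(narrative):
    """Heuristic check: a sentence fails if it links a business tier to control assets
    without naming an intermediary and without an explicit prohibition ("no direct ...")."""
    violations = []
    for sentence in re.split(r"(?<=[.!?])\s+|\n+", narrative):
        low = sentence.lower()
        if DIRECT_LINK.search(low) and not INTERMEDIARY.search(low) and not NEGATION.search(low):
            violations.append(sentence.strip())
    documented = bool(INTERMEDIARY.search(narrative.lower()))  # CPG 2.2 evidence needs a named intermediary
    status = "PASS" if documented and not violations else "FAIL"
    guidance = [] if status == "PASS" else ["Document the DMZ or conduit between IT and OT; name the intermediary and allowed data flows."]
    return {"status": status, "violations": violations, "intermediary_documented": documented, "guidance": guidance}

# Constructed sample inputs (not from any real site).
SAMPLE_ASSETS = "- Filtration PLC\n- SCADA server\n- Data historian\n- ERP (finance)"
BAD_NARRATIVE = "The ERP system writes setpoints directly to the PLCs for scheduling."
GOOD_NARRATIVE = ("All business access to OT traverses the iDMZ via a jump host. "
                  "No direct path from ERP or corporate network to PLCs or HMIs.")
```

The keyword and phrase lists are deliberately small; a site would extend them with its own asset naming and the wording its narrative template uses.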
Output Excerpt
Excerpt from a generated IT/OT Network Segmentation Strategy (zone boundaries and validation note):
## 2. Zone boundaries and conduits
### 2.4 Level 3 ↔ Industrial DMZ (iDMZ) ↔ Level 4
- **iDMZ components:** Jump host (bastion) for operator and engineering access; data diode for L3→L4 reporting only.
- **Allowed traffic (L3→iDMZ):** Aggregated alarms and production metrics; recipe and batch data for reporting.
- **Allowed traffic (iDMZ→L4):** Reporting and dashboards; patch management and updates via jump host only. No direct L4/L5 to L0/L1/L2.
- **Rule:** All business/enterprise access to OT traverses the iDMZ. No direct path from ERP or corporate network to PLCs or HMIs.
## 3. Validation
Run `lateral_movement_blocker` on this document to confirm no direct Business-to-PLC (or L0/L1) communication without an iDMZ intermediary.
- The mapper output drives the level table and transition text; the template provides the structure. After any change to zones or conduits, re-run `lateral_movement_blocker` so the narrative remains valid for CPG 2.2.
Getting Started
Add your asset list (and any existing segmentation notes) to the project workspace, then activate the Purdue Level Mapper (CISA CPG 2.2) skill. The agent will map assets to Purdue levels, draft the strategy from the template, and run the lateral-movement check so the document is ready for CPG 2.2 evidence.