# Purdue Level Mapper (CISA CPG 2.2)

> IT/OT network segmentation aligned to CISA CPG 2.2 and the Purdue Model. Map assets to Levels 0–5, draft security requirements per transition, and validate no direct Business-to-PLC without DMZ.
Tags: CISA, CPG, Critical Infrastructure, OT, Purdue Model, Network Segmentation
## Example Prompts

- Draft an IT/OT Network Segmentation Strategy for our water utility
- Map our plant assets to Purdue levels and get security requirements for each boundary
- Check our segmentation narrative for direct Business-to-PLC paths (CPG 2.2)
- Document firewall rules and conduits between our business network and production (Purdue Model)

URL: https://rakenne.app/skills/purdue-level-mapper/index.md

Try this skill: https://rakenne.app/a/?skill=purdue-level-mapper
## Overview

IT/OT network segmentation aligned to CISA CPG 2.2 and the Purdue Model. Map assets to Levels 0–5, draft security requirements per transition, and validate no direct Business-to-PLC without DMZ. The skill helps critical infrastructure (water, energy, healthcare) prove implementation logic—not just having a policy, but documenting the specific boundaries, conduits, and firewall rules tailored to the site.

## Example Conversation

> **You:** We need an IT/OT Network Segmentation Strategy for our water treatment site (CISA CPG 2.2). I have a list of our main systems—PLCs, HMIs, SCADA, MES, and ERP. Can you map them to Purdue levels and give us the security requirements for each boundary?

> **Agent:** I'll run `purdue_level_mapper` on your asset list to assign each system to Levels 0–5 and output the transition requirements. Then I'll copy the strategy template and fill the zone boundaries and conduits.

> **Agent:** Running `purdue_level_mapper` on `plant-assets.md`...

> **Agent:** Mapping done: PLCs and RTUs → Level 1, HMIs and SCADA → Level 2, MES and data historian → Level 3, ERP and email → Level 4. I've created `segmentation-strategy.md` from the template with the level table and security requirements for each transition. The key rule for CPG 2.2 is L3↔iDMZ↔L4—all business-to-OT traffic must go through the Industrial DMZ. Running `lateral_movement_blocker` on the draft...

> **Agent:** Lateral movement check: **PASS**. No direct Business-to-PLC path in the narrative. The strategy explicitly states that IT–OT exchange goes through the iDMZ (jump host). You can use this as CPG 2.2 evidence; re-run `lateral_movement_blocker` after any edit to the narrative.

## What the Tools Do

**`purdue_level_mapper`** categorizes assets and outputs transition requirements:

- **Input:** Path to a Markdown or text file with an asset list (one asset per line or bullet). Keywords (PLC, RTU, HMI, SCADA, MES, ERP, etc.) are matched to Purdue Levels 0–5.
- **Output:** An asset→level table and the security requirements for each transition (L0→L1 … L4→L5 and L3↔iDMZ↔L4) aligned to CPG 2.2. Use this to scope firewall rules and conduits when drafting the strategy.

**`lateral_movement_blocker`** validates the segmentation narrative:

- **Input:** Path to the segmentation strategy or configuration narrative (Markdown or text).
- **Checks:** Scans for phrases that imply direct Business (Level 4/5) to PLC/Level 0–1 communication without a DMZ or conduit. Flags violations (e.g. "ERP to PLC", "direct L4 to OT control") and confirms when the document states that all IT–OT traffic passes through an intermediary (iDMZ, jump host, data diode).
- **Output:** PASS or FAIL plus a short report. On FAIL, lists each violation with guidance (e.g. "Document the DMZ or conduit between IT and OT; name the intermediary and allowed data flows").
- Use after drafting or editing the strategy so CPG 2.2 evidence stays consistent.
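The two tool descriptions above (`purdue_level_mapper` keyword matching and `lateral_movement_blocker` phrase scanning) can be illustrated with one small script. The code below is an added example, not the skill's own implementation: its keyword table, abridged requirement wording, regular expressions, asset list and the two sample narratives are all constructed assumptions for illustration. The PASS sample paraphrases the output excerpt further down this page; the FAIL sample is invented to show what a flagged sentence looks like.

```python
"""Added example (not the skill's own code): a keyword-based Purdue level mapper
and a lateral-movement narrative check in the spirit of the two tools described.
Keyword tables, requirement wording and regexes are assumptions for illustration."""
import re

# Assumed keyword -> Purdue level table; extend with site-specific device names.
LEVEL_KEYWORDS = {
    0: ("sensor", "actuator", "valve", "pump", "transmitter"),
    1: ("plc", "rtu", "safety controller", "controller"),
    2: ("hmi", "scada", "operator workstation", "alarm server"),
    3: ("mes", "historian", "engineering workstation", "batch server"),
    4: ("erp", "email", "file server", "active directory"),
    5: ("internet", "cloud", "vendor", "remote support"),
}

# Assumed, abridged requirement text per transition (CPG 2.2 intent, not quoted from CISA).
TRANSITION_REQUIREMENTS = {
    "L0->L1": "Fieldbus/hardwired I/O only; no routable IP crosses into L0; change control on I/O.",
    "L1->L2": "Industrial-protocol allow-list from named HMI/SCADA hosts to named controllers only.",
    "L2->L3": "Scoped flows to historian/MES; engineering-tool access requires approval and logging.",
    "L3<->iDMZ<->L4": "All IT/OT exchange via the iDMZ: jump host for interactive access, "
                      "broker or data diode for data; no direct L4/L5 to L0/L1/L2.",
    "L4->L5": "Enterprise perimeter controls; no inbound Internet access to hosts that reach the iDMZ.",
}


def map_asset(name):
    """Return the Purdue level for one asset description, or None if no keyword matches.
    The earliest keyword in the line wins (the head noun usually comes first); on a tie
    the longer keyword wins, so 'safety controller' beats 'controller'."""
    text = name.lower()
    best = None  # (position, -len(keyword), level)
    for level, keywords in LEVEL_KEYWORDS.items():
        for kw in keywords:
            m = re.search(r"\b" + re.escape(kw) + r"s?\b", text)  # tolerate plurals
            if m:
                cand = (m.start(), -len(kw), level)
                if best is None or cand < best:
                    best = cand
    return None if best is None else best[2]


def map_assets(asset_text):
    """Parse an asset list (one asset per line or bullet) into {asset: level}."""
    levels = {}
    for raw in asset_text.splitlines():
        line = raw.strip().lstrip("-*").strip()
        if line:
            levels[line] = map_asset(line)
    return levels


def required_transitions(level_map):
    """List the transition requirements between the lowest and highest mapped level.
    Crossing L3/L4 always yields the iDMZ rule that CPG 2.2 evidence hinges on."""
    present = [lv for lv in level_map.values() if lv is not None]
    if not present:
        return []
    out = []
    for n in range(min(present), max(present)):
        key = "L3<->iDMZ<->L4" if n == 3 else f"L{n}->L{n+1}"
        out.append((key, TRANSITION_REQUIREMENTS[key]))
    return out


# --- lateral_movement_blocker-style narrative check (assumed patterns) ---
BUSINESS = r"(?:erp|email|corporate network|business network|enterprise network|l[45]|level [45])"
CONTROL = r"(?:plc|rtu|hmi|ot control|controller|l[01]|level [01])"
INTERMEDIARY = r"(?:idmz|dmz|jump host|bastion|data diode|conduit|broker)"
# A business-side term followed, within one clause, by "to"/"->" and a control-side term.
VIOLATION_RE = re.compile(r"\b" + BUSINESS + r"\b[^.;\n]{0,60}?(?:\bto\b|->|→)\s*(?:the\s+)?"
                          + CONTROL + r"s?\b", re.IGNORECASE)
INTERMEDIARY_RE = re.compile(r"\b" + INTERMEDIARY + r"\b", re.IGNORECASE)
NEGATION_RE = re.compile(r"\b(?:no|not|never|prohibited|must not|shall not)\b", re.IGNORECASE)
SCOPE_RE = re.compile(r"\b(?:it\W{0,3}ot|business|enterprise|corporate)\b", re.IGNORECASE)
ROUTE_RE = re.compile(r"\b(?:traverses?|through|via)\s+(?:the\s+|an?\s+)?" + INTERMEDIARY + r"\b",
                      re.IGNORECASE)
GUIDANCE = "Document the DMZ or conduit between IT and OT; name the intermediary and allowed data flows."


def split_sentences(text):
    """Split on sentence terminators and line breaks so each bullet or clause is judged alone."""
    return [s.strip() for s in re.split(r"(?<=[.;!?])\s+|\n+", text) if s.strip()]


def check_narrative(text):
    """Return (verdict, violations, assurances). PASS requires zero violating sentences and
    at least one sentence stating that IT/OT traffic goes through an intermediary.
    A negated sentence ('No direct ERP to PLC ...') is a rule, not a violation."""
    violations, assurances = [], []
    for sent in split_sentences(text):
        negated = bool(NEGATION_RE.search(sent))
        if VIOLATION_RE.search(sent) and not INTERMEDIARY_RE.search(sent) and not negated:
            violations.append((sent, GUIDANCE))
        elif SCOPE_RE.search(sent) and ROUTE_RE.search(sent) and not negated:
            assurances.append(sent)
    verdict = "PASS" if not violations and assurances else "FAIL"
    return verdict, violations, assurances


# Constructed sample inputs (not from the page's tool runs).
ASSETS = """\
- Allen-Bradley PLCs (filtration line)
- RTUs at remote pump stations
- HMI operator stations
- SCADA server
- MES
- Data historian
- ERP (SAP)
- Email server
- Chlorine dosing pump
- Vendor remote support portal
- Badge printer
"""
PASS_NARRATIVE = """\
## 2.4 Level 3 <-> Industrial DMZ (iDMZ) <-> Level 4
- iDMZ components: Jump host (bastion) for operator and engineering access; data diode for L3->L4 reporting only.
- Allowed traffic (iDMZ->L4): Reporting and dashboards; patch management and updates via jump host only. No direct L4/L5 to L0/L1/L2.
- Rule: All business/enterprise access to OT traverses the iDMZ. No direct path from ERP or corporate network to PLCs or HMIs.
"""
FAIL_NARRATIVE = """\
Recipe downloads: the ERP server writes directly to the PLCs over Modbus/TCP.
Remote support: vendors connect from the corporate network to HMIs using RDP.
"""

if __name__ == "__main__":
    levels = map_assets(ASSETS)
    for asset, lv in levels.items():
        print(f"{asset:40} -> " + ("unmapped" if lv is None else f"L{lv}"))
    for key, req in required_transitions(levels):
        print(f"{key}: {req}")
    for label, doc in (("PASS sample", PASS_NARRATIVE), ("FAIL sample", FAIL_NARRATIVE)):
        verdict, violations, _ = check_narrative(doc)
        print(label, verdict, *[f"\n  {s}\n    -> {g}" for s, g in violations])
```

Two design points carry over to any real checker: the narrative check works sentence by sentence so that a prohibition ("No direct L4/L5 to L0/L1/L2") is recognised as a rule rather than flagged as a violation, and PASS requires a positive statement that traffic goes through a named intermediary, so a narrative that merely never mentions PLCs still fails. An unmapped asset ("Badge printer" above) is returned as `None` so it can be reviewed rather than silently dropped from the level table.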

## Output Excerpt

Excerpt from a generated IT/OT Network Segmentation Strategy (zone boundaries and validation note):

```markdown
## 2. Zone boundaries and conduits

### 2.4 Level 3 ↔ Industrial DMZ (iDMZ) ↔ Level 4

- **iDMZ components:** Jump host (bastion) for operator and engineering access; data diode for L3→L4 reporting only.
- **Allowed traffic (L3→iDMZ):** Aggregated alarms and production metrics; recipe and batch data for reporting.
- **Allowed traffic (iDMZ→L4):** Reporting and dashboards; patch management and updates via jump host only. No direct L4/L5 to L0/L1/L2.
- **Rule:** All business/enterprise access to OT traverses the iDMZ. No direct path from ERP or corporate network to PLCs or HMIs.

## 3. Validation

Run `lateral_movement_blocker` on this document to confirm no direct Business-to-PLC (or L0/L1) communication without an iDMZ intermediary.
```

- The mapper output drives the level table and transition text; the template provides the structure. After any change to zones or conduits, re-run `lateral_movement_blocker` so the narrative remains valid for CPG 2.2.

## Getting Started

Add your asset list (and any existing segmentation notes) to the project workspace, then activate the *Purdue Level Mapper (CISA CPG 2.2)* skill. The agent will map assets to Purdue levels, draft the strategy from the template, and run the lateral-movement check so the document is ready for CPG 2.2 evidence.

