GrassMarlin – An Industrial Control System (ICS)/Supervisory Controls and Data Acquisition (SCADA) Situational Awareness Tool

ICS and SCADA networks are often the most critical components of an organization’s IT environment. Unfortunately, for a variety of reasons, these systems do not often undergo comprehensive, active security testing. One of SeNet’s approaches to assessing the security posture of ICS/SCADA environments is to perform a passive security review using a tool such as GrassMarlin.

GrassMarlin was developed by the National Security Agency (NSA) to provide situational awareness for ICS/SCADA system environments. It is a lightweight Java-based graphical tool that passively sniffs traffic on an ICS/SCADA network to create logical and physical graphs. GrassMarlin runs on both Windows and Linux-based operating systems. Graphs in GrassMarlin can be generated by pointing it to already captured packet files (PCAPs). Once the traffic is captured, the generated logical layout can be grouped in various ways in order to obtain an in-depth understanding of the flow of traffic and the protocols being utilized. ICS/SCADA traffic can be analyzed by grouping it by:

· Network
· Country
· Manufacturer
· Role
· Category
· ICS Protocol

Grouping traffic in the ways listed above provides a great deal of awareness. GrassMarlin includes a GeoIP database, various fingerprints, and vendor IDs. It displays a country’s flag if the traffic is reaching out to a public IP address, whether in the USA or in any other country in the world. The Vendor ID identifies the vendor of the network interface cards on the devices.

Figure: Traffic Grouped by Manufacturer

Figure: GrassMarlin Logical Graph

For example, ICS/SCADA system misconfigurations can be detected, and careful analysis of the traffic may provide a clue if any component of the ICS/SCADA system is infected with malware and is trying to communicate outside of the network, where it has no business communicating.
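The same kind of passive review can be sketched in a few lines of Python. This is an added example, not GrassMarlin code: it reads a classic pcap file, groups host pairs by ICS protocol, and lists flows in which an internal host talks to an address outside the network. Labelling protocols by well-known TCP port, treating RFC 1918 space as "inside", and the names `review`, `build_pcap` and `SAMPLE` are assumptions of this example; the sample capture is constructed.

```python
import ipaddress
import struct
from collections import defaultdict

# Assumption: labelling by well-known TCP port (a simplification for this example).
ICS_PORTS = {102: "S7comm", 502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP"}
# Assumption: RFC 1918 space is "inside"; substitute the site's real control subnets.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def build_pcap(flows):
    """Constructed sample: a classic little-endian pcap with one TCP packet per flow."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for src, dst, sport, dport in flows:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

def review(pcap):
    """Group host pairs by protocol and list flows that cross the internal boundary."""
    magic = struct.unpack_from("<I", pcap, 0)[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic microsecond pcap file")
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    groups, external, off = defaultdict(set), [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(endian + "I", pcap, off + 8)[0]
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # this example only decodes IPv4/TCP over Ethernet
        tcp_at = 14 + (frame[14] & 0x0F) * 4
        if len(frame) < tcp_at + 4:
            continue  # truncated before the TCP ports
        src, dst = ipaddress.ip_address(frame[26:30]), ipaddress.ip_address(frame[30:34])
        sport, dport = struct.unpack_from("!HH", frame, tcp_at)
        proto = ICS_PORTS.get(dport) or ICS_PORTS.get(sport) or "other"
        groups[proto].add((str(src), str(dst)))
        if is_internal(src) != is_internal(dst):
            inside, outside = (src, dst) if is_internal(src) else (dst, src)
            external.append((str(inside), str(outside), proto))
    return dict(groups), external

SAMPLE = build_pcap([("192.168.1.10", "192.168.1.20", 49152, 502),
                     ("192.168.1.11", "192.168.1.30", 49153, 44818),
                     ("10.0.0.5", "192.168.1.40", 49155, 20000),
                     ("192.168.1.20", "203.0.113.10", 49154, 443)])
```

Calling `review(SAMPLE)` returns the per-protocol host pairs and a single boundary-crossing flow from `192.168.1.20`, the kind of conversation the paragraph above says deserves a closer look.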

GrassMarlin also allows the user to view all frames being transferred between two hosts on the network. By simply right-clicking on any host and then selecting the “view frames” option, you will be provided with a great deal of communication information, as shown in the figure below:

Figure: View Frame Interface

GrassMarlin can be downloaded for free through the following link:

A collection of sample ICS/SCADA network PCAP files is available through the following link:

Feel free to download and import the above-mentioned files into GrassMarlin in order to obtain a deeper understanding of the tool and/or perhaps find a way to use it in your next testing assignment.