GrassMarlin – An Industrial Control System (ICS)/Supervisory Control and Data Acquisition (SCADA) Situational Awareness Tool

ICS and SCADA networks are often the most critical components of an organization’s IT environment. Unfortunately, for a variety of reasons, these systems rarely undergo comprehensive, active security testing; one common reason is that many controllers cannot tolerate the scanning and probing such testing involves. One of SeNet’s approaches to assessing the security posture of ICS/SCADA environments is therefore to perform a passive security review using a tool such as GrassMarlin.

GrassMarlin was developed by the National Security Agency (NSA) to provide situational awareness for ICS/SCADA environments. It is a lightweight Java-based graphical tool that passively sniffs traffic on an ICS/SCADA network and builds logical and physical graphs from it; because it only listens, it sends nothing to the control devices. GrassMarlin runs on both Windows and Linux. Graphs can also be generated from previously captured packet files (PCAPs). Once traffic has been captured, the logical layout can be grouped in various ways to understand which hosts talk to which, and over which protocols. ICS/SCADA traffic can be grouped by:

·        Network

·        Country

·        Manufacturer

·        Role

·        Category

·        ICS Protocol

By grouping traffic in the ways listed above, a great deal of awareness can be achieved. GrassMarlin ships with a GeoIP database, protocol fingerprints, and a vendor (OUI) table. It displays a country flag next to any public IP address the traffic reaches, whether in the USA or in any other country. The vendor ID, derived from the OUI portion of a device’s MAC address, identifies the manufacturer of that device’s network interface card.

Traffic Grouped by Manufacturer

GrassMarlin Logical Graph

For example, ICS/SCADA misconfigurations stand out in the graph, and careful analysis of the traffic may reveal that a component of the ICS/SCADA system is infected with malware and is trying to communicate outside the network, where it has no business communicating.

GrassMarlin also lets the user view all frames exchanged between two hosts on the network. By simply right-clicking on any host and selecting the “View Frames” option, you are shown a great deal of detail about the communication, as in the figure below:

View Frame Interface

GrassMarlin can be downloaded for free through the following link:

A collection of sample ICS/SCADA network PCAP files is available through the following link:

Feel free to download and import the above mentioned files in GrassMarlin in order to obtain a deeper understanding of the tool and/or perhaps find a way to use it in your next testing assignment.
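A miniature of the grouping and “view frames” analysis described above, as an added Python example (GrassMarlin itself is Java; this is not its code): it decodes raw Ethernet/IPv4 frames, maps each sender’s OUI to a vendor, tags conversations by well-known ICS server port, and flags any host talking to an address outside the plant network, the kind of traffic the text says has no business leaving. The sample frames, the four-entry OUI table and the plant network 192.168.10.0/24 are all constructed for the example; a real review uses the full IEEE OUI registry and the site’s actual address plan.

```python
"""Passive ICS traffic triage in the style of GrassMarlin: decode raw Ethernet/IPv4
frames, map MAC OUIs to vendors, tag conversations by well-known ICS port, and flag
hosts that talk to addresses outside the plant network. Added example, not GrassMarlin code."""
import struct
import ipaddress
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "src_mac dst_mac src_ip dst_ip l4 sport dport")

# Constructed OUI subset standing in for the full IEEE registry GrassMarlin ships with.
OUI_VENDORS = {
    "00:80:f4": "Telemecanique (Schneider Electric)",
    "00:1c:06": "Siemens",
    "00:a0:45": "Phoenix Contact",
    "00:50:56": "VMware",
}
# Well-known ICS server ports. A port hit is a hint, not proof, of the protocol.
ICS_PORTS = {502: "Modbus/TCP", 102: "S7comm (ISO-TSAP)", 20000: "DNP3", 44818: "EtherNet/IP"}
# Assumed plant network for this example; anything leaving it deserves a second look.
PLANT_NET = ipaddress.ip_network("192.168.10.0/24")


def vendor_of(mac):
    """Map the OUI (first three octets) of a MAC address to a vendor name."""
    return OUI_VENDORS.get(mac[:8].lower(), "unknown")


def parse_frame(frame):
    """Decode Ethernet II + IPv4 (+ TCP/UDP ports). Returns a Flow, or None if not IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    mac = lambda b: ":".join(f"{x:02x}" for x in b)
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4            # IPv4 header length in bytes (options included)
    l4 = ip[9]                          # protocol number: 6 = TCP, 17 = UDP
    src_ip, dst_ip = (str(ipaddress.IPv4Address(ip[o:o + 4])) for o in (12, 16))
    sport = dport = None
    if l4 in (6, 17) and len(ip) >= ihl + 4:   # ports are the first 4 bytes of TCP and UDP
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return Flow(mac(frame[6:12]), mac(frame[:6]), src_ip, dst_ip, l4, sport, dport)


def analyze(frames, plant_net=PLANT_NET):
    """Group a capture GrassMarlin-style: transmitting hosts by vendor, conversations by
    ICS protocol, and every flow whose destination lies outside the plant network."""
    hosts, by_vendor = {}, defaultdict(list)
    by_protocol, external = defaultdict(set), []
    for f in frames:
        flow = parse_frame(f)
        if flow is None:
            continue
        if flow.src_ip not in hosts:    # only senders are fingerprinted: their MAC is their own
            hosts[flow.src_ip] = flow.src_mac
            by_vendor[vendor_of(flow.src_mac)].append(flow.src_ip)
        if flow.dport in ICS_PORTS:     # request: the destination holds the server port
            by_protocol[ICS_PORTS[flow.dport]].add((flow.src_ip, flow.dst_ip))
        elif flow.sport in ICS_PORTS:   # reply: the source holds the server port
            by_protocol[ICS_PORTS[flow.sport]].add((flow.dst_ip, flow.src_ip))
        if ipaddress.ip_address(flow.dst_ip) not in plant_net:
            external.append((flow.src_ip, flow.dst_ip, flow.dport))
    return {"hosts": hosts, "by_vendor": dict(by_vendor),
            "by_protocol": dict(by_protocol), "external": external}


def frames_between(frames, ip_a, ip_b):
    """The 'view frames' view: every decoded frame exchanged between two hosts."""
    flows = (parse_frame(f) for f in frames)
    return [fl for fl in flows if fl and {fl.src_ip, fl.dst_ip} == {ip_a, ip_b}]


def build_frame(src_mac, dst_mac, src_ip, dst_ip, l4, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the sample capture."""
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, l4, 0,
                         ipaddress.IPv4Address(src_ip).packed,
                         ipaddress.IPv4Address(dst_ip).packed)
    to_bytes = lambda m: bytes.fromhex(m.replace(":", ""))
    return to_bytes(dst_mac) + to_bytes(src_mac) + b"\x08\x00" + ip_hdr + payload


HMI, PLC1, PLC2, EWS = "192.168.10.5", "192.168.10.20", "192.168.10.21", "192.168.10.50"
SAMPLE_FRAMES = [  # constructed capture: an HMI polling two PLCs, plus one flow leaving the plant
    build_frame("00:a0:45:11:22:33", "00:80:f4:aa:bb:cc", HMI, PLC1, 6, 49152, 502),
    build_frame("00:80:f4:aa:bb:cc", "00:a0:45:11:22:33", PLC1, HMI, 6, 502, 49152),
    build_frame("00:a0:45:11:22:33", "00:1c:06:dd:ee:ff", HMI, PLC2, 6, 49153, 102),
    build_frame("00:50:56:01:02:03", "00:11:22:33:44:55", EWS, "203.0.113.7", 6, 50000, 443),
    bytes.fromhex("ffffffffffff00a0451122330806") + b"\x00" * 28,   # ARP request: skipped
]

if __name__ == "__main__":
    report = analyze(SAMPLE_FRAMES)
    for vendor, ips in report["by_vendor"].items():
        print(f"{vendor:36} {', '.join(ips)}")
    for proto, convs in report["by_protocol"].items():
        print(f"{proto:36} {sorted(convs)}")
    for src, dst, port in report["external"]:
        print(f"OUTBOUND {src} -> {dst}:{port}  (ICS host leaving the plant network)")
```

Running the file prints the vendor, protocol and outbound groupings for the constructed capture. On a real engagement the frames come from a PCAP rather than from build_frame, and a port match is only a lead to confirm against the protocol’s actual framing, since Modbus or S7 on a non-standard port is not unusual in the field.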


The General Services Administration (GSA) Federal Acquisition Service (FAS) announced in September 2016 that in support of the President’s Cybersecurity National Action Plan (CNAP), GSA’s IT Schedule 70 established four (4) new Highly Adaptive Cybersecurity Services (HACS) Special Item Numbers (SINs). These new SINs provide organizations seeking specialized IT Security services with faster and more reliable access to pre-vetted support vendors for their cybersecurity needs.

SeNet International Corporation (SeNet), one of the leading cybersecurity services firms, announces that it has been qualified and approved by GSA to add these four new SINs. As such, we have become one of the select few companies to offer these services to federal, state, local, and tribal agencies.

SIN 132-45A Penetration Testing - The Penetration Testing SIN provides for:

• Conducting authorized “white hat” penetration testing;

• Analyzing enterprise computer network defense policies and configurations and assessing compliance with regulations and enterprise directives; and

• Assisting with the selection of cost-effective security controls to mitigate risk (e.g., protection of information, systems, and processes).

SIN 132-45B Incident Response - The Incident Response SIN will allow organizations impacted by cyberattacks to obtain support in determining the extent of the damage and restoring networks to a secure state. Tasks include:

• Collecting intrusion artifacts (e.g., source code, malware, and Trojans) and using the discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise;

• Performing command and control functions in response to incidents; and

• Correlating incident data to identify specific vulnerabilities and make recommendations that enable expeditious remediation.

SIN 132-45C Cyber Hunt - Cyber Hunt activities, in times of crisis, require that SeNet utilize global cyber intelligence information to identify undiscovered attacks and mitigate further attacks by threat actors. Tasks include but are not limited to:

• Collecting intrusion artifacts (e.g., source code, malware, and Trojans) and using the discovered data to enable mitigation of potential Computer Network Defense incidents within the enterprise;

• Coordinating with and providing expert technical support to enterprise-wide Computer Network Defense technicians to resolve Computer Network Defense incidents; and

• Correlating incident data to identify specific vulnerabilities and making recommendations that enable expeditious remediation.

SIN 132-45D Risk and Vulnerability Assessment - Risk and Vulnerability Assessments must identify threats and vulnerabilities, assess the level of risk, and develop mitigation recommendations. Tasks include but are not limited to: network mapping, vulnerability scanning, and database assessment. Knowledge areas include but are not limited to: access management, network protocols, and application security.

• Network Mapping - consists of identifying assets on an agreed upon IP address space or network range(s).

• Vulnerability Scanning - comprehensively identifies IT vulnerabilities associated with agency systems that are potentially exploitable by attackers.

• Phishing Assessment - includes activities to evaluate the level of awareness of the agency workforce with regard to the digital form of social engineering that uses authentic-looking, but bogus, emails requesting information from users or directing them to a fake Website that requests information. Phishing assessments can include scanning, testing, or both, and can be conducted as a one-time event or as part of a larger campaign conducted over several months.

• Wireless Assessment - includes Wireless Access Point (WAP) detection, penetration testing, or both, and is performed while onsite at a customer’s facility.

• Web Application Assessment - includes scanning, testing, or both of outward-facing web applications for defects in Web service implementation that may lead to exploitable vulnerabilities. Provides a report on how to implement Web services securely and on using traditional network security tools and techniques to limit access to the Web service to only those networks and systems that should have legitimate access.

• Operating System Security Assessment (OSSA) - assesses the configuration of select host Operating Systems (OS) against standardized configuration baselines.

These SINs are now available on SeNet’s GSA Schedule 70 contract.

World Game Protection Conference

The World Game Protection Conference is taking place this February 21st-23rd in Las Vegas.  This will be the 12th year for the show, which debuted in 2006.  In previous years the focus of the show has been on physical security, surveillance, and protecting the casinos from cheaters.  However, in recent years, with the rise of technology in the gaming industry, the focus has expanded to include those technology components as well.  This year there are sessions on OSINT for surveillance operators, a technical breakdown of how slot machines work, and a panel on “How Computers are Taking the Luck Out of Gambling”.

This is a timely discussion, as a recent Wired article described a sophisticated “hack” in which a criminal organization reverse engineered slot machines’ random number generator (RNG) in order to gain an advantage over the casinos.  SeNet has experience with RNGs and fraud from our work on the Hot Lotto and MUSL criminal case in Iowa.  SeNet’s CTO contacted Willy Allison, the conference organizer, and even at this late stage Willy extended an offer to Gus Fritschie to participate in the panel and discuss what regulators and gaming operators need to be aware of as it relates to RNG security.

SeNet is looking forward to participating in this conference and continuing research into RNG and slot security.