It is very hard to protect your control systems if you don't know what to protect. Even if you have an idea of what you have, the visibility problem goes beyond asset management. You need visibility not only into operating systems, firmware and software, but also into the network communications in the environment. On top of that, you cannot safely use regular IT tools such as nmap to scan your control systems. You need passive methodologies that are safe for control environments.
GRASSMARLIN is an open-source software tool that provides a method for discovering and cataloging Supervisory Control & Data Acquisition (SCADA) and Industrial Control System (ICS) hosts on IP-based networks. GRASSMARLIN uses a variety of sources to generate this data, including PCAP files, router and switch configuration files, CAM tables, and live network packet captures. The tool can automatically determine the available networks and generate the network topology as well as visualize the communication between hosts.
GRASSMARLIN is not an analysis tool. GRASSMARLIN exists to facilitate further analysis by a system administrator, auditor, or other individual. The focus is not on drawing conclusions from data, but on organizing large sums of data to allow people to quickly make informed decisions.
GRASSMARLIN supports the following platforms:
Microsoft Windows (64-bit 7, 8, and 10)
Ubuntu (14.04, 15.10, and Security Onion)
CentOS (6, 7)
How To Set Up
I used Kali to install the tool. You can download the Debian .deb package and install it with the following command:
$ dpkg -i FileName.deb
After you install it, you can open it.
GRASSMARLIN has a powerful fingerprinting function.
Let's import some ICS pcaps using the File -> Import File feature. You can find some examples of ICS packets at
We can group the nodes by network, country, MAC, manufacturer, MODBUS role, etc.
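To make concrete what passive discovery from a capture looks like (the network detection and host-to-host communication from the overview above, and the grouping by network and MODBUS role just described), here is an added example that is not GRASSMARLIN's code. It infers Modbus/TCP roles purely from observed requests to TCP/502; the packet-tuple format, the /24 network assumption and the sample hosts are constructed for illustration.

```python
"""Passive Modbus/TCP inventory from captured packets (added example; not GRASSMARLIN's code)."""
from collections import defaultdict
import ipaddress
import struct

MODBUS_PORT = 502
FUNCTION_NAMES = {1: "Read Coils", 3: "Read Holding Registers",
                  6: "Write Single Register", 16: "Write Multiple Registers"}

def parse_mbap(payload):
    """Parse the 7-byte MBAP header plus function code; None if not Modbus/TCP."""
    if len(payload) < 8:
        return None
    _tid, proto, length, unit = struct.unpack("!HHHB", payload[:7])
    if proto != 0 or length != len(payload) - 6:  # proto id is 0; length covers unit id + PDU
        return None
    return {"unit": unit, "function": payload[7]}

def inventory(packets):
    """Build {ip: {network, role, peers, functions}} by observing traffic only.
    packets: assumed tuple format (src_ip, src_port, dst_ip, dst_port, tcp_payload)."""
    hosts = defaultdict(lambda: {"role": set(), "peers": set(), "functions": set()})
    for src, sport, dst, dport, payload in packets:
        for ip in (src, dst):  # assumption: every observed host sits in a /24
            hosts[ip]["network"] = str(ipaddress.ip_network(f"{ip}/24", strict=False))
        hosts[src]["peers"].add(dst)
        hosts[dst]["peers"].add(src)
        pdu = parse_mbap(payload) if dport == MODBUS_PORT else None
        if pdu:  # a request to TCP/502: sender is a Modbus master, receiver a slave
            hosts[src]["role"].add("Modbus Master")
            hosts[dst]["role"].add("Modbus Slave")
            hosts[dst]["functions"].add(FUNCTION_NAMES.get(pdu["function"], f"fc{pdu['function']}"))
    return dict(hosts)

def group_by(hosts, attribute):
    """Mimic the grouping view: bucket hosts by a scalar or set-valued attribute."""
    groups = defaultdict(set)
    for ip, info in hosts.items():
        values = info[attribute] if isinstance(info[attribute], set) else {info[attribute]}
        for value in (values or {"Unclassified"}):
            groups[value].add(ip)
    return {k: sorted(v) for k, v in groups.items()}

# Constructed sample traffic: an HMI and a workstation talking to a PLC, plus unrelated DNS.
SAMPLE_PACKETS = [
    ("10.0.1.10", 50000, "10.0.2.20", 502, struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10)),
    ("10.0.2.20", 502, "10.0.1.10", 50000, struct.pack("!HHHBBBH", 1, 0, 5, 1, 3, 2, 0x1234)),
    ("10.0.1.11", 50001, "10.0.2.20", 502, struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 100, 1)),
    ("10.0.1.10", 54321, "10.0.1.1", 53, b""),
]
```

The PLC's response on port 502 adds a peer edge but no new role, and the DNS host ends up Unclassified, which is the same "organize, don't conclude" behaviour the tool aims for.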
GRASSMARLIN gives us visibility into ICS environments: asset types, communication protocols, endpoint relationships, and so on. The next step should be analyzing this traffic in Snort or Kibana to find any malicious activity on the network.