Situational awareness and ICS Using GRASS MARLIN

Jim Acord, November 4, 2017

Introduction

Situational awareness within the industrial control system (ICS) realm is a hot topic, with the recent release of commercial products targeting this niche market. However, there may be a U.S. Government-sponsored program that meets the necessary criteria for the needs of your organization.

What is it?

First, what is situational awareness? The definition of situational awareness is as follows:

"Situational awareness or situation awareness (SA) is the perception of environmental elements with respect to time or space, the comprehension of their meaning, and the projection of their status after some variable has changed, such as time, or some other variable, such as a predetermined event." [1]

In the ICS realm, this can be expressed as knowing how a change in one of the process variables affects the other process variables within the overall, complete process, and reacting in a proactive manner to avert undesirable outcomes.

How do you get it?

In the past, situational awareness was developed through on-the-job training and experience with the given process. Large ICS networks were informally divided into discrete processes over the length of the network. This could make situational awareness difficult for a single operator if the ICS network was particularly large or complex, especially given the supposition that knowledge transfer for the processes was difficult to accomplish for less experienced operators.

As computer modeling and analysis became more available, computerized solutions to situational awareness were developed.

GRASS MARLIN

Developed by the National Security Agency (NSA), GRASS MARLIN is a passive network mapper dedicated to industrial networks. The tool is open-source and is directly available on GitHub (https://github.com/iadgov/GrassMarlin).

GRASS MARLIN gives a snapshot of the ICS network including:

  • Devices part of the network;
  • Communications between these devices;
  • Metadata extracted from these communications.

Why it's good

Maintaining ICS availability is an overriding stipulation. In fact, any failure can lead to dire consequences, ranging from loss of product or service to loss of life. Thus, in order not to disrupt the availability of the networked industrial devices, all the mapping is done passively by GRASS MARLIN. GRASS MARLIN passively records and analyzes the communications, unlike active mapping tools such as nmap or Nessus, which send packets over the network and analyze the potential answers.

  • Passive Network Mapping Tool
  • Lightweight, Java Based graphical tool
  • Can be used to do some initial analysis work but is not an analysis engine
  • Runs in Windows and some versions of Linux
  • Two views: Logical and Physical

Where to get it

Currently GRASS MARLIN is available on Windows and some versions of Linux. It can be downloaded from: https://github.com/iadgov/GrassMarlin/releases/latest.

How to use it

GRASS MARLIN gives two types of views:

  • The "Logical View": lists all the devices and the communications between them.
  • The "Physical View": lists the physical links between the industrial and network devices.

Passive detection

The passive nature of GRASS MARLIN means that the detection method does not generate any traffic on the network. Therefore, the results of the logical view must be obtained with a classic packet capture. This also means that GRASS MARLIN can only analyze traffic that it is actually able to sniff on the host machine. This implies that one would want to install GRASS MARLIN on the server(s) polling the ICS network, or obtain the data from the principal router (for example, from a mirror port).


Sample GRASS MARLIN's visibility scope [2]

Either a live capture or capture files (PCAP files) can be used to generate a logical view.

Logical View

In this view, the network topology is presented as follows:


Sample Logical view with 2 Siemens PLCs [2]

As stated earlier, the logical topology is generated from a packet capture. In this example, the capture consists of traffic between two (2) industrial devices that use the S7Comm industrial communication protocol. (This test PCAP file and others can be downloaded from: https://wiki.wireshark.org/S7comm.)

The main map (at the right of Figure 2) shows the devices on the network and the communication between the devices and sub-networks; each device is identified by its IP address.

Moreover, GRASS MARLIN can recognize industrial devices and protocols thanks to over fifty-four (54) integrated signatures.


Sample Logical View and details provided by GRASS MARLIN [2]

In this illustration, the industrial protocol in use is S7Comm. Alongside the role of each device is detailed information: the master (Human Machine Interface - HMI) issues commands, whereas the slave (Programmable Logic Controller - PLC) executes them. The Vendor Name is also displayed, to help ICS personnel locate the field devices.

All this information is generated by comparing the captured packets against GRASS MARLIN's signatures. The confidence attribute ranges from 1 (not confident) to 5 (confident), giving the user a rating of how much trust can be placed in the provided details.
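To make the passive-detection and signature/confidence ideas above concrete, here is an added example (not GRASS MARLIN code) of a minimal logical-map builder. The packet summaries, the two signatures (S7Comm on TCP/102 with a TPKT prefix, Modbus/TCP on TCP/502) and the 1-5 confidence scale are assumptions constructed for this example; the master/slave role is inferred from which side initiates the request.

```python
# Added example, not GRASS MARLIN code: build a logical view (nodes, edges)
# from constructed packet summaries (src_ip, dst_ip, proto, dst_port, first
# bytes). The signatures and confidence scores below are this example's own.
from collections import defaultdict

# Constructed traffic: an HMI (.5) polling a Siemens-style PLC (.20) over
# S7Comm and a second device (.21) over Modbus/TCP, plus one odd packet to
# port 102 whose payload does not look like TPKT/COTP.
PACKETS = [
    ("192.168.10.5", "192.168.10.20", "tcp", 102, b"\x03\x00\x00\x1f"),
    ("192.168.10.20", "192.168.10.5", "tcp", 55012, b"\x03\x00\x00\x1b"),
    ("192.168.10.5", "192.168.10.21", "tcp", 502, b"\x00\x01\x00\x00\x00\x06"),
    ("192.168.10.21", "192.168.10.5", "tcp", 55013, b"\x00\x01\x00\x00\x00\x05"),
    ("192.168.10.99", "192.168.10.20", "tcp", 102, b"GET / HTTP/1.1"),
]

def match_signature(proto, dport, payload):
    """Return (protocol name, confidence 1-5) or None (assumed scale:
    port plus matching payload prefix scores 5, port alone scores 2)."""
    if proto == "tcp" and dport == 102:
        # TPKT header (RFC 1006) starts with version byte 0x03
        return ("S7Comm", 5 if payload[:1] == b"\x03" else 2)
    if proto == "tcp" and dport == 502:
        # Modbus/TCP MBAP header: protocol identifier (bytes 2-3) is 0x0000
        return ("Modbus/TCP", 5 if payload[2:4] == b"\x00\x00" else 2)
    return None

def build_logical_view(packets):
    """nodes: ip -> {"role": set, "protocols": set};
    edges: (master_ip, slave_ip, protocol) -> (packet count, lowest confidence).
    Only request packets are classified; replies on ephemeral ports are skipped."""
    nodes = defaultdict(lambda: {"role": set(), "protocols": set()})
    edges = {}
    for src, dst, proto, dport, payload in packets:
        sig = match_signature(proto, dport, payload)
        if sig is None:
            continue
        name, conf = sig
        nodes[src]["role"].add("master")   # initiator issues the commands
        nodes[src]["protocols"].add(name)
        nodes[dst]["role"].add("slave")    # responder executes them
        nodes[dst]["protocols"].add(name)
        count, low = edges.get((src, dst, name), (0, 5))
        edges[(src, dst, name)] = (count + 1, min(low, conf))
    return dict(nodes), edges
```

The low-confidence edge from .99 is the kind of entry an operator would review rather than trust; real captures would be read from a PCAP rather than constructed summaries.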

It is also possible to isolate the communications linked to a particular device and get a first analysis: packet size, time of emission, and packet origin (if more than one PCAP file is used):


Sample Analysis data provided by GRASS MARLIN [2]

Physical View

This view gives the physical links existing between devices:


Sample Physical view [2]

Focused on the networking aspects, this view informs the user of the physical connections between the industrial devices and the network equipment. The current version of GRASS MARLIN only supports Cisco routers; the physical view is generated from the output of three commands:

  • "show running-config"
  • "show ip arp" or "show mac address-table"
  • "show interfaces"

GRASS MARLIN can generate the physical view from the saved text file containing the results of the aforementioned commands.
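As an added illustration (not GRASS MARLIN's own parser) of how the physical view can be derived from those saved command outputs, the following joins "show ip arp" with "show mac address-table" to map each IP to its MAC, VLAN and switch port. The router/switch output, addresses and port names are constructed for this example.

```python
# Added example, not GRASS MARLIN code: derive IP -> MAC -> switch port links
# from constructed Cisco "show ip arp" and "show mac address-table" output.
import re

# Constructed sample output (addresses, MACs and ports are made up).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.10.5            3   0011.2233.4455  ARPA   Vlan10
Internet  192.168.10.20           7   0011.2233.6677  ARPA   Vlan10
Internet  192.168.10.21           -   0011.2233.8899  ARPA   Vlan10
"""

SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0011.2233.6677    DYNAMIC     Gi1/0/7
  20    0011.2233.aabb    DYNAMIC     Gi1/0/9
"""

# Cisco MACs are written as three dotted groups of four hex digits (14 chars).
ARP_RE = re.compile(r"^Internet\s+(\S+)\s+\S+\s+([0-9a-f.]{14})\s+ARPA\s+(\S+)", re.M)
MAC_RE = re.compile(r"^\s*(\d+)\s+([0-9a-f.]{14})\s+\S+\s+(\S+)\s*$", re.M)

def parse_ip_arp(text):
    """ip -> (mac, router interface)"""
    return {ip: (mac, iface) for ip, mac, iface in ARP_RE.findall(text)}

def parse_mac_table(text):
    """mac -> (vlan, switch port)"""
    return {mac: (int(vlan), port) for vlan, mac, port in MAC_RE.findall(text)}

def physical_links(arp_text, mac_text):
    """Return (links, unplaced): links are (ip, mac, vlan, port) for hosts whose
    MAC was seen on a switch port; unplaced lists IPs known from ARP whose MAC
    is absent from the MAC table (aged out, or learned via another switch)."""
    arp, macs = parse_ip_arp(arp_text), parse_mac_table(mac_text)
    links, unplaced = [], []
    for ip, (mac, _iface) in sorted(arp.items()):
        if mac in macs:
            vlan, port = macs[mac]
            links.append((ip, mac, vlan, port))
        else:
            unplaced.append(ip)
    return links, unplaced
```

The "unplaced" list is worth keeping: a host that answers ARP but has no switch port entry is a gap in the physical inventory that should be reconciled by hand.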

Data export

Data can be exported from GRASS MARLIN through three (3) types of export:

  • Views export in PNG format.
  • Data export in XML format: saves the data of the entire connection tree in the logical view. This data can then be reloaded as session data by GRASS MARLIN.
  • Data export as an archive, including the XML data and the PCAP files generated during the live captures.

Tests

After a live capture, GRASS MARLIN has generated the following view:


Sample Logical view of the test bench [2]

And, after manually reorganizing the data, the view becomes:


Sample Reorganized logical view [2]

Devices appear on the map quickly after communications are intercepted. GRASS MARLIN correctly identified all the devices and correctly reported the protocols used. Moreover, the XML file given as output is also well formed, contains all the information extracted by GRASS MARLIN, and allows it to be reused later:


Sample XML file output

Nevertheless, some limitations have been observed:

  1. Non-concurrence of signatures: if a device matches more than one signature, only one is chosen by GRASS MARLIN. This can be an issue for an HMI, which potentially communicates with more than one PLC using different communication protocols.
  2. Lack of verbosity of some signatures: most signatures have description fields in their payload in order to describe the identified device. It is possible that these fields are left blank or poorly documented, which can complicate the identification of industrial devices.
  3. Limited analysis function: GRASS MARLIN only gives the first elements for communication analysis, such as packet size and received time, with no function that performs communication pattern recognition between the HMI and PLCs.

Conclusion

Before investing in a commercial situational awareness program, it would be prudent to perform a pilot project using GRASS MARLIN. Since the current version of GRASS MARLIN has fifty-four (54) fingerprints of industrial protocols, one might be surprised to find that it meets all of the desired criteria.

References

[1] Wikipedia contributors. "Situation awareness." Wikipedia, The Free Encyclopedia, 24 Jul. 2017. Web. 4 Sep. 2017.

[2] "[EN] GRASS MARLIN, an Open-Source Tool for Passive ICS Network Mapping." Wavestone SecurityInsider, 4 Sep. 2017, www.securityinsider-wavestone.com/2016/03/en-GRASS MARLIN-open-source-tool-for.html.

Jim Acord

Jim Acord has nearly 30 years' worth of industrial control systems and cybersecurity experience. He holds a Bachelor of Science degree in Electrical Engineering and a Master's in Information Technology with a specialization in Data Assurance and Security. He is a subject matter expert for a three-letter agency for industrial control systems.