GRASSMARLIN stores detailed maps of industrial control system networks — exactly the reconnaissance data an adversary needs to plan a targeted attack on operational technology. If an attacker exploits this vulnerability before the tool is removed, they gain a ready-made blueprint of the organization's industrial infrastructure, significantly reducing the time and effort required to cause operational disruption. For organizations in critical infrastructure sectors, exposure of this data could trigger regulatory notification obligations and increase the likelihood of a follow-on ICS-targeted attack.
You Are Affected If
You are running any version of NSA GRASSMARLIN on hosts within or with visibility into ICS/OT network segments.
GRASSMARLIN is deployed on engineering workstations, jump servers, or analyst systems that store network topology exports or session capture data.
The host running GRASSMARLIN has outbound network connectivity — even limited — that an attacker could use to stage exfiltrated files.
GRASSMARLIN has not been inventoried or reviewed since its 2017 end-of-life date, leaving it potentially present in legacy OT environments without active tracking.
Your OT asset inventory does not include open-source or NSA-provided tooling, meaning GRASSMARLIN may be present but untracked.
Board Talking Points
A critical vulnerability in an NSA-built network mapping tool — which reached end-of-life in 2017 and will never receive a patch — can allow attackers to steal detailed maps of our industrial control systems.
Any instance of this tool must be identified and removed within 24 to 48 hours; no workaround exists other than full removal per the CISA advisory.
If this tool remains in place and is exploited, an attacker gains a detailed blueprint of our operational infrastructure, materially increasing the risk of a targeted industrial systems attack.
NERC CIP — OT network topology data is in scope for CIP-002 (BES Cyber System categorization) and CIP-011 (information protection); exfiltration of topology maps may constitute a reportable security incident for electric utility operators.
TSA Pipeline Security Directives — ICS/OT network mapping data for pipeline operators falls under TSA cybersecurity incident reporting requirements if compromised.