Likelihood: LOW
Impact: HIGH
Treatment: AVOID
Confidence: Moderate
Exploitation is unconfirmed, and GRASSMARLIN is end-of-life software unlikely to be widely deployed in 2026, which reduces the realistic attacker-reachable population. However, any organization still running the tool exposes OT network topology data — a high-value reconnaissance asset that materially accelerates adversary planning for operational disruption, sabotage, or targeted ICS attack — so impact is rated disproportionately above likelihood.
Treatment rationale: No patch will be released for an EOL tool, there is no remediation path other than removal, and the data exfiltrated (OT network maps) cannot be unexposed once stolen — avoidance through immediate decommissioning is the only viable primary treatment.
Third-Party / Supply-Chain Risk
If GRASSMARLIN is or was deployed by a managed security service provider, OT integrator, or industrial consulting partner with network access to the organization's ICS environment, that third party's instance of the tool may hold topology data covering the organization's infrastructure without the organization's direct visibility. This is consistent with NIST SP 800-161 Tier 2 (mission/business process) and Tier 3 (system) supply-chain exposure. Organizations should verify whether any contracted OT service providers have ever run GRASSMARLIN against their environment, and whether the resulting data still exists on the provider's systems.
Loss Exposure (illustrative)
Magnitude: high — illustrative $500K–$5M+ per incident if OT network maps are exfiltrated and subsequently used to enable a targeted operational disruption; magnitude is driven by potential production downtime, OT incident response costs, and regulatory exposure, not the vulnerability itself
Frequency: low — illustrative 1-in-10 to 1-in-20 annual probability for an organization confirmed to be running GRASSMARLIN in a reachable network position, given unconfirmed exploitation and limited active attacker targeting signal at this time
Annualized: illustrative $25K–$500K ALE for an actively exposed organization; wide range reflects high uncertainty in both attacker targeting probability and whether exfiltrated maps would be operationalized
Basis: Loss magnitude is anchored to OT incident response complexity, potential production loss from a subsequent infrastructure attack enabled by exfiltrated topology data, and regulatory notification costs — not to any third-party benchmark report. Frequency is anchored to the vulnerability's absence from the CISA Known Exploited Vulnerabilities (KEV) catalog, unconfirmed exploitation, and the narrow realistic population of organizations still running a 2017-EOL tool in a network-reachable configuration.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• Exfiltration of OT network topology data may constitute a reportable security event under cyber insurance policy incident-notification clauses — verify with broker before removing the tool to preserve coverage posture.
• If GRASSMARLIN data includes network maps of systems subject to NERC CIP, CFATS, or sector-specific OT security obligations, the vulnerability and any confirmed exposure may trigger regulatory incident reporting requirements — verify with counsel.
• Contracts with industrial customers or operators that include network security or data-handling obligations may be implicated if topology data covering their infrastructure was stored in the tool — verify with counsel.