Every week I plan to share the vulnerabilities I encounter most often in industrial control systems, together with suggested solutions. In this week's article I cover the Internet Small Computer Systems Interface (iSCSI) service vulnerability.

iSCSI: A protocol developed so that computers can reach storage devices over an IP network. In short, you can access the disks assigned to you at the IP address you have been given, over an ordinary Ethernet connection; the storage does not need to be directly attached to your computer or server.

iSCSI Target: A device that responds to iSCSI requests; the term is generally used for storage devices. When LUNs are presented to servers, the target handles the connection between the iSCSI initiator and the LUN.

iSCSI Initiator: In storage architecture, the terms target and initiator denote, respectively, the source that provides the data and the client that wants to connect to it. For example, if a Windows server accesses data on the storage over the iSCSI protocol, Windows is the iSCSI initiator and the storage is the iSCSI target.

Vulnerability Name: Detecting Internet Small Computer Systems Interface (iSCSI) Service

Vulnerability Description: An active Internet Small Computer Systems Interface (iSCSI) service listening on port 3260 on ICS components.

Attack Vector: ICS Network

ICS MITRE ATT&CK ID: T0886

ICS MITRE ATT&CK Tactics: Initial Access, Lateral Movement

ICS MITRE ATT&CK Platforms: Control Server, Engineering Workstation, Human-Machine Interface (HMI)

Detecting the vulnerability: An Nmap discovery scan of the network's IP blocks reveals the hosts on which the iSCSI service port 3260 is open.

Detection Tools and Command: Nmap; command: # nmap -sV --script=iscsi-info -p 3260 {IP Address}
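The scan above tells you which hosts answer on 3260, but on a real plant network the useful question is which of those hosts are not supposed to be iSCSI targets at all, and which approved targets expose LUNs without authentication. The following script is an added example, not code from the original article: it parses the XML that Nmap writes with -oX for the command above, lists every host with tcp/3260 open, and compares them with an operator-maintained allowlist. The embedded XML, the 192.0.2.x addresses, the APPROVED_TARGETS set and the IQN are constructed sample data in Nmap's -oX layout; the "Authentication: NOT required" string is assumed to match the iscsi-info script's documented output format.

```python
"""Triage Nmap XML output for exposed iSCSI targets (tcp/3260).

Assumes a scan saved with:
    nmap -sV --script=iscsi-info -p 3260 -oX scan.xml <IP block>
and an allowlist of hosts that are *supposed* to serve iSCSI.
"""
import xml.etree.ElementTree as ET

ISCSI_PORT = "3260"

# Constructed sample in Nmap's -oX layout (not a real scan):
#   .10 open, approved, iscsi-info reports no authentication
#   .11 open, not in the allowlist
#   .12 closed
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script=iscsi-info -p 3260 -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3260">
      <state state="open" reason="syn-ack"/>
      <service name="iscsi" method="probed"/>
      <script id="iscsi-info" output="iqn.2000-01.example:storage.lun0:&#10;  Address: 192.0.2.10:3260,1&#10;  Authentication: NOT required"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3260">
      <state state="open" reason="syn-ack"/>
      <service name="iscsi" method="table"/>
    </port></ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="3260">
      <state state="closed" reason="reset"/>
    </port></ports>
  </host>
</nmaprun>
"""

# Hypothetical allowlist: the only host that is meant to be an iSCSI target.
APPROVED_TARGETS = {"192.0.2.10"}


def parse_iscsi_hosts(xml_text):
    """Return {ipv4: iscsi-info output or None} for hosts with tcp/3260 open.

    Nmap output is generated locally, so the stdlib parser is acceptable here;
    for XML from untrusted sources use defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.iter("port"):
            if port.get("protocol") != "tcp" or port.get("portid") != ISCSI_PORT:
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            script = port.find("script[@id='iscsi-info']")
            found[addr.get("addr")] = script.get("output") if script is not None else None
    return found


def triage(xml_text, approved):
    """Return [(ip, reason)] for hosts that need action:
    either an unexpected iSCSI target (not in the allowlist) or an approved
    target whose iscsi-info output shows LUNs offered without authentication.
    """
    findings = []
    for ip, info in sorted(parse_iscsi_hosts(xml_text).items()):
        if ip not in approved:
            findings.append((ip, "unexpected iSCSI target: disable or firewall tcp/3260"))
        elif info and "Authentication: NOT required" in info:
            findings.append((ip, "approved target exposes LUNs without authentication"))
    return findings


if __name__ == "__main__":
    # With a real scan: triage(open("scan.xml").read(), APPROVED_TARGETS)
    for ip, why in triage(SAMPLE_NMAP_XML, APPROVED_TARGETS):
        print(f"{ip}: {why}")
```

Each "unexpected iSCSI target" finding maps directly onto the suggested solution below: disable the service if it is not needed, otherwise restrict 3260 to the allowed IP blocks on the switch, firewall or host. Keeping the allowlist under version control alongside the scan output makes a newly appearing target visible as a diff rather than as a line buried in a scan report.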

Suggested Solution: Remote access services increase the attack surface of the local network. If the service is not used, it must be disabled. If it is required, access should be restricted to allowed IP blocks only, enforced by access-list rules on the switch the device is connected to or by firewall rules. Access control can also be implemented on the host itself.

Related Documentation of Mitigation Actions:

https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-Dwivedi-update.pdf

https://support.zadarastorage.com/hc/en-us/articles/115001837743-Using-IPsec-With-Windows-and-iSCSI-Volumes

https://www.netapp.com/media/19829-tr-3338.pdf