Critical infrastructure should think DNS

3rd April 2018

Simon Whitburn
Senior Vice President Cyber Security Services

Cyber attacks no longer happen to other businesses. The Government’s Cyber Security Breaches Survey 2017 found that almost half of all businesses experienced at least one breach in the previous year. For any business, the damage to finances and reputation can be destabilising; for those running critical national infrastructure (CNI), the ramifications are far more serious.

As an incentive to tighten up their systems, the public and private sector organisations that run the UK’s essential services will soon be required to improve their cybersecurity posture in line with the new EU NIS Directive. This would be challenging at any time, but especially during a period of heightened state-sponsored activity.

CNI firms must therefore look to bolster cyber-defences at the much-overlooked domain name system (DNS) layer, which almost every attack touches at some stage, from resolving a phishing or command-and-control domain to exfiltrating data, in order to minimise risk. As a CNI provider itself, Nominet knows better than anyone what it takes to maximise threat protection for the sector, and we have been actively monitoring our DNS to mitigate attacks for many years.

CNI under attack

When it comes to securing CNI, IT leaders must remember the old adage that an attacker need only get lucky once to be successful. Defenders must be on the alert 24/7, yet the sheer breadth and complexity of the UK’s critical infrastructure inevitably leaves gaps in protection that are ripe for exploitation. Major threats include data and IP theft, ransomware, and sophisticated attacks designed to manipulate industrial control systems (ICS).

This may have been dismissed as scare-mongering a few years back, but not today. CNI firms increasingly come under active attack from financially motivated cybercriminals and nation states. WannaCry ransomware is said to have caused disruption for more than a third of NHS trusts in England, with an estimated 19,000 operations and appointments cancelled. Suspected Russian hackers launched sophisticated attacks on Ukraine's power grid in December 2015 and December 2016, causing blackouts for hundreds of thousands of people.

Last year, head of the National Cyber Security Centre (NCSC) Ciaran Martin called out Russia for attacks on the UK’s telecommunications, energy and media sectors. Defence secretary Gavin Williamson ramped up the tension by warning such attacks could cause “thousands and thousands and thousands of deaths”.

Part of the challenge for CNI operators lies with the problem of securing mission critical but legacy ICS and supervisory control and data acquisition (SCADA) systems. IT managers are understandably reluctant to take them offline to update and patch, fearing service outages. However, this leaves them more vulnerable by the day. Communications protocols can lack suitable authentication or encryption. With security by obscurity no longer a suitable strategy for protecting these systems, CNI firms must think more holistically about threat protection, starting at the DNS layer.

The importance of DNS

The DNS translates host names into numerical IP addresses, enabling computers on local networks and the public internet to communicate with each other. It is often overlooked by security administrators, despite evidence that around two-thirds of the DNS traffic logs examined reveal signs of malicious activity. Many organisations simply allow DNS through their firewalls unconditionally and never inspect it. That plays into the hands of the black hats: it hands them an outbound channel that bypasses other controls, gives them a free hand to craft attacks, and undermines efforts to isolate or air-gap critical systems.

DNS tunnelling is a particularly popular tactic: the attacker encodes data into the labels of queries for a domain they control, and commands into the responses, so malware inside a targeted system can receive instructions and exfiltrate sensitive data through resolvers that have to be allowed out anyway. That is not to mention the threat of DDoS, phishing, IP hijacking and much more, all enabled at the DNS layer. Closer monitoring and proactive defence at this level could make a huge difference to the resilience of the organisation in the face of cyber attacks. This is something the Government is doing already, with Nominet helping to protect the Public Services Network (PSN) by monitoring its systems with our DNS network analytics tool, as we do continuously within our own operations.
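The tunnelling pattern described above leaves a recognisable footprint in query logs: long, high-entropy leftmost labels, many unique subdomains under one registered domain, and a bias towards record types such as TXT or NULL that carry large payloads. The following is an added example, not Nominet's analytics tool or any code from the original article; it runs a simple heuristic over a handful of constructed log lines (the hosts, addresses and domains are made up) and treats the last two labels as the "registered domain", a simplification a real tool would replace with the Public Suffix List. The thresholds are starting points for tuning, not calibrated values.

```python
"""Heuristic DNS tunnelling detector run over a constructed DNS query log.

Added example for illustration: the log lines, domains and thresholds
below are assumptions, not data or code from the original article.
"""
import math
from collections import defaultdict

# Constructed sample log, one query per line: client qname qtype.
# 10.0.0.7 is the "infected" host beaconing to an attacker-controlled zone.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 3d2a9f1c0b8e7a6d5c4b3a2f1e0d9c8b.c2.example.org TXT
10.0.0.7 4e3b0a2d1c9f8b7a6e5d4c3b2a1f0e9d.c2.example.org TXT
10.0.0.7 5f4c1b3e2d0a9c8b7f6e5d4c3b2a1f0e.c2.example.org TXT
10.0.0.7 6a5d2c4f3e1b0d9c8a7f6e5d4c3b2a1f.c2.example.org TXT
10.0.0.9 cdn.example.net A
"""

# Record types that rarely appear in ordinary client traffic but can carry
# large payloads in the answer, so tunnelling tools favour them.
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s: str) -> float:
    """Bits per character of s; 0.0 for an empty string or one repeated char."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Yield (client, qname, qtype) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].rstrip(".").lower(), parts[2].upper()


def registered_domain(qname: str) -> str:
    """Approximate the zone an attacker would control as the last two labels.
    A production tool should consult the Public Suffix List instead."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def profile(records):
    """Aggregate per-domain features that separate tunnels from ordinary lookups."""
    stats = defaultdict(lambda: {"labels": set(), "entropy": [], "max_len": 0,
                                 "queries": 0, "payload_qtypes": 0})
    for _client, qname, qtype in records:
        dom = registered_domain(qname)
        leftmost = qname.split(".")[0]
        s = stats[dom]
        s["labels"].add(leftmost)
        s["entropy"].append(shannon_entropy(leftmost))
        s["max_len"] = max(s["max_len"], len(leftmost))
        s["queries"] += 1
        s["payload_qtypes"] += qtype in PAYLOAD_QTYPES
    return stats


def flag_tunnelling(log_text, min_label_len=20, min_entropy=3.0, min_unique=3):
    """Return {domain: [reasons]} for domains whose query pattern looks like a tunnel.

    Two independent signals are checked so that a single odd lookup does not
    trigger an alert: encoded-looking labels, and churn of unique subdomains
    combined with payload-carrying record types.
    """
    flagged = {}
    for dom, s in profile(parse_log(log_text)).items():
        reasons = []
        mean_ent = sum(s["entropy"]) / len(s["entropy"])
        if s["max_len"] >= min_label_len and mean_ent >= min_entropy:
            reasons.append(f"long high-entropy labels (max {s['max_len']} chars, "
                           f"{mean_ent:.2f} bits/char)")
        if len(s["labels"]) >= min_unique and s["payload_qtypes"] / s["queries"] > 0.5:
            reasons.append(f"{len(s['labels'])} unique subdomains, mostly TXT/NULL queries")
        if reasons:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_tunnelling(SAMPLE_LOG).items():
        print(dom, "->", "; ".join(why))
```

Run against the constructed log, only `example.org` is reported, on both signals. In practice the per-domain counters would be kept over a sliding window and fed from the resolver's query log, and the entropy threshold lowered or raised after baselining against the organisation's own traffic, since CDNs and some cloud services also generate long machine-looking labels.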

The financial incentive is fast approaching. From early May 2018, the NIS Directive will mandate long overdue, minimum security standards and best practice processes for providers of “essential services”. Those that ignore it could face non-compliance penalties of up to £17m, or 4% of global annual turnover. That said, fines are the least of their worries if a serious breach knocks critical services offline.

It’s time to accept the risks and meet them head on, with careful, thorough and proactive monitoring of the DNS to protect your systems and maintain the pillars that hold up our country. Find out more about our PSN contract and the DNS and security services we provide here.