A major cyber attack on critical national infrastructure (CNI) is a matter of “when”, not “if”, according to the National Cyber Security Centre (NCSC), so the need for CNI cyber security has never been greater. That leaves many IT and business leaders in CNI firms wondering when the “big one” will arrive. Their efforts to mitigate cyber risk are complicated by operational technology and IoT systems that are exposed through their connectivity while lacking sufficient protection, because the latest patches are often unavailable, untested or difficult to deploy.
As state-sponsored attackers become ever bolder in their attempts to target this sector, regulators have responded with the NIS Directive, imposing new requirements on CNI firms for improvements in baseline security. The furor surrounding Huawei as a supplier of 5G network equipment illustrates just how high the stakes are, and how serious the scrutiny, for organizations operating in this sector.
The journey to more secure CNI
From transport to healthcare, water to energy, digital transformation is having a major impact on the organizations providing critical infrastructure. They’re spending billions globally on emerging technologies like the IoT, to drive improved efficiencies, cost savings, productivity and business agility. Yet these same investments are also exposing organizations to new cyber risk.
CNI organizations are particularly exposed to the threat of service outages. WannaCry is perhaps the best example, causing widespread disruption to the NHS when it struck. In fact, that threat was enabled by exploits developed by the NSA to support information-stealing campaigns. This kind of cyber-espionage is also a major risk to CNI firms, which may hold highly sensitive customer data and IP of interest to both nation states like China, Russia, North Korea and Iran, and financially motivated cyber criminals.
In short, CNI firms must be capable of detecting and blocking a range of threats in order to protect user accounts, access to confidential data and control over operational systems. That means defending against tactics such as phishing and its variants; trojans, spyware, keyloggers and other info-stealing malware; data exfiltration; and attacks like ransomware and crypto-jacking which, although rarely targeted, are still a threat.
Unfortunately, the growing corporate attack surface, the fast pace of innovation from a well-resourced adversary and escalating volumes of cyber threats are making the CISO’s job increasingly difficult. Nominet research reveals that many don’t have enough resources, feel disconnected from their boards, and are seeing stress levels soar as a result.
CNI cyber security – time to focus on DNS
DNS plays a key role in every CNI provider’s IT system, converting domain names to IP addresses so staff can find the right sites and applications they need to do their jobs. However, the system was designed with usability rather than security in mind, and system administrators often simply leave it running in the background. But DNS is used in the vast majority of cyber attacks at some stage in the kill chain, and cyber criminals are increasingly able to exploit its vulnerabilities.
By tampering with the answers cached by a CNI provider’s DNS server, attackers could redirect users to a malicious website, leading, for example, to infection with ransomware or information-stealing trojans, or exposing a user to a phishing page. DNS traffic is also typically whitelisted by firewalls, meaning it can be used to smuggle stolen data out of an organization.
Organizations offering CNI services know that the stakes couldn’t be higher when it comes to dealing with cyber threats. That makes finding the right security partner extremely important.
Nominet has been securely running DNS for the critical infrastructure of the .uk domain for over two decades and provides a full DNS management service to protect the UK government from online threats. Our NTX platform has therefore been designed from the ground-up with CNI cyber security needs in mind.
By applying machine learning to outbound DNS traffic, we detect malicious behavior in real time — even single malicious packets hidden in vast quantities of legitimate data. This means CNI organizations can instantly detect and block:
- Communications between infected clients and command-and-control (C2) domains
- Users being redirected to phishing/malicious domains
- Data being smuggled out of the organization via DNS tunnelling.
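The three detections listed above, and the DNS-tunnelling exfiltration risk described earlier, can be illustrated with a small rule-based analyser over outbound DNS query logs. This is an added example written for this page; it is not Nominet's NTX code and uses fixed heuristics rather than the machine-learning approach the platform describes. The log format (`timestamp client qname qtype`), the sample log lines, the `exfil-demo.test` and `c2-placeholder.test` domains and the `KNOWN_C2` list are all constructed placeholders; a real deployment would consume a threat-intelligence feed and use the Public Suffix List to find the registrable domain.

```python
"""Heuristic DNS-tunnelling and C2 detector over resolver query logs (added example)."""
import math
import re
from collections import defaultdict

# Constructed sample log lines, not real traffic. Assumed format:
# "<timestamp> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
2024-01-01T09:00:01 10.0.0.5 www.example.com A
2024-01-01T09:00:02 10.0.0.5 mail.example.com MX
2024-01-01T09:00:03 10.0.0.7 a3f9c1e2b7d04e8f.exfil-demo.test TXT
2024-01-01T09:00:03 10.0.0.7 9d2b5e7c41a0f3b6.exfil-demo.test TXT
2024-01-01T09:00:04 10.0.0.7 c7e1a4d2f9b30856.exfil-demo.test TXT
2024-01-01T09:00:04 10.0.0.7 0b8e3d6a2c5f19e4.exfil-demo.test TXT
2024-01-01T09:00:05 10.0.0.7 5f4a2c8e1d7b9036.exfil-demo.test TXT
2024-01-01T09:00:06 10.0.0.9 beacon.c2-placeholder.test A
2024-01-01T09:00:07 10.0.0.5 cdn.example.com A
"""

# Placeholder denylist of known command-and-control domains (constructed).
KNOWN_C2 = {"c2-placeholder.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def registered_domain(qname):
    # Naive "last two labels" approximation of the registrable domain.
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    # Bits of entropy per character; encoded payloads score high, words score low.
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, qtype = m.groups()
            records.append({"ts": ts, "client": client,
                            "qname": qname.lower(), "qtype": qtype})
    return records


def analyse(records, min_queries=5, entropy_threshold=3.5,
            label_len_threshold=12, txt_ratio_threshold=0.5):
    """Return suspected tunnelling domains and direct C2 denylist hits."""
    per_domain = defaultdict(lambda: {"subdomains": set(), "entropies": [],
                                      "label_lens": [], "txt": 0, "total": 0})
    c2_hits = []
    for r in records:
        dom = registered_domain(r["qname"])
        if dom in KNOWN_C2:
            c2_hits.append((r["client"], r["qname"]))
        stats = per_domain[dom]
        stats["total"] += 1
        leftmost = r["qname"].split(".")[0]
        if dom != r["qname"]:
            stats["subdomains"].add(leftmost)
            stats["entropies"].append(shannon_entropy(leftmost))
            stats["label_lens"].append(len(leftmost))
        if r["qtype"] == "TXT":
            stats["txt"] += 1

    tunnelling = []
    for dom, s in per_domain.items():
        if s["total"] < min_queries or not s["entropies"]:
            continue
        avg_entropy = sum(s["entropies"]) / len(s["entropies"])
        avg_len = sum(s["label_lens"]) / len(s["label_lens"])
        txt_ratio = s["txt"] / s["total"]
        uniq_ratio = len(s["subdomains"]) / s["total"]
        # Many long, high-entropy, mostly unique subdomains (often TXT lookups)
        # is the classic shape of data leaving via DNS.
        if (avg_entropy >= entropy_threshold and avg_len >= label_len_threshold
                and (txt_ratio >= txt_ratio_threshold or uniq_ratio >= 0.9)):
            tunnelling.append(dom)
    return {"tunnelling": sorted(tunnelling), "c2": c2_hits}


if __name__ == "__main__":
    print(analyse(parse_log(SAMPLE_LOG)))
```

On the constructed log this flags `exfil-demo.test` as a tunnelling candidate and records the `10.0.0.9` lookup of `beacon.c2-placeholder.test` as a denylist hit, while the ordinary `example.com` lookups pass. The thresholds are starting points to be tuned against a site's own baseline; CDNs and some security products legitimately produce long hashed labels, so candidate domains should be reviewed rather than blocked blindly.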
CNI providers are well aware of the increasing scrutiny their IT systems are coming under, from both nation states and financially motivated hackers alike. They know what’s at stake if attacks can’t be stopped. That’s why these firms are increasingly looking for new ways to manage risk to acceptable levels, driving visibility and control. That’s the value of DNS-based analytics.