The Role of DNS in SCADA System Security

Supervisory Control and Data Acquisition (SCADA) systems are the most important networks you’ve never heard of.

SCADA systems power most industrial processes. Using sensors to collect data on anything from temperatures to pressure to RPMs, these systems allow centralized monitoring of machines in the field. This field data is then analyzed and turned into instructions, controlling the operating parameters of complicated industrial systems.

In a nuclear power plant, for example, a SCADA system monitors and controls temperatures inside the reactor. SCADA systems are also responsible for guiding vehicles through robotically-enabled assembly lines and remotely controlling oil and gas pipelines.

Most of these systems are now part of the so-called internet of things, a development which increases their functionality but also comes with the risk of compromise through a cyberattack. The well-documented challenges of securing critical infrastructure are primarily due to the network architecture associated with SCADA systems.

DNS and SCADA security

DNS offers a particularly intriguing way to secure SCADA systems. Any SCADA-connected device has an IP address, which allows it to be monitored and controlled through the core DNS infrastructure. With a client-facing DNS security mechanism in place, that device can be identified as the source of malicious network activity and regulated through policies that dictate the boundaries of appropriate action.

Current cyber security tools do not have the granularity of insights or control that SCADA systems require. Since they sit higher up in the network architecture, firewalls and filters do not have the ability to pinpoint the exact source of malicious activity. Client-facing DNS security systems, on the other hand, sit at the device level – right at the source of network traffic. This enables direct control of individual sensors and regulators – something current cyber security systems cannot do.

DNS resilience

Resilience is another area where DNS-based security can enhance the use of SCADA systems. Today, when cyberattacks impact critical infrastructure, it can take weeks to pinpoint the cause and purge the network of malicious software. DNS-based security systems that monitor SCADA network traffic at the device level and patrol internal gateways make it far easier and faster to pinpoint “patient zero”, isolate it, and get the vital system up and running again.

How DNS security can prevent SCADA hacks

Last March, investigators discovered that Syrian hackers had breached the network of a water treatment plant in the United States. The hackers were mainly there to steal the banking information of the utility’s 2.5 million customers – which they managed to do.

While they were in the neighborhood, the hackers poked around to see what else they could find. The SCADA systems were assumed to be isolated from the front end network, which left the system vulnerable to infiltration. Thankfully, the hackers did not appear to have the technical knowledge necessary to truly cause harm. They probably also lacked the intent – this was an ancillary action.

Even without intent, however, the hackers managed to change the settings in valves controlled by the SCADA system. They changed settings resulting in potentially unsafe levels of treatment chemicals being dumped into the water supply. Fortunately, the utility noticed the change and took corrective action in time. A broader hack, one that took active control of the system, would have resulted in a far worse outcome.

A DNS-based security system would have monitored network traffic to that system, flagging the initial intrusion as abnormal activity, both as it searched for critical files and as it accessed the SCADA system. With a policy engine in place, access to those critical valves would have been blocked, preventing both the harmful action and further infiltration into the network.
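
The per-device policy check and the “patient zero” lookup described in the sections above, sketched as an added example (not code from this article or from any product): the log format, the policy table, and every IP address and hostname are constructed for illustration.

```python
from typing import List, NamedTuple, Optional

# Constructed policy: DNS suffixes each device (keyed by source IP) may resolve.
POLICY = {
    "10.10.5.40": ("billing.plant.example", "payments.example"),  # front-end web server
    "10.20.1.11": ("historian.scada.plant.example",),             # valve controller
    "10.20.1.12": ("historian.scada.plant.example", "ntp.plant.example"),  # flow sensor
}

# Constructed client-facing DNS query log: timestamp, source IP, queried name.
SAMPLE_LOG = """\
2024-03-01T02:14:07Z 10.10.5.40 api.payments.example
2024-03-01T02:14:09Z 10.20.1.12 ntp.plant.example
2024-03-01T02:31:55Z 10.10.5.40 sync.unknown-host.example
2024-03-01T02:40:12Z 10.10.5.40 hmi01.scada.plant.example
2024-03-01T02:41:30Z 10.20.1.11 historian.scada.plant.example
2024-03-01T02:58:03Z 10.20.1.11 sync.unknown-host.example
2024-03-01T03:02:44Z 10.30.9.9 historian.scada.plant.example
"""

class Decision(NamedTuple):
    ts: str
    src: str
    qname: str
    action: str  # "allow" or "block"
    reason: str

def matches(qname: str, suffix: str) -> bool:
    """Match on label boundaries so 'xpayments.example' never passes as 'payments.example'."""
    q, s = qname.lower().rstrip("."), suffix.lower().rstrip(".")
    return q == s or q.endswith("." + s)

def evaluate(log: str) -> List[Decision]:
    """Apply the per-device policy to each query; devices missing from the policy are denied."""
    out = []
    for line in filter(str.strip, log.splitlines()):
        ts, src, qname = line.split()
        allowed = POLICY.get(src)
        if allowed is None:
            out.append(Decision(ts, src, qname, "block", "device not in policy"))
        elif any(matches(qname, s) for s in allowed):
            out.append(Decision(ts, src, qname, "allow", "within device policy"))
        else:
            out.append(Decision(ts, src, qname, "block", "name outside device policy"))
    return out

def patient_zero(decisions: List[Decision]) -> Optional[str]:
    """Earliest device to violate its policy: the first one to isolate and investigate."""
    blocked = sorted((d for d in decisions if d.action == "block"), key=lambda d: d.ts)
    return blocked[0].src if blocked else None
```

In this constructed log the front-end server is the first device to step outside its policy, and its later lookup of a SCADA-side name is blocked before the valve controller shows the same off-policy query.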

A new toolset

Securing critical infrastructure like SCADA systems against cyberattacks is an enormous undertaking; with all of the many architectures out there, no single strategy or tool will offer 100 percent protection. Yet client-facing DNS firewalls offer a new perspective on SCADA protection, cutting through complicated layers of proprietary and even closed-system software to offer insight that can lead to action.

With so much at stake, securing SCADA systems is a global priority for governments, industry, and the military. Advanced persistent threats, like the one used in the treatment plant, are notoriously difficult to detect and counter. DNS-based security offers a unique way to monitor activity, disrupt attacks, and promote resilience in our most vulnerable and impactful critical infrastructure system.

 
