The Role of DNS in SCADA System Security

Supervisory Control and Data Acquisition (SCADA) systems are the most important networks you’ve never heard of.

BlueCat

October 4, 2017

Supervisory Control and Data Acquisition (SCADA) systems are the most important networks you’ve never heard of.

SCADA systems power most industrial processes. Using sensors to collect data on anything from temperatures to pressure to RPMs, these systems allow centralized monitoring of machines in the field. This field data is then analyzed and turned into instructions, controlling the operating parameters of complicated industrial systems.

In a nuclear power plant, for example, a SCADA system monitors and controls temperatures inside the reactor. SCADA systems are also responsible for guiding vehicles through robotically-enabled assembly lines and remotely controlling oil and gas pipelines.

Most of these systems are now part of the so-called internet of things, a development which increases their functionality but also comes with the risk of compromise through a cyberattack. The well-documented challenges of securing critical infrastructure are primarily due to the network architecture associated with SCADA systems.

DNS and SCADA security

DNS offers a particularly intriguing way to secure SCADA systems. Any SCADA-connected device has an IP address which allows it to be monitored and controlled through the core DNS infrastructure. With a client-facing DNS security mechanism in place, a that device can be identified as the source of malicious network activity and regulated through policies that dictate the boundaries of appropriate action.

Current cyber security tools do not have the granularity of insights or control that SCADA systems require. Since they sit higher up in the network architecture, firewalls and filters do not have the ability pinpoint the exact source of malicious activity. Client-facing DNS security systems, on the other hand, sit at the device level – right at the source of network  traffic. This enables direct control of individual sensors and regulators – something current cyber security systems cannot do.

DNS resilience

Resilience is another area where DNS-based security can enhance the use of SCADA systems. Today, when cyberattacks impact critical infrastructure, it can take weeks to pinpoint the cause and purge the network of malicious software. DNS-based security systems that monitor SCADA network traffic at the device level and patrol internal gateways make it far easier and faster to pinpoint “patient zero”, isolate it, and get vital the system up and running again.

How DNS security can prevent SCADA hacks

Last March, investigators discovered that Syrian hackers had breached the network of a water treatment plant in the United States. The hackers were mainly there to steal the banking information of the utility’s 2.5 million customers – which they managed to do.

While they were in the neighborhood, the hackers poked around to see what else they could find. The SCADA systems were assumed to be isolated from the front end network, which left the system vulnerable to infiltration. Thankfully, the hackers did not appear to have the technical knowledge necessary to truly cause harm. They probably also lacked the intent – this was an ancillary action.

Even without intent, however, the hackers managed to change the settings in valves controlled by the SCADA system. They changed settings resulting in potentially unsafe levels of treatment chemicals being dumped into the water supply. Fortunately, the utility noticed the change and took corrective action in time. A broader hack, one that took active control of the system, would have resulted in a far worse outcome.

A DNS-based security system would have monitored network traffic to that system, flagging the initial intrusion as abnormal activity, both as it searched for critical files and as it accessed the SCADA system. With a policy engine in place, access to those critical valves would have been blocked, preventing both the harmful action and further infiltration into the network.

A new toolset

Securing critical infrastructure like SCADA systems against cyberattacks is an enormous undertaking; with all of the many architectures out there, no single strategy or tool will offer 100 percent protection. Yet client-facing DNS firewalls offer a new perspective on SCADA protection, cutting through complicated layers of proprietary and even closed-system software to offer insight that can lead to action.

With so much at stake, securing SCADA systems is a global priority for governments, industry, and the military. Advanced persistent threats, like the one used in the treatment plant, are notoriously difficult to detect and counter. DNS-based security offers a unique way to monitor activity, disrupt attacks, and promote resilience in our most vulnerable and impactful critical infrastructure system.

 


Published in:


An avatar of the author

BlueCat is the Adaptive DNS company. The company’s mission is to help organizations deliver reliable and secure network access from any location and any network environment. To do this, BlueCat re-imagined DNS. The result – Adaptive DNS – is a dynamic, open, secure, scalable, and automated DDI management platform that supports the most challenging digital transformation initiatives, like adoption of hybrid cloud and rapid application development.

Related content

Detect anomalies and CVE risks with Infrastructure Assurance 8.4 

The Infrastructure Assurance 8.4 release features an anomaly detection engine for outliers and a CVE analysis engine to uncover device vulnerabilities.

Read more

Get fast, resilient, and flexible DDI management with Integrity 9.6

With Integrity 9.6, network admins can get support for new DNS record types, architect and configure multi-primary DNS, and automate IP assignments.

Read more

Deepen your security insight with Infrastructure Assurance 8.3

BlueCat Infrastructure Assurance 8.3, with an enhanced analytics dashboard, including interactive widgets and top 10 alerts, is now available.

Read more

Security, automation, cloud integration keys to DDI solution success

Only 40% of enterprises believe they are fully successful with their DDI solution. Learn how to find greater success with new research from EMA and BlueCat.

Read more

Our commitment to Micetro customers and product investment

From CEO Stephen Devito, a word on BlueCat’s ongoing commitment to supporting Micetro customers and Micetro’s evolution as a network management tool.

Read more

Seven reasons to rethink firewall monitoring and boost automation 

With BlueCat Infrastructure Assurance, you can better protect your network with automated alerts and suggested remedies for hidden issues in your firewalls.

Read more