ACSC to deploy protective DNS service for govt, critical infrastructure

The Australian Cyber Security Centre is preparing to deploy a protective domain name system (DNS) service that it hopes could be adopted by all level of the Australia government and critical infrastructure.

Yesterday the government’s lead cyber security agency approached the market for the defensive capability to cover both its internal and external customers, under a project it has dubbed WINTEROSE.

The capability will block known and likely malicious threats based on threat feeds and provide information to customers and the ACSC to “uplift the whole of Australia security posture”.

While there is current no centrally managed protective DNS capability that provides government-wide coverage, the Australian Signals Directorate (ASD) has identified the introduction of such capability “a strategic priority”.

“The ACSC currently has limited visibility of the government DNS environment and does not have a centralised, responsive method to identity and protect government agencies from malware using DNS as part of  the compromise vector,” ACSC documents state.

The protective DNS will initially be deployed to between 10 to 15 organisations for a three months feasibility study, which the ACSC will use to provide qualitative data for the wider rollout.

This pilot – which could run for 12 months in total – will allow the agency to “determine the feasibility, costs and benefits of upscaling these efforts to protect all levels of Australian government and key systems, including critical infrastructure”.

“Expansion of the service will involve the non-mandatory adoption/takeup of the service by all levels of government and select industry partners,” ACSC documents state, adding that a “scaled per user pricing model” is being proposed.

Those select industry partners could be the operators of Australia’s 165 highest-risk electricity water, gas and port infrastructure, which have been required to provide information to government since critical infrastructure legislation was passed last year.

However the ACSC stressed that this was very much dependent on the outcome of the first phase of the project, as well as the “government’s decision to proceed and [the] provision of sufficient funding”.

If phase two goes ahead it would go a long way to uplifting the security posture of federal government agencies and put Australia in step with UK, which launched its own protective DNS service for the public sector back in August 2017.

The last count of compliance with the ASD’s mandatory information security controls revealed that almost forty percent of agencies were struggling to fully-implement the top four.

The ACSC expects the protective DNS capability, which it wants built by the end of September, will “operate on premises and on ICT infrastructure”, but with personnel provided by the service provider.

An “analytics engine that can validate threat feeds, and report on logs” will also be built as part of the project.

An internet facing self-service portal that allows users to “sign up, configure and receive reports on the service” will also be required if the project progresses to phase two.