IE Domain Registry Annual Report 2019

Business and Market Review

Technical Excellence

Operating the national registry for the .ie namespace requires the highest levels of security, stability and resilience of networks and infrastructure. Our Technical Services team manages and maintains the Company’s high availability systems, mission-critical services and infrastructure in accordance with international best practices.

2019 – The summer of network outages

Global service providers that experienced network outages during the summer of 2019 included China Telecom, Google Cloud, WhatsApp, Cloudflare, Apple Services and Wikipedia. Some outages related to malicious actors and some to human error. A common theme, however, was BGP leaks.

A BGP route leak can happen when an AS (Autonomous System) advertises routes that are outside of its scope or policy. In essence, BGP could be likened to a postal service and an AS record could be likened to a post office. In the case of a BGP route leak, such a ‘post office’ would maliciously or accidentally advertise itself as being the best place to route post to, say, Spain. The basic issue is that this particular ‘post office’ will have problems, as it can’t reroute to Spain, even though it is taking the post. In a malicious case it might also be forwarding the post to Spain but reading it beforehand.

Resource Public Key Infrastructure (RPKI) can help prevent BGP leaks. During 2019, ISPs and international registries adopted RPKI as a way of securely signing routes with the original AS record. At IE Domain Registry, our team successfully built a lab, completed testing and commenced implementation planning for an expected 2020 launch.

Internationally, there was also a large rise in attacks which used the DNS. A group named Sea Turtle facilitated DNS poisoning of several large companies and government websites by infiltrating the DNS systems at registries in order to damage the credibility of those companies and governments. In Ireland, our national .ie registry system supports Two Factor Authentication (2FA), Registry Lock and Domain Name System Security Extensions (DNSSEC), which help reduce the risk to our .ie customers.

In 2019, we completed an upgrade on our Hardware Security Module (HSM) infrastructure, which facilitates signing DNS records using DNSSEC. This will also provide the ability to support newer signing algorithms in the near future. We also commissioned an independent third-party audit of our Information Security Management System (ISMS) in 2019, and an ISO gap analysis was undertaken to assess the degree of ISO alignment.

In cooperation with our Registrars, we carried out a full scan of all the authoritative DNS servers in the .ie zone during the DNS Flag Day in February 2019. The internet community worked together and fixed problems which were causing delays and other problems for internet users worldwide. DNS Flag Day passed without incident in the .ie zone.

EU Network and Information Security directive (NIS)

This EU Directive designated country code top-level domains (ccTLDs) as Operators of Essential Services (OES) under the NIS Directive. The EU Network and Information Security directive (NIS) is the first EU-wide cyber-security measure designed to enhance cyber-security across all member states. Organisations covered by the NIS directive are required to:

- Implement necessary and appropriate cyber-security protections for their network and information systems.
- Ensure continuity of service by having proper measures in place to respond to any cyber-attack incidents.
- Notify their CSIRT of any security incident that has a significant impact on any of the designated essential sectors. This has to be done no later than 72 hours after an incident has occurred.

Critical service areas include energy generation and distribution, public transport systems, water distribution systems, public healthcare delivery, and finance systems. Core internet infrastructure components that provide the backbone for the networks within member states and across the EU are also designated as critical: Internet exchange points, core network links, DNS systems, and large Cloud Service providers. Most organisations that provide these essential services should have robust and current cyber-security protections in place already; however, the NIS aims to harmonise and raise the level of cyber-security preparedness in essential physical and virtual infrastructure providers.
