Securing Critical Infrastructures in the Finance Sector: The Top Five Challenges
In the era of globalization, the finance sector comprises some of the most critical infrastructures that underpin our societies and the global economy. In recent years, the critical infrastructures of the financial sector have become more digitalized and interconnected than ever before. Indeed, recent advances in leading-edge ICT technologies like Big Data, the Internet of Things (IoT), Artificial Intelligence (AI) and blockchains, coupled with a wave of financial technology (FinTech) innovations, have resulted in an explosion in the number of financial transactions. As a result, the critical assets of financial institutions are no longer only physical (e.g., bank branches, buildings, ATMs), but comprise many different cyber assets (e.g., computers, networks, IoT devices) as well.
However, the increased digitization and sophistication of the critical infrastructures of the finance sector has also raised the importance of cybersecurity in the sector. Nevertheless, despite significant investments in cybersecurity, recent incidents demonstrate that financial organizations remain vulnerable to cyberattacks. As a prominent example, the fraudulent SWIFT (Society for Worldwide Interbank Financial Telecommunication) transactions cyberattack back in February 2016 resulted in $81 million being stolen from the Bangladesh Central Bank. Likewise, the infamous “WannaCry” ransomware attacked financial institutions and had a significant adverse impact on Russian and Ukrainian banks. As another example, in 2017 a data breach at Equifax created turmoil in the global markets and affected more than 140 million consumers. In general, the finance sector suffers from security attacks more than other sectors, especially from cyber security attacks. In particular, in 2016 financial services customers suffered over 60% more cyberattacks than customers in any other sector, while cyberattacks against financial services firms increased by over 70% in 2017. Moreover, a June 2018 analysis from the IMF (International Monetary Fund) estimates that emerging cyber-attacks could put at risk a significant percentage of financial institutions’ profits, ranging from 9% to as much as 50% in worst-case scenarios.
In response to these notorious attacks against financial institutions and their cyber assets, finance sector organizations are allocating more money and effort to increasing their cyber-resilience. According to Netscribes, the global cybersecurity market in financial services is expected to expand at a CAGR (Compound Annual Growth Rate) of 9.81%, leading to a global revenue of USD 42.66 billion by 2023. Other studies reflect a similar estimate, e.g., a Compound Annual Growth Rate (CAGR) of 10.2% during 2018–2023 and a cybersecurity market growth from USD 152.71 billion in 2018 to USD 248.26 billion by 2023.
Through their security investments financial organizations are striving to confront the following challenges.
1. Limited integration between Physical Security and Cybersecurity
Even though the critical infrastructures of the finance sector comprise both physical and cyber assets, physical security and cyber security are in most cases handled in isolation from one another. In particular, cyber and physical security processes in financial organizations remain “siloed” and fragmented. This fragmentation concerns both the technical and the organizational levels, i.e., physical and cyber security are handled by different security technologies and different security teams. For instance, physical security systems such as CCTV (Closed Circuit Television) systems, intelligent visual surveillance, security lighting, alarms, access control systems and biometric authentication are not integrated with cybersecurity platforms like SIEM (Security Information and Event Management) and IDS (Intrusion Detection Systems). Likewise, processes like vulnerability assessment, threat analysis, risk mitigation and response activities are carried out separately by physical security officers and cybersecurity teams.
This “siloed” nature of systems and processes leads to several inefficiencies, including:
- Inefficient security measures that take into account the state of the cyber or the physical assets alone, instead of considering the global security context. There are specific types of security attacks (e.g., ATM network attacks) where security processes like risk assessment and mitigation should consider the status of both types of assets.
- Inability to cope with combined cyber/physical attacks, which are likely to proliferate in the near future. For example, a physical security attack (e.g., unauthorized access to a device or data centre) is nowadays one of the best ways to gain access to internal resources and launch a cybersecurity attack as an insider. Indeed, the recent cyberattack against the Bangladesh Central Bank exploited access to physical assets of the bank like SWIFT computing devices.
- Increased costs as several processes are duplicated and overlapping. In this context, an integrated approach to security could help financial organizations streamline their cyber and physical security resources and processes, towards achieving greater efficiencies at a lower cost.
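As an added illustration of what integrating physical access-control data with a SIEM-style detection pipeline can look like (example code, not part of the original post or of any FINSEC deliverable), the following script correlates badge-reader events with host authentication events. Its rule is simple: a successful login on a host that sits in a restricted zone is flagged unless the badge log shows the same user physically inside that zone at that moment. The host-to-zone inventory, the log formats and all log lines are constructed assumptions for the demonstration.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed asset inventory: which physical zone each host is installed in.
HOST_ZONE = {"swift-term-01": "swift-room", "teller-pc-07": "branch-floor"}

# Constructed badge-reader (physical access control) log lines.
PHYSICAL_LOG = """\
2024-03-01T08:55:10 badge user=alice zone=swift-room action=entry
2024-03-01T09:40:02 badge user=alice zone=swift-room action=exit
2024-03-01T21:05:44 badge user=bob zone=branch-floor action=entry
"""

# Constructed host authentication events as they might be forwarded to a SIEM.
CYBER_LOG = """\
2024-03-01T09:02:31 auth host=swift-term-01 user=alice result=success
2024-03-01T09:55:12 auth host=swift-term-01 user=alice result=success
2024-03-01T21:10:03 auth host=swift-term-01 user=carol result=success
2024-03-01T21:11:30 auth host=teller-pc-07 user=bob result=success
"""


@dataclass
class Event:
    ts: datetime
    kind: str        # "badge" or "auth"
    fields: dict     # key=value pairs from the log line


def parse_log(text):
    """Parse '<iso-timestamp> <kind> k=v k=v ...' lines into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(Event(datetime.fromisoformat(ts), kind, fields))
    return sorted(events, key=lambda e: e.ts)


def present_in_zone(physical, user, zone, at):
    """True if the last badge event for (user, zone) before `at` is an entry."""
    state = None
    for e in physical:
        if e.ts > at:
            break
        if e.kind == "badge" and e.fields["user"] == user and e.fields["zone"] == zone:
            state = e.fields["action"]
    return state == "entry"


def correlate(physical_text, cyber_text, host_zone=HOST_ZONE):
    """Return (timestamp, host, user, reason) alerts for logins that lack
    a matching physical presence in the host's zone."""
    physical = parse_log(physical_text)
    alerts = []
    for e in parse_log(cyber_text):
        if e.kind != "auth" or e.fields.get("result") != "success":
            continue
        host, user = e.fields["host"], e.fields["user"]
        zone = host_zone.get(host)
        if zone is None:          # host not in a monitored zone: nothing to correlate
            continue
        if not present_in_zone(physical, user, zone, e.ts):
            alerts.append((e.ts.isoformat(), host, user,
                           f"successful login without badge presence in {zone}"))
    return alerts


if __name__ == "__main__":
    for alert in correlate(PHYSICAL_LOG, CYBER_LOG):
        print(*alert)
```

On the constructed data this raises two alerts: alice's second login, which happens after she badged out of the SWIFT room, and carol's evening login, for which no badge event exists at all. Neither event is suspicious when the two logs are examined in isolation, which is the point the siloed-security discussion above makes.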
2. Poor Stakeholders’ Collaboration in Securing Financial Services
In an era where financial infrastructures are more connected than ever before, their vulnerabilities are likely to impact other infrastructures and systems in the financial chain, with cascading effects. In this context, stakeholders’ collaboration can be key to identifying and alleviating issues in a timely manner. However, collaboration is currently limited to exchanging data as required by the relevant security regulations and does not extend to joint security processes like (collaborative) risk assessment and mitigation.
Note that information sharing between stakeholders of the financial supply chain is a first and prerequisite step to their collaboration on security issues. In the finance sector, the Financial Services Information Sharing and Analysis Center (FS-ISAC) has been established as an industry forum for sharing data about critical cybersecurity threats in the financial services industry. Information sharing is accordingly a foundation for collaboration in security processes like joint risk scoring for assets and services that are part of the financial services supply chain. Such IT-supported collaborative workflows have already been demonstrated in other sectors and could offer benefits in the financial sector as well. Recent advances in IT technologies like blockchain and cloud computing facilitate the sharing of information and the implementation of collaborative security functionalities.
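To make the idea of joint risk scoring with cascading effects concrete, here is an added example (not from the original post or from any FINSEC project deliverable) in which each stakeholder shares a locally assessed risk score for its service, and a dependency graph is used to propagate those scores downstream. The combination rule is a noisy-OR: a service is compromised if its own risk materializes or if any upstream dependency fails and that failure propagates with the given weight. The supply-chain graph, the weights and the local scores are constructed assumptions; the function also tolerates dependency cycles by counting a service that is already being evaluated at its local score only.

```python
# Constructed supply-chain graph: service -> list of (upstream dependency, propagation weight).
# A weight of 1.0 means a failure upstream is certain to hit the dependent service.
DEPENDENCIES = {
    "mobile-banking":  [("payment-gateway", 0.9), ("core-banking", 1.0)],
    "payment-gateway": [("clearing-house", 0.8), ("card-processor", 0.7)],
    "core-banking":    [("clearing-house", 0.5)],
    "clearing-house":  [],
    "card-processor":  [],
}

# Constructed local risk scores (probability in [0, 1]) shared by each stakeholder.
LOCAL_RISK = {
    "mobile-banking": 0.2,
    "payment-gateway": 0.3,
    "core-banking": 0.1,
    "clearing-house": 0.7,
    "card-processor": 0.4,
}


def cascaded_risk(service, deps, local, _memo=None, _active=None):
    """Noisy-OR propagation: risk(s) = 1 - (1 - local[s]) * prod(1 - w * risk(dep)).

    `_active` holds services on the current evaluation path so that a cycle
    in the graph falls back to the local score instead of recursing forever.
    """
    _memo = {} if _memo is None else _memo
    _active = set() if _active is None else _active
    if service in _memo:
        return _memo[service]
    if service in _active:               # cycle: use the stakeholder's own score only
        return local[service]
    _active.add(service)
    survive = 1.0 - local[service]       # probability the service's own risk does not materialize
    for dep, weight in deps.get(service, []):
        survive *= 1.0 - weight * cascaded_risk(dep, deps, local, _memo, _active)
    _active.discard(service)
    _memo[service] = 1.0 - survive
    return _memo[service]


def score_supply_chain(deps, local):
    """Joint risk score for every service in the shared dependency graph."""
    memo = {}
    return {s: cascaded_risk(s, deps, local, memo) for s in deps}


def cascade_uplift(deps, local):
    """How much each service's risk rises because of its upstream dependencies,
    ranked highest first. This tells a stakeholder whose problem is really theirs."""
    joint = score_supply_chain(deps, local)
    uplift = {s: joint[s] - local[s] for s in deps}
    return sorted(uplift.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for service, score in score_supply_chain(DEPENDENCIES, LOCAL_RISK).items():
        print(f"{service:16s} local={LOCAL_RISK[service]:.2f} joint={score:.3f}")
    print("largest cascade uplift:", cascade_uplift(DEPENDENCIES, LOCAL_RISK)[0])
```

In the constructed graph, mobile-banking's own assessment of 0.2 becomes a joint score of about 0.86 once the clearing house's shared score propagates through the payment gateway and the core-banking system, which is exactly the kind of cascading effect that an organization scoring its assets in isolation would not see.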
3. Compliance with Stringent Regulatory Requirements and Directives
Financial institutions are nowadays faced with the need to comply with a host of regulations, which has a severe impact on their security strategies. For example:
- The Second Payment Services Directive (PSD2): Compliance with the 2nd Payment Services Directive (PSD2) requires banks to be able to interact with multiple Payment Service Providers (PSPs) in the scope of an API-based Open Banking approach. This raises additional cybersecurity concerns and calls for strong security measures like pentesting and vulnerability assessment of the APIs.
- The General Data Protection Regulation (GDPR): As of May 2018 financial organizations have to comply with the General Data Protection Regulation (GDPR), which asks for stricter and more effective security measures for all assets where personal data are managed and exchanged. Note that GDPR foresees significant penalties for non-compliance, which is why financial organizations are heavily investing in security systems and measures that boost their compliance.
- The Network and Information Systems (NIS) Directive: The NIS Directive prescribes security measures for the resilience of the IT systems and networks that support Europe’s critical infrastructures, including infrastructures in the financial sector. The prescribed measures include the establishment of risk-driven security policies, as well as collaboration between security teams (including CERTs (Computer Emergency Response Teams) and CSIRTs (Computer Security Incident Response Teams)) at national and international level. Financial organizations are therefore investing in the implementation of the NIS Directive’s mandates.
4. Limited Automation
Financial organizations are nowadays required to secure their infrastructures in a fast-moving and volatile environment, characterized by a proliferating number of threats and vulnerabilities that can emerge and affect a critical infrastructure at any time. Hackers and adversaries are continually taking advantage of leading-edge technologies in order to exploit the rising number of vulnerabilities in the physical and cyber assets of critical infrastructures. Therefore, it is impractical, and in several cases impossible, to manually carry out all security and protection tasks such as detection, monitoring, patching, reporting and security policy enforcement.
In this context, one of the main challenges faced by the security officers of financial organizations is the poor automation of security functions. To confront this challenge there is a need for solutions that offer immediate mitigation actions, as well as (semi)automated enforcement of security policies. To this end, financial organizations can take advantage of recent advances in technologies like Artificial Intelligence, Machine Learning and automated orchestration of security functions.
5. Lack of Flexibility in Coping with a Proliferating Number of Threats
In addition to automation, security officers of financial organizations are very keen on being flexible when dealing with the proliferating number of threats, including the emergence of several new cyber threats every year. Hence, security departments must be able to deploy new security functions (such as patches or protection policies) very frequently, e.g., daily or even several times per day. In this direction financial organizations could benefit from the latest developments in software engineering practices and methodologies such as the DevOps (Development and Operations) paradigm. Recent research initiatives are exploring the use of DevOps in security systems engineering, which is sometimes called DevSecOps.
These are the top challenges confronting financial organizations today when it comes to securing their critical infrastructures. In subsequent posts, we will illustrate some solutions to these challenges, including results from relevant EU projects like H2020 FINSEC and prominent security use cases that can be supported by these solutions. Stay tuned!