Integrating Cyber-Physical Security in Banks Without Breaking It

Cyberattacks on financial institutions are becoming more prevalent. Some media reports suggest that more malware was targeted at banks in 2019 than at any other industry. Cyberattacks are also becoming more diverse, ranging from simple phishing attacks to complex attempts to access credit cards and bank accounts. This is hardly news anymore, though: banks, by the very nature of what they handle, make an attractive target. What is concerning is the increasing number of ways in which cyber and physical security threats converge. Integrated digitalized solutions for operational as well as security purposes are increasingly becoming the norm across industries. The downside is this emerging security threat. In this article, we take a look at the new kinds of security threats that customers in the banking vertical should be aware of in 2020, how these can be mitigated with a proper framework, the role of systems integrators, and how the right solutions can be used in the right ways.
What Kind of Cyber and Physical Security Threat to Expect in 2020?
In Britain, some of the largest retail banks have been forced to halt processing foreign currency orders after a cyberattack on exchange provider Travelex. In Africa, operations at several banks were affected after an attack by Russian hackers.
There is no doubt that there will be more incidents in the future, given the nature of the technology and how hackers continue to successfully exploit vulnerabilities. But even more concerning is how physical security is now connected to cybersecurity. With physical security solutions becoming more and more digitalized and integrated, an attack on either of the domains could have wide-ranging repercussions.
“Financial organizations are battling a growing number of physical and digital security threats,” said James Somerville-Smith, Global Customer Marketing Leader – End-User Programs at Honeywell Commercial Security. “According to new research from Honeywell Commercial Security, which surveyed 1,000 large financial institutions across the UK and North America, physical security incidents in large financial institutions have increased across all access points, with half of respondents reporting that incidents affecting employee access systems, physical safety of staff and data centers have gone up over the last year.”
Sophisticated Attacks and Higher Loss
According to Joon Jun, President of the Global Business Division at IDIS, we are likely to see organized cybercriminals continuing to find and target any weakness they can exploit.
“With increased global political instability, we can also expect more state-sponsored cyberattacks on banks and other critical infrastructure where an attack can damage productivity and result in major disruption and financial losses,” Jun said.
On the cybersecurity front, major attacks and threats to the banking sector are focused in three areas: sensitive data exfiltration, ransomware attacks, and denial of service attacks targeting IoT devices, along with risks induced by third-party vendors with weak internal cyber hygiene, according to Kevin Sheridan, Director of Financial Institution Services for Convergint.
Convergence of Attacks
Alarmingly, several attackers have taken advantage of physical security solutions that are in place. For instance, hackers gaining access to surveillance cameras at ATMs are able to access the PIN codes that customers enter. Jun also pointed to the theft of biometric data as hackers look to bypass multi-factor authentication (MFA). This danger was highlighted last year when Kaspersky Lab researchers identified the selling of digital fingerprints together with associated personal data on the dark market.
Finding Method in The Madness
To tackle these growing problems of attacks on integrated security systems and avoid security breaches of any kind, banks must plug the gaps between standalone platforms by integrating their physical and digital security systems across the entire enterprise.
“As many financial institutions are both multisite and multiregional, such as retail banks with HQs and then branches, this means striking a careful balance between global central integration control and different regions using different systems and equipment – or locally monitored systems with global remote management as a possibility,” Somerville-Smith said.
However, an even bigger issue is that while cyber and insider threats make for more fascinating stories, physical security can often be overlooked. Jun explains that these risks have not gone away, though, and include bank and ATM robbery, cash-in-transit attacks, social engineering to gain access to restricted areas, and corporate espionage.
Banks should also consider the safety of their airspace. Drones pose not only a terrorist threat to corporate enterprises but cyber threats too, as they have the capability to spoof Wi-Fi and trick employees and visitors into thinking they are connecting to a trusted network, allowing hackers to gain access to a bank’s corporate network as well as harvest personal data, including banking details.
Creating a Framework for Cyber-Physical Integration in Banks
In the UK and North America, financial institutions are shifting towards a global management system of physical security. A survey from Honeywell Commercial Security shows that half of the respondents (47 percent) said their company’s security is managed at a global level, with all branches under the same enterprise or integrated system, and a further third (32 percent) said they were planning to shift to a global model.
With integration playing an important role across both security measures and markets, enterprise solutions featuring remote oversight and management are going to grow in popularity.
A Holistic Approach
“The keyword is ‘integrated’,” explains Martin Koffijberg, Director, Business Development, Banking and Finance at Axis Communications. “A failure to look holistically at both physical and cybersecurity – to connect the physical with the logical – will inevitably create vulnerabilities. It is important to adopt some form of Enterprise Security Risk Management or Converged Security approach.”
Both physical and IT security should follow the same cybersecurity principles and be evaluated in the same way, Koffijberg added. The first step has to be an acknowledgment from physical security practitioners that these security devices are connected to the network and, while performing security operations, create new risks to a business that haven’t been seen with older technologies.
Framework Components
First, thorough and continued risk assessments need to be part of every physical security manager’s playbook. Today, many banks in the West have implemented sophisticated physical identity and access management (PIAM) policies, which control not only access into buildings but into the corporate network too.
“These feature useful functions like shutting down access to networks when an employee leaves their laptop, desk or building,” Jun said. “Other functions include enforcing two-factor authentication before login and the use of analytics to flag suspicious network access or unusual activity.”
Speaking about his company’s experience in dealing with the situation, Kevin Sheridan, Director of Financial Institution Services for Convergint, said that their larger financial clients are focused on four key elements of securing their operational security systems to mitigate the risk of any potential vulnerabilities. These are:
1. Device Identification
With the volume of connected devices integrated into physical security systems at financial institutions, awareness of what devices are deployed, where they are deployed, and what their operational status is has become more important than ever.
2. Device Hardening Protocols
Password management is a focal point of our most sophisticated clients. Changing default passwords, while seemingly a rather basic activity, is something that many institutions have struggled to achieve given the volume of IoT devices deployed.
3. End-to-End Encryption
This level of network architecture is increasingly a requirement of physical security system design.
4. Patch Management
Keeping your systems up to date with the latest firmware patches and software updates, when combined with the aforementioned elements, reduces the attack surface significantly.
The Human Factor And AI
When designing a comprehensive security solution with a holistic approach, technology is only part of the problem to be dealt with. The other part is the people who use the technology. To mitigate physical breaches, human error, and surveillance monitoring, it’s also important to address the problem of fatigue.
“That’s where deep learning and AI solutions can transform control room operations for major financial institutes, including those that operate 100s or even 1000s of cameras across large and multiple sites,” Jun said. “Because deep learning learns over time, it distinguishes between environmental factors versus actual threats, such as an intruder or suspicious loitering. This translates into fewer false alarms and reduces the chance of control room operators shutting down alarms, resulting in a quicker, more appropriate response to incidents.”
Solutions Critical to Fighting Cyber-Physical Threats in 2020
Physical security systems and devices that are connected to the network are endpoints that can potentially introduce significant cyber risk into an organization. Physical security devices are frequently overlooked by IT departments and oftentimes, are not properly patched, updated, or managed.
“These devices are typically configured with default passwords, open ports, and protocols, and they run legacy firmware versions with known vulnerabilities,” explained Kevin Sheridan, Director of Financial Institution Services for Convergint. “Hostile actors can exploit these vulnerabilities, allowing them to gain an initial foothold into an organization’s network. These compromised devices can then be used as a foothold within the network to pivot to other devices or systems.”
Properly hardening camera, card reader, video management, and other connected systems prior to their initial deployment, and properly managing them throughout their lifecycle, will significantly reduce the attack surface that can be exploited, thereby reducing risk.
Major Factors to Consider
According to James Somerville-Smith, Global Customer Marketing Leader – End-User Programs at Honeywell Commercial Security, there are four key considerations to bear in mind when integrating cyber and physical security systems:
1. You must ensure that all physical hardware components are cyber secure in their own right
2. All intelligence and data must be protected behind a strong and comprehensive firewall
3. Access to sensitive areas such as data rooms needs to be protected by multilayered accreditation
4. Systems in sensitive areas are protected via local security so that personnel is not able to access systems unless they have properly badged into the restricted area. This will avoid giving system access to personnel in areas that they have got into illegally (e.g., by tailgating), with any breaches being flagged immediately to a central control room so that a response team can be sent to check the breach
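The fourth consideration, refusing or flagging system access in a restricted area unless the user has badged into that area, can be sketched as a correlation between access-control events and login events. This is an added example, not code from the article or from any vendor quoted in it; the host names, area names, 12-hour dwell limit, and sample events are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumption: which restricted area each console sits in (hypothetical names).
HOST_AREA = {"dc-console-01": "data-room", "vault-ws-02": "vault"}
MAX_DWELL = timedelta(hours=12)  # assumption: an older badge-in is treated as stale

# Constructed sample badge events, not real logs: (ISO time, user, area, direction).
BADGE_EVENTS = [
    ("2020-03-02T08:58:00", "alice", "data-room", "in"),
    ("2020-03-02T09:40:00", "alice", "data-room", "out"),
    ("2020-03-02T09:05:00", "carol", "vault", "in"),
]
# Constructed sample logins: (ISO time, user, host).
LOGINS = [
    ("2020-03-02T09:10:00", "alice", "dc-console-01"),  # badged in: no alert
    ("2020-03-02T09:12:00", "bob", "dc-console-01"),    # never badged in
    ("2020-03-02T09:45:00", "alice", "dc-console-01"),  # after her badge-out
    ("2020-03-02T09:20:00", "carol", "dc-console-01"),  # badged into another area
    ("2020-03-02T09:30:00", "dave", "lobby-kiosk"),     # host is not restricted
]

def flag_unbadged_logins(badge_events, logins, host_area=HOST_AREA, max_dwell=MAX_DWELL):
    """Return logins on restricted-area hosts by users not badged into that area."""
    # Merge both streams into one timeline; on equal timestamps badge events go first.
    timeline = [(datetime.fromisoformat(t), 0, (u, a, d)) for t, u, a, d in badge_events]
    timeline += [(datetime.fromisoformat(t), 1, (u, h)) for t, u, h in logins]
    timeline.sort(key=lambda e: (e[0], e[1]))
    present = {}  # (user, area) -> time of the most recent badge-in
    alerts = []
    for when, kind, data in timeline:
        if kind == 0:
            user, area, direction = data
            if direction == "in":
                present[(user, area)] = when
            else:
                present.pop((user, area), None)
            continue
        user, host = data
        area = host_area.get(host)
        if area is None:
            continue  # login on a host outside any restricted area
        badged_at = present.get((user, area))
        if badged_at is None:
            reason = "no badge-in for area"
        elif when - badged_at > max_dwell:
            reason = "badge-in is stale"
        else:
            continue
        alerts.append({"time": when.isoformat(), "user": user, "host": host,
                       "area": area, "reason": reason})
    return alerts

if __name__ == "__main__":
    for alert in flag_unbadged_logins(BADGE_EVENTS, LOGINS):
        print(alert)
```

In a deployment the returned alerts would be forwarded to the central control room; the stale badge-in check covers sites where badge-out events are not recorded reliably.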
Sheridan added that besides properly managing the cybersecurity of the actual physical security devices deployed at a client’s site, it is also imperative that the integrator itself has a strong internal cybersecurity program to ensure the integrator is not the vector for sensitive client data to be compromised.
From Technology to a Process
Martin Koffijberg, Director, Business Development, Banking and Finance at Axis Communications, is of the opinion that the concept of cybersecurity should be looked at as a process rather than a technology. You can have the best security-related features built into technology, but if they haven’t been enabled or set up correctly, your investment in this is lost and the associated risk increased.
This is no different for physical security technologies than any other IT device connected to a network. This has recently been highlighted by the UK Surveillance Camera Commission’s Secure by Design, Secure by Default certifications for manufacturers.
Balancing Costs and Efficiency
It’s not unusual for global banks to now hand over their technical physical security deployments to ICT departments. Cybersecurity risks are making convergence happen in some sectors, including banking, far more rapidly than the advent of IP surveillance did. It’s not unusual now to see surveillance decisions made by heads of IT and cybersecurity (or those people at least being major influencers on purchasing decisions), but this trend is occurring more in the West than elsewhere.
“However, these set-ups are out of the reach of many banks and are seen as too expensive to implement and maintain,” Jun said. “This is compounded by the fact cybersecurity experts in some parts of the world are hard to come by.”
Jun stressed the importance of cost-efficiency, concluding that banks need the most cost-effective local NVR and centralized server-based solutions available, and ones that use proprietary protocols and custom file structures which make them unfamiliar to cybercriminals and therefore very difficult to hack. Plug-and-play solutions could also play a key role, as they are easier to install compared to traditional systems.
Bank Security Challenges and the Role of Systems Integrators
There is no question about the need to come up with a comprehensive security framework that would integrate cyber and physical systems in the banking sector. Unfortunately, to implement such an effective framework, banks must overcome certain challenges.
For instance, legacy operating systems can be difficult for financial clients to justify replacing. If an access control platform, for example, isn’t investing in the cybersecurity feature set of their system, it can put clients in a tough position. A well-connected integrator with scale can help a client make sense of both the capabilities of their existing systems, as well as alternative platforms.
“In addition, there are many operating silos within financial institutions, with their own operating mandates and business objectives,” said Kevin Sheridan, Director of Financial Institution Services for Convergint. “Coordinating the cyber posture of those operating entities is absolutely essential. ATM/ITM groups, facilities, physical security departments, and IT might have different priorities, but they all utilize physical security systems to deliver services to their internal and external stakeholders.”
In the past, many of these operating silos used a variety of integrators, both regionally and within lines of business, but in today’s environment, the most risk-aware clients are single sourcing integration services such that the security protocols are uniform across the entire enterprise.
The Human Factor
Some of the other challenges include the lack of understanding, at a high level, concerning the risks posed by insecure IoT devices, including IP cameras. Confusion is fueled by mixed messages from vendors about “strong cybersecurity credentials” when in truth some have cameras that are far from secure, with even some devices listed on websites revealing vulnerabilities or backdoors that can be exploited.
“Security is still too often seen as a cost, and therein lies the danger – it is a mistake to just provide a budget for a surveillance upgrade without fully considering cybersecurity threats,” said Joon Jun, President of the Global Business Division at IDIS. “Equally dangerous may be avoiding decisions about upgrades or even maintenance, because strong security is not seen as a business asset. After disaster strikes, it’s too late for boards to discover that a successful cyber-attack via an IoT device, just like a physical attack, can be both disastrous and costly.”
What The Systems Integrator Can Do
Having seen the challenges, it is obvious that constant education, training, and skilling are essential. Every individual can essentially create a potential vulnerability, and a chain is only as strong as its weakest link. According to Martin Koffijberg, Director, Business Development, Banking and Finance at Axis Communications, this means that systems integrators (SI) need to work closely with the manufacturers of physical security equipment to stay abreast of both cybersecurity enhancements and potential vulnerabilities (and, critically, the action required to mitigate these).
“The way that security systems have been designed and manufactured has fundamentally changed over recent years,” Koffijberg said. “The importance of installation and commissioning security systems, combined with an understanding of how corporate networks need to be configured to protect the integrity of the device and network has changed, and human error poses the biggest risk.”
In other words, SI should prepare themselves by investing in technologies and top cyber talent on both the offensive and defensive sides, to better understand the risks that physical security devices can introduce into an organization’s network.
Kevin Sheridan, Director of Financial Institution Services for Convergint, explained that technology investments in credential management, scalable enterprise patch management, and firmware deployment platforms, as well as detection and response capabilities, are some of the tools needed to help reduce the risks often associated with physical security devices.
“Follow a tried and true published standard; the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework,” Sheridan added. “It provides a common language that allows staff at all levels within an organization – and at all points in a supply chain – to develop a shared understanding of their cybersecurity risks. The Framework not only helps financial organizations understand their cybersecurity risks (threats, vulnerabilities, and impacts) but how to reduce these risks with customized measures.”