
Thin Line Between Physical Security and Cyber Security in Financial Infrastructure & Assets Protection


By Or Shalom

Providing cyber defense for financial infrastructure and assets is complex, as these systems and infrastructures are usually situated in public space. Moreover, it is very challenging to counter highly motivated attackers who, throughout their operation, use tools, deception methods, technologies, and collaborations in order to get their hands on the money.

The attack concepts seen in such incidents clearly demonstrate the balance required between physical security and cyber security. Sometimes the attack combines a physical approach to the target with a cyber attack, e.g. sabotaging automated banking systems and ATMs (to collect cash or use stolen cards) or accessing clearing systems (to steal credit card data, etc.). Therefore, the security program must reflect a synergy between physical security and cybersecurity.

In 2015, an international hacking operation was exposed after the hackers succeeded in stealing some $1 billion from hundreds of banks around the world (Carbanak). The attack method included implanting malware in the banks’ computing systems and ordering the banks’ ATMs to dispense banknotes on predefined days and hours. The attack started with the delivery of a phishing email containing a hostile link, which enabled access to the accounts of the system administrators. Gaining access to the security and camera systems also enabled intelligence collection on the activities of the tellers inside the bank. From that point the physical security aspect came into play: in addition to the need for adequate planning of the bank cameras so that they do not enable information collection about the tellers’ activities or external control, there should have been a plan for the security systems and cameras in the vicinity of the ATMs in order to detect anomalies.

The security videos from the Carbanak events demonstrated that the right analytics could have led to detection of the suspects immediately or shortly after the event. Optimizing camera settings and smart analytics can help detect suspects and suspicious activities (e.g. people loitering, waiting, dismantling or replacing hardware, etc.). Specifying and implementing video analytics technologies makes it possible to leverage intelligence insights, produce heat maps, trigger image analysis from different angles, detect suspects, dispatch forces, and exercise other deterrence capabilities. Additional measures, such as preferring an indoor placement for the ATM system, keep the entire activity inside a secure, controlled hall.
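As an added illustration (not part of the original article), the following Python sketch shows the kind of dwell-time rule a video-analytics system could apply to the ATM zone: it accumulates how long each tracked person stays in the zone, tolerates brief exits and re-entries, and flags tracks that exceed a loitering threshold. The event format, track ids and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of zone-occupancy events from the analytics engine (not real data).
# Each tuple: (timestamp_seconds, track_id, event), event is "enter" or "exit".
SAMPLE_EVENTS: List[Tuple[int, str, str]] = [
    (0, "t1", "enter"), (40, "t1", "exit"),        # normal withdrawal, 40 s
    (10, "t2", "enter"), (200, "t2", "exit"),      # 190 s in the zone: loitering
    (300, "t3", "enter"), (330, "t3", "exit"),
    (340, "t3", "enter"), (420, "t3", "exit"),     # brief exit; cumulative 110 s
    (500, "t4", "enter"),                          # still inside at end of window
]

LOITER_SECONDS = 120      # assumed policy threshold for an alert
RETURN_GAP_SECONDS = 60   # re-entry within this gap counts as the same visit


@dataclass
class Track:
    dwell: float = 0.0                    # accumulated seconds inside the zone
    entered_at: Optional[float] = None    # set while the track is inside
    last_exit: Optional[float] = None


def find_loiterers(events, now, loiter_s=LOITER_SECONDS, gap_s=RETURN_GAP_SECONDS):
    """Return {track_id: cumulative_dwell} for tracks whose dwell exceeds loiter_s.
    Short exits (<= gap_s) do not reset the counter, so leaving and coming back
    does not evade the rule; a track still inside at `now` is charged up to `now`."""
    tracks: Dict[str, Track] = {}
    for ts, tid, ev in sorted(events):
        t = tracks.setdefault(tid, Track())
        if ev == "enter":
            if t.last_exit is not None and ts - t.last_exit > gap_s:
                t.dwell = 0.0             # genuinely new visit after a long absence
            t.entered_at = ts
        elif ev == "exit" and t.entered_at is not None:
            t.dwell += ts - t.entered_at
            t.entered_at, t.last_exit = None, ts
    for t in tracks.values():
        if t.entered_at is not None:      # still in the zone at the end of the window
            t.dwell += max(0.0, now - t.entered_at)
            t.entered_at = None
    return {tid: t.dwell for tid, t in tracks.items() if t.dwell > loiter_s}
```

On the constructed sample, t2 and the still-present t4 are flagged, while t3's split visit stays below the threshold.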

Regulation 357 of Israel’s Banks Supervisor regarding information technology management addresses the process of risk evaluation. The regulation covers user mapping, the system’s functionality and operations, the system’s vulnerabilities, outsourcing, and the system’s environment. As a rule, the planning of security for financial infrastructure and assets should also conform to Crime Prevention Through Environmental Design (CPTED), which plans protection (against crime or unauthorized access) according to an analysis of the environmental conditions and the regional crime profile. Under this method, the security planning for an ATM located in a high-crime industrial zone will differ slightly from that for an ATM in a crowded zone or on a main street.

In many research efforts (Kaspersky’s research, DEFCON conference talks), research groups have demonstrated the capability to attack these components by maliciously changing their technical configuration in order to gain control over them. The component-level countermeasures concern the disconnection and replacement of communication sockets inside the device itself and between the components, as well as the integration of responses against MITM (Man-in-the-Middle) attacks. In addition, a strict local policy should ensure that any report of even a momentary disconnection and reconnection between the systems leads to shutdown and locking of the terminal and reporting of the incident to the control room. The system returns to routine operation only after a local team arrives to investigate the incident and its circumstances.
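The lock-on-tamper policy described above, as an added example that is not from the article or from any ATM vendor: a terminal state machine that treats any link change between components, even a momentary drop that reconnects seconds later, as a tamper event, disables cash services, reports to the control room, and accepts a reset only from an on-site team. Component names, the terminal id and the alert record format are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class State(Enum):
    IN_SERVICE = "in_service"
    LOCKED = "locked"            # cash services disabled until an on-site team resets


@dataclass
class Terminal:
    terminal_id: str
    components: Dict[str, bool]   # component name -> link currently up (assumed names)
    state: State = State.IN_SERVICE
    alerts: List[dict] = field(default_factory=list)   # stand-in for control-room messages

    def _report(self, ts, kind, **details):
        self.alerts.append({"ts": ts, "terminal": self.terminal_id, "kind": kind, **details})

    def on_link_change(self, ts, component, link_up):
        """Any change of a component link, including a drop that reconnects seconds
        later, locks the terminal and reports the incident once per lock."""
        was_up = self.components.get(component)
        self.components[component] = link_up
        if (was_up is None or was_up != link_up) and self.state is not State.LOCKED:
            self.state = State.LOCKED
            self._report(ts, "tamper_lock", component=component, link_up=link_up)

    def on_reset(self, ts, source):
        """Only an on-site reset with all links healthy restores service; a remote
        reset (or one issued while a link is still down) is refused and logged."""
        if (self.state is State.LOCKED and source == "onsite_team"
                and all(self.components.values())):
            self.state = State.IN_SERVICE
            self._report(ts, "restored", source=source)
            return True
        self._report(ts, "reset_refused", source=source)
        return False

    def authorize_transaction(self, ts):
        """Cash services are refused (and the refusal logged) while locked."""
        if self.state is State.IN_SERVICE:
            return True
        self._report(ts, "transaction_refused")
        return False
```

A three-second card-reader disconnect is enough to lock the terminal; a remote reset is logged as refused, and only the on-site reset restores service.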

Clearing points of sale (POS), too, are exposed to the same threats in public spaces. Most attacks involve either a technological component for copying customers’ data and sensitive information, or an attack against the networked POS terminal through a malicious email (spear phishing), in order to enable financial cyberattacks and damage the transaction and clearing processes. Damaging these POS terminals can cause losses to the company, harm its reputation, and bring about the loss of customers’ trust. Therefore, there should be logical controls, including separating the clearing POS from the internet network by allocating a dedicated VLAN that connects only to the clearing terminal, without access to other internet websites. In addition, access to these POS terminals should have physical security layers in the public sphere and when the facilities are crowded with people (also at the teller POS and wherever customers can reach them). Video cameras and analytics control must be implemented for purposes of deterrence, investigation, etc.

Or Shalom – Security and cyber expert and adviser to government and defense industries.

He holds a master’s degree, as well as civil and national qualifications in the field of information security and cyber. He has experience in developing cyber risk mitigation plans for companies and organizations, as well as experience with business development in the cyber field. Shalom has led various professional cyber programs for entities in academia and the civilian and security industries.

Interested in learning more about cybersecurity? Attend i-HLS’ InnoTech Expo in Tel Aviv – Israel’s largest innovation, HLS, and cyber technologies expo – on November 18-19, 2020 at Expo Tel Aviv, Pavilion 2.
