European financial institutions and central banks, along with critical European banking and payments infrastructure providers, face an increasing onslaught from hackers that has prompted two major responses: implementing the Network and Information Security (NIS) Directive and publishing the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU).

TIBER-EU is the first Europe-wide framework for controlled cyberattacks to test the security and resilience of financial entities. It enables authorities to work with entities under their responsibility to put in place a program for tests carried out by red teams of "white hat" ethical hackers.

Recent criminal cyberattacks include the June 2017 ransomware attack that hit Ukrainian banks and the January 2018 distributed denial of service (DDoS) attack against the top three Dutch banks, ABN Amro, ING and Rabobank. Cyberattacks cost financial services firms more than any other industry, and the rate of financial services industry breaches has tripled over the past five years, according to Cost of Cyber Crime Study, a February report by Accenture and the Ponemon Institute.


The European Central Bank, which oversees systemically important clearing and settlement infrastructures in the eurozone, published TIBER-EU on May 2. Its framework facilitates a harmonized European approach toward threat intelligence-led tests that mimic the tactics, techniques and procedures of real hackers.

TIBER-EU tests simulate a cyberattack on an entity’s critical functions and underlying systems. This helps the entity to assess its protection, detection and response capabilities against potential cyberattacks, the ECB said.

“The risk of cyberattacks is high, and TIBER-EU offers a tool to the financial sector to reach a higher level of cyber-resilience,” said Wiebe Ruttenberg, senior adviser in the ECB’s directorate general, market infrastructure and payments. “The ECB takes cyber threats against the financial sector very seriously, and is committed to work with other authorities to help the financial sector to become more resilient against the increasing threat of these attacks.”

It is up to the relevant authorities and the entities themselves to determine if and when TIBER-EU based tests are performed, according to Ruttenberg.

“The framework has been designed for national and European authorities and entities that form the core financial infrastructure, including entities with cross-border activities which fall within the regulatory remit of several authorities,” he said. “The framework can be used for any type of financial sector entity, as well as entities in other sectors.”

Entities covered by TIBER-EU include bank-operated payment systems, central counterparty clearing houses, credit rating agencies, stock exchanges, retail banks, payments processors, card networks, insurers and any service providers deemed critical for the functioning of the financial sector.

The ethical tests will not result in a pass or fail, but will give the tested entity insights into its strengths and weaknesses, and enable it to develop a higher level of cyber maturity, the ECB said. The results are valid in all the European countries in which the entity operates.

In the testing phase, a threat intelligence provider prepares a Targeted Threat Intelligence Report on the entity, setting out attack scenarios for the test. The report will be used by the red team provider to carry out an intelligence-led red team test of specified critical live production systems, people and processes.

Adoption of the framework faces challenges, according to Paul McKay, senior analyst for Forrester Research. “One of the key issues in TIBER-EU is that the precise requirements of the Targeted Threat Intelligence (TTI) report aren’t well specified,” he wrote in a blog post. “This leaves quite a lot of ambiguity as to what is really expected by authorities from the TTI report.”

Also, the framework’s requirement to operate within the law limits the red-team tests, since cybercriminals are not limited by mere legal rules and regulations.

Thirdly, the framework is voluntary, and widespread adoption is critical to its success. McKay warned that there could be inconsistent coverage if some EU member states decide not to adopt TIBER-EU.

Several national authorities in the EU have already implemented domestic-only frameworks. The Bank of England, which governs the U.K.’s core banking systems including its Faster Payments System, launched the CBEST framework in 2014. CBEST provides a methodology for U.K. financial institutions to voluntarily test their cyberdefenses using advanced threat intelligence and realistic attack simulations.

CBEST was subsequently implemented by the Dutch central bank De Nederlandsche Bank in its TIBER-NL framework.

In addition to attacks on banking systems, there are major cybersecurity threats to nonfinancial critical infrastructure in the EU. The Dutch national tax authority experienced a DDoS attack in January.

May 9 was the deadline for the NIS directive, passed by the European Parliament in 2016, to become part of EU member states’ national legislation.

The NIS directive’s goal is to create a base level of security for organizations operating essential services in the EU such as banking, financial services infrastructure, energy, health and digital infrastructure such as cloud computing.

Organizations affected by the directive are deemed “operators of essential services” and must implement its provisions to deliver the required base level of security for those services. EU member states must identify these operators of essential services by November 2018.

According to Forrester Research’s McKay, key elements include financial penalties for breaches of the directive, determined by each member state.

“Organizations will need to notify their designated competent authority of any breach that impacts the services they operate, not just those impacting personal data,” McKay wrote. “Timeframes haven’t been specified, but some are suggesting mirroring the GDPR [General Data Protection Regulation] 72-hour breach notification requirement. The breach data received by operators may be distributed to other EU member states through threat intelligence sharing channels. This sharing of information to help other, similar operators is a new expansion that could take cross-EU cyber-cooperation up a level.”


Robin Arnfield

Robin Arnfield is a freelance banking and payments industry journalist. He began his journalism career in the U.K. writing for a daily business news service in 1983 and began covering payments in 1986. He has been based in Canada since 2003.