Cash and payments
4.5 A common penetration testing framework improves financial sector cyber security
Financial sector services make extensive use of the possibilities created by digitalisation. This does, however, also expose the entities to cyber risks. An attack on a bank or a payment system could, in addition to its direct impacts, cause a major loss of confidence in the financial system.
To improve their protection capabilities, financial sector entities strive to identify vulnerabilities in their systems by testing them with the techniques and procedures used by real-life attackers.
In 2020, the Bank of Finland introduced a Finnish implementation of the pan-European model that supports testing and improves the cyber resilience of the financial sector.
Payment and securities systems attract criminals
Financial sector services are based on a huge number of systems that form a network, for example via payment and settlement systems or trading in financial instruments.
Systems that process money and other assets also attract criminals.
Entities can test their protection capabilities by mimicking the tactics, techniques and procedures of real-life threat actors, and use the observations produced during testing to develop those capabilities. In what are called penetration testing exercises, an attacker commissioned by the entity tries, in a controlled manner, to gain access to the entity's production systems.
In May 2018, the European Central Bank adopted the TIBER-EU framework, which provides guidance on such testing. The framework was created for financial market infrastructures as well as for banks and other entities. TIBER stands for Threat Intelligence-based Ethical Red Teaming.
A common model helps to build an overall picture
The purpose of penetration testing is to identify vulnerabilities in the systems and processes of individual entities or in the behaviour of people. The objective is also to test the detection, response and recovery capabilities of entities.
The enhancement of financial sector resilience requires cooperation and exchange of information. Better protection capabilities at individual entities and infrastructures improve the protection of the entire sector.
The interconnectedness of entities in the sector and the importance of the networks between them for the functioning of society underline the fact that cyber security is not a competition factor but a common interest.
The TIBER-EU framework also supports collaboration between authorities in the testing of financial entities that operate in several countries.
What is the scope of the national implementation guide?
The pan-European TIBER-EU framework provides guidance on penetration testing. Its use in actual testing activities is, however, based on the national implementation guides introduced in the participating countries.
The implementation guide defines the nationally significant elements of testing, for example the threat data used in the planning of testing, the legal framework to be considered and the test support services available.
The national implementation guide under the TIBER framework defines the planning and execution phases of testing and the documents that the entities must produce at the various stages.
The Bank of Finland published the TIBER-FI Implementation Guide in April 2020. In preparing the Implementation Guide, the Bank of Finland took the feedback from financial entities into account where possible. The Implementation Guide will be developed further on the basis of feedback and practical experience.
Use of TIBER-FI is voluntary for financial sector entities.
In addition to Finland, there are national implementations of the TIBER-EU framework in, for example, Belgium, the Netherlands, Sweden, Germany and Denmark.
What are the elements of TIBER-FI?
The threat landscape used in testing under the TIBER-FI Implementation Guide is derived from the generic threat landscape report, which is updated annually.
The report is provided by Nordic Financial CERT. As of December 2020, the report covers all the Nordic countries.
The entities conducting TIBER-FI testing are also provided with the Finnish legal framework documentation applied in penetration testing.
For the planning and coordination of testing, the Bank of Finland provides organisations with Test Manager support services.
For information exchange and cooperation purposes, the Bank of Finland launched in 2020 a TIBER-FI collaboration network for cyber security experts from financial sector organisations.