Protecting the public’s access to cash with Zero Trust

Juan Ramon Aramendia, Head of Cyber Security Product Engineering, Auriga

“The ATM Security Association (ASA) reported, as of mid-April 2022, approximately 70% of over 10,000 global ATM crime incidents were fraud attacks. This poses a huge public safety concern as cash remains a vital payment method worldwide, despite bank branch closures. In August, the Post Office managed increased amounts of cash, £3.45bn, the highest total since it began recording volumes five years ago. This highlights the importance of access to cash locally and nationwide, especially under the current cost-of-living crisis.

Business leaders must take a step back and reconsider their existing IT infrastructure as cybercriminals continue to target banking services, particularly ATMs, to steal money and confidential information, leading to economic losses, business continuity disruption and service interruptions. Traditional endpoint security models are not rigorous enough to protect critical systems since trust is typically based either on external legitimacy sources or known malicious behaviours. This trust model should not be considered robust enough when dealing with inherently vulnerable systems where attacks are highly targeted, and where third-party actors can have uncontrolled physical and privileged access to the devices (in the case of local maintenance).


Preventative measures – Never trust and always verify

Cybersecurity management needs to complement and coexist alongside digitalisation programs, especially on the deployment of even the most advanced ATMs and assisted self-service terminals (ASSTs), which are now being used in next generation branches and digital banking hubs.

Security leaders can take preventative measures to reduce the likelihood of attacks and mitigate the damage caused by honing into these for review. Banks and financial services providers should look to embrace the concept of Zero Trust across their entire infrastructure to secure self-service devices; especially those that were previously vulnerable to cyber-attacks.

It was born as a paradigm shift from a traditional security model designed to “guard the castle”, where attackers were supposed to only come from outside, while internal users and systems were considered “innocent”. Yet, as data (cloud, hybrid infrastructures) and workers (hybrid, remote offices) are now more mobile than ever, the perimeter no longer exists – internal and external systems and users bring the same risks. Thus, the Zero Trust security model is based on the assumption that any infrastructure can already be compromised by the mere fact of existing.

When we talk about OT (operational technologies) environments that manage critical devices, such as ATMs or ASSTs (assisted self-service devices), the Zero Trust model must be at the core of the cybersecurity strategy. This model must make a series of suspicious assumptions about the vulnerability of the infrastructure that manages the devices, assuming that the remote access system can be manipulated, that the software distribution system can be used to deploy malware, that the maintenance technician or the end user himself can be attackers or that our hard drive can be stolen to carry out reverse engineering activities.

That said, Zero Trust is a marketing term, and it is not possible to trust nothing or no one at all. In practice, there should always be a secure core or “trusted core”, which must be based on always granting the minimum necessary privileges and thus drastically reduce the attack surface. In other words, we are talking about a strategy based on the “presumption of guilt” as opposed to the traditional “presumption of innocence”.

In the case of critical devices, the key to defining this “core of trust” involves trusting only those resources (software and hardware) and accesses (local or remote) that are strictly necessary for the correct provision of the service, identifying them in a precise manner and verifying them in each use. It is important to point out that the criteria for adding elements to the “trust core” must always be based on learning linked to the internal certification processes of the devices and never be based exclusively on reputation – remember that criminals often use legitimate tools to attack us. However, the security policy must still be aligned with the operating state of the device. When the device is in service, this policy must be as restrictive as possible (adhere to the “core of trust”), but when the device is subject to a planned technical maintenance process, this policy should be extended temporarily, monitoring all activity, and explicitly authorising any changes that affect that secure core.

Finally, it is critical that all chosen security technologies are ready to adapt to the different needs of an entity that is, in itself, heterogeneous. They must be easy to use and allow security policies to be easily created, updated, and implemented. Cybersecurity is not a general model but unique to each organisation, which is why any cybersecurity strategy that wants to be successful must be completely aligned with the operations model and sponsored by the board of directors.


Zero Trust in action

5B, the largest ATM provider in Central America, successfully secured their fleets of ATMs from cyber-attacks by implementing a cybersecurity solution based on Zero Trust. The protection technologies and methods deployed made it possible to secure key devices without interrupting operations, whilst centralising device network security to ensure efficient control. In addition, by concentrating security operations on a single platform, it ensures there is minimal impact on the performance of the devices.

It made it possible for 5B to achieve 98.4% optimisation in the uptime of the entire ATM network and allowed the business to maintain full control over the integrity of software and hardware deployed on their fleet. The ATM provider was then able to run seamless 24/7 monitoring, which is crucial for the automated detection of suspicious activities and the implementation of premeditated response plans that include physical and remote verifications.”
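The state-dependent “core of trust” policy described under the preventative measures above, sketched as an added example; it is not code from the article, Auriga or 5B. The class and method names, the sample byte strings and the ticket placeholder are assumptions made for illustration.

```python
import hashlib

def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

class TrustCore:  # default-deny policy keyed on content hash and device state
    def __init__(self, certified):
        self.certified = set(certified)  # digests approved by internal certification
        self.temporary = set()           # extra digests valid only during maintenance
        self.ticket = None               # None means the device is in service
        self.audit = []                  # every decision is recorded

    def begin_maintenance(self, ticket, tool_digests):
        self.ticket, self.temporary = ticket, set(tool_digests)
        self.audit.append(("maintenance_start", ticket))

    def end_maintenance(self):
        self.audit.append(("maintenance_end", self.ticket))
        self.ticket, self.temporary = None, set()

    def may_execute(self, name, content):
        # Re-hash on every use: a file name or a vendor's reputation proves nothing.
        d = digest(content)
        allowed = d in self.certified or (self.ticket is not None and d in self.temporary)
        self.audit.append(("exec", name, d[:12], self.ticket, allowed))
        return allowed

    def authorise_change(self, content, approved_by):
        # Adding to the core needs an open maintenance window and a named approver.
        ok = self.ticket is not None and bool(approved_by)
        if ok:
            self.certified.add(digest(content))
        self.audit.append(("core_change", digest(content)[:12], approved_by, ok))
        return ok

# Constructed sample binaries: byte strings stand in for files on the device.
ATM_APP, TAMPERED = b"atm application v1", b"atm application v1 + implant"
DIAG_TOOL, ATM_APP_V2 = b"vendor diagnostic tool", b"atm application v2"
def demo():
    core = TrustCore({digest(ATM_APP)})
    results = [core.may_execute("atm.exe", ATM_APP),     # certified content
               core.may_execute("atm.exe", TAMPERED),    # same name, altered content
               core.may_execute("diag.exe", DIAG_TOOL)]  # legitimate tool, in service
    core.begin_maintenance("TICKET-PLACEHOLDER", {digest(DIAG_TOOL)})
    results.append(core.may_execute("diag.exe", DIAG_TOOL))  # this window only
    results.append(core.authorise_change(ATM_APP_V2, "change-board"))
    core.end_maintenance()
    results.append(core.may_execute("diag.exe", DIAG_TOOL))  # denied again
    return results, core.audit
```

Calling `demo()` returns the six decisions and the audit trail; the diagnostic tool is allowed only while the maintenance ticket is open and is denied again once the device returns to service.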
