For Cyber-Mature Financial Institutions, the Risk Is in the Building

Financial institutions are among the most sophisticated entities when it comes to cyber resiliency and cyber program maturity. That’s not surprising. Banks, loan servicers, credit unions, and investment and brokerage firms manage vast amounts of money, which makes them attractive targets for cybercriminals. Those assets are tied to highly sensitive personal and financial data, making them even more attractive targets for extortion and ransomware schemes. Because the continuous operation of financial institutions is vital to both the economy and national security, most countries classify them as critical infrastructure. This brings intense regulatory pressure, with large fines for non-compliance, giving financial institutions every incentive to focus on cyber resilience.

Examples of financial institutions being at the forefront of cybersecurity abound. They digitalized and automated processes much earlier than other sectors, which brought great efficiency gains but also made them prime targets for digital fraud and theft. That led to earlier cyber regulation than in other sectors, too. In the U.S., the Gramm-Leach-Bliley Act (GLBA) of 1999, which mandates that financial institutions safeguard consumer financial information, predates cybersecurity regulations in other industries. While much more recent, the EU’s Digital Operational Resilience Act (DORA) aims to fill a perceived regulatory gap by addressing digital operational resilience in the financial sector.

The upshot is an industry that has long focused on digitalization and its associated advantages, has invested continuously in cybersecurity tools, and has high adoption of frameworks and best practices such as regular risk assessments, incident response plans and strict attention to compliance. Opportunities to be at the forefront of cyber resilience and cutting-edge technology continue to present themselves, including the need to secure building automation systems (BAS) and building management systems (BMS), automated detection and remediation for IoT environments, and wireless security across Wi-Fi, Bluetooth, LoRa and drone radio links.

Cybercriminals know these systems are often unprotected and increasingly focus on them. Vulnerabilities abound that can act as gateways to IT compromises, particularly in smart buildings.

Anatomy of a Modern Financial Institution

The stately columns, gilded domes and stone gargoyles that once branded banks as temples of finance still anchor many cities and towns, but those buildings may now function as restaurants or bars. Modern, digital-first banks are decentralized, with small branches or satellite offices that offer few in-person services. Not only are these newer buildings often LEED-certified for energy efficiency but, like other smart buildings, they’re almost completely managed by OT and IoT devices.

Something we’re often asked by banking and other CISOs is, “Why would someone target my lighting or HVAC system?” Because they’re easily exploited.

Smart buildings rely on BMS/BAS to control and optimize operations, both for occupant comfort and for energy efficiency, safety and security. The OT systems in smart buildings may include HVAC systems, elevators, lighting controls, closed-circuit TVs, advanced alarm systems, fire detection and suppression systems, and badge readers or other access control systems. IoT devices may include printers and telephones but also ATMs, safety cameras, touch-enabled kiosks and other POS terminals for processing transactions.

Many of these devices run older, proprietary or non-standard embedded operating systems and lack the security features that modern IT devices have. Often they are installed without basic cyber hygiene, such as enabling encryption or authentication, or changing default credentials. This makes them easier to compromise than standard IT devices, and many are directly reachable from the internet.

More Building Automation to Protect: Data Centers

In the digital age, a bank’s crown jewels are no longer solely physical assets sitting in a vault. Rather, financial records and other sensitive data are typically stored in a mix of on-premise (or colocated) data centers and the cloud. For credit card processors, data centers are a critical component of their infrastructure, not just for speed, high availability and redundancy but because they meet the strict global security requirements in PCI DSS for handling sensitive payment card data.

Given their business criticality across many sectors, data centers have become high-value targets for cyberattacks. With their tight temperature, access and other controls, these facilities often carry an even larger OT and IoT attack surface than other smart buildings. Yet, here again, cybersecurity measures are primarily focused on protecting servers, network communications and IT applications. The OT controlling power, cooling and physical access is often overlooked.

IT Security Investments Offer Diminishing Returns

Across industries, OT and IoT devices are a growing percentage of total digital assets. A 2024 survey found that OT, IoT and other specialized systems comprise 42% of enterprise assets — and account for 64% of mid- to high-level enterprise risk. Regulatory pressures are requiring CISOs to assume greater accountability for enterprise risk and to communicate it accurately to their boards. Yet many security executives are still tempted to let OT and IoT assets fall through the cracks. Aren’t they out of scope for corporate IT departments? Doesn’t the facilities team or facility management company handle that? Or the OEM? This is a common misperception, yet if these systems are compromised, it will be corporate IT and cybersecurity leaders who must deal with the consequences.

If all of your cybersecurity investment has been poured into your IT systems, you don't have the cybersecurity maturity that you think you do. Your IT network is a shrinking subset of your overall attack surface, and the growing part is the part you least understand.

Recently a bank called us in because they were concerned with the cyber hygiene of their alarm systems. We found that the third-party contractor that was installing and operating them wasn't changing the default credentials or updating firmware as required. That’s not unusual. The alarm systems were part of the bank’s networks, which means the InfoSec department needed to manage them or risk exposure.

CISOs and other cybersecurity executives typically come up through traditional IT security or software development ranks, with formal or informal business training along the way. Taking on OT and IoT risk comes with a steep learning curve.

Attackers know that OT and IoT systems are seldom monitored, so it’s common to use them as vectors to establish a presence in the network and pivot. We frequently see this with IP cameras and other IoT systems that are connected with default credentials. Many devices can be compromised at once via a distributed attack, enrolled in a botnet, given a command-and-control channel, and used to exfiltrate data.
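The detection side of this is simpler than it sounds, because OT and IoT devices have very predictable communication patterns: a camera should stream to its recorder and nothing else, and a thermostat should talk BACnet to the BMS server and nothing else. The following is an added example, not code from this article or from Nozomi Networks, showing a per-device-class policy check over flow records. The asset list, the policy, the byte threshold and the flow records are all constructed for the example.

```python
import ipaddress

# Constructed asset inventory for a branch office: IP -> device class.
# Addresses and classes are assumptions for this example.
ASSETS = {
    "10.20.5.11": "ip-camera",
    "10.20.5.12": "ip-camera",
    "10.20.7.3": "hvac-controller",
    "10.20.1.50": "nvr",
    "10.20.1.60": "bms-server",
}

# Assumed communication policy per device class: cameras only stream RTSP to
# the NVR; HVAC controllers only speak BACnet/IP to the BMS server. Anything
# else is something a camera or a thermostat never needs to do.
POLICY = {
    "ip-camera": {"peers": {"10.20.1.50"}, "ports": {554}},
    "hvac-controller": {"peers": {"10.20.1.60"}, "ports": {47808}},
}

# The bank's own address space (assumed RFC 1918 here); anything outside it is
# treated as internet-bound.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_BYTES = 10_000_000  # assumed threshold for "a lot" of outbound data

# Constructed flow records: (src_ip, dst_ip, dst_port, proto, bytes_sent).
FLOWS = [
    ("10.20.5.11", "10.20.1.50", 554, "tcp", 8_400_000),     # normal streaming
    ("10.20.5.12", "10.20.1.50", 554, "tcp", 7_900_000),     # normal streaming
    ("10.20.5.12", "203.0.113.77", 6667, "tcp", 2_048),      # small beacon outbound
    ("10.20.5.12", "198.51.100.9", 443, "tcp", 52_000_000),  # bulk upload outbound
    ("10.20.7.3", "10.20.1.60", 47808, "udp", 12_000),       # normal BACnet
    ("10.20.7.3", "10.20.5.11", 22, "tcp", 600),             # HVAC box probing a camera
]


def is_internal(addr):
    """True if addr falls inside the assumed internal address space."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL)


def check_flows(flows, assets=ASSETS, policy=POLICY, exfil_bytes=EXFIL_BYTES):
    """Return one finding per flow that breaks the policy for its source's device class."""
    findings = []
    for src, dst, port, proto, nbytes in flows:
        rule = policy.get(assets.get(src))
        if rule is None:
            continue  # not a policed OT/IoT asset; out of scope for this check
        reasons = []
        outbound = not is_internal(dst)
        if outbound:
            reasons.append("internet-bound")
        if dst not in rule["peers"]:
            reasons.append("unexpected peer")
        if port not in rule["ports"]:
            reasons.append(f"unexpected port {port}/{proto}")
        if not reasons:
            continue
        # Rough triage: bulk data leaving the building looks like exfiltration,
        # a small outbound connection like a C2 beacon, and an off-policy
        # internal peer like lateral movement.
        if outbound and nbytes >= exfil_bytes:
            verdict = "possible exfiltration"
        elif outbound:
            verdict = "possible C2 beacon"
        else:
            verdict = "possible lateral movement"
        findings.append({
            "src": src, "class": assets[src], "dst": dst, "port": port,
            "bytes": nbytes, "reasons": reasons, "verdict": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in check_flows(FLOWS):
        print(f"{f['src']} ({f['class']}) -> {f['dst']}:{f['port']} "
              f"{f['verdict']}: {', '.join(f['reasons'])}")
```

Run on the constructed flows it flags three of the six: the camera beaconing out, the camera pushing 52 MB to an external host, and the HVAC controller opening SSH to a camera. The normal RTSP and BACnet flows pass. The point is that the policy is tiny because the devices' legitimate behaviour is tiny; the hard part in practice is having the inventory and class labels at all, which is where the contractor-installed cameras and alarm panels usually fall through the cracks.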

Nozomi Networks Can Help

With just these few examples of BMS and IoT exposure under your belt, hopefully it’s clear that an IT-only security program leaves the fastest-growing part of your attack surface unseen and unmanaged.

The Nozomi Networks platform can help you find and secure every single connected device in your environment — OT, IoT and IT — and understand its vulnerabilities and what it’s communicating with. Unlike IT-focused vendors, our platform leverages passive monitoring via deep packet inspection of all BMS/BAS and IoT protocols (BACnet, MQTT, RTSP and ONVIF, to name the most common), which is the foundation for a successful IoT security implementation. Thanks to investment from leading BMS and energy management OEMs including Schneider Electric, Mitsubishi Electric and Johnson Controls, we also have visibility into the deeper parts of building networks that other tools can’t access.
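To make concrete what passive discovery over a building protocol involves, here is an added example, not Nozomi Networks code, that decodes BACnet/IP I-Am announcements (the unsolicited "here I am" broadcast every BACnet device sends in reply to Who-Is, and often on boot) into an asset inventory without ever sending a packet. It also flags the one condition a passive observer can catch immediately: the same device instance being announced from two different IP addresses, which is either a misconfiguration or a spoofed node. The datagrams are constructed for the example, not real captures, and the IP addresses and vendor IDs in them are assumptions.

```python
# Passive BACnet/IP I-Am decoder for asset inventory (added example; frames below
# are constructed, not captured). BVLC/NPDU/APDU layout follows ASHRAE 135.

SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}
OBJ_DEVICE = 8  # BACnet object type "device"


def _read_app_tag(buf, off):
    """Decode one application tag; return (tag_number, value_bytes, next_offset)."""
    head = buf[off]
    if head & 0x08:
        raise ValueError("context-specific tag where an application tag was expected")
    tag, ln = head >> 4, head & 0x07
    off += 1
    if tag == 0x0F:           # extended tag number lives in the next octet
        tag, off = buf[off], off + 1
    if ln == 5:               # extended length (values < 254) in the next octet
        ln, off = buf[off], off + 1
    return tag, buf[off:off + ln], off + ln


def _skip_npdu(buf, off):
    """Skip the NPDU header; return the APDU offset, or None for network-layer messages."""
    version, control = buf[off], buf[off + 1]
    if version != 1:
        raise ValueError("unsupported NPDU version")
    if control & 0x80:        # network-layer message (routing traffic), no APDU inside
        return None
    off += 2
    if control & 0x20:        # DNET(2) DLEN(1) DADR(DLEN)
        off += 3 + buf[off + 2]
    if control & 0x08:        # SNET(2) SLEN(1) SADR(SLEN)
        off += 3 + buf[off + 2]
    if control & 0x20:        # hop count follows whenever a destination is present
        off += 1
    return off


def parse_iam(raw):
    """Return the I-Am fields of one BACnet/IP datagram, or None if it is not an I-Am."""
    if len(raw) < 4 or raw[0] != 0x81:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    func, length = raw[1], int.from_bytes(raw[2:4], "big")
    if length != len(raw):
        raise ValueError("BVLC length does not match datagram size")
    if func == 0x04:                # Forwarded-NPDU (via BBMD): 6-byte origin address first
        off = 10
    elif func in (0x0A, 0x0B):      # Original-Unicast-NPDU / Original-Broadcast-NPDU
        off = 4
    else:
        return None
    off = _skip_npdu(raw, off)
    if off is None or raw[off] >> 4 != 0x1 or raw[off + 1] != 0x00:
        return None                 # not Unconfirmed-Request with service choice I-Am (0)
    off += 2
    tag, val, off = _read_app_tag(raw, off)
    if tag != 12 or len(val) != 4:
        raise ValueError("I-Am must start with an object identifier")
    objid = int.from_bytes(val, "big")
    if objid >> 22 != OBJ_DEVICE:
        raise ValueError("I-Am object is not a device")
    _, max_apdu, off = _read_app_tag(raw, off)
    _, seg, off = _read_app_tag(raw, off)
    _, vendor, off = _read_app_tag(raw, off)
    return {
        "instance": objid & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": SEGMENTATION.get(int.from_bytes(seg, "big"), "unknown"),
        "vendor_id": int.from_bytes(vendor, "big"),
    }


def inventory(datagrams):
    """Build {instance: record} from (src_ip, bytes) pairs; alert when two IPs claim one instance."""
    devices, alerts = {}, []
    for src_ip, raw in datagrams:
        try:
            iam = parse_iam(raw)
        except ValueError as e:
            alerts.append(f"malformed frame from {src_ip}: {e}")
            continue
        if iam is None:
            continue
        inst = iam["instance"]
        seen = devices.get(inst)
        if seen and seen["src_ip"] != src_ip:
            alerts.append(f"device {inst} announced by {src_ip} and {seen['src_ip']}")
            continue
        devices[inst] = {"src_ip": src_ip, **iam}
    return devices, alerts


# Constructed datagrams: two I-Am broadcasts, a Who-Is (ignored), and a second
# host claiming device instance 1, as a misconfigured or spoofed node would.
SAMPLE = [
    ("10.20.7.3",   bytes.fromhex("810b0018 0120ffff00ff 1000 c402000001 2205c4 9103 210a")),
    ("10.20.7.4",   bytes.fromhex("810b0018 0120ffff00ff 1000 c402000064 2205c4 9103 2105")),
    ("10.20.1.60",  bytes.fromhex("810b000c 0120ffff00ff 1008")),
    ("10.20.9.200", bytes.fromhex("810a0014 0100 1000 c402000001 2205c4 9103 210a")),
]

if __name__ == "__main__":
    devs, alerts = inventory(SAMPLE)
    for inst, d in sorted(devs.items()):
        print(f"device {inst} at {d['src_ip']}: vendor {d['vendor_id']}, "
              f"max APDU {d['max_apdu']}, segmentation {d['segmentation']}")
    for a in alerts:
        print("ALERT:", a)
```

Feeding this the constructed sample yields two devices (instances 1 and 100) and one alert for instance 1 being claimed by 10.20.9.200 as well as 10.20.7.3. A real collector would sit on a SPAN port or tap and feed UDP/47808 payloads in the same way; the vendor ID can be mapped to a manufacturer through the ASHRAE vendor registry, and the max-APDU and segmentation fields are a cheap fingerprint for spotting a device whose reported capabilities change between announcements.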

For smaller branches where a network sensor may be overkill, lightweight endpoint sensors are a great option. For centralized risk management across sites and regions, all data from network, endpoint and wireless sensors is visible in the cloud, with customizable risk-scoring, threat intelligence and prioritized remediation dashboards to help you take the right actions.

If you’re ready to own enterprise cybersecurity risk and want complete visibility into all connected assets and their communications, along with an automated risk analysis of your environment, contact us today.
