The Unseen Devices and Remote Access Contractors That Increase Banking Operations Cyber Risk

The Unseen Devices and Remote Access Contractors That Increase Banking Operations Cyber Risk

A modern bank runs on far more than its core banking platform. It runs on a quiet layer of connected machinery: the cameras watching the vault, the readers on every secured door, the intrusion and fire alarm panels, the environmental sensors, and the power and cooling systems keeping the data center alive. Financial services has spent two decades hardening its applications and its endpoints. The connected devices underneath, and the outside companies that install and operate them, have rarely had the same scrutiny.

That gap widens every year. The same drive toward automation and efficiency that made banking faster has turned the sector's facilities into cyber-physical systems: operational technology (OT) and Internet of Things (IoT) devices that bridge the digital and physical worlds. They deliver real gains in cost, safety and control. They also expand the attack surface in two directions at once: into the devices themselves and into the third parties who hold the keys to them.

The Insecure, Exposed, Connected Middleware Quietly Running Your Building

Start with the devices. IP cameras, badge and access-control readers, intrusion and fire alarm panels, environmental sensors, uninterruptible power supplies (UPS) and building management systems (BMS) are no longer isolated boxes on a wall. They are networked endpoints, many speaking protocols such as Modbus and BACnet that were designed decades ago for reliability, not security, and that often carry neither encryption nor authentication.

The direction, reinforced by the EU's NIS2 Directive and similar moves in other markets, is consistent: boards are accountable for keeping critical functions running, including the ones a vendor operates on their behalf.

These systems also lean on shared middleware that quietly sits underneath the whole building. The Tridium Niagara Framework; a Honeywell platform that ties HVAC, lighting, energy management and security systems into one data model; runs in countless commercial buildings, including bank branches and offices. In July 2025, Nozomi Networks Labs disclosed 13 vulnerabilities in Niagara, consolidated into 10 CVEs, that an adjacent attacker could chain to reach root-level control of a Niagara device and pivot deeper into the network. The chain depends on a specific misconfiguration, encryption left disabled on a network device, which raises a warning on the security dashboard, and Tridium has issued patches. The lesson is less about one product than about a pattern: the more our buildings converge on connected platforms, the more a single overlooked device has the potential to become a foothold.

The cybersecurity community describes much of this technology as “insecure by design”: it can be abused through legitimate functionality, with no exploit required, and BMS rank among the most exposed assets our research observes. Default or hard-coded credentials, flat and unsegmented networks, and remote access left open for maintenance widen the opening further. In some cases, these systems are even reachable directly from the internet. In January 2022, researchers at Cyble found roughly 20,000 internet-facing data center infrastructure management instances, including cooling dashboards, UPS controllers and rack monitors, many still guarded by factory-default passwords.  

A single connected device is rarely just a single risk. As Nozomi Networks Labs has noted, one compromised IoT device can serve four purposes at once:  

  • An entry point into the network
  • A target in its own right
  • A platform for reconnaissance
  • A foothold for launching the next move

A Revolving Door of Integrators, MSPs and Maintenance Contractors

Here is the part most resilience plans understate. The alarm systems, the cameras, the cooling and often large parts of the IT estate are not run by the institution at all. They are installed and maintained by specialist integrators and managed service providers, many of whom keep standing remote access so they can patch, monitor and troubleshoot. Every one of those connections is a door into your environment controlled by someone outside your walls. It’s safe to say that a fire or intrusion panel wired to your network by a low-bid contractor rarely gets the same hardening as a server.

We have already seen where this leads. The 2013 breach of U.S. retailer Target began not with its payment systems but with a heating and cooling contractor, Fazio Mechanical, whose stolen remote-access credentials opened a path into a network with little separation between vendor systems and payment terminals. The lesson translates cleanly to financial services, where the same kind of integrators wire up branch alarm panels and data-center controls: the security of your facility is only as strong as the weakest third party with a login to it.

The risk is not limited to the building layer. In January 2023, a LockBit ransomware attack on ION Group, a provider of cleared-derivatives software, knocked out a platform that dozens of banks and brokers depend on. Roughly 40 firms across Europe and the U.S. were forced back to processing trades by hand, some for days. None of those institutions had been breached directly. They simply relied on a supplier they did not control, and when that supplier went down, so did they.

Closing the Gap: the Global Reach of DORA

Regulators have drawn the same conclusion, and they are putting third-party risk at the center. In the European Union, the Digital Operational Resilience Act (DORA), formally Regulation (EU) 2022/2554, has applied since 17 January 2025 across 21 categories of financial entity. Its reach is effectively global, since ICT providers that serve EU financial firms fall within scope wherever they are based.

DORA rests on five pillars, and the one drawing the most attention is third-party risk related to information and communication technology (ICT). The ION attack became one of its clearest justifications. Firms must now map their dependence on outside providers, manage the concentration risk of leaning on a single supplier for a critical function, and keep documented exit plans for when one fails. Contracts must spell out incident-notification timelines, security standards and audit rights. Major incidents carry a tight reporting clock, with an initial notification within four hours of classification and a final report within a month, and systemically important firms must run threat-led penetration testing. The direction, reinforced by the EU's NIS2 Directive and similar moves in other markets, is consistent: boards are accountable for keeping critical functions running, including the ones a vendor operates on their behalf.

Know What Connected OT/IoT Assets You Have and What to Fix First

If nearly all of your cybersecurity investment has gone into IT, you may not have the operational resilience you believe you have. The connected devices and the third-party connections into them are exactly where visibility tends to run out, and you cannot defend, segment or patch an asset, or govern a remote login, that you have never inventoried.

This is the problem Nozomi Networks is built to solve. We give financial institutions a complete and accurate inventory of their OT and IoT assets, continuous monitoring of the networks and remote connections those assets depend on, and risk-based vulnerability management that turns a sprawling device estate into a short list of what to fix first. The outcome is straightforward: visibility, context and control across the cyber-physical systems your business runs on, no matter who installed them.  

To find out where your connected and third-party risk really sits, contact us today.