Trading Networks: Vulnerable or Not?
Don’t get complacent. Trading networks are far from “safe zones”.
With concentrated effort over a long period, sophisticated and stealthy malware can gain (and maintain) access to key servers at multiple exchanges. Once firmly planted across several institutions, it could in theory launch a coordinated attack, halting trading and wreaking havoc in the financial markets with far-reaching consequences. Perhaps a little dramatic, but it is a scenario that a good number of cybersecurity practitioners and regulators worldwide treat as plausible and plan to safeguard against.
Trading networks have traditionally been considered “safe zones” in the world of cyber attacks. Their critical systems (Execution Systems, Data Dissemination, Order Entry, Order Routing, Risk Management, just to name a few) are typically not internet facing, and strict controls are enforced between the trading network zone and the enterprise network zone. But with an increasing number of cyber incidents directed at FMIs (Financial Market Infrastructures) over the years (in a survey of 46 securities exchanges conducted by IOSCO and the World Federation of Exchanges, 83% reported a breach), cybersecurity and risk management practitioners in the industry have re-examined those long-held beliefs.
Air gapping of networks is great in theory, but it rests on several assumptions: that the controls imposed cannot be breached, that insiders can be trusted, that insiders cannot be compromised, and that traditional IT and operational technology (OT) are completely separated. As compromises of air-gapped networks across industries have shown, including intrusions into highly protected networks such as the DoD’s SIPRNet, these assumptions have on occasion proved faulty. While these measures may deter the common hacker, they still leave these networks vulnerable to the truly motivated 2% who use advanced, persistent and targeted attacks.
For one, the interconnectivity between the IT world and the OT world at these trading venues is an issue. Firewalls and rules control communications to an extent, but as long as that interconnectivity exists there is a way in for the persistent attacker. As penetration testing in these organizations has revealed, an attacker who gets a foothold can move across the entire enterprise, reach the trading platforms, and gain the ability to view, update or delete trade information.
Aside from a malicious insider, or a hacker who manages to circumvent perimeter controls, the unsuspecting insider may very well be the attacker’s ally in gaining access to the enterprise network. This could be through typical vectors such as phishing emails or watering-hole attacks, or through compromised personal devices. For example, an employee’s mobile phone could be compromised outside of work by installing an infected app, or while using public wifi or a public charging port; once it is plugged back into the company network, the employee inadvertently enables the spread of malware. Or the user might plug an infected USB drive into a work system for a file transfer (this was the infection vector in the DoD SIPRNet compromise, for instance), compromising additional systems. Beyond that, there is plain human error: a temporary remote connection set up for a contractor and then forgotten, or security controls that insiders themselves try to bypass. All can serve as infiltration points.
Secondly, the point of infiltration could be through a trading venue’s participant system. With the high degree of connectivity that exists between these networks, if a participant’s system is compromised, hackers can gain unauthorized access to the trading venue systems and cause havoc. It is this very interconnectedness that has prompted many to classify cybersecurity risk as a systemic risk in the securities market. The security at the smallest exchange can affect the largest exchange.
The vendor supply chain represents another danger zone. In a survey published by the U.S. Securities and Exchange Commission Office of Compliance Inspections and Examinations in February 2015, 88% of broker-dealers and 74% of advisers stated that they had experienced cyber attacks directly or through one or more of their vendors. What’s more, all of these are software and hardware systems, and all of them need regular updates. An attacker can tamper with a software or hardware update, or trick an employee into installing a fake update or patch. The adoption of cloud technology further opens up the risk of an adversary establishing a control server within the cloud provider’s own server farm, where its traffic is hard to distinguish from legitimate cloud traffic.
As outlined above, FMIs have various points of vulnerability that leave them susceptible to cyber intrusions and their aftermath. The effects could include unauthorized access leading to fraudulent use of a trading participant’s algorithmic or automated trading systems, or compromise of Order Management Systems (OMS) leading to false orders or the inability to route orders correctly. Matching engines could be taken offline or Risk Management systems could be attacked. Clearing system breaches could result in fraudulent payments, or trading networks could be corrupted or shut down, suspending all activity. All of these scenarios are highly disruptive, and can negatively affect market liquidity and investor confidence.
In light of these alarming situations, the CPMI-IOSCO issued a cyber resilience guideline for FMIs in 2016. The guidelines were designed to provide guidance in the areas of Governance, Identification, Protection, Detection, Response, Recovery, Testing, Situational Awareness and Learning and Evolving, and go a long way in proposing measures to build cyber resilient financial market systems. Of course, the ever-evolving nature of cybersecurity threats will require continuous updates to these guidelines.
The fact remains: full transparency and visibility into what is happening on your network is key to navigating these environments. Detection, forensics and swift response to incidents on trading network operational systems require a different class of monitoring tools, purpose-built to bring visibility into trading networks rather than more typical IT environments. Tools that bring visibility to both IT and OT networks, and to threat propagation between the two, are critical.
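As an added illustration of the monitoring the article is calling for (this is example code, not Corvil’s product or anything from the original page), the script below enforces a segmentation policy between the enterprise, trading and participant zones over a constructed connection log. The zone address ranges, the allowlist of permitted cross-zone flows (a single jump host on port 22, FIX order entry on port 9898, market data out on port 9899) and the log lines themselves are all assumptions made up for the example. It flags two things the text describes: cross-zone flows that no rule permits (the “way in” through the IT/OT boundary, or an unclassified participant address), and a trading host that accepts a cross-zone connection and then fans out to other trading hosts, which is the threat-propagation pattern a purely perimeter-focused view misses.

```python
"""Segmentation-policy checker for a zoned trading network (added example).

Addresses, ports, allowlist and log lines are constructed for illustration;
the article names none of them.
"""
import ipaddress
from collections import defaultdict

# Hypothetical address plan for the three zones discussed in the article.
ZONES = {
    "enterprise": ipaddress.ip_network("10.10.0.0/16"),
    "trading": ipaddress.ip_network("10.20.0.0/16"),
    "participant": ipaddress.ip_network("172.16.0.0/12"),
}

# Permitted cross-zone flows: (src_zone, dst_zone, dst_port) -> allowed source
# hosts, or None for "any host in src_zone". Any other zone crossing is a finding.
ALLOWED = {
    ("enterprise", "trading", 22): {"10.10.5.10"},   # one approved jump host
    ("participant", "trading", 9898): None,          # FIX order entry (assumed port)
    ("trading", "participant", 9899): None,          # market data out (assumed port)
}

# A trading host that accepted a cross-zone connection and then reaches this many
# distinct in-zone peers is reported as possible lateral movement.
LATERAL_FANOUT = 2

# Constructed connection log: timestamp src dst dst_port protocol.
LOG = """\
2016-03-01T09:30:01Z 10.10.5.10 10.20.1.5 22 tcp
2016-03-01T09:30:02Z 172.16.4.20 10.20.2.1 9898 tcp
2016-03-01T09:30:05Z 10.10.7.44 10.20.1.5 22 tcp
2016-03-01T09:30:09Z 10.10.7.44 10.20.3.9 445 tcp
2016-03-01T09:30:12Z 10.20.1.5 10.20.3.9 445 tcp
2016-03-01T09:30:13Z 10.20.1.5 10.20.3.10 445 tcp
2016-03-01T09:31:00Z 10.20.2.1 172.16.4.20 9899 tcp
2016-03-01T09:31:04Z 192.168.99.1 10.20.2.1 9898 tcp
""".splitlines()


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is outside the plan."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def parse_line(line):
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flow(flow):
    """Return a reason string if the flow violates the segmentation policy, else None."""
    sz, dz = zone_of(flow["src"]), zone_of(flow["dst"])
    if sz == dz:
        return None  # intra-zone traffic is handled by the lateral-movement check
    if sz == "unknown" or dz == "unknown":
        return f"flow touches an unclassified address ({sz}->{dz})"
    key = (sz, dz, flow["dport"])
    if key not in ALLOWED:
        return f"no rule permits {sz}->{dz} on port {flow['dport']}"
    allowed_srcs = ALLOWED[key]
    if allowed_srcs is not None and flow["src"] not in allowed_srcs:
        return f"{flow['src']} is not an approved {sz}->{dz} source on port {flow['dport']}"
    return None


def analyze(lines):
    """Return a list of (ts, src, dst, reason) findings for a sequence of log lines."""
    findings = []
    entered = set()            # trading hosts that accepted a cross-zone connection
    peers = defaultdict(set)   # entered host -> distinct trading peers it then contacted
    for line in lines:
        f = parse_line(line)
        reason = check_flow(f)
        if reason:
            findings.append((f["ts"], f["src"], f["dst"], reason))
        sz, dz = zone_of(f["src"]), zone_of(f["dst"])
        if dz == "trading" and sz != "trading":
            entered.add(f["dst"])
        elif sz == "trading" and dz == "trading" and f["src"] in entered:
            peers[f["src"]].add(f["dst"])
            if len(peers[f["src"]]) == LATERAL_FANOUT:
                findings.append((f["ts"], f["src"], f["dst"],
                                 f"possible lateral movement: {f['src']} reached "
                                 f"{LATERAL_FANOUT} trading peers after a cross-zone entry"))
    return findings


if __name__ == "__main__":
    for ts, src, dst, reason in analyze(LOG):
        print(f"{ts} {src} -> {dst}: {reason}")
```

On the constructed log this reports four findings: an unapproved enterprise host using the jump-host port, the same host reaching a trading server on a port no rule covers, the jump target then fanning out to two trading peers, and an order-entry connection from an address outside every zone. In a real deployment the allowlist would be generated from the firewall policy rather than typed by hand, so that the monitor catches drift between what the policy says and what the network actually carries.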
And that’s where Corvil comes in. With its long history and success in monitoring trading network environments and the ability to seamlessly add a layer of security monitoring to both trading networks and general enterprise networks, Corvil’s Security Analytics solution is best equipped to monitor these high-risk environments.