The UK's major banks and financial institutions tested their collective ability to respond to a severe cyber attack in a simulation dubbed Waking Shark 2, run on Tuesday afternoon in the heart of London's financial district.
The test was ordered by the Bank of England to examine how well firms, including the high-street banks, card providers and the financial authorities, could communicate and co-operate in the event of a wide-ranging attack on the UK's banking online payments systems, which transfer trillions of pounds a day.
But industry experts believe a more ‘real-world’ exercise is needed to test financial firms' incident response plans - and crucially their ability to stop a major cyber attack at the earliest possible stage.
The Bank of England was saying little about Waking Shark 2 ahead of the event, but it followed an original simulation run in March 2011 at Credit Suisse's offices in Canary Wharf which involved just over 100 representatives from 33 participating financial firms, infrastructure providers and financial regulators.
Waking Shark 1 revealed problems in cross-firm communications during a severe cyber attack. It also underlined the need for clarity over the roles of the financial authorities, the Government's Centre for the Protection of National Infrastructure (CPNI), the Cyber Security Operations Centre (CSOC) and other overseers. Waking Shark 2 was set up to test whether these lessons had been learned.
John Yeo, EMEA director at security services and technology firm Trustwave, welcomed “financial institutions taking cyber security so seriously and actively encouraging organisations to take a proactive approach to tackling potential cyber threats”. But he argued: “What needs to be implemented are real-world attack scenarios that truly test the businesses' incident response plans.”
Yeo said Wednesday's simulation likely included how well firms can co-ordinate and communicate with one another, and how banks can ensure the availability of cash in ATMs. But he felt that “the more important issue is what are they communicating about, and what happens when an attack is more subversive, and not immediately obvious when it strikes?”
“In our experience, the majority of organisations that suffer a breach do not realise for some time that they have been hit, let alone where the attack originated from, and how it works.”
Richard Horne, cyber security partner at PricewaterhouseCoopers, also thinks much more detailed testing is needed, focused on stopping cyber attacks in their tracks.
“This exercise is useful in raising awareness of the potential systemic impact of a cyber attack and in testing the ability of regulators to co-ordinate high level response across many organisations to an attack with wide-scale impact,” Horne said. “The real challenge however is to build co-ordination across the sector to contain cyber incidents at an early stage, so that this kind of crisis scenario is never reached.”
Horne felt that “whilst an exercise like this helps to highlight the scale of the challenge, it will take a lot of detailed technical work and testing – co-ordinated across the industry – to really understand all the interdependencies and develop meaningful containment and recovery plans.”
Meanwhile Andrew Miller, chief operating officer at solutions provider Corero Network Security, said “learning to co-operate” would be one of the biggest benefits emerging from the exercise, adding: “I personally believe that there needs to be more information sharing within financial organisations on the latest threats and attacks they are facing so they can develop a knowledge pool on how to protect against them.”
LogRhythm managing director for international markets, Ross Brewer, agreed but called for the lessons learned to be “shared with a wider audience” in other industry sectors.
“Far too many organisations are still relying on reactive security measures when they should be constantly prepared for an attack and it is likely this exercise will prove this to be an extremely outdated thought process,” Brewer said. “The only way to ensure businesses have the best possible chance of keeping today's sophisticated threats out is through 24/7 monitoring of all network activity.”
Dr Guy Bunker, a spokesperson for the Jericho Forum and senior vice president of products at information security company Clearswift, told SCMagazineuk.com that UK financial institutions should also examine how they protect against “the insider threat”.
And he said they should consider running a global cyber attack preparedness test in the future. “It's not feasible at this time, there's a lot of hurdles that will have to be crossed but I think it is something that the financial world should move towards, so that we don't end up with somebody attacking some small country as a means to get to the big countries,” Bunker explained.
Waking Shark 2 was driven by the Bank of England's Financial Policy Committee (FPC), which in October issued a warning to the UK's major banks that they needed to get their house in order by having detailed cyber defence plans in place by March next year.