Safeguarding critical infrastructure: lessons learned and best practices for financial organisations

A recent report by Bitsight has shed light on a concerning reality: more than 100,000 exposed industrial control systems (ICS) are owned by organisations worldwide, with the United Kingdom ranking second in Europe.

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

Because digital connectivity is now essential to everyday life, these exposures could threaten national security and public safety; urgent identification, prioritisation and remediation, or compensating controls, are therefore needed.

These vulnerabilities and misconfigurations extend beyond the digital realm, potentially giving attackers access to, or control over, physical infrastructure such as power grids, traffic light systems, physical security controls such as CCTV and door entry systems, and water control systems. In this article, we delve into the insights from the Bitsight report, explore the lessons learned and suggest some best practices that financial organisations in the UK should consider to further enhance their cybersecurity and cyber risk programmes.

Understanding the Landscape

The Bitsight report identifies the most commonly exposed ICS protocols across a number of sectors and highlights those in the UK with the most significant degree of exposure. As financial organisations are the backbone of any economy, it is crucial for them to recognise the potential consequences of these vulnerabilities and the impact on their resilience readiness.

An attack on an ICS could not only jeopardise the confidentiality and integrity of financial data but also disrupt critical services, in turn affecting the stability of the entire financial ecosystem.

Lessons learned include the following highlights:

  1. Interconnected Risks. The interconnected nature of digital infrastructure and ecosystems means that a breach in one sector can have cascading effects on others. Financial organisations must understand and assess the interdependencies within the digital ecosystem and adopt a holistic approach to cybersecurity. This includes understanding the suppliers and third parties behind each service, the risks associated with them, and the resilience arrangements that would apply should a service fail.
  2. Proactive Risk Assessment. The Bitsight report highlights the importance of regular and continuous risk assessments. Financial organisations should invest in robust risk assessment processes to identify priorities and mitigate potential exposure of their ICSs, ensuring that proactive rather than reactive cybersecurity is the norm.
  3. Collaboration is Key. The concentration of exposed systems in specific geographic areas highlights the need for regional collaboration so that organisations can work together on remediation. Financial institutions should actively participate in information-sharing initiatives and collaborate with government agencies, law enforcement and other critical infrastructure sectors to enhance collective cybersecurity resilience and readiness.

Best Practices for Financial Organisations

  1. Continuous Monitoring. Implementing continuous monitoring of ICSs is crucial to detecting and responding to potential risks promptly. Automated monitoring tools can provide real-time insight into the security posture of critical systems, allowing organisations to take rapid action when anomalies are detected.
  2. Investment in Cybersecurity Awareness. Human error remains a significant factor in cybersecurity incidents. Financial organisations should invest in cybersecurity awareness and training programmes, building a “think secure” culture across the organisation so that employees are well informed about the evolving threat landscape, promptly report anomalies and adhere to best practices. Metrics and mechanisms are needed to continually evaluate the understanding gained from, and the effectiveness of, any training.
  3. Incident Response Planning. Developing, regularly testing and adjusting incident response plans and cyber readiness are essential. Financial organisations should be well prepared to respond rapidly in the event of a cybersecurity incident, minimising the impact on operations and maintaining customer trust and reputation.

The Bitsight report highlights the need for the financial sector to reassess and strengthen its cybersecurity and cyber risk programmes. By understanding the lessons learned from Bitsight’s research into exposed ICSs and implementing the best practices above, financial institutions can accelerate their security capability in a prioritised manner. In doing so, they play a pivotal role in safeguarding critical infrastructure, protecting both national security and the confidentiality of their customers' sensitive data, while ensuring the financial sector's readiness in the face of evolving cyber risks.