Banks in the UK are simulating the combined effects of a cyber attack and Olympic gridlock today
UK banks are being put to the test today, in a voluntary simulation designed to test their mettle in a crisis.
Led by the Financial Services Authority, and compiled with the help of the Bank of England and the finance ministry, the two part drill began at eight in the morning and will assess business continuity systems and practices in 87 UK banks – in response to reports that they are under increased attack from cyber criminals.
Extreme scenario testing
According to a Reuters report, the drill will include a simulated cyber attack on financial systems; disrupting communications and Internet access as well as wholesale- and retail-payment systems. Banks will have to deal with the fallout of fictional customers not being able to draw cash or make card payments.
A second, simultaneous simulation will replicate the potential travel disruptions that may be caused by the Olympic Games, leaving many employees unable to get to work or ATMs running out of currency because the vans carrying the cash are stuck in heavy traffic.
The watchdog will publish a summary of its findings in February and banks that struggle will have questions to answer, according to reports – even though the FSA says that “there are no ‘passes’ or ‘fails'” and that the “exercise is about firms assessing business continuity systems and updating them where necessary and about the authorities identifying areas for further attention,”.
Preparing for the worst
In light of the rise in sophisticated hacking attacks against banks and governement installations, the UK’s government systems was recently involved in a transatlantic cyber security exercise focussing on advanced persistent threats (APTs) and SCADA hacking.
Although this is not the first FSA drill, the severity and extent of malicious infiltration has the industry is keeping a close eye on this one.
Unsurprisingly, security firms welcomed sigs that the banking sector is taking action.
“Often you see security being considered at the last minute rather than being engineered into projects and infrastructures from day one so it’s very encouraging to see an important sector like this taking part in preventative measures,” said Sian John, UK security strategist at Symantec. “Approximately 144,000 malicious files are detected each day, equating to more than 4.3 million each month. Threats are becoming increasingly targeted and focused on accessing information that can be used for malicious gain or sold on via underground markets”.
“An exercise like this will demonstrate exactly how robust their systems are and where the vulnerabilities lie. It may mean they need to reconsider back up sites for example or rethink security altogether – whatever the results it’s a nice illustration that financial institutions are proactively looking to manage risk.”
Others warned that an exercise is only as good as the scenario it uses: “It is very pleasing to see the financial sector taking the threat of cyber attack so seriously and we hope that other sectors will follow suit,” said Henry Harrison, technical director at BAE Systems Detica. “The key to this sort of exercise is using sufficiently representative scenarios. This is as true for cyber attack scenarios as for financial disaster scenarios – while it is simple to imagine situations such as a total loss of communications, realistic scenarios should also include the loss of confidence in the integrity of data or key systems, or indeed the loss of confidence in the confidentiality of communications between different players in the system.”
The voluntary exercise is one of the largest of its kind in the world, involving thousands of staff. 2009 saw 5,000 bank employees battle against imaginary floods, and severe weather conditions while in 2006, a hypothetical six-week flu epidemic tested companies’ ability to cope with large-scale staff absences.