Last week, the European Central Bank has published the European framework for testing financial sector resilience to cyber attacks.
The framework aims to simulate the effects of cyber attacks on critical systems in the banking industry in the European Union.
The move is the response to the numerous cyberheists that hit the financial industry in the past years, like the attacks against the SWIFT system and the assault against online and mobile services at the Netherlands’ three top banks.
The framework also includes the involvement of “red teams” for vulnerability assessments and penetration tests of systems used by companies in the financial sector.
“The European Central Bank (ECB) today publishes the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), which is the first Europe-wide framework for controlled and bespoke tests against cyber attacks in the financial market.” reads the announcement published by the ECB.
“The TIBER-EU framework facilitates a harmonisedEuropean approach towards intelligence-led tests which mimic the tactics, techniques andprocedures of real hackers who can be a genuine threat. TIBER-EU based tests simulate a cyber attack on an entity’s critical functions and underlying systems, such as its people, processes andtechnologies. This helps the entity to assess its protection, detection and response capabilities against potential cyber attacks.”
The main goal for the Framework is to facilitate testing for cross-border entities under oversight of several authorities.
TIBER-EU aims to help organizations measure their ability in detecting and responding cyber attacks.
The Threat Intelligence-based Ethical Red Teaming (TIBER-EU) framework will provide a guideline for operators in the sector to carry out any security tests.
“It is up to the relevant authorities and the entities themselves to determine if and when TIBER-EU based tests are performed,” the ECB said.
“Tests will be tailor-made and will not result in a pass or fail – rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to a higher level of cyber maturity,” continues the announcement.
Initially, the adoption of the framework will not be mandatory, the tests will be tailor-made and “will not result in a pass or fail – rather they will provide the tested entity with insight into its strengths and weaknesses, and enable it to learn and evolve to a higher level of cyber maturity.”
The instructions on how to “How to implement the European framework for Threat
Intelligence-based Ethical Red Teaming” are available here.