
The EU-CIP project is dedicated to the establishment of Europe's most expansive community and ecosystem focused on critical infrastructure protection and resilience. A fundamental element of this initiative revolves around the utilisation of insights and accomplishments derived from prior CIP/CIR projects, serving as a cornerstone for EU-CIP's ongoing endeavours. As part of this effort, this blog presents the outcomes of the FINSEC project (Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures, GA No 786727). FINSEC, a flagship project that reached its conclusion in 2021, sought to develop, demonstrate and bring to market an integrated, intelligent, collaborative and predictive approach to the security of critical infrastructures in the financial sector.

The infrastructures of the financial sector are nowadays more critical, sophisticated and interconnected than ever before, which makes them increasingly vulnerable to security attacks. Despite increased awareness, most security measures remain fragmented and static and are thus inappropriate for confronting sophisticated and asymmetric attacks. The FINSEC project considered the critical infrastructures of the financial sector as large-scale cyber-physical systems, which must be protected based on a holistic approach that considers both physical security risks and cyber-security risks, along with their interrelationships, interactions and cascading effects across the financial services supply chain.

To facilitate a combined cyber/physical approach to security, the project identified the main components needed. To this end, a proper data model is essential to provide an integrated representation of physical and cyber assets and their relationships, to operate on data and to define the scope of the prediction algorithms. In the design of a data model, two different approaches can be adopted: the first one comprises the definition of the model from scratch, covering all the business requirements of the considered use cases; the second one comprises the expansion (i.e., detailing) of an existing standard with the objects identified by the use cases and missing from the standard. The FINSEC project pursued the second solution, resulting in the FINSEC-FINSTIX data model. FINSTIX extends the Structured Threat Information eXpression (STIX) 2 [https://oasis-open.github.io/cti-documentation/] standard, combining information from both the physical and logical worlds and thus contributing to the defence against both cyber and physical threats.

STIX 2 is an open-source language and serialisation format that lets data model users exchange cyber threat intelligence (CTI) in a consistent and machine-readable manner, thus allowing automated threat exchange, automated detection and response, and more. Using STIX, the security communities can better understand what computer-based attacks are most likely to be seen and to anticipate and/or respond to those attacks faster and more effectively.

The project chose STIX because it already defines concepts important for CTI (such as Observed Data, Vulnerability, Attack Pattern, Malware, Course Of Action), while enabling an easy extension through the addition of custom parameters to already existing STIX objects and/or the creation of brand-new custom objects. In addition, STIX allows easy references to other external sources of intelligence (such as CAPEC). The FINSEC extension to STIX 2 has been driven by the FINSEC Project use cases, which led to the inclusion of information relevant to the financial sector, enabling the correlation of physical and logical data.
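An added illustration of the extension mechanism described above, not FINSEC or FINSTIX code: a custom object type and custom properties sit beside a standard Observed Data object, and the shared asset property lets physical and logical events be correlated. The names `x-example-physical-event`, `x_example_asset_ref` and `x_example_event` and the sample objects are constructed for this example and trimmed to the fields it uses; the `x-` / `x_` prefixes follow the STIX 2.0 naming convention for custom types and properties.

```python
from datetime import datetime, timedelta

# Standard names used by this sample only (a subset of the STIX 2 specification).
STANDARD_TYPES = {"observed-data"}
STANDARD_PROPS = {"type", "id", "created", "modified", "first_observed",
                  "last_observed", "number_observed", "objects"}
PHYSICAL = "x-example-physical-event"  # hypothetical custom object type
ASSET = "x_example_asset_ref"          # hypothetical custom property

# Constructed sample objects: one physical event, two network observations.
OBJECTS = [
    {"type": PHYSICAL, "id": PHYSICAL + "--00000000-0000-4000-8000-000000000001",
     "created": "2023-11-02T02:14:05Z", ASSET: "atm-017",
     "x_example_event": "cabinet_door_opened"},
    {"type": "observed-data",
     "id": "observed-data--00000000-0000-4000-8000-000000000002",
     "first_observed": "2023-11-02T02:16:40Z", "number_observed": 1,
     "objects": {"0": {"type": "ipv4-addr", "value": "192.0.2.10"}},
     ASSET: "atm-017"},
    {"type": "observed-data",
     "id": "observed-data--00000000-0000-4000-8000-000000000003",
     "first_observed": "2023-11-02T09:00:00Z", "number_observed": 1,
     "objects": {"0": {"type": "ipv4-addr", "value": "192.0.2.11"}},
     ASSET: "atm-017"},
]

def naming_violations(objects):
    """Return (id, name) for names that are neither standard nor x-/x_ prefixed."""
    bad = []
    for o in objects:
        if o["type"] not in STANDARD_TYPES and not o["type"].startswith("x-"):
            bad.append((o["id"], o["type"]))
        bad += [(o["id"], p) for p in o
                if p not in STANDARD_PROPS and not p.startswith("x_")]
    return bad

def ts(obj, key):
    return datetime.strptime(obj[key], "%Y-%m-%dT%H:%M:%SZ")

def correlate(objects, window=timedelta(minutes=5)):
    """Pair physical events with cyber observations on the same asset in the window."""
    physical = [o for o in objects if o["type"] == PHYSICAL]
    cyber = [o for o in objects if o["type"] == "observed-data"]
    return [(p["id"], c["id"]) for p in physical for c in cyber
            if p[ASSET] == c.get(ASSET)
            and abs(ts(c, "first_observed") - ts(p, "created")) <= window]

if __name__ == "__main__":
    print(naming_violations(OBJECTS))
    print(correlate(OBJECTS))
```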

The whole FINSEC Platform can be conceived as an "intelligent engine" capable of transforming events and observed data from the physical and digital world (physical-cyber infrastructure) into Threat Intelligence. The information produced will be referred to as Cyber and Physical Threat Intelligence (CPTI). In the same way that Cyber Threat Intelligence (CTI) is valuable information exchanged in the Cyber Security Domain, the CPTI produced in the FinTech sector is the added-value information produced by the platform which could be exchanged (in-out) between Financial Organisations and Security Organisations (CERT/CSIRT-like).

The link between the FINSEC project and EU-CIP is crucial; EU-CIP can leverage the outcomes and insights from FINSEC to enhance its own efforts in critical infrastructure protection and resilience, in particular with solutions, best practices, and approaches derived from the finance sector. By integrating the knowledge and solutions from the FINSEC project, EU-CIP can benefit in the following ways:

  • Cross-Sectoral Learning: Leveraging the insights and methodologies from the finance sector, EU-CIP can enhance its understanding of CIP, enabling the adoption of cross-sectoral best practices that encompass both the financial and non-financial sectors. This cross-sectorial knowledge can significantly strengthen the overall resilience and security measures within the critical infrastructure domain.
  • Enhanced Interoperability: Incorporating the solutions and standards developed within the finance sector can contribute to the development of a more robust and interoperable critical infrastructure protection framework. By drawing on the expertise and experiences of the finance sector, EU-CIP can promote greater coherence and compatibility across various sectors, fostering a more integrated and unified approach to security.
  • Holistic Resilience Strategies: The comprehensive approach to security and resilience adopted by the FINSEC project in the finance sector can serve as a blueprint for EU-CIP in formulating holistic resilience strategies. By taking into account the interconnected nature of critical infrastructures, EU-CIP can draft proactive and adaptive measures that mitigate the impact of potential threats and ensure the continued functioning of essential services.
  • Standardization and Compliance: The integration standards utilized in the finance sector can contribute to the evolution and refinement of the existing standards framework within EU-CIP. By aligning with established financial sector standards and incorporating relevant practices, EU-CIP can strengthen its compliance measures and help to enhance the overall security posture of critical infrastructure systems.
  • Knowledge Enrichment and Sharing: By populating the EU-CIP knowledge base with insights from the finance sector, EU-CIP can facilitate a more comprehensive understanding of emerging threats and vulnerabilities across various critical infrastructure domains. This knowledge enrichment can foster a culture of proactive information sharing and collaboration, enabling stakeholders to stay ahead of evolving security challenges and effectively respond to potential risks.
  • Knowledge Transfer and Best Practices: EU-CIP can benefit from the insights and best practices developed in the FINSEC project. The lessons learned from FINSEC's holistic approach to security, which integrates cyber and physical security considerations, can provide valuable guidance for EU-CIP's own initiatives in enhancing the resilience of critical infrastructure.

The integration of FINSEC's solutions and approaches, along with the knowledge gathered from the finance sector, can contribute significantly to the development of a more robust, interconnected, and adaptive critical infrastructure protection and resilience framework within the EU-CIP project, enhancing its ability to address the multifaceted challenges of critical infrastructure protection and resilience.

GFT Italia, November 2023
