The EU-CIP project is dedicated to the establishment of Europe’s most expansive community and ecosystem focused on critical infrastructure protection and resilience. A fundamental element of this initiative revolves around the utilisation of insights and accomplishments derived from prior CIP/CIR projects, serving as a cornerstone for EU-CIP’s ongoing endeavours. As part of this effort, this blog presents the outcomes of the FINSEC project (Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures, GA No 786727). FINSEC, a flagship project that reached its conclusion in 2021, sought to develop, demonstrate and bring to market an integrated, intelligent, collaborative and predictive approach to the security of critical infrastructures in the financial sector.
The infrastructures of the financial sector are nowadays more critical, sophisticated and interconnected than ever before, which makes them increasingly vulnerable to security attacks. Despite increased awareness, most security measures remain fragmented and static and are thus inappropriate for confronting sophisticated and asymmetric attacks. The FINSEC project considered the critical infrastructures of the financial sector as large-scale cyber-physical systems, which must be protected based on a holistic approach that considers both physical security risks and cyber-security risks, along with their interrelationships, interactions and cascading effects across the financial services supply chain.
To facilitate a combined cyber/physical approach to security, the project identified the main components needed. To this end, a proper data model is essential to provide an integrated representation of physical and cyber assets and their relationships, to operate on data, and to define the scope of the prediction algorithms. In the design of a data model, two different approaches can be adopted: the first is to define the model from scratch, covering all the business requirements of the considered use cases; the second is to expand (i.e., detail) an existing standard with the objects identified by the use cases that are missing from the standard. The FINSEC project pursued the second solution, resulting in the FINSEC-FINSTIX data model. FINSTIX extends the Structured Threat Information eXpression (STIX) 2 [https://oasis-open.github.io/cti-documentation/] standard, combining information coming from both the physical and the logical world and thus contributing to the defence against both cyber and physical threats.
STIX 2 is an open language and serialisation format that lets data model users exchange cyber threat intelligence (CTI) in a consistent and machine-readable manner, thus allowing automated threat exchange, automated detection and response, and more. Using STIX, security communities can better understand which computer-based attacks are most likely to be seen, and can anticipate and/or respond to those attacks faster and more effectively.
The project chose STIX because it already defines concepts important for CTI (such as Observed Data, Vulnerability, Attack Pattern, Malware, Course Of Action), while enabling easy extension through the addition of custom properties to existing STIX objects and/or the creation of brand-new custom objects. In addition, STIX allows easy references to other external sources of intelligence (such as CAPEC). The FINSEC extension to STIX 2 was driven by the FINSEC project use cases, which led to the inclusion of information relevant to the financial sector, enabling the correlation of physical and logical data.
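To make the extension mechanism concrete, the following added example (not FINSTIX's own schema, and not code from the FINSEC project) builds a STIX 2.1 bundle in which a custom physical-asset object, with an invented type name `x-example-physical-asset` and invented `x_example_*` properties, is related to standard cyber objects, and then checks the bundle against the STIX conventions that such an extension must respect: `x-` prefix on custom types, well-formed ids, the common properties, and relationship references that resolve inside the bundle.

```python
"""Hypothetical STIX 2.1 extension in the FINSTIX spirit (names invented here):
a custom physical-asset object linked to standard cyber objects, plus a checker."""
import re, uuid
from datetime import datetime, timezone

STANDARD_TYPES = {  # STIX 2.1 SDO/SRO names; anything else must carry the x- prefix
    "attack-pattern", "campaign", "course-of-action", "grouping", "identity",
    "indicator", "infrastructure", "intrusion-set", "location", "malware",
    "malware-analysis", "note", "observed-data", "opinion", "report",
    "threat-actor", "tool", "vulnerability", "relationship", "sighting"}
STIX_ID = re.compile(r"^[a-z0-9-]+--[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")
REQUIRED = ("type", "spec_version", "id", "created", "modified")

def stix_object(obj_type, **props):
    """Common STIX 2.1 properties plus caller-supplied ones (x_ for custom)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {"type": obj_type, "spec_version": "2.1", "id": f"{obj_type}--{uuid.uuid4()}",
            "created": ts, "modified": ts, **props}

def relationship(src, rel_type, tgt):
    return stix_object("relationship", relationship_type=rel_type,
                       source_ref=src["id"], target_ref=tgt["id"])

def build_example():
    """Constructed sample: a badge reader (physical) protects a payment server
    (cyber, standard 'infrastructure') which has an unpatched vulnerability."""
    server = stix_object("infrastructure", name="payment-gateway-01")
    reader = stix_object("x-example-physical-asset", name="badge reader, room A",
                         x_example_asset_class="access-control", x_example_site="DC-1")
    vuln = stix_object("vulnerability", name="EXAMPLE-PLACEHOLDER-unpatched-firmware")
    objs = [server, reader, vuln, relationship(reader, "protects", server),
            relationship(server, "has", vuln)]  # 'has' is a spec-defined relationship
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objs}

def validate_bundle(b):
    """List problems: missing common props, malformed ids, custom types lacking
    the x- prefix, and *_ref/*_refs pointing at objects absent from the bundle."""
    problems, ids = [], {o.get("id") for o in b["objects"]}
    for o in b["objects"]:
        t, oid = o.get("type", ""), o.get("id", "")
        if missing := [p for p in REQUIRED if p not in o]:
            problems.append(f"{t}: missing {missing}")
        if not STIX_ID.match(oid) or not oid.startswith(t + "--"):
            problems.append(f"malformed id: {oid}")
        if t not in STANDARD_TYPES and not t.startswith("x-"):
            problems.append(f"custom type without x- prefix: {t}")
        for k, v in o.items():
            refs = v if k.endswith("_refs") else [v] if k.endswith("_ref") else []
            problems += [f"{t}.{k} dangling: {r}" for r in refs if r not in ids]
    return problems

if __name__ == "__main__":
    print("problems:", validate_bundle(build_example()))  # expect []
```

Dropping the `infrastructure` object from the bundle leaves both relationships with a dangling reference, which is exactly the kind of physical-to-cyber linkage error such a checker exists to catch.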
The whole FINSEC Platform can be conceived as an “intelligent engine” capable of transforming events and observed data from the physical and digital world (physical-cyber infrastructure) into Threat Intelligence. The information produced is referred to as Cyber and Physical Threat Intelligence (CPTI). In the same way that Cyber Threat Intelligence (CTI) is valuable information exchanged in the cyber-security domain, the CPTI produced in the FinTech sector is the added-value information produced by the platform, which could be exchanged (in both directions) between financial organisations and security organisations (CERT/CSIRT-like).
The link between the FINSEC project and EU-CIP is crucial; EU-CIP can leverage the outcomes and insights from FINSEC to enhance its own efforts in critical infrastructure protection and resilience, in particular with solutions, best practices, and approaches derived from the finance sector. By integrating the knowledge and solutions from the FINSEC project, EU-CIP can benefit in the following ways:
The integration of FINSEC’s solutions and approaches, along with the knowledge gathered from the finance sector, can contribute significantly to the development of a more robust, interconnected, and adaptive critical infrastructure protection and resilience framework within the EU-CIP project, enhancing its ability to address the multifaceted challenges of critical infrastructure protection and resilience.
GFT Italia, November 2023