Original URL: http://www.theregister.co.uk/2011/11/22/london_banks_resilience_exercise/

'Nervous' London bankers run mock cyberattack exercise

Banks test resilience of financial system as Occupy protestors mass outside

By John Leyden

Posted in Security, 22nd November 2011 15:46 GMT

London banks are taking part in a simulated cyberattack exercise on Tuesday designed to test the resilience of the UK's financial service industry to a collapse of telecoms systems and Olympics-related transport disruption.

The exercise is occurring against the real world backdrop of the Occupy the City protestors, camped outside the Square Mile. The joint Financial Services Authority, Bank of England and Treasury initiative involves staff from around 80 banks. An outline of the scenario to be played out on Tuesday by UK Financial Sector Continuity explains that the excise will look at responses to simulated cyber-attack and internet service disruption.

We have designed a scenario that will test the ability of participants to respond to a concerted cyber attack on the financial sector. Thus, there is a strong focus upon dependencies on telecommunications and the internet as well as managing the return to business as usual.

It will also examine the impact of transport disruption against the backdrop of the Olympics.

In response to feedback, we have released the scenario well in advance so facilitators have more time to review injects and their impacts, engage the right people and in-house experts and organise their participation on exercise day. We have reduced the focus on crisis management and included a dedicated strategic element on exercise day.

Sian John, UK security strategist at Symantec, commented: "With more than 80 companies lined up to take part in the exercise today there are likely to be plenty of nervous bankers in the UK waiting to see the results of this test. Often you see security being considered at the last minute rather than being engineered into projects and infrastructures from day one so it’s very encouraging to see an important sector like this taking part in preventative measures.

"Threats are becoming increasingly targeted and focused on accessing information that can be used for malicious gain or sold on via underground markets. An exercise like this will demonstrate exactly how robust their [banking] systems are and where the vulnerabilities lie. It may mean they need to reconsider back up sites for example or rethink security altogether – whatever the results it’s a nice illustration that financial institutions are proactively looking to manage risk."

Henry Harrison, Technical Director at BAE Systems Detica, said that the scenario played out through the exercise needs to be as thorough and realistic as possible in order to yield the best possible results.

"It is very pleasing to see the financial sector taking the threat of cyber attack so seriously and we hope that other sectors will follow suit," Harrison said. "The key to this sort of exercise is using sufficiently representative scenarios. This is as true for cyberattack scenarios as for financial disaster scenarios – while it is simple to imagine situations such as a total loss of communications, realistic scenarios should also include the loss of confidence in the integrity of data or key systems, or indeed the loss of confidence in the confidentiality of communications between different players in the system." ®