About The Author
Zach Jones, Security Vulnerability Analyst with The Mako Group
The internet changed the world and that includes the workplace. The Mako Group joined the remote work revolution early in its history, but now one member of the team is taking it to the next level. Zach has been a member of The Mako Group team for two years, and is now spending year three on the road while working full time. He is joining the ranks of digital nomads and moving from city to city working across time zones and countries while pursuing his career in federal sales and penetration testing. During his travels, he is learning about local cybersecurity concerns and issues in relation to the industry as a whole and sharing thoughts from the road. We’re pleased to be able to share his findings with you through this blog. Check out the latest from his time in Geneva, Switzerland.
As streamlined logistics, cloud computing, managed service providers and increasing regulatory burden begin to converge, critical infrastructure systems are reaching a crucial junction. This junction has significant implications for end-user experience, business functionality and, perhaps most importantly, cybersecurity. Technological unification has become a hallmark and goal for many different organizations as a method of improved user experience and decreased maintenance expense. The concept of a single standard operating system or global solution using cloud computing is very poetic, if not functional, but is it secure?
As I travel throughout the world, I rely on a variety of technologies and can attest to the frustrations of learning new systems and processes constantly. One such example is ATMs, which vary not just across continents but even within countries. For example, Switzerland is making a dramatic foray into the realm of technological unification. The Swiss banks are preparing to shift to a single, unified ATM operating system and eventually a centralized service provider. The service provider, SIX, has been working on behalf of the banks to develop a software platform referred to as ATMFutura. Standardizing across all the banks, which currently use about 20 different options and platforms, would in effect completely unify the service.
There are numerous examples across industries, services and platforms, but the ATM network in Switzerland offers a particularly glaring example of the potential pitfalls of unification versus diversification. In other words, should all of the operating systems and processes be identical or different? Ultimately, the debate rests on the impact and likelihood of cybersecurity threats to the entire industry.
Concentrating On Absolute Security
In a completely unified scenario, the Swiss ATM network would be (and soon will be) a work of beauty. Each and every system would deliver the same user experience with no concerns of misunderstanding, error or confusion. Moreover, the prospect of bringing a streamlined supply chain for service and maintenance of all ATMs breathes new life into an industry with nothing left to innovate. ATMs are essentially a commodity, and the cheaper they can be managed and operated, the more profitable they become. Most notably, this will bring the worst ATMs up to the standard system with a truly versatile experience to complete depositing functions, withdrawal of multiple cash denominations and basic account management operations with all Swiss banks. There is no doubt that a unified ATM network would provide significant benefits to banks, service providers and customers.
All of this comes with a caveat: cybersecurity. If the entire industry relies on a single service provider, SIX, and a single operating system, ATMFutura, then a single vulnerability, such as the infamous MS17-010, could cripple the entire industry. As with the WannaCry outbreak in 2017, the service disruption alone would cause significant damage, in addition to the potential for a true compromise of the ATM network.
On the other hand, a single unified system would also bring the combined resources of all Swiss banks and security firms together to evaluate and maintain a single system. This would effectively pour more security-related resources into a national Swiss ATM network than any bank or manufacturer could alone. The impact of a compromise, zero-day or insider threat is significantly greater in a unified system because all elements of the ATM network could be affected. However, the likelihood of a compromise, zero-day or insider threat is significantly less due to the sheer volume of resources and effort that can be spent on cybersecurity.
Avoid Total Compromise
In a completely diversified scenario, the Swiss ATM networks would be a patchwork of different operating systems, interfaces, software and service offerings. Each and every system would use unique controls and methods to accomplish different, but similar, goals. Additionally, the potential for poor user experience and ballooning service costs would be high. The Swiss ATM industry is currently composed of many different actors with roughly 20 mainstream configurations. With varying service offerings, provider networks and maintenance operations, the diversified Swiss ATM network leaves something to be desired.
Cybersecurity, as it is today, also leaves something to be desired. Irregular maintenance and patching, as well as limited penetration tests and code reviews, open ATMs up to compromise. However, a single vulnerability or insider threat would barely dent the ATM industry as a whole. It would be like all the ATMs of a single national bank in the US going offline. The service disruption would be a nuisance, but customers could easily walk a block or two to the next bank which would probably not be affected.
The diversified ATM network, or any diversified system in general, is extremely resilient as a whole. The odds of nearly two dozen separately designed and maintained systems all being compromised are slim, and the impact of a compromise, zero-day or insider threat is minuscule with so many different system configurations. On the flip side, the likelihood of a compromise, zero-day or insider threat is considerably higher due to resource strain, lack of maintenance and sheer attack surface.
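The impact-versus-likelihood trade-off can be made concrete with a small availability model. This is an added example, not part of the original post. It compares one well-resourced platform against 20 weaker ones. The per-platform compromise probabilities are constructed for illustration, and the model assumes each platform serves an equal share of ATMs and fails independently of the others.

```python
from math import comb

def outage_distribution(platforms, p_compromise):
    """Map fraction of the ATM fleet offline -> probability.

    Assumptions (illustrative, not from the post): every platform serves
    an equal share of ATMs, and a fleet-wide flaw hits each platform
    independently with probability p_compromise in a given period.
    """
    return {
        k / platforms: comb(platforms, k)
        * p_compromise ** k
        * (1 - p_compromise) ** (platforms - k)
        for k in range(platforms + 1)
    }

def summarize(platforms, p_compromise, systemic_threshold=0.5):
    """Expected outage, chance of any incident, chance of a systemic one."""
    dist = outage_distribution(platforms, p_compromise)
    return {
        "expected_offline": sum(f * p for f, p in dist.items()),
        "p_any_incident": 1 - dist[0.0],
        "p_systemic": sum(p for f, p in dist.items() if f >= systemic_threshold),
    }

# Constructed inputs: the unified platform is five times less likely to be
# compromised, reflecting pooled security resources; the diversified network
# has 20 platforms that are each easier to break.
UNIFIED = summarize(platforms=1, p_compromise=0.01)
DIVERSIFIED = summarize(platforms=20, p_compromise=0.05)

if __name__ == "__main__":
    for name, result in (("unified", UNIFIED), ("diversified", DIVERSIFIED)):
        print(name, {k: f"{v:.2e}" for k, v in result.items()})
```

Under these inputs the diversified network sees an incident in most periods but almost never loses half its fleet, while every incident on the unified platform is systemic. A dependency shared by all platforms would break the independence assumption and push the diversified case toward the unified one.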
The debate has begun and will continue until a decisive event or technology shows unified or diversified to be far superior. The prospect of unified systems is elegant, and pooling the cybersecurity resources of entire industries would create a formidable force toward absolute security. Nevertheless, the impact of one vulnerability could render a critical system of an entire country vulnerable.