Securing securities exchange systems

By: The WFE Focus Team May 2018

Dubi Vigdorovich, Cyber, CISO & Data Security Unit Manager, Information Technology and Operations Department, Tel-Aviv Stock Exchange (TASE), provides tips on mitigating cybersecurity vulnerabilities at exchanges.

The digitalisation of the securities industry has facilitated the creation of a truly global capital market unlike anything before it.

Virtually all aspects of securities - issuances, ownership registration, trading, clearing, and lending - are currently conducted in real time in fully digital systems. As a result, vast improvements have been made to market functional efficiency as well as to the process and transparency of price discovery.

However, as the capacity and power of financial markets have increased, so has their vulnerability. Cybersecurity is one of the major challenges currently confronting stock exchanges and financial institutions worldwide. Exchanges are potential targets for cyber-attacks from a great number of sources pursuing an even greater number of aims. Some seek ill-gained profits, while others simply seek to disrupt or destroy. The potential damage to an exchange’s activities caused by cyber-attacks is not limited to financial considerations. Cyber-attacks can damage an exchange's reputation which can cause a loss of investor confidence and could subsequently impact markets and the underlying economy.

Stock exchanges are similar in many respects to other financial organisations, but are set apart by one additional crucial vulnerability: a dependency on low latency, which leaves them more exposed under attack. Unlike most other financial institutions, an exchange's core business treats time as always of the essence, and processing huge volumes of data in minimal time is mission-critical. Cyber-attacks, and the defenses against them, can both compromise this key characteristic. If an in-line security solution is implemented, especially one incorporating a deep packet inspection process, latency will likely increase as a result. High latency impinges on an exchange’s ability to react effectively to cyber threats and undermines its competitiveness.

Since an exchange’s resources are not endless, a fool-proof defense is virtually impossible. A risk-based approach must be taken in the design of a multi-layer cyber-defense work plan. A cyber risk assessment is complex, given the various risk factors which must be taken into consideration. An exchange must analyse who might attack (e.g. hackers, employees, suppliers, terrorist organisations), and must evaluate the most feared outcomes (e.g. data theft, market manipulation, down time, data corruption). The risk assessment should evaluate the potential impact on the organisation according to its risk appetite and its risk tolerance. In addition, it must quantitatively evaluate the likelihood of various modes of attack and their costs.

Firewalls are not necessarily designed for low latency. A very low-latency firewall can handle traffic within a few microseconds, but then functions mainly as a firewall. Additional protection, such as that provided by intrusion prevention systems (IPS), might cause considerable delay in transaction execution because of the deep packet inspection process. In order to maintain low latency, additional cybersecurity measures should be implemented in both out-of-band and in-line fashion. Some solutions are able to continuously read a copy of the network traffic through TAP or SPAN ports and, in doing so, can replace in-line solutions.

Over the past few years, innovative commercial cybersecurity solutions have come to market. Some of these are based on smart algorithms which are designed to 'study' the traffic for a period of time in order to analyse the nature of 'normal' traffic. Following this 'learning period', these solutions identify and issue alerts whenever abnormal traffic is detected.
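The 'learning period' followed by alerting on deviations can be shown concretely. The following Python is an added example, not code from the article or from TASE: it assumes a constructed per-second feed of order-message counts per trading participant, learns each participant's mean and standard deviation during the learning period, and then raises an alert on live traffic that deviates from the learned band or comes from a source never seen during learning. Commercial products use far richer features than a single rate, but the two-phase structure is the same.

```python
import statistics
from collections import defaultdict

# Constructed learning-period sample (not from the article). Each line is
# "<second> <participant> <order_messages>": how many order messages that
# participant's gateway sent in a one-second window.
LEARNING_LOG = [
    f"{t} P1 {rate}"
    for t, rate in enumerate([98, 101, 100, 99, 103, 97, 100, 102, 99, 101])
] + [
    f"{t} P2 {rate}"
    for t, rate in enumerate([20, 22, 19, 21, 20, 23, 18, 21, 20, 22])
]

# Constructed live traffic to score once the learning period is over.
LIVE_LOG = [
    "100 P1 100",   # inside P1's normal band
    "101 P1 400",   # burst of four times P1's baseline rate
    "102 P2 21",    # normal for P2
    "103 P3 5",     # participant that never appeared during learning
]


def parse_line(line):
    """Split one log line into (second, participant, message_count)."""
    second, participant, count = line.split()
    return int(second), participant, int(count)


def learn_baseline(lines):
    """Learning phase: per participant, record the mean and population
    standard deviation of the per-second message rate."""
    samples = defaultdict(list)
    for line in lines:
        _, participant, count = parse_line(line)
        samples[participant].append(count)
    baseline = {}
    for participant, counts in samples.items():
        mean = statistics.fmean(counts)
        # A perfectly constant series has stdev 0; a floor of 1 message/s
        # stops a one-message change from scoring as an infinite deviation.
        stdev = max(statistics.pstdev(counts), 1.0)
        baseline[participant] = (mean, stdev)
    return baseline


def detect_anomalies(baseline, lines, threshold=3.0):
    """Detection phase: return one (second, participant, reason) tuple per
    abnormal line. A line is abnormal when its rate lies more than
    `threshold` standard deviations from the learned mean, or when the
    participant has no baseline at all."""
    alerts = []
    for line in lines:
        second, participant, count = parse_line(line)
        if participant not in baseline:
            alerts.append((second, participant, "unknown-source"))
            continue
        mean, stdev = baseline[participant]
        z = (count - mean) / stdev
        if abs(z) > threshold:
            alerts.append((second, participant, f"rate-deviation z={z:.1f}"))
    return alerts


if __name__ == "__main__":
    base = learn_baseline(LEARNING_LOG)
    for alert in detect_anomalies(base, LIVE_LOG):
        print("ALERT", alert)
```

Because the scoring only reads a copy of the log, it is the kind of logic that can run out-of-band on a TAP or SPAN feed without adding latency to the order path; the trade-off is that it alerts rather than blocks.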

Another effective strategy for cyber defense involves the dispersion of decoys, or 'honeypots', to lure would-be attackers. As soon as hostile activity is detected by a trap, an alert is issued.

Internet and e-mail services expose securities exchanges to zero-day vulnerabilities that are undetected by traditional solutions, including anti-virus software. Malware is usually disguised in what appear to be legitimate files. The safest way to avoid malware infection is to reconstruct each and every file. In this manner, malicious code implanted in a file can be erased and eliminated automatically. Within the framework of securities exchanges, going offline is the best defense. Any workstation with direct access to trading, clearing and other systems should not have access to the internet or e-mail. Similarly, servers and workstations should not belong to the same network.
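The principle behind 'reconstruct each and every file' is that nothing is copied from the incoming file: it is parsed into typed values, and a brand-new file is generated from those values alone. Commercial products do this for PDF and Office formats; the following Python is an added illustration on a deliberately simple format and is not code from the article or from TASE. It assumes a constructed CSV price file with a declared three-column schema, validates every cell against its column's type, regenerates a clean file from the parsed values, drops any column the schema does not declare, and reports rejected rows by line number.

```python
import csv
import io
import re
from decimal import Decimal, InvalidOperation

# Constructed inbound file (not from the article), as it might arrive by
# e-mail from a data vendor. Row 3 carries a price cell that is not a
# number, row 4 a symbol outside the allowed alphabet, and the trailing
# "comment" column is not part of the declared schema at all.
RAW_CSV = (
    "symbol,price,quantity,comment\n"
    "TASE1,101.50,200,ok\n"
    'TASE2,"=1+1",50,looks like a formula\n'
    "tase3,99.10,10,lower-case symbol\n"
    "TASE4,87.25,30,ok\n"
)

SYMBOL_RE = re.compile(r"[A-Z0-9]{1,12}")
QUANTITY_RE = re.compile(r"[0-9]+")


def parse_symbol(text):
    """Accept only upper-case alphanumerics of bounded length."""
    if not SYMBOL_RE.fullmatch(text):
        raise ValueError("symbol")
    return text


def parse_price(text):
    """Accept only a finite, positive decimal; re-emit it in plain notation
    so the output never contains the original bytes."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        raise ValueError("price") from None
    if value.is_nan() or value.is_infinite() or value <= 0:
        raise ValueError("price")
    return format(value, "f")


def parse_quantity(text):
    """Accept only ASCII digits and normalise through int()."""
    if not QUANTITY_RE.fullmatch(text):
        raise ValueError("quantity")
    return str(int(text))


# The declared schema: column name and the validator that turns its text
# into a typed value. Only these columns exist in the reconstructed file.
SCHEMA = [
    ("symbol", parse_symbol),
    ("price", parse_price),
    ("quantity", parse_quantity),
]


def reconstruct_csv(raw_text):
    """Return (clean_csv_text, rejected) where rejected lists
    (line_number, failing_column) for every row that did not validate."""
    reader = csv.DictReader(io.StringIO(raw_text))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([name for name, _ in SCHEMA])
    rejected = []
    for line_no, row in enumerate(reader, start=2):   # line 1 is the header
        try:
            clean = [parser((row.get(name) or "").strip())
                     for name, parser in SCHEMA]
        except ValueError as err:
            rejected.append((line_no, str(err)))
            continue
        writer.writerow(clean)
    return out.getvalue(), rejected


if __name__ == "__main__":
    clean_text, bad_rows = reconstruct_csv(RAW_CSV)
    print(clean_text)
    print("rejected:", bad_rows)
```

The rejected-row list is what an operator reviews; the reconstructed file is what crosses into the isolated trading network, and it contains only values that a validator produced.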

Israel commands a leading position in developing enterprise cybersecurity solutions, including those specialised for financial institutions. Facing a myriad of threats on a daily basis, TASE has developed a robust system to detect, deflect, and respond to cyber-attacks. TASE is willing to share its expertise in this area with other exchanges. It has recently concluded an agreement with the Astana International Exchange (AIX) for cybersecurity consulting services, which includes providing a variety of solutions and services to the new exchange.