grey dynamics

The fragile recovery of the Nigerian banking sector and regular terror attacks have raised concerns about the cyber and physical vulnerabilities of financial institutions against the misuse of Commercial Off The Shelf (COTS) available drone technology.

Following the increase of sophisticated cyber-attacks in the recent years—Nigeria was ranked 3^rd in the World for cybercrime in 2017. In June 2018, the Central Bank of Nigeria issued a Draft Cybersecurity Guideline for Deposit Money Banks (DMB) And Payment Service Providers (PSP) to raise awareness and enforce cyber security best practices in this industry.

Personally Identifiable Information (PII) stored in banking facilities and its wider infrastructure are a prized target to all sort of hackers. The limited amount of population using the financial system increases the value of this type of data. The situation is further aggravated by the slow improvement of the sector, exposing small institutions to bail outs or buy outs. This encourages the unlawful acquisition of private information in support of these processes and threatens the private data or physical security also of their employees.

Drones are utilized as anonymous flying devices, difficult to detect, capable to penetrate and steal secrets from restricted areas or sensitive buildings and deploy complex cyber-attacks. Their ability to integrate and operate remotely COTS hacking or spoofing equipment, raises questions not only about how to defend against them, but also how to protect unsuspected vulnerabilities…

Nigeria has a regulated airspace when it comes to drones and their pilots, but of course these rules are ignored by individuals or organizations with bad intentions. Moreover, these technologies are easily available online or in specialized local shops and have recently been used against the Nigerian army by terrorist organization Boko Haram. Boko Haram has an history of bank robberies and bank attacks using explosive devices. Protesters are also a regular threat to the banking sector and national financial institutions. They are often involved in deadly confrontations with the security forces.

Drones offer a capability to perpetrate cyber and physical attacks to banking institutions, with potential huge impacts in terms of financial loss or casualties. However, the response to this type of unconventional and asymmetric threat should aim to address the wider variety of challenges the banking sector is facing in the Nigerian context.

Therefore, we offer the following observations and recommendations:

• Although, the Cybersecurity Guideline issued by the Central Bank of Nigeria is a step in the right direction, it doesn’t address the drone threat and its consequences to the banking industry
  
  
• To address this issue, most providers, propose various type of anti-drone solutions, mainly based on RF sensors and cameras, but they lack the expertise to protect the vulnerabilities targeted by these same drones
  

For example, a known vulnerability in the banking sector is the GNSS component of the time servers, critical to the financial industry. This vulnerability can be exploited for spoofing and hacking purposes from a drone

A.  Control Stations send position and time synchronization information to the satellites

B.  Satellites send their position and time info to Earth

C.  Receiver calculates its position and time

• The ideal solution should propose a layered approach, mixing various type of sensors and components to address the overall security challenges faced by the Nigerian banking sector

Different types of aerial and ground radar systems to autonomously detect targets:

The aerial radar will be placed above the infrastructure or building, for all potential threats coming from the air the ground radars sensors deliver situational awareness on around the perimeter to protect and provide early warnings for suspicious gatherings of people from their inception, vehicle attacks, triggering autonomously the proper defensive reactions.

• Electro-optics & Infrared sensors for threat identification
  
  
• Communications intelligence (COMINT) component for jamming and disrupting
  
  
• Drone signals Radio Frequency-Scanner and Direction Finder:

Allow to identify the position of the pilot and drone even before the take-off, in urban environments without line of sight, where there can be lot of noises in term of other radio signals. This part of the solution allows the takeover (hacking) of the malicious drone and landing in a safe and remote area identified in advance. This is particularly recommended when operating in urban environment where jamming of the threat endangers surrounding population.

• Forensics software to investigate information from the eventual disrupted drone
  
  
• Cyber threat intelligence and red-teaming solutions to simulate live attacks in a controlled environment. This will offer training to react properly in case of a cyber-attack
  
  
• AI-powered solutions to enable security guards the precise engagement of moving threats with minimal collateral damage when using firearms (last resort).

Following a holistic approach to tackle the challenges faced by the Nigerian banking sector, the security will likely improve and offer better preparation against cyber threats, reducing this negative trend.

Image: Powie / Pixabay (link)

Disclaimer: The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of Grey Dynamics LTD.