In today’s connected world, the digital operations of the financial services industry are more important than ever. According to Chapter 3 of the April 2024 Global Financial Stability Report published by the International Monetary Fund (IMF), cyber incidents pose an acute threat to macro-financial stability as technological and financial interconnectedness means that the disruption of critical services can have widespread and cross-border societal impact. In response to cyber threats, the European Parliament adopted the Digital Operational Resilience Act (DORA) to create a standardized approach for determining and managing digital operational risk across the financial sector. 

By understanding how to incorporate Internet of Things (IoT) security as part of managing digital risk, covered entities can improve their security and compliance postures. 

What is the Digital Operational Resilience Act (DORA)?

On November 17, 2022, the European Parliament formally adopted the Digital Operational Resilience Act (DORA) to establish uniform requirements governing network and information system security across the financial sector and third parties across its supply chain. This framework seeks to ensure that these organizations can withstand, respond to, and recover from disruptions to and threats against Information Communication Technology (ICT) services. 

While DORA entered into force on January 16, 2023, it will apply beginning January 17, 2025. This short time frame becomes even more challenging as the governing bodies are still in the process of publishing technical guidelines for organizations that need to achieve compliance. 

At a high level, DORA establishes the following requirements:

• Article 6 ICT risk management framework: implementing and maintaining strategies, policies, and procedures
• Article 7 ICT systems, protocols, and tools: using and maintaining ICT system operations
• Article 8 Identification: risk analysis for all information and ICT assets and processes
• Article 9 Protection and prevention: security policies and technical controls that protect data
• Article 10 Detection: monitoring and detecting anomalous activity
• Article 11 Response and recovery: business impact analysis that drives ICT business continuity policy
• Article 12 Backup, restoration, and recovery: activating established and tested policies, practices, and procedures while minimizing disruption
• Article 13 Learning and evolving: training and awareness for all staff
• Article 14 Communication: crisis communications plans and policies

Who needs to comply with DORA?

The list of entities that must comply includes:

• Payment institutions
• Credit institutions
• Account information service providers
• Electronic money institutions
• Investment firms
• Trading venues and repositories
• Managers of alternate investment funds
• Management companies
• Data reporting service providers
• Insurance and reinsurance undertakings
• Crypto-asset services providers
• Central security depositories
• Central counterparties

What are the Draft Regulatory Technical Standards?

On January 17, 2024, the governing bodies released the final Draft Regulatory Technical Standards that outline the technical requirements for achieving DORA compliance. Since DORA defines ICT assets as any software or hardware asset in the network and information systems, covered entities should consider how to manage IoT devices within the framework of the following requirements. 

Article 3 ICT Risk Management

This article requires the following:

• identify, implement, and document ICT risk treatment measures for the ICT risk assessed, including the determination of ICT risk treatment measures necessary to bring ICT risk within the risk tolerance levels referred to in point
• monitoring of any changes to the ICT risk and cyber threat landscape, internal and external vulnerabilities and threats, and ICT risk

Article 4 ICT Asset Management Policy

This article requires the following records:

• unique identifier of each ICT asset;
• information on the location, either physical or logical, of all ICT assets;
• the classification of all ICT assets,
• the identity of ICT asset owners;
• business functions or services supported by the ICT asset;
• the ICT business continuity requirements, including recovery time objectives and recovery point objectives;
• whether the ICT asset may be or is exposed to external networks, including the internet;
• the links and interdependencies among ICT assets and the business functions using each ICT asset;
• end dates of the ICT third-party service provider’s regular, extended, and custom support services 

Article 10 Vulnerability and Patch Management

This article requires the following that apply to IoT devices:

• identify and update relevant and trustworthy information resources to build and
• maintain awareness about vulnerabilities
• ensure the performance of automated vulnerability scanning and assessments on ICT asset
• verify that ICT third-party service providers handle vulnerabilities related to the ICT services
• identify criteria to prioritize the deployment of patches and other mitigation measures
• to address the vulnerabilities identified
• monitor and verify the remediation of vulnerabilities
• recording of any detected vulnerabilities affecting ICT systems and the monitoring of their resolution

Article 12 Logging

This article requires entities to: 

• Identify the events to be logged 
• Set a retention period for the logs
• Create measures to secure and handle the log data

Article 16: ICT Systems Acquisition, Development, and Maintenance

The covered entity’s policy must: 

• identify security practices and methodologies relating to the acquisition, development, and maintenance of ICT systems
• require the identification of technical specifications and ICT technical specification
• define measures to mitigate the risk of unintentional alteration or intentional manipulation of the ICT systems during development, maintenance, and deployment in the production environment.

How Asimily Enables DORA Compliance for IoT Devices

With Asimily, organizations can incorporate their IoT devices into their security program to improve monitoring and accelerate DORA compliance. 

Identify and Document IoT Assets

Asimily’s passive monitoring platform collects and provides the following information that enables organizations to respond to Article 4 ICT asset management policy:

• All IoT devices connected to their networks
• Manufacturer
• Device type
• IP addresses
• Applications on devices
• Operating systems and versions
• Software versions

Our proprietary, patented algorithm cross-references vast amounts of data to help identify device information and includes data derived from third-party vendors’ Software Bill of Materials (SBOMs).

Assess Risk

Asimily’s platform provides an overall security risk score that enables covered entities to assess and manage IoT, business impact, and third-party vendor risk to help enable Article 4 and Article 6 compliance. Asimily’s risk score includes information like:

• Device risk: the number and types of devices that have active vulnerabilities and would have a high impact on operations
• Network anomalies: any malicious or suspicious activity detected on the network.
• Number of vulnerabilities remediated: both the total number and the number of high-risk vulnerabilities fixed during a given period
• Risk modeling: pre-purchase and deployment simulations to identify the least risky configurations

Vulnerability Management and Remediation Prioritization

With Asimily’s passive vulnerability scanner, organizations can safely identify vulnerabilities without experiencing a service disruption. Asimily’s deep, contextual engine provides insights by aggregating and analyzing:

• Manufacturer-supplied security data
• Open-source software components
• Vulnerability criticality
• Current attack methods using the vulnerability

With this information, organizations can identify the vulnerabilities that would have the greatest impact on their security posture. From there, they can leverage Asimily’s simple, short, and effective recommendations that include activities like:

• Deactivating unnecessary services without impacting clinical function.
• Blocking risky services with a Network Access Control (NAC) tool.
• Hardening vulnerable devices by updating their configurations.
• Implementing micro-segmenting when altering configurations.

Incident Detection and Response

Maintaining operational resilience means covered entities need to consider any event that could disrupt business, including both cyberattacks and misconfigurations that lead devices to fall offline. Incorporating IoT into security and disaster recovery plans enables compliance with Articles 10, 11, and 12.

By integrating IoT device data into their continuous monitoring activities, organizations can collect critical forensic information like:

• RAM from servers 
• Traffic information from network devices
• Data transferred to an FTP server

This data enables organizations to improve their security alerts, reducing key metrics like Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). 

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.