1、July 2023Part 2:A security and resilience framework for CBDC systems Project PolarisBIS Cy������ber Resilience Coordination CentreIn parternship with:A security and resilience framework for CBDC systems 3 Contents 1.Executive summary 5 2.Acronyms and abbreviations 8 3.In��������troduction 9 4.Assumptions about a
2、CBDC ecosystem 11 4.1 A two-tier CBDC model 11 4.2��� Participants security and resilience capabilities 12 4.3 Complexity and risk profile of retail CBDC systems 13 5.Understanding the framework 16 5.1 CBDC security and resilience:objectives and design criteria 16 5.2 Threat landscape for CBDC systems
3、17 5.2.1 Threat actors 18 5.2.2 Threat events 19 5.2.3 Risks 22 5.3 Building blocks of the proposed framework 23 5.4 The Polaris framework for secure and resilient CBDC systems 25 5.4.1 Categorisation of control objectives 26 5.4.2 Enterprise capabilities represented in the framework 27 5������.4.3 Seven
4、steps to secure and resilient CBDC systems 28 6.Applying the framework 33 6.1 Adapting the framework 33������� 6.2 Roles and responsibilities within the central bank 33 6.3 Roles and responsibilities across the ecosystem 36 6.4 Path to readiness and maturity 39 7.Summary 42 8.Appendix A:Control�������� objectives
5、in the framework 43 Prepare 43 Id������entify 48 Protect 50 Detect 54 Respond 55 Recover 56 Adapt 57 A security and resilience framework for CBDC systems 4 9.Appendix B:Enabling technologies for security and resilience 59 10.Glossary 62 11.References 65 12.Acknowledgments 67 This framework was quality ass
6、ured by PA Consulting:A security and resilience framework for CBDC systems 5 1.Executive summary Cyber attacks on critical infrastructure are amongst the top five risks that could������ have the greatest impact on a global scale.1 Central bank digital currency(CBDC)systems would be considered a critical n
7、ational infrastructure,much like real-time gross settlement(RTGS)systems are today.Cyber attacks typically occur across a spectrum of complexity,from simple and opportunistic(such as malware targeting personal data),to much more sophisticated(such as advanced p������ersistent threats(APTs).Rapid growth in
8、 the digital environment and in the interconnectedness between parties and devices r������elying on the internet and telecommunications networks for various purposes has created a diverse and complex cyber threat landscape2 which continues to evolve rapidly;for example,AI-assisted attacks are becoming mor
9、e common.In addition,with the increasing prevalence of cyber-physical systems(physical systems that are integrated with online systems),which are commonly known as devices tha����t form the Internet of Things and which include consumer devices(for example smartphones,smart TVs,wearables,etc)or industria
10、l components,cyber attacks can spill over from the digital to the physical space.The volume of connec�����ted cyber-physical devices is expected to be around 29.4 billion by 20303 and some of these may be used in retail scenarios,creating a large attack surface.CBDCs could be used to provide functionalit
11、y such as programmability,which could fac��������ilitate conditional and automated payments in potential use cases such as delivery vs payment,machine-to-machine payments between consumer devices,or for industrial automation.Any vulnerabilities could affect these transactions or cyber-physical devices and l
12、eave them open to breaches,c�����riminal activity and physical manipulation.CBDC systems could use new technologies,some of which are as yet unproven at the scale and critical operations demands that would be required,and therefore could introduce new security and operati������onal risks.Central banks and othe
13、r actors in a CBDC ecosystem4 will need to face up to this increasingly complex cyber threat landscape,comprised of unpredictable threat actors,new threats,a large atta�������ck surface and points of failure,supply chain risks and an environment where the potential upside for a threat actor could be high.1
14、 See Wor������ld Economic Forum(2023).2 See Doerr et al(2022)for survey results on cyber threats and central banking.3 See Statista(2022)for more details about the number of Internet of Things(IoT)connected devices worldwide.4 A CBDC ecosystem refers to the various public and private sector actors partici
15、pating in a CBDC system.A security and resilience framework for CBDC systems 6 A breach of a CBDC system due to cyber attacks or technical failures could erode confidence and tr�����ust in the CBDC system,the central bank,and potentially the financial system,in addition to generating a range of reputatio
16、nal,operational and potentially legal impact�����s.Retail CBDC systems must be highly secure and resilient.Central banks are at various stages of their work on retail CBDC,and as this progresses it is important that security and resilience be considered at the earliest possible stage.Many central banks a
17、lready have ��������robust cyber security and resilience measures in pl�����ace and adhere to the highest of industry standards in controls and risk management.However,risks cannot be fully eliminated and it is critical that senior leadership be aware of the potential new and elevated level of threats and risks
18、facing CBDC systems so an appropriate risk management and mitigation strategy can be established.The Polaris security and resilience framework �����has been developed to guide central banks in desi�����gning,implementing and operating secure and resilient CBDC systems to mitigate the operational,legal and rep
19、utational risks facing central banks from cyber threats or operational fail������ures.This framework is CBDC-focused and leverages existing industry standards and guidelines,providing central banks with a seven-step model,as shown in Figure 1,for secure and resilient���� CBDC systems.Figure 1:The seven steps
20、for secure and resilient CBDC systems A security and resilience framework for CBDC systems 7 Specifically,central banks could use the framework to:Recognise the complexity and new threat landscape brought by CBDC systems;Adopt moder��������n enabling technologies supporting security and resilience where app
21、ropriate;Take stoc�������k of existing capabilities that could be leveraged for a CBDC system;Identify the capabilities that need to mature;Identify new cap����abilities that would need to be implemented.The framework is a baseline and is intended to be updated periodically,keeping pace with any developments r
22、elated to CBDC systems and the cyber threat landscape,in partn�������ership with the central bank community as well as the public sector and private entities that could participate in a CBDC ecosystem.A security and resilience framework for CBDC systems 8 2.Acronyms and abbreviations AI Arti�������ficial intellig
23、ence AML Anti-money laundering API Application programming interface BCP Business continuity plan BIA Business impact an�����alysis BIS Bank for International Settlements BIS CPMI BIS Committee on Payments and Market Infrastructures B2B Business to business CBDC Central bank digital curre�������ncy CERT Compute
24、r emergency response team COTS Co�������mmercial of�������f-the-shelf software DeFi Decentralised finance DLT Distributed ledger technology DNS Domain name system ENISA European Union Agency for Cybersecurity FI Financial intermediary FMI Financial market infrastructure IOSCO International Organization of Securit
25、ies Commissions IoT Internet������� of Things ISO International Organization for Standar�����dization IT Information technology KYC Know-your-customer NIST National Institute of Standards and Technology PSP Payment service provider RPO Recovery point objective RTGS Real-time gross settlement RTO Recovery time o
26、bjective SEI Software Engineering Institute SIEM Security information�������� and event management SOC Security operations centre A security and resilience framework for CBDC systems 9 3.Introduction A central banks journey with central bank digital currency(CBDC)typically starts with research and proof of
2�����7、concept activities.5 These typically focus on functional capabilities such as issuance and transfer of CBDCs.For a CBDC system to be truly production-ready,it will r������equire robust understanding and implementation of both functional and non-functional capabilities.Payment systems are a target of cyber
28、 attacks.For example,the ����attack on Bangladesh Bank in 2016 involved hackers compromising a users workstation and sending fraudulent payment instructions via the SWIFT network.6 The multiple large-value decentralised finance(DeFi)breaches in 2022 are an example o������f what could go wrong when new technol
29、ogies are used without proper security safeguards.7,8 Threat actors against payment systems and central bank systems could include nation states,organised crime groups,cyber criminals,insiders and hacktivists,among others.Design flaws,supply cha�����in vulnerabilities and weakness in underlying operating
30、 infrastructure could be leveraged by threat actors to compromise systems for a range of reasons including economic disruption,financial gain,to sow distrust and fear or to damage the reputation of a central bank.CBDC systems will need to r�������emain highly resilient in a broad range of scenarios,includi
31、ng short-term(such as t���emporary system outage�������s),ongoing situations(such as in areas without reliable internet,telecommunications connectivity or power),or civil contingency conditions(such as natural disasters or war),9 besides being highly responsive in normal operations.Digital transformation tren
32、ds h�����ave brought new opportunities for security and resilience,but also come with their own challenges which would need to be understood and assessed.For example,cloud computing platforms can provide more computing resources and data centre locations and therefore potentially better resilience,but co
33、uld also increase the risk of data exposure if not managed properly.As technology and the cyber security threat landscape continue to evolve,CBDC systems as well as all the actors in a CBDC ecosystem will need to adapt to new and emerg�����ing threats and implement and apply robust risk,change and operat
34、ional management processes.5 See Kosse and Mattei(2022)������for results from a recent BIS survey.6 World Informatix Cyber Security(2021)contains a detailed description of this incident and how SWIFT has since worked with its user community to strength�����en cyber security.7 See BISIH(2023c).8 The lack of pro
35、per safeguards or understanding of s�������ystems using current technologies is als�������o a challenge.9 These resilience scenario categorisations are set out in the handbook for offline payments also developed as part of Project Polaris(BISIH(2023a).A security and resilience framework for CBDC systems 10 The Po
36、laris framework has been developed to enable central banks to manage CBDC-related security and resilience risks,considering the threat landscape,the challenges and opportunities presented by n������ew and emerging technologies,and an evolving technical and business enviro�������nment.The framework could also hel
37、p central banks assess their cyber security and resilience maturity level as it stands today �������as compared with what could be required when operating a CBDC system,by assessing and r�������anking how the organisation adheres to the practices outlined in this framework.10 This could help inform requirements a
38、nd planning for impleme������nting or improving capabilities at each phase of a CBDC system implementation or in live operations.The Polaris framework makes several assumptions about a future CBDC ecosystem,including the po������tential complexities,challenges and risks this could bring.The criteria and threat
39、landscape considered when developing this framework and its building blocks are also described.These assumptions are discussed in detail in Section 4.Each of the seven step�������s in the framework is discussed in Section 5,with guidance for how central banks can use the framework provided in Section 6.Ove
40、r one hundred control objectives,detailed in Appendix A,could be used as a guide to aid the implementation of the necessary security and resilience capab���������ilities for developing and operating CBDC systems.Cent�����ral banks could choose to adopt some of the enabling technologies and techniques for security
41、 and resilience,as described������� in Appendix B.They may also identify additional capabilities �����that could be required that are not currently detailed in this framework.The seven-step framework is an iterative process,by which central banks should periodically review their preparedness for moving to the n
42、ext phase of their CBDC journey,identify new threats and requirements,ensure their prevention,detection and response controls are still effective,and adapt their security and resilience measures ac����cordingly.10 The NIST cyber security framework(NIST(2018)outlines four tiers for assessment and ranking
43、,which could also be used.A security and resilience framework for CBDC systems 11 4.Assumptions about a CBDC ecosystem This section sets out the assumptions used in developing this framework.4.1 A two-tier CBD�������C model A two-tier CBDC model is assumed.11 In this model the central bank issues CBDC and
44、manages the supply.It maintains the CBDC account balances of financia�������l institutions such as banks and payment service providers(PSPs),which in turn would be responsible for distributing CBDCs to end users(individuals and businesses)and supporting CBDC payme������nts.Such financial institutions will typica
45、lly be responsible for know-your-customer(KYC)and anti-money laundering(AML)compliance and due dili������gence.They are collectively referred to as financial intermediaries(FIs)for the rest of this report.11 See Auer and Bhme(2020)for a disc�����ussion on the various technical designs of CBDC systems.This fram
46、ework focuses on retail CBDCs as they tend to have more components than wholesale ones.Figure 2:A simplified CBDC ecosystem This diagra�����m aims to show key sources of threats and risks,and therefore does not necessarily cover all actors in the CBDC ecosystem.A central bank would bear overall responsib
47、ility for the CBDC system,but �������could outsource or commission its operation to another entity.There could be other financial entities between the central bank and the end user layers.A security and resilience framework for CBDC systems �����12 It is assumed that the CBDC ecosystem needs to support a range
48、of end users who woul�����d use various payment instruments as depicted in Figure 2,and therefore such payment functions would need to be available 24/7.It is assumed that CBDC systems need to integrate with existing and future payment systems.These could include real-time gross���� settlement(RTGS)systems,i
49、nstant payment systems,e-m����oney and mobile money solutions,point of sale solu���tions,embedded payments and various end user solutions as well as other innovations in the future.In addition,cross-border transactions using CBDC may require support for one or more of the interconnection models such as a h
50、ub and spok�����e12 or multi-CBDC bridge13 approach,which may bring additional security and resilience requirements.4.2 Participants security and resilience capabilitie����s This section sets out various assumptions about the security and resilience capabilities and expectations of different participants in
51、a retail CBDC ecosystem.C�����entral banks It is assumed that central banks have robust capabilities and practices for physical and cyber security,resil�����ience,external dependency management and enterprise risk management,leveraging industry standard risk management and security frameworks.It is also assum
52、ed that central banks(or other public authorities)would be involved in assessing and verifying the security and oper����ational resilience measures of participants in the retail CBDC ecosystem,perhaps as part of oversight activities.Participating financial institutions It is assumed that participants in
53、 a retail CBDC ecosystem such as commercial banks,PSPs,and other FIs have robust capabilities and practices for physical and cyber security,resilience,external dependency management and enterprise risk man�������������agement,leveraging industry standard risk management and security frameworks.12 For example,the
54、 BIS Innovation Hubs Project Icebreaker(BISIH et al(2023).13 For example,the BIS Innovation Hubs Dunbar(BISIH et al(2022b)and mBridge(BISIH et al(2022a)projects.A security������� and resilience framework for CBDC systems 13 It is also assumed that these participants would need regular security and operatio
55、nal resilience validation and assessments,including independent audit,assurance and certification in order to be able to provide������ or contin������ue to provide these services.14 Merchants,business users,consumers It is assumed that end users,including merchants,business users and consumers,all play a role i
56、n securing their CBDC value,devices and related payment processes.For example,they may be required to maintain the confidentiality of the credentials used to access their CBDC accounts,and maintain the mi�������nimum security posture of th����e devices they use for CBDC.It is also assumed that there would be r
57、equirements for a minimum level of security and associated p����ractices that end user devices and applications would need to satisfy and adhere to before they can be used.Technology providers It is assumed that technology providers would play a critical role in a CBDC ecosystem,providing a range of cap
58�����、abilities including:Secure and resilient technology infrastructure,compliant with any rules and regulations in a jurisdiction,and assured by an independent party;Cyber security services such as cloud-based malware identification,distributed denial-of-service(DDoS)protection services,security monitor
59、ing,and intrusion detection and prevention systems;Expertise for developing and securing digital currency and payment systems,including independent security validation services;Development of digital wallets(software and/or hardware)for holding������ CBDCs and making CBDC transactions,online or offline;Ri
60、sk management and compliance systems,including CBDC transaction monitoring and behavioura��������l analysis tools;DevSecOps(development,security and operations)solutions to integrate application and infrastructure security throughout the system development,change and operations life cycle.Overall,security a
61、nd resilience of CBDC systems is an end-to-end ecosystem responsibility,relies on awareness and good practices from all participants,and requires public and private partnership.4.3 Complexity and risk profile of retail CBDC systems In ��������������developing this framework,it is assumed that a CBDC system would
62、eventually play a key role in the overall payment ecosystem of a given jurisdiction.When a CBDC 14 Currently some of these financial entities may not be required to go throug������h regular validation of their security posture and related practices.In f������uture,given their potential impact on the CBDC system
63、,we assume they would need to be regularly assessed.A sec����urity and resilience framework for CBDC systems 14 system only plays a“supporting role”,either during the pilot phase or by design,the level to which control objectives for resilience may be applied may not be as extensive,whereas the level to
64、 which control objectives are applied for security should always be robust.As described earlier,a retail CBDC ecosystem could �����involve a large number of participants and integration points,and therefore create a large attack surface and many points of failure.This complexity,combined with the potenti
65、al introduction of new technologies,could contr����ibute to increased risks,which could in turn require mature capabilities in the following areas,besides what central banks are typically already doing:An incident monitoring and response capability that operates 24/7:Any incident rela������ted to CBDC systems
66、 will create reputational risk for a central bank,so the ability to detect,respond,investigate and recover rapidly as well as managing communications around an incident is paramount.The central banks security operations centre(SOC)and incident management function may need to deal with new type�����s of i
67、ncidents such as a breach of offline CBDC payment devices to counterfeit value,which may require new capabilities and tools.The end-to-end security and resilience of a CBDC system would depend o���n each participant in the ecosystem,such as infrastructure service providers,commercial banks and PSPs,wit
68、h some capabilities extending to these participants.The ecosystem is only as strong as its weakest link.Securely implementing and operating maturing technologies at critical infrastructure scale:It is assumed that some central banks could adopt distributed ledger ������technology(DLT)for their retail CBDC
69、 systems(others may not).15 DLT has shown some promise in wholesale use cases16 and has been �����adopted by some large financial institutions for interbank or intrabank settlements.17 In cases where DLT might be used,such platforms may require customised security architecture and additional hardening re
70、lative t������o traditional systems.This would also require actors in a CBDC ecosystem to develop,attract and retain n������ew talent required to design,implement and operate secure and resilient CBDC systems.The large-value attacks on DLT protocols and smart contracts in the DeFi space underscore the potential
71、 operational and reputational risks.18 Concentration risk:Where multiple ecosystem participants rely on the same service pro����vider,this could increase the operational complexity and risk for central banks.15 Central banks which have chosen to use DLT for their pilot/production retail CBDCs include th
������72、e Central Bank of Nigeria,the Eastern Caribbean Central Bank and the Central Bank of Brazil.DLT may be suitable for some central bank requirements for CBDC,whereas for others it may not be,16 Such experimental projects include Jasper,Ubin,Stellar,Khoka and������ Cedar,among others.17 As an example,JPM Coi
73、n has been used inside JPMorgan Chase for different business units to automatically transfer and settle funds,creating more tr�������ansparency and efficiency.18 See BISIH(2023c).A security and resilience framework for CBDC syst�������ems 15 New technologies:A CBDC system would most likely leverage a range of tec
74、hnologies that have not been previously used or may be in limited use in a central bank.Among the already announced CBDC experiments,pilots and production������ systems,DLTs,p����rogrammability,smart contracts and attention to quantum computing have emerged as common themes.It is assumed that CBDC systems cou
75、ld provide functionality to e�������nable programmability(smart contracts being one example)for new use cases utilising automated CBDC payments when certain conditions are met.19 However,recent examples of smart contract hacks,which have led to the los������s of a significant amount of value in DeFi,20 serve as
76、an example of the potential security risks CBDC systems could face.Quantum computing has seen advancement in rec������ent years.Given the known vulnerability of existing cryptographic algorithms to quantum computing,it is assumed that central banks wil�����l require CBDC systems to be crypto-agile21 so upgrade
77、s to cry�����ptography can be applied at pace when incumbent encryption algorithms are no longer deemed safe.22 In summary,it is assumed that a CBDC system would be complex,with a large attack surface and many potential points of failure,bringing new and elevated risks.This framework for security and res
78、ilience has been developed to help central banks navigate this increased complexity and risk profile.19 Central banks may decide ��������not to include programmability in their CBDCs at the foundation layer.However,smart contract�������s could be leveraged by financial institutions or other government agencies at
79、the payment layer.20 BIS Innovation Hub(2023c)lists six high-profile DeFi hacks carried out in recent years,of which th�����ree were related to security flaws around smart contracts,with a combined loss of over US$1 billion.21 CBDC systems should be designed to be crypto-agile irrespective of threats fro
80、m quantum computing.22 Recently,researchers have demonstrated that an AI-assisted side-channel attack could compromise some public key quantum-proof cryptography algorithms(see Ngo(202�����3).A security and resilience framework for CBDC systems 16 5.Understanding the framework This section describes the
81、framework for CBDC security and resilience,covering the objectives,design criteria,threat landscape,industry framework leverages�������������,structure of the framework(steps and control objectives),alignment with enterprise capability domains,and the main content of each of the seven steps.5.1 CBDC security and
82、 resilience:objectives and design criteria Security and resilience cover the confidentiality,integrity and availability23 aspects of a system,and the capability to respond to and recove�������r from incidents.Security measures ensure a systems robustness against threats pos������ed by a range of threat actors su
83、ch as nation states,hacktivists or insiders.Resilience measures ensure a systems robustness against abnormal events such as an outage of a component or a sudden spike in transaction volumes.������Overall,the security and resilience measures applied to a CBDC system aim to safeguard the following:24 Confid
84、entiality:ensures that sensitive information in the CBDC system is only accessible to the authorised users and systems when required.This could include sensitive financial and technical information such as cr������edentials and cryptographic keys.Integrity:ensures that data and supporting technologies in
85、the CBDC system,such as a transaction amount or payee information,have not been tampered with,manipulated or corrupted,that CBDC cannot be do��������uble-spent,new CBDC is only generated������ by the central bank or a process authorised by the central bank,etc.Availability:ensures that a CBDC system will be avail
86、������able 24/7,and provides the required response and transaction processing time.In developing the framework,the following guiding criteria were drawn from industry:Design for resilience:The networks,infrastructure and application architecture should be designed with redundancy and failover capabilities
87、.The system should be prepared to adjust and scale dynamically to handle a sudden surge in transaction volumes,and ensure that tr�����ansaction execution is designed to handle except�������ions gracefully,with risk management controls that focus on prevention and are supported by robust incident management and
88、business continuity plans(BCPs).Eliminate sing�������le points of failure:Identify areas where there is lack of redundancy in the CBDC system or supporting infrastructure such as a network service provider,power supplier,cloud service provider,shared services or key personnel.These should be risk assess�������ed
89、for the likelihood and impact of disruption,with the relev�����ant countermeasures identified and applied.23 Also referred to as the CIA triad.24 Even th��������ough data privacy can benefit from security measures,it is not in scope for this framework.A security and resilience framework for CBDC systems 17 Empha
90、sise timely action:Retail CBDC systems would need to operate 24/7.There would be �����very little tolerance for system outages.The health and availability of the CBDC system would need continuous monitoring so that incidents could be handled as soon as they were �������detected.Robust change management,governan
91、ce,and agile processes would be essential to manage changes in response to incidents,supported by automation solutions used for continuous build,integration,testing,releases and deployment as w�������ell as security testing of any changes.Promote techn�����ology diversity and interoperability:Where possible,sys
92、tems should make use of multiple technology solutions for a given CBDC capability and require each to support standard approaches for integration.For example,end users CBDC wallets should be able to function even when the financia�����l institution providing the wallet has a service outage.This,however,c
93、ould come at additional costs and operational overhead,which would need to be evaluated.Implement defence in depth:When a business impact analysis(BIA)determines that any of the CBDC system components have a severe or high impact on the confidentiality,integrity������ or availability objectives,preventati
94、ve defence measures should be implemented at multiple layers,25 for example across the net���work,application and data access layers.Assume a breach and be ready to respond:Even with a focus on preventative controls,incidents should be expected to occur and therefore detection capabilities are essentia
95、l,supported by readiness to respond to and recov�������er from incidents.Purple-teaming exercises could be important to ensure all ecosystem participants are prepared to respond to different types of incidents that could occur with CBDC systems.Such exercises could involve a range of scenarios involving so
96、phisticated threat actors and ev�����ents,used to validate the effectiveness of defensive and detective controls,identify any gaps and implement improvements.Introduce changes in staggered releases:Staggered rollouts could help reduce risk,by enabling changes to be tested in a limited setting befo�����re rele
97、asin�����g the change at scale.This would allow production issues to be caught and resolved with less impact,or easier roll-������back of changes when required.5.2 Threat landscape for CBDC systems Ensuring security and resilience must take a risk-based approach.Risk management starts with threat analysis.When
98、 assessing the threat landscape for CBDC systems,the following three areas should be considered:1.Common threats to financial systems:This ranges from large-scale attacks,such as the heist experienced by Bangladesh Bank,to the everyday financial crimes 25 The layers in w����hich defences can be implemen
99、ted i���nclude the network layer,identity and access management layer,application or API gateway layers,host layer,application logic layer,and data layer.Each layer could leverage indicators that are visible at that layer to stop an attack.Having multiple layers of defence reduces the chance of an atta
100、ck being successful.A security and resilience framework for CBDC systems 18 committed using social engineering such as phishing,credential theft,SIM swap attacks,26 or man-in-the-middle attacks.2.Emerging threats associated with new technologies:This ��������could include DLT-related attacks against consens
101、us protocols,cross-chain bridges,oracles,attacks against smart contracts or offline CBDC components,etc.3.An expanded attack surface:Th�������is includes the various components in the CBDC ecosystem as described previously,some of which may not be part of the central banks current threat landscape.5.2.1 Th
102、reat actors The threat actors for����� CBDC systems could be explicitly malicious or inadvertently causing an incident.These threat actors could include,but not limited to:1.Nation states or nation state-sponsored groups:these adversaries aim to disrupt or compromise other governments,key organisations,o
103、r individuals to damage or gain access to IT systems,information assets or other intended outcomes,to sow fear or distrust,or to create reputational impact.27 These threat actors are highly skilled and motivated and have significant �����resources at their disposal.For example,the������y could try to counterfe
104、it CBDCs through online or offline channels and inject them into the system.2.Organised crime groups:individuals or groups of people that use technology to create malicious incidents on IT systems to steal sens��������itive data,gain unauthorised use of computing resources,or generate profit.CBDC systems ar
105、e a particularly attractive target due to their large number of customers,the ever-ex������panding attack surface due to their heavy reliance on technology,and the fact that they may hold sensitive data on individuals and busin������esses,as well as the potential to execute fraudulent transactions.In some cases
106、,these threat actors can work with or be sponsored by nation states.3.Hackti������vist groups:individuals or groups who typically have strong sentiment against or opposing views to organisations they target.They use online platforms to express these views,showcasing the impact or da�������mage they have caused t
107、o support their views.They may disrupt the operations of systems or seek to damage the reputation of a central bank through defacing websites,spreading disinformation,sabotaging payment devices,advertising the compr������omise of obsolete devices or potential data leaks to sow distrust.4.Lone hackers or p
108、etty criminals�����:operate on an individual basis and are motivated by financial gain or glory from the intellectual challenge of breaching complex systems.For example,they may use malware or phishing to gain end users CBDC account credentials.5.Professional criminals:have turned their cyber criminal ac
109、tivities into a business.Motivations tend to be financial but they offer“cyber crime as a service”,where 26 SIM swap attacks could be used to compromise a system administrators account if SMS t���ext messages are used as an authentication factor.A zero-trust security architectur������e,discussed later in thi
110、s framework,would not allow SMS texts for authentication.27 Non-financial motivations could be harder to disincentivise.A security and resilience framework for CBDC systems 19 they write malware that can be sold.They may also be working for other threat actors�������.6.Insiders:individuals who have access
111、to a CBDC systems internal operations(for example system administrators,developers,operators)and could work independently or in collusion with others,such as nation states or������� organised crime groups,for financial gain or malicious���� intent.Insiders may also cause accidental or unintentional impacts on
112、CBDC systems through poor change or operational management actions.7.Malicious end users:such end users of the CBDC system will be able to access and exploit CBDC wallets and appl�����ications,typically to manipulate the system and execute fraudulent transactions.This contrast�������s with system insiders,who w
113、ill have access to the internal operations,IT and processes of the CBDC system.8.Third parties:external entities that provide various technology components such as hosting services,or support personnel to manage the implementation or operations of a CBDC sys������tem,could experience a security breach or
114、otherwise behave maliciously to compromise the security or normal operation of the system.9.Nat���ural or hu�����man-caused disasters:natural disasters,wars or other disasters could cause large and sustained power and/or network outages for a prolonged period of time.BCPs for such disasters would need to in
115、clude requirements for CBDC systems.10.Cyber warfare vendors:these are companies that supply cyber weapons.Their products could end up in the wrong hands and be used for������ criminal activities.Som�����e examples include vendors of spyware,which could be used to target senior leadership or key individuals in
116、 a central bank,installed through spear-phishing attacks or spoofed emails,giving criminals access to victims ���keystrokes,screen,camera and microphone.11.AI bots:interactive or covert computer programs powered by AI could be used to extract sensitive information,establish fake accounts,break encrypti
117、on or launch cyber attacks.AI bots could learn and adapt their behaviour to evade detection by security monitoring solution��s.5.2.2 Threat events The following is a non-exhaustive list of threat events that could compr������omise the confidentiality,integrity or availability of a CBDC system.These events a
118、re not necessarily mutually exclusive,as multiple events can occur in one incident.These threat events are pr�������esented in no particular order,and their likelihood and impact may vary.1.Distributed denial-of-service(DDoS)attacks:An attacker can use computing resources they have purchased or a network o
119、f compromised computers or IoT devices to launch a massive volume of service req��������uests to a CBDC system or services it relies on,in order to exhaust the computing resources in a critical area of the ecosystem,resulting in a system overload that causes failure,timeouts or performance degradation.2.Adv
120、anced persistent threat(APT)attacks:APTs are typically sponsored by nation states or organised crime groups.They penetrate the victims system,plant A security and resilienc������e framework for CBDC systems 20 malicious software or create backdoors,and patiently observe network traffic and user and system
121、 behaviour,sometimes lying dormant for long periods of time.APTs typically employ advanced techniques to evade intrusion detection technologies,and quietly exfiltrate data from the victims network or cause damage by insta������lling malware or poisoning data.For example,they could steal significant amo���unt
122、s of money through fraudulent transactions,or compromise a large amount of sensitive information.APTs �����may attack a supply chain in order to access the intended target.They can also be enabled by insiders.3.Malware(wiperware,ransomware,etc)attacks:An attacker plants malicious software into the target
123�������、s computers and networks,which subsequently could either destroy certain computing services,become a backdoor for attackers to connect to the victims network,or be used to �������hold the victims information and computing assets hostage for ransom payments.These can remain dormant and hidden until required
124、 by an att�������acker.4.Social engineering attacks:An attacker could use techniques such as phishing,spear-phishing or baiting,SIM swaps,man-in-the-middle,or compro������mised credentials to take control of an end users CBDC account or administrative accounts that are used to manage the CBDC system.5.Cryptograp
125、hic key compromise:A malicious actor could try to obtain the private key for claiming ownersh������ip of CBDCs by hacking the computer or device containing the key fil������e,searching through the devices memory for traces of the key,conducting cryptanalysis based on collected data that have been generated usin
126、g the key,or via side-channel attacks.28 6.Attacks against new technology components related to DLT or smart contracts:An attacker could find and exploit vulnerabilities in smart contracts,in a DLT consensus protocol,in cross-ledger bridges,in oracles or in governance������ protocols,for example.7.Comprom
127、ise of the payment process:As a payment process often involves multiple parties,the logic in the whole chain of steps coul�����d have������� security gaps,which could be exploited by an attacker to make a purchase without paying,redirect payments to a different recipient,replay payment instructions,or harvest p
128、ayments from wallets that do not require payer consent.8.Malicious end user atta�����cks:An end user of a CBDC system could try to defraud their own CBDC payment device or mobile application,or work with others to jointly attempt different ways to double-spend CBDCs in their possession,or to counterfeit
129、CBDCs.29 9.Insider sabotage attacks:A disgruntled employee or contractor who has access to a CBDC system could attempt to cause the system to malfunction by damaging the hardware,deleting���� key information,shutting down services,providi�����ng incorrect input or enabling other threat actors.28 Side-channel
130、 attacks can be unpredictable and are relevant for cryptographic modules that are exposed to attackers,for example in offline payment solutions for CBDCs.29 Counterfeiting could happen through intrusive means such as physical device breaches or through n���on-intrusive means such as cryptanalysis or si
131、de-channel attacks.A security and resilience framework for CBDC systems 21 10.Insider fraud:A malicious insider may act individually or together with other threa����t actors to commit financial fraud.The attacker could leverage their privileged access and knowledge of the CBDC systems business logic,and
132、 devise ways to defraud the system.11.Human error,negligence,or lack of awareness:A developer may have���� adopted an open source package with security vulnerabilities without any code scanning or review by a cybe�����r security team.The operations team may have delayed applying a security patch or other cri
133、tical updates.A system administrator may mistype a comm������and during system maintenance or forget to renew an expiring digital certificate.12.Information disclosure due to lack of proper controls:An employee may gain unauthorised access due to poor or lack of access management controls.A third-party se
134、rvice provider may see sensitive information related to the CBDC system due to a misconfiguration of the shared IT environment it may have access to,or during troubleshooting when regular controls are not effective.Data could also be exposed to attackers du�����e to a gap in the access control logic,etc.
135、13.Outage in infrastructure layer:A catastrophic natural disaster could cause a widespread and prolonged power outage leading to technology failure at the����� network service provider.Cyber attacks could cause a widespread network service outa�������ge.Human errors could also cause a system outage.14.Service d
136、isruption caused by technology failures:Software or hardware bugs,failed storage media,softw������are patches or upgrades that are not fully tested,expired service account credentials,etc could cause disruption to a CBDC system.The more���� technology components involved,the more complexity in the technology
137、stack,the higher the risk of s�����uch failures becomes.15.Technology obsolescence:Technologies used for a CBDC system may gradually become obsolete,as vendors may withdraw support,or the technology is outdated and could require an upgrade or a switch over to different technologies.If security patches or
138、 bug fixes ar�����e no longer available from any vendor,this could create operational,re�����putational and legal risks for central banks.16.Attack against supply chain vendors:Service and solution providers involved in the supply chains for components of a CBDC system,such as software or hardware,cloud or da
139、ta centre service providers,could be targets of threat actors.Any compromise co�������uld lead to impacts on the integrity or availability of CBDC systems,as well as the confidentiality of sensitive data in the systems.Figure 3 illustrates the relationship between these threat events and the various partic
140、ipants in the ecosystem.A security and resilience framework for CBDC systems 22 5.2.3 Risks Impacts from incidents described above could compromise the integrity and availability of payment services,and the confidentiality of customer data involved.An�����y resulting impact is typically me��������asured along op
141、erational,reputational and legal dimensions.Areas of impa������ct could include:1.Damaged reputation and loss of trust:A failure or breach of the CBDC system,however small,could damage trust in the CBDC system and the central bank.The conta�������gion risk from such sentiment could have knock-on impacts for othe
142、r related financial and non-financial systems that rely on or are intertwined with the CBDC system.2.Disruption to financial services:Individuals and businesses cannot make or receive payments because a CBDC system is unavailable or not functioning as normal.3�����.Failure of processes and���� procedures:One
143、 or more components of the CBDC������ system are not functioning,causing critical business processes such as payment details validation,risk monitoring or compliance checks to fail,or �������being bypassed temporarily.4.Loss of funds:End users,commercial banks,and even the central bank could lose money because o
144、f a cyber attack t�����hat has compromised CBDC systems,accounts or payment processes.Figure 3:Threat events that could affect a CBDC ecosystem(simplified view)A security and resilience framework for CBDC systems 23 5.Compromise of sensitive customer data:As CBDCs are used for payments,data related to pa
145、yment transactions will be processed in the CBDC ecosystem.A cyber attack or ne�������gligence could lead to unauthorised discl�������osure of such sensitive data.6.Loss of integrity in the payment system:A malfunction or compromise at the network,virtual machine or application level could cause key capabilities
146、such as payment clearance and settlement to not work correctly,undermining trust and confidence����� in the system.7.Loss of efficiency:A �����failure or performance issue with the CBDC system may force users to use old or manual processes as a contingency,which could cause significant delays in completing fi
147、nancial transactions.8.Increased cost:Responding to major incidents,and the potential subsequent efforts to streng������then the cyber resilience of CBDC systems,could come at a high cost.Such risks �����to CBDC systems arising from the various threat actors and threat events should be assessed using the centr
148、al banks enterprise risk m�����anagement framework.In some cases,the risk management framework may need to be adapted for operating CBDC systems.It could be used to prioritise any remediations required �����and to assess whether a risk should be mitigated,transferred,or accepted.Results from these analyses an
149、d recommendations can be provided by the Chief������ Risk Officer to senior leadership,an oversight board or risk committee who would make decisions.A detailed threat modelling tool such as the MITRE ATT&CK framework30 could help central banks identify controls that are needed in preventing and detecting
150、various threat events and determining appropriate countermeasures.For DLT-specific threats,further a������nalysis is needed as current threat models do not provide full coverage for all DLT-specific attacks.31 5.3 Building blocks of the proposed framework Implementing CBDC systems would be a large busines
151、s transformation32 programme.This framework aims to provide a holistic set of security and resilience considerations that could be used as a guide for planning,implementing������ or operating CBDC systems,in association with the industry standard frameworks and best practices for ris���k management,informati
152、on security and business continuity already used.This framework includes some common and existing considerations as well as additional ones covering the adoption of modern digital technologies and practices(eg �������DevSecOps and the zero-trust security model33),maturing technologies such as DLT,and������� speci
153、fic considerations for a CBDC and the associated payment capabilities.30 The MITRE ATT&CK framework focuses on cyber security events.Resilience events can be modelled����� similarly but new threat libraries would need to be added to the framework.31 See BISIH(2023c).32 Business���� transformation is a holist
154、ic view of change that combines both organisational and digital changes.33 A detailed description of these trends can be found in Appendix B.A security and resilience framework for����� CBDC systems 24 The following industry frameworks and guidelines are used as the source of input for this framework.34
155、NIST Cybersecurity Framework Version 1.��������1:This provi�������des the capabilities and best practices for dealing with cyber security risks.CERT Resilience Management Model Version 1.2:This provides a detailed framework and implementation guidance for control objectives related to both security and resilience
156、for any ICT systems.ENISA Enabling and managing end-to-end resilience:This focuses on public networks and services.ISO 27001:2022:This is ��������the industry benchmark for measuring an organisations maturity in its information security management system,which will prepare the organisation for coping with c
157、yber security challenges.ISO 23257:2022:This defines the framework for blockchain and DLT solutions.It identifies the key components in such architecture and typical areas of security concerns.Cloud Security Alliance Security guidance for critical areas of focus in �������cloud computing v4.0:This includes
158、 security considerations for deploying solutions in a cloud infrastructure or platform.US Department of Defense Enterprise DevSecOps Reference Design:This covers the best practices for agile software de�����vel������opment,deployment and operations.NIST Zero Trust Architecture:This describes the zero-trust pri
159、nciples,use cases and its role in the overall security architecture.BIS CPMI and IOSCO Principles for financial market infrastructures:Principle 17 provides the key building bl������ocks and conside�������rations for financial market infrastructures(FMIs)to manage operational risks,including information security
160、,scalability and business continuit���y.�����BIS CPMI and IOSCO Guidance on cyber resilience for financial market infrastructures:This provides guidelines on achieving cyber resilience for FMIs and their dependencies.Figure 4 below shows the three layers of input used in formulating this framework:34 See NI
161、ST(2018),SE��������I(2016),ENISA(2011),ISO(2022,2022a),Cloud Security Alliance(2017),US Department of Defense(2019),NIST(2020)and BIS C������PMI and IOSCO(2012,2016).A number of other frameworks exist for security or resilience,with similar guidelines or requirements.A security and resilience framework for CBDC s
162、ystems 25 These common frameworks were leveraged and aggregated to:1.Provide a set of reliable an����d comprehensive control objectives that are important for CBDC systems.2.Provide assurance to practitioners that existing capabilities implemented from or aligned to these frameworks can be leveraged for
163、 the CBDC system.The result of this aggregation is described in����� the following section.5.4 The Polaris framework for secure and resilient CBDC systems To organise the control objectives that have been identified and adapted for CBDC systems,this framewo�����rk has leveraged the NIST cyber security framewo
164、rk but with two additional steps,namely prepare and adapt.This framework therefore has seven steps:Prepare,Identif�����y,Protect,Detect,Respond,Recover and Adapt.The prepare step is separated out from the original NIST framework to highlight a set of fundamental capabilities that would need to be conside
165、red for operating a CBDC�������� system in pilot or production.The adapt step is highlighted for central banks to periodically take stock of the learning from incidents as well as new threats or requirements and come up with potential countermeasures to enhance their level of p�����reparedness and protection.Fig
166、ure 4:Three layers of input used to formulate this framework The bottom layer represents the three primary����� sources of input for the baseline control ob������jects.The middle layer represents inputs for control objectives in IT modernisation and DLT,with the top layer representing inputs for currency and p
167、ayment-related functions.A security and resilience framework for CBDC systems 26 Figure 5 provides an overview of this seven-step framework,with th������e focus for each���� step highlighted in the diagram.Each step includes a set of control objectives to be met for a CBDC system.Each objective is a statement
168、 describing the aim or purpose of controls to be implemented in order to address certain risks related to security or resilience.5.4.1 Categorisation of control objectives This framework comprises 104 control objectives that are grouped under each of the seven steps.Each control objective is ca����tegor
169、ised along four themes:Baseline minimum control objectives that should be met by most ICT systems and are deemed important for CBDC systems;IT modernisation objectives that could support modern approaches to security,resilience and risk management,providin������g a more efficient way to reduce risk;DLT-sp
170、ecific objectives that could apply to DLT-based CBDC systems;CBDC-focused objectives that could apply to CBDC and payment functions.Figu�����r��������e 6 summarises the distribution of these control objectives.Figure 5:The seven steps for secure and resilient CBDC systems A security and resilience framework for
171、CBDC systems 27 5.4.2 Enterprise capab�����ilities represented in the framework In the context of an enterprise envir������onment,security and resilience are part of the overall enterprise capabilities.As shown in Figure 7,the control objectives in this framework are organised along the capabilities as defined
172、 in the CERT Resilience Management Model,for example asset definition and management,identity and access management,application security,environmental control,communications,etc.These capabilities are further organised under the different domains,namely security and resilience managem�������ent,secure acce
173、ss management,secure and resilient �����solutions,secure supply chain,secure and modern operations,secure and resilient infrastructure,and incident response and recovery.E����ach of the seven steps and their key components are detailed below.A full list of the control objectives in each step is provided in A
174、ppendix A of this report.Figur����e 6:Overview of control objectives Figure 7:Capability model to support secure and resilient CBDC systems A security and resilience framework for CBDC systems 28 5.4.3 Seven steps to secure and resilient CBDC systems 1.Prepare This s������tep is intended to guide central bank
175、s in assessing their������� readiness for implementing and operating a secure and resilient CBDC system.This includes commitment from senior leadership,reviewing and possibly updating the enterprise risk management strategy,and augmenting or establishing enterprise capabilities to apply,manage and govern t
176、he control objectives listed in the framework.The o�������bjectives listed in this step fall ������under two themes:baseline and IT modernisation.Baseline capabilities are key and can include:Management commitment,with defined roles and responsibilities in the central bank;Established information security and bu
177、siness continuity functions and governance structure;24/7 monitoring and alerting function;Established risk management,compliance and change management practices;Established infrastructure that supports the need for on-site and off-site ba�������ckup and recovery,among other capabilities.IT modernisation c
178、apabilities that central banks could consider adopting to enhance their security and resilience maturity in the context of CBDC systems could include:Using DevSecOps to streamline and automate the process to build,test,deploy and operate software,to achieve agility without compromising quality c�����ontr
179、ol;Modern security techniques such as security-as-������code and security guardrails enforced at the infrastructure level to contain potential impacts caused by security vulnerabilities at the application level;Capabilities at the infrastructure or application level to facilitate automated scaling of comp
180、uting resources to efficiently accommodate the dynamic change of tran�������saction volume;Zero-trust security practices including strong authentication,least privilege,network segmentation,and continuous validation of identity and trust,etc.Central banks could leverage these where possible or develop a pl
181、an to establish such capabilities if they are������� deemed strategic investments.Without some of these capabilities,there may be continued reliance on legacy processes,which may not A security and resilience framework for CBDC systems 29 support potential requirements for secure and resilient CBDC systems
182、,and could introduce operational risks,a�����dditional costs and longer recovery time from incidents.2.Identify This step is intended to guide central banks to identify the information assets,systems and networks used for CBDC systems,as well as external dependencies,that would need to be protected and h
183、ave resilience measures applied.35 Central banks should consider the following a��������ctivities:Identifying the information assets,systems and networks for a CBDC system to be managed,including integration points and vendor dependencies;Monitoring emerging threats,vulnerabilities and risks that could aff�����e
184、ct CBDC systems,including external dependencies,and determining possible mitigation measures required;Defining the security and resilience requirements for the CBDC �����core functions,online �������and offline,from both the systems and the end users perspective;Defining security requirements for online and off
185、line digital wallets ����that end users will use to hold and use CBDCs;Defining the roles and responsibilities of actors in the CBDC ecosystem(for example,commercial banks and financial institutions)in ensuring end-to-end security and resilience.Once these are defined,they should be communicated,with ac
186、tions assigned to������� specific owners.Tasks and progress should be tracked and reported.3.Protect This step covers objectives for the technical and non-technical controls and measures that would need to be implemented to protect the CBDC sy��������stem against and mitigate the impact of security and resilience
187、incidents.This step also includes controls specific to DLT if this is used for a CBDC system.In addition to the typical emphasis on areas such as network security,identity and access management,application security,resilient architecture and design,and secure and modern operations,the fol��������lowing coul
188、d be applicable to CBDC systems:When user identification is required,leverage an established identity scheme to avoid any additional exposure of user data;35 Actions such as asse���t and ri��������sk identification are part of this step and are detailed in the control objectives set out in Appendix A.A securit
189、y and resilience framework for CBDC systems 30 Due diligence on the security of payment devices,applications and workflows,to minimise the attack surface and possibility of compromise;36 Due�������� diligence on the security of cryptographic keys that are used to secure digital wallets and transactions;Test
190、ing and certification of offline CBDC solutions accord������ing to the security������ criteria defined by the central bank;A real-time monitoring and risk-based decision capability to identify suspicious or anomalous CBDC transactions or compromised digital wallets and take appropriate actions such as blocking
191、a wallet,adjusting transaction limits or other risk management parameters.Comprehensive security validation and testing of th������e CBDC system would help central banks verify whether sufficient controls have been������� implemented.4.Detect With an evolving cyber threat landscape,and the complexity of a CBDC s
192、ystem and its dependencies,incidents should be expected to happen.Central banks and pa�����������rticipants in the CBDC ecosystem would need to be able to detect incidents before they escalate.Some considerations could include:Gaining awareness of potential threats or vulnerabilities through sharing of threat
193、intelligence or coordination of inciden������t response efforts between CBDC ecosystem participants.This could involve the formation of a CERT focused on CBDC systems,as they could be considered critical infrastructure;Establishing a baseline pattern(network traffic,end user behaviour,etc)and constantly c
194、omparing the observations again������st the known patterns for normal behaviour in order to identity possible incidents.This analysis could benefit from a security information and event management(SIEM)system that collects and correlates event logs from multiple sources;Proactively scanning the network an
195、d systems to detect vulnerabilities or indications of compromise.This could be regular vulnerability scanning,“red-teaming”exercise������s,or a targeted“threat hunting”activity.With an evolving c�������yber threat landscape,detection and response capabilities would need to continually adapt;Developing a strategy
196、 for monitoring and detecting potential incidents with offline payments,as real-time monitoring is not possible.Detection capabilities must operate 24/7,with alerts being reviewed and responded �����to around the clock,typically overseen by a SOC capability.36 The BIS Innovation Hubs Project Sela is expe
197、rimenting with various practices to minimize the attack surface including architecture design�����,transaction authorization,and data management.A security and resilience framework for CBDC systems 31 5.Respond Given the unpredictable nature of certain high-impact events such as natural disasters or cybe
198、r attacks,and the criticality of a CBDC system to a nations financial system,central banks should have a dedicated incident response team with clear roles and responsibilities.This te����am needs to be ready to respond to incidents at any time,and would need to treat an incident as ������its highest priority
199、until systems and services a������re restored to a satisfacto������ry level.An incident response team would be led by an incident manager and include a dedicated executive in charge of physical and cyber security such as a Chief Security Officer,in addition to members of the SOC.The team could also include memb
200�������、ers from other functions,including executives or man����agement from affected business areas,legal,communications or risk management,and have support and delegated authority from senior leadership to resolve the incident.This matrix team should be familiar with the incident response and recovery process
201、es through participation in“tabl�������etop”or“purple-teaming”exercises,and be capable of performing root cause analysis,impact containment,eradication of vulnerabilitie������s and remediation of damages that have been caused by the incident.The incident response team would also need to have established contact
202、with incident response functions at participants i������n the CBDC ecosystem,and be able to engage them as appropriate throughout an incident response process.6.Recover This step is about restoring impacted services to normal operations.Activities may include restoration from backups and replaci������ng,repairi
203、ng or upgrading hardware and software.The reco�������very process may need to be coordinated with other participants in the ecosystem;therefore,prep�����aratory plans and processes would need to be established.The following points would be some important considerations:A CBDC system would need to resume normal
204、operation as soon as possible;Clear and timely communication to the public and businesses would be essential,to provide clarity and certainty;T�����ransactions that were pending or in an incorrect state would need to be resolved.37 37 Some cases may need to be resolved via a dispute resolution process;ho
205、wever,further work would be required to determine how this would need to������� be �����designed to handle such incidents according to their severity.A security and resilience framework for CBDC systems 32 It would be important to test and simulate how recovery processes would need to happen in practice,particu
206、larly when maturing technologies(eg DLT)are used,at an early stage.7.Adapt The“adapt”step enables the CBDC system to adjust its operational parameters and go through changes as needed.This includes:Leveraging technologies or services that can automatically scale up when demand is high,for exampl�������e us
207、ing a DDoS protection service that can absorb much more network traffic volume than a����� central banks network can handle,adopting virtual machine management services that can auto-scale,etc;Learning from each incident and making adjustments(eg increasing capacity,hardening certain services,introducing
208、 new controls,training)as needed;Proactively making changes to the CBDC system and associated business processes(based on findings from t������he incident,in response to new cyber threats).The framework for secure and resilient CBDC systems is an iterative process.The“prepare”and“identify”steps should be
209、carried out periodically to reassess maturity and readiness and review identified new threats���.The“protect”and“detect”steps are“always on”�����,making sure that existing controls are still effective while implementing new controls as required.The“respond”and“recover”steps are largely responsive,as a react
210、ion to a security or resilience incident.The“adapt”step could be carried out in different stages,for example during design,in operation,after each incident,and on a regular basis.A security and res������ilience framework for CBDC systems 33 6.Applying the framework This section describes how to apply this
211、 Polaris framework for CBDC security and resilience.6.1 Adapting the frame�����work As shown in Figure 8,this framework could be adapted a����ccording to a central banks mandate,operational context,legal and regulatory obligations,technology solutions used for a CBDC system,broader public service objectives
212、for CBDC systems,associated risk appetite,and business continuity and incident response strategy.The adapted framework could be applied and implemented through integration and potential changes to the technical and business area��������s of the central bank and other participants in the CBDC ecosystem.This
213、adaptation effort could be led by a chief security officer,who would be familiar with the context and the associated business processes and technical capa�����bilities of the organisation.6.2 Roles and responsibilities within the central������� bank Within the central bank,the following set of business roles or
214、 functions would typically be directly involved in overseeing,managing and impl������ementing the security and Figure 8:Adapting the framework A security and resilience framework for CBDC systems 34 resilience framework for the C������BDC system,although many other functions and teams would be likely to contrib
215、ute to its security and resilience.It sho������uld be noted that all roles in a central bank contribute to the security and resilience of the organisation and its systems.1.Central bank senior leadership and board Leadership endorsement and support is a key success factor for any������� security and resilience p
216、rogramme.The CBDC project team needs to mak������e the central banks management aware o����f the importance of these two key elements,and the amount of work needed to meet the objectives.Central bank management should also commit to emphasising the importance of these in their communications to central bank s
217、taff,participants in the CBDC ecosystem and the����� general public.Ideally,members of the central banks executive team(eg the chief������� security officer and the executive accountable for the CBDC system operations)should be appointed as the owners of security and resilience for the CBDC system,who would the
218、n make sure that such topics are regularly discussed at senior leadership,board a�������nd executive meetings,so any risks are included in the central banks risk register,discussed and prioritised,resources are sufficiently allocated,and any change required is executed.2.Chief security officer The chief se
219、curity officer(CSO)is responsible for the day-to-day security(physical and cyber)�������and resilience of the organisation as a whole,including the CBDC system.They would lead the effort of �����adapting the framework to their jurisdiction(as described earlier),set a target and timeline for achieving maturity(t
220、o be described later),and define the minimum security and resilien������ce requirements that would have to be met before the CBDC system could go into pilot,and what additional requirements would have to be met before production.They would define the proper sourc�����ing strategy for supporting the security an
221、d resilience needs of the CBDC system,ensuring that sufficient resources will be ready to perform the ongoing monitoring,detection,response and recovery activities once the CBDC system goes into pilot or p��������roduction,as well as the security due diligence for ongoing changes.They would establish regula
222、r communication with their counterparts in the other participants in������ a CBDC ecosystem(eg financial institutions and major technology suppliers),and provide regular updates to the accountable executive(s)responsible for the CBDC system as well as to the central banks senior leadership and board.Given
223、 the critical importance of a CBDC system and the evolving cyber threat and risk landscape,the CSO should be an executive-level role that reports to the governors and works in close cooperation with the chief risk officer(CRO)and chief information officer(CIO),as opp����osed to reporting to the CIO or c
224、hief operating officer.3.Enterprise governance committees and functions This group of functions manages the central banks overarching governance fram����eworks that encompass all projects and business activities,such as the r�������isk A security and resilience framework for CBDC systems 35 register,the inform
225、ation security policy,the audit function,the vendor management function,etc.These functions should incorporate CBDC-related components into their work and ensure that CBDC is covered in future activities.For example,the techn����ology risk management function should incorporate CBDC-related risks into i
226、ts risk register and start tracking and reporting these risks.Similarly,the business continuity function needs to incorporate CBDC into its set of business processes to manage,and include CBDC-related business����� and technology functions in the overall business continuity and test proced�����ures.4.Steering
227、/stakeholder committees The CBDC programme steering committee should include a senior executive who covers the security and resilience aspe�������cts of the system.This could be the chief(information)security officer or a suitable delegate who ensures that security and resilience requirements are i������mplement
228、ed as planned,prioritised,appropriately resourced and any issues resolved.5.CBDC program�������me team The CBDC programme team is tasked with specifying,designing,implementing,testing and deploying the CBDC systems and associated supporting functions,including the handover into operations.It could use the
229、framework to deri������ve some security and resilience requirements.The programme team should work with the enterprise governance functions to ensure that the CBDC programme follows and leverages existing governance processes and frameworks,but also identifies how these would need to be updated.The progra
�����230、mme team would need to inform the IT infrastructure team of their requirements,and work together with them on specifying the environment configuration for the CBDC system components.The programme team should detail the various CBDC system components needed to establish the necessary incident detecti
231、on,r��������esponse and recovery strategy and procedures.6.Change management function Applying this framework could lead to a central bank identifying capabilities that may need to mature or new capabilities that need to be established.It is critical for central banks to implement change management strategi
232、es for CBDC systems at an early stage to ensure any changes and their impacts are identified,planned for,and com������municated to all stakeholders.On the other hand,a resilient CBDC system relies on the central bank and other involved institutions being responsive,agile and coordinated in their change pr
233、ocesses when an incident response leads to the need t������o make a change to the system.Depending on the solution used for a CBDC system or the nature of the change,a central bank may find itself �������in a position of needing to manage and operate multiple versions of the system for a certain period of time.T
234、his would require careful planning,regular and early communication,change roadmaps and clear details on how different A security and resilience framework for CBDC systems 36 versions might be supported and for how long,and guidance on switchover or migration.7.The IT inf������rastructure team The infrastr
235、ucture team would need t������o allocate sufficient com��������puting,network and storage resources to support the operation and resilience requirements of a CBDC system.Any supporting infrastructure together with the deployed CBDC components would need to meet the security and resilience requirements.Robust proc
236、esses for deployment and roll-back when managing changes to the CBDC system would need to be in place.Regular vulnerability scans and security updates �����of the software and network components supporting a CBDC system should always be prioritise������d.8.The security and resilience functional teams Under the
237、 leadership of the CSO,38 the functions accountable for security and resilience would need to be involved in each phase of the CBDC programme to ensure that security and resilience requirements������ and activities are implemented.These functional teams would need to analyse the architecture components �����of
238、 the CBDC solution,identify new technologies and new dependencies,and ensure the control objectives in this framework are applied.They would need to develop the security and resilience plan and key milestones for the CBDC programme,overseen by and reviewed with t��������he CSO.They would also ensure that th
239、reat modelling ������is performed at a detailed level to help shape the overall security and resilience focus areas for the CBDC programme.They would work with both the programme and infrastructure team to ensure the proper protective and detective controls are implemented.Threat intelligence channels may
240、 need to be established or enhanced to cope with the new threat landscape engendered by the CBDC system.6.3 Roles and responsibilities across th����e ecosystem Besides the central bank,a CBDC ecosystem could involve commercial banks,PSPs,other intermediaries,end users including merchants,and technology
241、solution and service providers.This ecosystem would depend on public-private partnership�����s.The central bank could take the lead on defin����ing the end-to-end security and resilience objectives,requirements and standards for CBDC systems in collaboration with actors in the ecosystem,as well as assessing
242、risks and defining risk tolerance and levels of acceptance.These could form part of any requirements that participan�����ts would need to implement,demonstrate and validate in order to be allowed to operate within an CBDC ecosystem.In addition,central banks could take the lead(working with other������ authorit
243、ies and the private sector)to ensure that security requirements for digital wallets,which could includ������e offline payment functionality,are defined.38 In some organisations,the resilience functional team could be under a different leadership.This would require coordination bet�������ween the chief(informatio
244、n)security offic������er and the leadership for the resilience function.A security and resilience framework for CBDC systems 37 The security and resilience of a CBDC system depends on its weakest link.In that regard,central banks need to ensure not only that the CBDC system has implemented all the ne����cessa
245、ry measures,but also that all p������articipants(eg financial institutions or PSPs)are meeting security requirements,both initially and for ongoing participation.39 The resilience requirement for the CBDC system and its subcomponents should be defined within the broader set of resilience requirements that
246、 apply to a given nations payment services.Central banks need to ensure that the resilience of������ a CBDC system is regularly assessed,possibly through tabletop exercises,with risks,including concentration risk,assessed and managed.The following table summarises the roles and responsibilities of the maj
247、or actors in a CBDC ecosystem in assuring its security and resilience:Table 1:Security and resilience:roles and responsibilities of different acto�����rs Actor Security Resilience Central bank Identify needs for security talent and capabilities to support the cyber security needs of the CBDC and foster c
248、apacity-building in meeting such demands.Establish ownership and accountability on cyber security for the CBDC at the senior executive level.Facilitate cyber security intelligen�������ce-sharing among the CBDC ecosystem participants.Define security-related supervision requirements for financial institution
2�������49、s Identify gaps in the jurisdictions capacity to provide resilient technology infrastructur�������e,and work with other government bodies to foster the development of such capabilities.Ensure that the resilience requirements for the central banks and financial institutions CBDC components are well defined
250、and regularly reviewed.Make sure the central bank meets its CBDC resilience requirements.39 Adherence to security requirements plus assurance,vetting and certification could form part of any regulatory requirements established for certain par�����ticipants in a CBDC ecosystem.A security and resilience fr
251、amework for CBDC systems 38 participating in the CBDC ecosystem.Certify private sector firms who can validate the security of CBDC wallets and other CBDC system components based on the established r������equirements.Consider the inclusion of CBDC system resilience validation as part of the central banks s
252、upervision of financial institutions.Financial institu�����tion Follow the central banks requirements and industry best practices to implement the security measures in its CBDC systems.Engage vendors who are certified by the central bank to conduct independent security assessments of its CBDC systems.Fol
253、low established requirements in developing or selecting CBDC wallets.Make sure its CBDC components meet the resilience requirements as defined with the central bank.Make sure that users who receive CBDC from ���one institution can use it on services provided by another institution.Ma������ke sure users can u
254、se their CBDC offli�����ne per the central banks requirements.Technology provider Provide CBDC-related security design and testing services to central banks and financial institutions.Develop CBDC wallets that meet se������curity and resilience requirements defined with the central bank,ideally by enhancing wa
255、llets that end users are ��������already familiar with.Provide an independent security assessment service for CBDC components managed by the central bank or financial institutions.Under the governments guidance,establish resilient technology infrastructure.Standardise its technologies and modernise its syst
256、em resilience capabilities to support modern mechanisms such as auto-scaling and transparent workload shifting between data centres and even between service providers.A security and resilience framework for CBDC systems 39 As part of fostering a public-private partnership supporting a CB������DC system,a
257、central bank could consider establishing a cyber resilience coordination function in its jurisdiction(or leverage an existing one).Such a function could enable all participat�������ing actors in a CBDC ecosystem to co-ordinate,establish roles and responsibilities,participate in readiness and purple-teaming
258、 exercises,adopt common processes and use the opportunity to enhance their cyber resilience posture.End user solutions supporting CBDC,online or offline,are another����� ar��������ea that would need to involve multiple actors in the ecosystem.This framework could be used to derive some security and resilience re
259、quirements for such solutions.Independent parties could be identified to test,assure and certify end user solutions to be used for CBDCs.40 6.4 Path to readiness����� and maturity Several case studies have underscored that a c�����entral banks operational capabilities,41 as well as its existing technology pro
260、file,could be a major source of operational risk for the CBDC project.42 This framework has ������been developed to help mitigate such risks.The capabilities defined by the control objectives,if required by a central bank,d�����o not all need to be implemented to the highest maturity level before a CBDC system
261、 pilot can be launched.Below are the key ������steps for a central bank to assess its needs and formulate a plan to achieve a sufficient level of security and resilience,using its risk tolerance for the CBDC system.1.Formulate a plan for all required capabilities Control objectives in the“prepare”step in
262、the framework,especially those categorised as“baseline applied to CBDC”,would need to be established before a CBDC system could move into a pilot,and would be essential before moving to a production(live)phase.The rest of the control objectives in the fra����mework should be reviewed to determine what i
263、s required,the maturity level needed,and by when.A method such as the Capability Maturity Model Integration(CMMI)model(SEI(2010)would be used.This would be a �����risk-based approach that considers the benefits of launching a CBDC system,and the mitigating controls to manage risks associated with not ful
264、ly implementing a capability in a given phase of a CBDC programme.When taking this approach,central banks should to be cautious in monitoring the pilot system and be ready to contain the impact o�������f potential incidents,as the reputational impact could affect further phases of the CBDC programme.Figure
265、 9 illustrates how a central bank could go through each control objective in the framewor������k,decide if it is relevant,and if so,when and how the capability should be 40 Requirements for security and resilience,assessment,assurance and certification could form part of regulatory requirements for certai
266、n actors participating in a CBDC ecosystem.41 This includes the central banks internal employees,third-party vendors and external consultants.42 CBDC Task Force report on CBDC in�������formation security and operational risks to central banks,forthcoming.A security and resilience framework for CBDC systems
267、 40 implemented and to what extent,and who should own the implementation of this capability.In this process,central ban������ks could use industry standard guidelines,when needed,in determining the specific controls to be implemented to meet an objective,43 and the capability domain information in each co
268、ntrol objective to identify the appropriate owner(s)for implementation,testing �������or validation of the controls.44 The CBDC programme team should also identify���� the capabilities other participants in a CBDC ecosystem would need to implement and by when,and keep track of progress.43 The CERT Resilience M
269、anagement Model(SEI(2016)and the Payment Card Indus������try Data Security Standard(Payment Card Industry Security Standards Council(2022)provide detailed implementation guidelines on the type of controls to be implemented to satisfy certain contr������ol objectives.44 For example,the first control objective un
270、der“Protect”is“The central bank establishes a separate(or segregated)network segment for its CBDC components where possible.The������� theme is“Baseline applied to CBDC”which means that this control objective for network segregations is assumed to be part of existing practices at A central bank.Figure 9:Fo
271、rmulating an implementation plan for required capabilities A security and resilience framework for CBDC systems 41 2.Work with stakeholders to execute the plan With the support of the executive fro������m the central bank,the CBDC project team would work with internal and external stakeholders to make sur
272、e the require�������d capabilities are implemented based on the defined timeline.For external dependencies,the central banks team would need to establish contact,communicate expectations,and regularly validate progress to make������� sure the external parties would be able to complete their tasks.The central bank
273、 team would need to identify independent parties who could conduct testing and validation and provide evidence to the centr�����al bank on the successful fulfilment of these objectives by external parties.3.Regular updates to executives on status and strategic guidance Through the executive sponsor of th
274、e CBDC security and resilience work,the CBDC project team should regularly update the steering committee�������� and central bank management on the status of implementing the required capabilities for security and resilience,both on the central bank side and for external institutions,so that they understand
275、 the dependencies and the risks associated with any missing capabilities,and provide guidance and support on internal and external resources,timeline adjustments and n������ecessary scope changes.The project team should also bring strategic recommendations to the executives,such as training and talent dev
276、elopment for the central bank,incentives to foster private sector development to support the CBDC programme,and liaison with college educati������on programmes to develop a pool of talent for long-term needs of the CBDC ecosystem.A s�����ecurity and resilience framework for CBDC systems 42 7.Summary The implem
277、entation of retail CBDC systems means that central������� banks would be developing and updating mass market produ�����cts and serving retail consumers,which is a space that most central banks are not familiar with.Combined with the complexity of the ecosystem,and the potential critical role they would play in
278、the financial market infrastructure,retail CBDC systems bring a significant amount of risk to a central bank,especially reputational risks that could stem from a security breach or outage at �������any������� of the participating institutions in the ecosystem.The Polaris framework for secure and resilient CBDC sy
279、stems has been developed to assist central banks in managing this complexity and new risk landscape with a well defined set of control objectives,organise������d under well known enterprise capability domains,along a seven-step iterative process.The threat landscape������ for CBDC systems as laid out in this re
280、port provides a starting point for central banks to take a risk-based approach by understanding and managing the threats to t�������he security and resilience of their CBDC systems.The framework highlights the impor�����tance of looking at the CBDC as an ecosystem,in which the central bank can take the leadersh
281、ip role but the eventual outcome would highly depend on the success of a ������public-private partnership,a long-term strategy for establishing and maturing capabilities across the participating institutions,and fostering the development of a pool of talent and a robust private sector.The framework helps
282、central banks identify areas that need development,both inside the central bank and across the jurisdiction,and could help inform technology providers on the opport������unities and expectations awaiting them.With the const�������antly evolving cyber threat landscape,the various emerging technologies that will p
283、lay important roles in CBDC solutions,and the nascent nature of CBDC business and techn�������ology models,it is expected that the framework will need to be updated at regular intervals in the future in collaboration with central banks and the private sector.A security and resilience framework for CBDC sys
284、tems 43 8.Appendix A:Control objectives in the framework The appendix contains the complete list of the control objectives in the framework for������� secure and resilient CBDCs,as organised by the seven steps.Prepare Capability Control objective Theme 1 Enterprise Focus The board and senior leadership of
285、the central bank take an active role and accountability in establishing a broad understanding of the security and resilience appro��������ach for the CBDC system,through clear communication of its objectives to all relevant parties,including bank������� personnel,third parties and intragroup entities.Baseline appl
286、ied to CBDC 2 Enterprise Focus Senior management of the central bank implement the security and resilience strategy for the CBDC solution and ensure that financial,technical and other resources are appropriately allo��������cated in order to support the central banks overall security and operational resilie
287、nce approach.Baseline applied �����to CBDC 3 Enterprise Focus Information security and resilience roles and responsibilities for the CBDC system are defined and allocated within the central bank.This could include the creation of a dedicated executive-level owner for cyber and physical security,accountab
288、le to the senior leadership.Baseline applied to CBDC 4 Enterprise Focus The central banks information security policies are updated to cover CBDC,approved �����by management,published,communicated to and acknowledged by relevant personnel a������nd relevant interested parties,and reviewed regularly.Baseline ap
289、plied to CBDC 5 People Management The central bank has committed to allocate enough resources to support the implementation and ongoing management of the security and resilience programme for the CBDC system as well as for any enterprise-wide dependencies.Baseline applied to CBDC ������A security and resi
290、lience framework for CBDC systems 44 6 Commun����ications Contact with relevant authorities is established and maintained by the central bank in reporting and resolving incidents affecting the CBDC system.Baseline applied to CBDC 7 Communications The central bank has established contact with special int
291、erest groups o�������r other specialist security forums and professional associations to receive threat intelligence relevant to the CBDC system.Baseline applied to CBDC 8 Change Management Robust change management capabilities are applied to CBDC-related change initiatives affecting people,processes and t
292、echnologies in the central bank and its service and solution providers.Baseline applied to CBDC 9 Service Continuity The central bank has established a service co�������ntinuity capability that includes a cyber resilience incident response and recovery plan(including defined processes,roles and responsibil
293、ities,and technology solutions)that applies to the CBDC system.Baseline applied to CBDC 10 External Dependencies Management The central banks CBDC service continuity p����lan includes exit strategies to maintain the CBDC systems operational resilience in the event of a failure or disruption at a third p
294、arty impacting the CBD�����C systems operations,which should include escrowing the third partys soft�������ware source code and other artifacts that can be used to reconstruct the software,where applicable.Baseline applied to CBDC 11 Service Continuity At least once a year,the central bank reviews,tests and ref
295、reshes its processes,resource allocation and toolset that support the incident response plan covering the CBDC components.The test includes its suppliers and third-party providers where appropriate.Baseline �����applied to CBDC 12 Compliance The central bank conducts regular audit reviews(internal and ex
296、ternal)of the processes and technologies applied to the CBDC system including security controls,business continuity plans and incident response.Baseline applied to CBDC A security and resilience fram��������ework for CBDC systems 45 13 Service Continuity Where required,a backup copy of each of the central b
297、anks CBDC applications and its supporti������ng infrastructure components is maintained in a separate disaster recovery site to provide resilience in case of a disruption of the primary site.Baseline applied to CBDC 14 Service Continuity At least on�����ce a year,the central bank tests the resilience of its CB
298、DC solution.Baseline applied to CBDC 15 Service Continuity The central bank has established and tested its technologies and controls for any remote management of systems,balancing security and business continuity needs.Baseline applied to CB������DC 16 People Management The central bank has implemented an
299、 employee termination policy and associated access management and monitoring procedures to make sure that terminated employees cannot compromise the confidentiality,integrity and availability of the CBDC system.Baseline applied������ to CBDC 17 Change Management The central bank has established a configur
300、ation change controls process for its CBDC system.Baseline applied to CBDC 18 Environmental Control The central bank ensures that physical and environmental security best practices are applied to all its CBDC technology hosting facilities,and reviews such practices on a regular ����basis.Baseline applie
301、d to CBDC 19 Environmental Control All of the facilities us�������ed to operate the CBDC system are protected from power failures and other disruptions caused by failures in supporting utilities.Baseline applied to CBDC 20 Environmental Control Cables carrying power,data or supporting information services
302、for the CBDC systems are protected from interception,interference or damage.Baseline applied to CBDC 21 Environmental Control Protection against malware,�������including ransomware,is implemented and supported by appropriate user awareness and regular mandatory training,including attestation to complying w
303、ith policies and processes in a code of conduct.Baseline applied to CBDC A security and resilience f������ramework for CBDC systems 46 22 External Dependencies Management The central bank has defined and implemented pro����cesses and procedures to manage the information security and supply chain risks associa
304、ted with the use of a suppliers products or services for the CBDC system,including due diligence in selecting,contracting,ongoing monitoring,ass�����urance and audit,exit strategy and offboarding.Baseline applied to CBDC 23 External Dependencies Management The central bank has validated the integrity of
305、any hardware and external software used in t������he CBDC system.Baseline applied to CBDC 24 Training and Awareness The central bank has informed and trained its internal personnel,both regular and privileged users,about their roles and responsibilities with regard to t������he CBDC solution,including its secur
306、ity and resilience.Baseline applied to CBDC 25 Identity and Access Management The central bank has established an identity and access life cycle management process to ass���ign,review,and re-certify its internal users role-based access privileges to all its CBDC system components.Baseline applied to�������� CB
307、DC 26 Service Continuity The central��� bank has implemented and tested a break-glass solution to allow privileged access for managing the CBDC sysem in case of a failure in the regular access control system.Baseline appli�������ed to CBDC 27 Identity and Access Management The central bank has implemented mul
308、tifactor authentication for all internal users access to its financial systems,including hardware-based mul����tifactor authentication for its privileged users.IT modernisation 28 Application Security The central bank has integrated information security into its process for managing application developm
309、ent,including a security architecture review function and security testing carried out by a team that is independent of the project team,and requires CBDC applications to pass security testing before any major release c�������an go into production.Baseline applied to CBDC 29 Application Security The centra
310、l bank has i�������mplemented its application security testing function and processes,including a combination of automated and manual testing,with both static Baseline applied to CBDC A security and resilience framework for CBDC systems 47 and dynamic c��������ode analyses,covering both custom-developed and third-
311、party code(open source,COTS,etc),with a risk-based framework for deciding whether a new application or release can go into production.30 Application Security The central bank has implemented security gates in its DevSecOps pipelines to automate ��������the security testing of its applications,including but
312、not limited to software composition analysis,static code analysis,dynamic application scan,configuration checks,etc,and uses a risk-based approach to decide whether the pipeline needs to stop or can move forward.IT modernisation 31 Application Security The central bank has set up separate devel����opmen
313、t,testing and production environments for its app�������lications,with separate access control and appropriate security measures configured for each.Baseline applied to CBDC 32 Technology Management Where possible,the central bank has implemented security guardrails to leverage capabilities in the u�������nderlyi
314、ng platform to prevent CBDC applications and infrastructure configurations from deviating from the security baseline.IT modernisation 33 Service Continuity The central bank has adopted a microservice architecture and enabled auto-scaling where feasible and appropriate for CBDC applications a���������nd modul
315、es,an��������d has implemented a strategy to migrate such microservice modules to a new infrastructure when a hosting facility is having issues.IT modernisation 34 Change Management The central bank has adopted an agile application deployment and roll-back strategy(comb�����ined with the microservice architectur
316、e where applicable)for the CBDC system,including the blue/gree������n deployment approach where appropriate,to increase application resilience when deploying changes.IT modernisation A security and resilience framework for CBDC systems 48 35 Application Security The central bank has implemented DevSecOps
317、pipelines and/or provisioning and configuration management scripts to automate infrastructure and environment management for its CBDC applications,with little or no manual access to such environments during normal operations.I������T modernisation 36 Identity and Access Management Where possible,the centr
318、al bank enforces just-in-time authorisation for administrators to manually manage the CBDC technology components,with detailed logging of who performed what activities,at what time,and using what ������network devices.IT modernisation 37 Network Se������curity The central bank applies network security best prac
319、tices in areas such as DDoS protection,firewall,intrusion detection and prevention,etc for all its technology environments that support the CBDC,and conducts network-level penetration tests on a regular basis.Baseline applied to CBDC 38 Network Security The central bank keeps its regular emplo�������yee us
320、ers outside of the corporate network tha��������t is directly or indirectly connected to its CBDC system.IT modernisation Identify Capability Control objective Theme 1 Enterprise Focus The central banks role in the CBDC ecosystem is defined and communica������ted.CBDC-focused 2 Asset Definition and Management The
321、 central bank has developed and maintained an inventory of information,systems and other digital assets for the CBDC solution and their interdependencies,assigned owners for such assets,and received ack�����nowledgment from the owners.Baseline applied to CBDC 3 Exter�����nal Dependencies Management The centra
322、l bank has identified all external dependencies related to its CBDC solution,and has assigned internal owners and received acknowledgment from the owners.Baseline applied to C����BDC A security and resilience framework for CBDC systems 49 4 Risk Management The central bank has identified and documented
323、both internal and external threats to the CBDC solution,and formulated its risk resp�������onse to the threats to which its CBDC solution could be vulnerable,with established controls to mitigate risks to an acceptable level.The central bank has established a process to continuously monitor and update such
324、 threats,vulnerabilities,risks and controls.Baseline applied to CBDC 5 Risk Management The central bank has established sufficient c�����ontrols and procedures to identify new threats(internal and external)and new vulnerabilities in its CBDC system and supporting environment,and uses its risk management
325、process to analyse and manage th��ese new threats and vulnerabilities.Baseline applied to CBDC 6 Service Continuity The central bank has defined its CBDC systems resilience requirements at all levels and components,and for all operating states(eg under duress/attack,during recovery,normal operations),
326、in order to support the service continuity plan.Baseline applied to CBDC 7 Service Continuity The central bank has defined its strategy for CBDC transaction integrity during system or technology failures,including how t��������o resume interrupted transactions,how to restore balances and positions when valu
327、e is lost in an interrupted transaction,etc.CBDC-focused 8 Service Continuity Operating pr��������ocedures for the central banks CBDC solution are documented and made available to personnel who need them,including during emergencies and potential outages of the central banks regular corporate network.Baseli
328、ne applied to CBDC 9 Compliance Legal and regulator���������y requirements and other obligations relevant to information security,data protection,data privacy,etc related to the CBDC and the central bank�����s approach to meet these requirements are identified,documented and kept up to date.Baseline applied to CB
329、DC A security and resilience framework for CBDC systems 50 10 Application Security The central bank has identified,specified and approved information security requirements for its CBDC application or applicat�������ion components,to be either developed or procured.Baseline applied to CBDC 11 S�������ervice Contin
330、uity The central bank has decided whether it is going to support offline CBDC payments when either the back-end CBDC service is not reachable or the end �������user has no access to a smartphone,internet,or power.CBDC-focused 12 Technology Management If applicable,the central bank has defined securi�����ty requ
331、irements for offline CBDC payment solutions so that risks associated with the use of offline payment technologies are within the central banks risk appe����tite/tolerance.CBDC-focused 13 Technology Management The central bank has specifie��������d requirements for CBDC wallet providers to allow such wallets to
332、interoperate with ������each other so that end users can continue to use the CBDCs in the wallet in case the wallet provider has a service outage,etc.CBDC-focused 14 Compliance The handling of personally identifiable information(PII�������)in the central banks CBDC solution meets applicable legal and regulatory
333、requirements in the jurisdiction,with appropriate disclosure to end users where applicable.Baseline applied to CBDC Protect Capability Control objective Theme 1 Network Security The centr���al bank establishes a separate network segment for its CBDC components where poss�����ible.Baseline applied to CBDC 2 Application Security The central bank has implemented layered defence for its CBDC applications and
sgpjbg002
工作日 8:30 - 17:30
报告分类
