
USE CASE: Securing ATMs with Zero Trust Networking

Malware-based attacks on ATMs have led to financial losses from “jackpotting,” reputational damage, and frustrated customers. One common factor in these successful attacks has been the absence of appropriate network segmentation.

The Palo Alto Networks approach to protecting ATM environments can significantly lower risks. At a high level, the approach includes:
• Zero Trust network segmentation for the ATM devices and related infrastructure.
• Least-privileged access policy for all ATM-related components.
• Secure IPsec VPN connection between the ATMs and the corporate data center.

Industry
Financial Services

Use Case
Protect ATMs from cyberattacks.

Business Benefits
Increase the availability of ATMs for customer convenience and transactions.

Operational Benefits
Reduce losses from theft of ATM cash as well as the number of field service calls with improved resilience to cyber incidents.

Security Benefits
Prevent lateral movement by attackers or unauthorized insiders to ATMs or related systems. Inspect all traffic to/from ATMs for malicious content.

Business Drivers
• Banks, credit unions, and other financial institutions maintain a fleet of ATMs as a strategic asset that establishes personalized
touchpoints for customer self-service and convenience.
• Availability and resilience are crucial to the role of ATMs in the omnichannel strategy for customer engagement, helping
them serve as the bridge between the physical and digital channels.
• Despite the growing popularity of electronic transactions, cash is still a preferred payment method for a significant segment of
the population.
• As a repository for cash, ATMs have been subject to physical attacks since their introduction more than 50 years ago. Recently,
malware-based attacks have gained prominence as a mechanism to “cash out” ATMs.

Traditional Approaches
Antivirus and Anti-Malware Approaches
In general, ATMs are physically hardened to restrict access to their underlying internal systems. However, this doesn’t offer any protection
against network-borne attacks. Since most ATMs are built on Microsoft Windows®, they have typically been secured with traditional,
signature-based antivirus/anti-malware like any other Windows machine. Unfortunately, signature-based protection has proven less than desirable
given its reactive posture. Moreover, such products lack protection against exploits. Consequently, motivated and experienced attackers can
bypass these legacy products with inexpensive, automated tools that can produce countless unique, unknown attacks. Ultimately, traditional
approaches are proving inadequate to protect ATMs against compromise.

Palo Alto Networks Approach


Beyond securing the ATM as an endpoint device, implementing a Zero Trust network architecture can minimize risk by
controlling access to these critical assets and exposing unauthorized activity. The Zero Trust model was developed specifically
to address the security of sensitive data and critical applications in enterprise environments. The primary goal of Zero Trust
is to prevent attackers and malicious insiders from successfully compromising critical data, applications, and systems through
exploits, malware, and credential- or user-based attacks.
Applying this concept to ATMs, these devices are protected by a segmentation gateway (in the form of a Next-Generation
Firewall) that limits traffic to only what is required for the device to function. Only legitimate application traffic to and from
the ATM is allowed to pass the Next-Generation Firewall, but even this is inspected for malware, vulnerabilities, and
command-and-control behavior. Any unexpected traffic is blocked as potential malicious activity in this least-privileged access
model. Furthermore, the Palo Alto Networks GlobalProtect™ agent may be run on the ATM to establish a secure connection
directly to the segmentation gateway.

[Diagram labels: ATM with GlobalProtect (GP) agent; Retail branch; IPsec VPN; Next-Generation Firewall; Data center; ATM-related infrastructure; Unrelated IT resources]

Figure 1: Zero Trust applied to ATMs and related components

Zero Trust can also be applied to data center resources to partition ATM-related servers and backend infrastructure from other
unrelated resources. Even east-west traffic to and from ATM-related components within the data center would be inspected
to prevent lateral movement by malicious actors or unauthorized insiders for further protection. Adopting this approach for
network segmentation complements other best practices for ATM cyber hygiene and minimizes the risk to these frequently
targeted devices.
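
The least-privileged model described above, for both the ATM segmentation gateway and east-west traffic in the data center, can be sketched as a small policy evaluator. This is an added example, not Palo Alto Networks code or firewall configuration; the zone names, application labels, and sample flows are hypothetical and constructed for illustration.

```python
from collections import namedtuple

ANY = "any"
# inspect=True: allowed traffic is still scanned for malicious content.
Rule = namedtuple("Rule", "name src_zone dst_zone app inspect", defaults=(True,))
Flow = namedtuple("Flow", "src_zone dst_zone app")

# Hypothetical zone and application labels modelled on Figure 1.
POLICY = [
    Rule("atm-to-backend", "atm", "atm-infra", "atm-transaction"),
    Rule("backend-to-atm", "atm-infra", "atm", "atm-management"),
]

def _match(pattern, value):
    return pattern in (ANY, value)

def evaluate(flow, policy=POLICY):
    """Return (verdict, rule name); traffic matching no rule is denied."""
    for r in policy:
        if (_match(r.src_zone, flow.src_zone) and _match(r.dst_zone, flow.dst_zone)
                and _match(r.app, flow.app)):
            return ("allow+inspect" if r.inspect else "allow", r.name)
    return ("deny", "default-deny")

def lint(policy):
    """Flag rules that break least privilege: wildcards or no inspection."""
    findings = []
    for r in policy:
        if ANY in (r.src_zone, r.dst_zone, r.app):
            findings.append((r.name, "wildcard match"))
        if not r.inspect:
            findings.append((r.name, "allowed without inspection"))
    return findings

# Constructed sample flows, not real traffic.
SAMPLE_FLOWS = [
    Flow("atm", "atm-infra", "atm-transaction"),  # expected business traffic
    Flow("unrelated-it", "atm", "smb"),           # lateral movement toward an ATM
    Flow("atm", "unrelated-it", "web-browsing"),  # ATM leaving its segment
    Flow("atm-infra", "unrelated-it", "ssh"),     # east-west out of the ATM segment
]

def audit(flows=SAMPLE_FLOWS, policy=POLICY):
    """Evaluate each flow and return (flow, verdict, rule name) tuples."""
    return [(f, *evaluate(f, policy)) for f in flows]

if __name__ == "__main__":
    for flow, verdict, rule in audit():
        print(f"{flow.src_zone} -> {flow.dst_zone} [{flow.app}]: {verdict} ({rule})")
```

Appending a single wildcard rule to the policy is enough for the lateral-movement flow to be allowed, which is why `lint` treats any `any` field as a finding.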

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2019 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. securing-atms-with-zero-trust-networking-euc-080119
