July 2017 Monthly Member Bulletin

• From the Executive Director
• Council Highlights and Other Resources
• CSEIP Recertification Program
• New IoT Security Event

Executive Director’s Corner

IOT Security Thought Rooted in the Present, Not the Future

Every day I come across articles and blogs pointing out the security shortcomings of Internet-connected devices and networks, all of which seem to be calling for something to be done about it, yet no one seems to pay attention or step up. While we have dedicated our IoT information portal – www.iotsecurityconnection.com – to raising awareness of these security concerns, we’re not getting an avalanche of inquiries from organizations to join this fight to look at this problem.

Perhaps no one wants to admit that the security problem is already too embedded in the devices in the market today, and the cost to address the problem and proactively fix it is too unpleasant. It is similar to the Medicare fraud problem, where acknowledging that the government has a $30 billion a year security flaw that could be fixed with a less than $1 billion investment in chip-enabled Medicare ID cards is ignored, because nobody will own the solution so they allow the problem to continue.

Security experts agree that a few simple changes to the design of video cameras, home health monitors, industrial sensors, and connected consumer devices – for example, eliminating default passwords and assigning unique tamper resistant devices identifiers during the manufacturing process – would avoid prevent attacks from hacking systems. Those hacking systems are specifically designed to search the Internet for devices that aren’t built with those simple security features.

This elementary approach would address present threats, but security needs the development of technology that will prevent attacks in the future. That requires innovations in cryptography, which can be applied to low resource microcontrollers that can perform fast, low-overhead security challenges and responses on relatively simple 8-bit, 16-bit, and 32-bit processors.

These answers can be found in the modern smart card and secure element industry. Chip manufacturers in the Secure Technology Alliance have served industries such as payments, transit, smart IDs and e-passports, building security solutions into low power microprocessors. Embedding those chips and securely programming and personalizing them into IoT devices for specific environments are what they are building their future on.

But first, the IoT ecosystems need to admit that there is a problem. The Secure Technology Alliance provides the forum and resources to help IoT stakeholders address these problems. You are invited to join our IOT Security Council and work on promoting security solutions and you can attend our next public forum on advancing secure IOT payments by attending IOT Payments 2017 October 10-11 in Austin.

Council Highlights

• Council projects. A summary of all active Council projects is posted on the Secure Technology Alliance members-only site
• The Access Control Council is currently working on two projects, the development of a PACS deployment playbook for the GSA CIO and an education series on PIV-enabled PACS implementation for government physical security specialists. The Council is also updating its charter to align with the expanded Secure Technology Alliance mission
• The Health and Human Services Council is working on a healthcare 2.0 webinar presentation.
• The Identity Council has launched a new cross-council project, a white paper on the mobile identity landscape, in collaboration with the Access Control Council and Mobile Council. The white paper will assess the market landscape, document use cases and identify best practices and requirements
• The Internet of Things (IoT) Security Council has launched a new white paper project on IoT and payments. The white paper will provide a resource that outlines best practices for implementing payments with IoT devices as guidance for developing IoT payment-enabled applications
• The Mobile Council is continuing work on two white papers: mobile profiles and provisioning; Trusted Execution Environment (TEE) 101. The Council is also developing two webinars based on the mobile identity authentication white paper and the TEE 101 white paper
• The Payments Council has three white papers in process: EMVCo Payment Account Reference (PAR) use cases; best practices for payments with wearables; contactless payments implementation challenges. The Council is also defining a project on approaches to secure the card-not-present environment
• The Transportation Council is currently working on two projects: an NFC and mobile ticketing webinar and part two of the multimodal payments convergence white paper

If you would like to participate in a Secure Technology Alliance Council, please contact Mike Strock, [email protected].

New EMV Resources

• The U.S. Payments Forum Communications & Education Working Committee published a new resource, the Acquirer Testing & Certification The glossary defines terms used in acquirer EMV testing and certification forms.
• The Forum Communications & Education Working Committee also published the white paper, EMV Receipt Best Practices, to review recommendations and requirements for data elements found on receipts for chip-on-chip transactions.
• The U.S. Payments Forum published updates to several publications to add scenarios or clarify content
  • Managing Card-Based Tip and Gratuity Payments for EMV Chip white paper
  • EMV Chargeback Best Practices white paper
  • EMV Implementation Guidance: Fallback Transactions white paper
  • PIN Bypass in the U.S. Market white paper

Congratulations New Recipient

CSCIP/G Certification

• Rebecca JACKSON, XTec

CSEIP Recertification Program

In March 2017, the Secure Technology Alliance began offering a recertification program for CSEIP recipients. Recertification extends the value of the CSEIP certification by demonstrating that the CSEIP certificant is current with new technologies approved by GSA for implementing ePACS systems and refreshes knowledge of the best practices for design and implementation of government security solutions.

Benefits of Recertification

Recertification provides confirmation to industry colleagues, business partners and potential customers that the certificant:

• Maintains competency and has the necessary working understanding of Federal E-PACS system requirements, system design, engineering and life cycle disciplines covered under the CSEIP certification
• Is proven to possess continued eligibility to participate in contracts serving Federal E-PACS project

Recertification Duration

The CSEIP certification is valid for two (2) calendar years, in line with federal agency requirements, and the recertification extends that for another two years. CSEIPs who completed their certifications in 2014 and 2015 must complete their recertification in 2017.

Upcoming Recertification Dates

Exam dates now through the end of the year are on the following days:

• Aug 10, 2017
• Sept 14, 2017
• Oct 12, 2017
• Nov 9, 2017
• Dec 7, 2017

For complete information on recertification, fees and how to prepare, visit http://www.securetechalliance.org/activities-cseip-recertification/.

New Conference on IoT Payments

IoT Payments 2017 will be held October 10-11, 2017 at the Hyatt Regency Hotel in Austin, Texas. This new event will bring together financial executives, device and application providers and retail industry experts on the evolving intersection of payments and the Internet of Things (IoT). To register or submit a speaking proposal, please visit the event site.