Page 1: Introduction - IOBSEiobse.org/pdfs/Critical-Infrastructure-Protection... · ASIS International 1983-present; Regional Vice President Region 3D, Physical Security council, ASIS Physical

Introduction

Profile
Ron Martin, CPP
CEO, The Consultancy Coalition (Consullition, LLC)
Executive Director, Open Security Exchange (OSE)
Associate Director, Electronic Security Council (ESC)
Adjunct Professor, Capitol Technology University (CTU), Laurel, Maryland

Biography
Deputy Director, Critical Infrastructures and Cyber Protection Center, CTU
Director, Identity, Credentialing and Access Management Lab, CTU
Former Prince William County, Virginia Police Officer
Retired US Army Officer with over 27 years of Military Police service
Retired US Federal Government Employee with over 8 years of service

Memberships:
ASIS International 1983-present; Regional Vice President, Region 3D; Physical Security Council; ASIS Physical Security and Workplace Violence Standards working group; former IT Security and Crime and Loss Prevention councils; Security Industry Association Standards Committee; Member of InfraGard Louisiana Alliance; Member, International Organization of Black Security Executives

Professional Contributions:
• (Original) NIST SP 800-116, Using Smart Cards in Physical Access Control Systems
• Federal Identity, Credentialing and Access Management (FICAM) Roadmap development
• NIST SP 500-296 (Draft), Cloud Adoption
• ASIS International Supply Chain Risk Management Standard: A Compilation of Best Practices (SCRM)
• ASIS International Risk Assessment Standard


Critical Infrastructure Security and Resilience

Commercial Facilities Sector

The Commercial Facilities Sector includes a diverse range of sites that draw large crowds of people for shopping, business, entertainment, or lodging. Facilities within the sector operate on the principle of open public access, meaning that the general public can move freely without the deterrent of highly visible security barriers. The majority of these facilities are privately owned and operated, with minimal interaction with the federal government and other regulatory entities.


THE ENVIRONMENT


The City may house most if not all of our nation's Critical Infrastructure.

How is your Organization, your City, your Area, your Country prepared?

The 16 critical infrastructure sectors:
• Chemical
• Commercial Facilities
• Communications
• Critical Manufacturing
• Dams
• Defense Industrial Base
• Emergency Services
• Energy
• Financial Services
• Food and Agriculture
• Government Facilities
• Healthcare and Public Health
• Information Technology
• Nuclear Reactors, Materials, and Waste
• Transportation Systems
• Water and Wastewater Systems


Perspectives


International CIIP Handbook 2008/2009

• Critical Information Infrastructure Protection (CIIP)

• The CIIP Handbook focuses on national governmental efforts to protect critical (information) infrastructure.

• Identifies the critical sectors of 25 countries and 7 international organizations.

• “Countries at a Glance” provide a quick overview of the most important actors and documents in each country.

Zurich, Switzerland


Survey Categories

• Critical Sectors

• Past and Present Initiatives and Policies

• Organizational Overview

• Early Warning and Public Outreach

• Law and Legislation

“…In our view, CIP is more than CIIP, but CIIP is an essential part of CIP...”


Additional International Resources

Australia

The Trusted Information Sharing Network (TISN) for Critical Infrastructure Resilience provides an environment where business and government can share vital information on security issues relevant to the protection of our critical infrastructure and the continuity of essential services in the face of all hazards.

United Kingdom

The Centre for the Protection of National Infrastructure (CPNI) protects national security by providing protective security advice. Protective security is 'putting in place, or building into design, security measures or protocols such that threats may be deterred, detected, or the consequences of an attack minimised.'


Critical Infrastructure Sectors


Commercial Facilities Sector: The Department of Homeland Security is designated as the Sector-Specific Agency for the Commercial Facilities Sector.

The sector is divided into eight subsectors:

• Entertainment and Media
• Gaming
• Lodging
• Outdoor Events
• Public Assembly
• Real Estate
• Retail
• Sports Leagues

Commercial Facilities Sector-Specific Plan - 2015

2010 Plan


Consumer/Retail Sector

Multifactor Authentication for e-Commerce
Reducing the risk of false online identification and authentication fraud for e-commerce transactions, using multifactor authentication tied to existing web analytics and contextual risk calculation.

Securing Non-Credit Card, Sensitive Consumer Data
Helping to secure non-credit card, sensitive consumer data through capabilities such as data masking and tokenization, to improve the security of data transmitted and stored during commercial payment transactions, as well as data shared internally within a retail organization and externally with business partners.


As stronger security controls are implemented at the point of sale, retailers in the United States may see a drastic increase in e-commerce fraud, similar to what was widely observed in the UK and Europe after the rollout of EMV chip-and-PIN technology approximately ten years ago: fraud that is squeezed out of card-present transactions migrates to card-not-present channels. Consumers, retailers, payment processors, banks, and card issuers are all affected by the security risks of e-commerce transactions. Retailers bear the cost of fraudulent card-not-present (CNP) transactions, which motivates them to reduce fraud in order to avoid reputational damage and revenue losses estimated at over $3 billion. Part of reducing e-commerce fraud is raising the level of assurance in the purchaser's or user's identity.
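The contextual risk calculation and step-up that the project description refers to, shown as an added example; this is not code from the slides or from any NIST project. A checkout's context (device, IP country versus billing country, amount relative to the customer's history, order velocity) is scored, and only orders above a threshold are asked for a second factor, verified here as a TOTP code computed from scratch. The field names, weights, thresholds and sample data are assumptions chosen for illustration.

```python
"""Risk-based step-up authentication for a card-not-present checkout.

Added example, not code from the original slides or from any NIST
project. Context fields, weights and thresholds are illustrative
assumptions; a real deployment would tune them against fraud data.
"""
import base64
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

STEP_UP_THRESHOLD = 50  # assumption: at or above this, demand a second factor
DENY_THRESHOLD = 90     # assumption: at or above this, refuse outright


@dataclass
class Checkout:
    """Context a web-analytics layer can attach to an online order."""
    user_id: str
    amount: float
    device_id: str         # persistent browser/device identifier
    ip_country: str        # from IP geolocation of the session
    billing_country: str   # from the card's billing address
    orders_last_hour: int  # velocity already seen on this account


@dataclass
class UserProfile:
    known_devices: set
    avg_order: float


def risk_score(tx: Checkout, profile: UserProfile) -> Tuple[int, List[str]]:
    """Additive contextual score plus the reasons that contributed to it."""
    score, reasons = 0, []
    if tx.device_id not in profile.known_devices:
        score += 40
        reasons.append("unknown device")
    if tx.ip_country != tx.billing_country:
        score += 30
        reasons.append("IP country differs from billing country")
    if tx.amount > 3 * profile.avg_order:
        score += 20
        reasons.append("amount above 3x this customer's average")
    if tx.orders_last_hour >= 3:
        score += 25
        reasons.append("order velocity")
    return score, reasons


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, written inline so the example runs offline."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at_time // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` steps; compare in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at_time + d * 30), submitted)
        for d in range(-window, window + 1)
    )


def authorize(tx: Checkout, profile: UserProfile, totp_secret: str,
              otp: Optional[str] = None, at_time: int = 0) -> Tuple[str, List[str]]:
    """Allow, require step-up, or deny, based on the contextual score."""
    score, reasons = risk_score(tx, profile)
    if score >= DENY_THRESHOLD:
        return "deny", reasons
    if score >= STEP_UP_THRESHOLD:
        if otp is None:
            return "step_up_required", reasons
        if verify_totp(totp_secret, otp, at_time):
            return "allow", reasons + ["second factor verified"]
        return "deny", reasons + ["second factor failed"]
    return "allow", reasons


# Constructed sample data. The TOTP secret is the RFC 6238 test-vector key.
SAMPLE_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SAMPLE_PROFILE = UserProfile(known_devices={"dev-a1"}, avg_order=60.0)
USUAL_ORDER = Checkout("u1", 45.0, "dev-a1", "US", "US", 1)
NEW_DEVICE_ABROAD = Checkout("u1", 45.0, "dev-zz", "RO", "US", 1)
EVERYTHING_WRONG = Checkout("u1", 300.0, "dev-zz", "RO", "US", 4)

if __name__ == "__main__":
    for tx in (USUAL_ORDER, NEW_DEVICE_ABROAD, EVERYTHING_WRONG):
        print(authorize(tx, SAMPLE_PROFILE, SAMPLE_SECRET))
    # Retry with the one-time code the customer would read from an authenticator app:
    print(authorize(NEW_DEVICE_ABROAD, SAMPLE_PROFILE, SAMPLE_SECRET,
                    otp=totp(SAMPLE_SECRET, 59), at_time=59))
```

The usual order from a known device passes without friction; the same amount from an unknown device in a different country is held for a second factor; an order that trips every signal is refused outright rather than given a chance to guess a code. Keeping the reasons alongside the decision is what lets the fraud team audit the engine later.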


Retailers routinely gather sensitive data during ordinary business activities, such as date of birth, address, phone number, and email address, which various internal users and external partners then use to accelerate business operations and revenue. The value of non-credit card, sensitive consumer data on the black market has increased, while there are relatively few regulations or standards specific to this data in the consumer-facing/retail industry in the United States. Some regulations and standards have emerged or are emerging in Europe and other parts of the world around privacy and protecting personally identifiable information (PII), and those precedents can inform our work in this space.

PII is valued at up to 20 times more than credit card data, with a single credit card number sold at $1 and the average individual’s PII sold at $20.


ATM SKIMMER

• Custom-made card skimmer that matches this ATM's card slot exactly

• Close-ups of the electronics on the back of the device show that, in addition to the magnetic stripe reader, it has a battery (the large silver object on the right), some sort of switch (the small silver object in the middle with the small black tab sticking out of it) and the control board with the 4-pin connector (the large green board on the left).

Benjamin Tedesco, GCIH, PMP


Additional Skimming Videos

• How to spot ATM skimming fraud

• Credit Card Skimmers at Service Stations


Commercial Facilities Sector: The Department of Homeland Security is designated as the Sector-Specific Agency for the Commercial Facilities Sector.


SUB-SECTOR DYNAMICS


Entertainment and Media Subsector

Key Asset Considerations

• Relatively Limited Access

• High-Profile Celebrities and Media Outlets

• Geographical Concentration

• Self-Contained Services

• Hacking and Piracy


Gaming Subsector

Key Asset Considerations

• Small Cities

• 24/7 Operations

• Sophisticated Surveillance

American Gaming Association, 2013 State of the States (AGA 2013), http://www.americangaming.org/sites/default/files/aga_sos2013_rev042014.pdf


Lodging Subsector

Key Asset Considerations

• Continuous Occupancy

• Emergency Shelters

• Self-Contained

• Just-In-Time Buyers

• High-Profile Guests and Events

American Hotel & Lodging Association, “2014 Lodging Industry Profile,” accessed October 8, 2015, https://www.ahla.com/content.aspx?id=36332.


Outdoor Events Subsector

Key Asset Considerations

• Diversity

• Perimeter

• Seasonality

• Small Cities

• Ownership


Public Assembly Subsector

Key Asset Considerations

• Diversity

• Emergency Shelters

• Command Center

• Ownership

Developed using data from: U.S. Census Bureau, “Statistics of U.S. Businesses,” NAICS codes 71, 7132, 71311, 72112, 512131, 512132, accessed October 8, 2015, http://www.census.gov/econ/susb/


Real Estate Subsector

Key Asset Considerations

• Continuous Occupancy

• Division of Responsibility between Owners and Tenants

• Tenant/Resident Identification

• Subcontracting

• Faith-based Facilities


Retail Subsector

Key Asset Considerations

• Multiple Access Points

• Frequency and Volume of People

• Highly Competitive

• Dependence on Global Supply Chains

• Retail Stores as Distribution Centers during Disasters

• Reliance on Point-of-Sale Cyber Systems


Sports Leagues Subsector

Key Asset Considerations

• Ownership/Owner–Lessee Agreements

• Emergency Shelters

• Command Centers

• Security

• SAFETY Act


Support Anti-terrorism by Fostering Effective Technologies Act (SAFETY Act)

Established in 2002, the SAFETY Act created liability limitations for claims resulting from an act of terrorism where Qualified Anti-Terrorism Technologies have been deployed, encouraging anti-terrorism programs and technology in stadium applications.

Since 2008, the National Football League’s Best Practices for Stadium Security, Major League Baseball’s All Star Game, and several sporting venues have received SAFETY Act protections.

Facilities in other subsectors have also received SAFETY Act protections, and the CF Sector is working to raise awareness among the whole sector.


Protective Security Advisors (PSAs)

The PSA Program maintains a robust operational field capability, with Regional Directors (RDs) and PSAs serving in 73 districts across the 50 States and Puerto Rico. The RDs and PSAs serve as the link to Department of Homeland Security (DHS) infrastructure protection resources.

The PSAs have five mission areas:

• Plan, coordinate, and conduct security surveys and assessments – PSAs conduct voluntary, non-regulatory security surveys and assessments on critical infrastructure assets and facilities within their respective regions.

• Plan and conduct outreach activities – PSAs conduct outreach activities with critical infrastructure owners and operators, community groups, and faith-based organizations in support of the priorities of the DHS Office of Infrastructure Protection (IP).

• Support National Special Security Events (NSSEs) and Special Event Activity Rating (SEAR) events – PSAs support Federal, State, and local officials responsible for planning, leading, and coordinating NSSE and SEAR events.

• Respond to incidents – PSAs plan for and, when directed, deploy to Unified Area Command Groups, Joint Operations Centers, Federal Emergency Management Agency Regional Response Coordination Centers, and/or State and local Emergency Operations Centers in response to natural or man-made incidents.

• Coordinate and support improvised explosive device (IED) awareness and risk mitigation training – PSAs work in conjunction with IP's Office for Bombing Prevention, coordinating training and materials for State, local, tribal, and territorial (SLTT) partners to assist them in deterring, detecting, preventing, protecting against, and responding to IED threats.


COMMERCIAL FACILITIES SECTOR VISION

SECTOR VISION, GOALS, AND PRIORITIES

Commercial Facilities Sector Activities Are Mapped to: GOALS and PRIORITIES


Critical Infrastructure Risk Management Framework (NIPP)


Critical Infrastructure Risk Management Framework (Sector Guide)


Critical Infrastructure Security and Resilience

COMMERCIAL SERVICES REVIEW

Since 2010, CF Sector partners in the public and private sectors have taken significant steps to reduce sector risk, improve coordination, and strengthen security and resilience capabilities.

Developed no-cost, online training available through FEMA’s Independent Study Program for active shooter preparedness, insider threat, surveillance awareness, and more.

The Commercial Facilities (CF) Sector is made up of an extremely diverse range of sites and assets where large numbers of people congregate daily to conduct business, purchase retail products, and enjoy recreational events and accommodations.
