Over the next few days, Ibasec, the previous system for payment transactions in Switzerland, will be deactivated. As of July 2017, the successor version SIC4 with SASS will go into operation. It is secured with the Primus HSM S500 from Securosys and will process transactions of up to 480 billion francs per day. What were the requirements for the system, which factors contributed to its success, and where does Securosys stand now? A success story.
In a nutshell
The Swiss Interbank Clearing (SIC) system is operated on behalf of the Swiss National Bank (SNB) by SIX Group AG, and it had to be updated to the new version, SIC4 with SASS. SIC has been in operation since 1987, has been renewed three times, has always functioned securely, and is considered efficient. The new overhaul, however, was meant to make the system ready for the future: new standards were to be supported and operating costs reduced, while the security of transactions continued to be upheld at the highest level. Among other things, this requires an encryption system that is absolutely secure against manipulation.
SIC in numbers:
- 440 million transactions in 2015
- 350 interfaced subscribers
- over 480 billion CHF settled payments on peak days
In November 2015, we at Securosys received the definitive order to contribute a tailored hardware security module (HSM) for SIC4 with SASS. The client placed great value on a Swiss solution for this critical infrastructure in Switzerland in order to exclude security breaches in the supply chain. The client also specified that, for security reasons, the functionality of the device had to be reduced to what was strictly necessary. For this purpose, we developed the Primus HSM S500.
On April 14th 2016, SIC4 with SASS started productive operation as planned, and with it our Primus S500. The payment transaction system has since functioned reliably and as required. At the end of June 2017, the previous system Ibasec will be deactivated.
Initial situation: update for a critical infrastructure
SIX operates the payment system Swiss Interbank Clearing on behalf of and under the oversight of the Swiss National Bank. Financial institutions thus carry out transactions with each other in Swiss Francs and in Euros – within seconds. Card payment also takes place via SIC. The SIC system takes a leading role in the Swiss financial system and it can handle much more than just payments: with SIC, the SNB establishes its monetary policy and supplies the Swiss financial market with liquid assets. Thus, it becomes clear that SIC is a critical infrastructure for Switzerland.
At the end of 2010, SIX, in collaboration with the SNB, presented a rough concept for an updated SIC. The updated system was to be fit for the next decade and a half, support new standards, and be less costly to operate than the current system. Among other things, plans were made to replace the previous security solution IBASEC with a hardware security module (HSM) of Swiss origin.
Requirements: Swiss product, true random numbers
In November 2015 SIX granted us at Securosys the contract to develop an HSM for SIC that fulfills the following requirements:
- Swiss product: Design, assembly, and programming in Switzerland with a tightly controlled supply chain
- Generation of a true random key
- Destruction of the key in the case of manipulation or access attempts
- Several manipulation sensors
- Control of various encryption algorithms
- Authentication, signature, and encryption tasks
- Reliability as well as ensuring group redundancy and symmetrical application
- Interface for Java cryptography architecture (JCA / JCE)
Implementation of the fastest and most secure HSM
The result was an HSM that meets the strictest specifications for military infrastructure: the Primus S500. At this time, it is the fastest and most secure device on the market. Sensitive components such as the random number generator were developed and implemented in-house by our Securosys engineers, the supplied components were chosen on the basis of security considerations, and the devices were prepared by us under strong security measures.
SIC4:
- generates lower transaction costs than the previous version
- supports ISO 20022 and thus harmonizes with Swiss payment transactions
- has a new functionality in cash management
- is capable of handling multiple currencies
Our time frame saw the following milestones:
- June – December 2014: Preliminary project. Development of the technical specifications
- December 2014 – 03/31/2016: Main project. Goal: Timely acceptance of the HSM (hardware and software)
- April 2015: Delivery of the first prototype version to SIX
- November 2015: Definitive contract awarding by SIX
- 11/15/2015: Delivery of the first series to SIX
- April 2015 to March 2016: Test phase
- 3/31/2016: Acceptance of the HSM by SIX
- 4/14/2016: Timely “Go Live” of SIC4 with SASS
- 30 June 2017: All participants are moved to SIC4 with SASS. Ibasec will be deactivated.
Results: HSM runs reliably
After an extensive test phase, SIC4 was placed in operation according to schedule, and with it the Primus HSM S500. Since then it has run perfectly and reliably. The individual banks have been connected step by step since November 2016.
Factors for success: expertise and experience
The following factors contributed to the timely success of the project:
- Very good, open communication with SIC and the SNB
- Expertise and experience of the Securosys development team
- Clear structuring of the project
- Focus on maintaining the schedule, with constant oversight and defusing of project risks (risk-driven development)
SIC4 with SASS – an innovation project with precision in budget and time – is the first payment system of its type in Europe that through a unique combination of the newest software technology, groundbreaking hardware security and a globally active standard in the financial industry, facilitates progressive digitalization and makes payment handling less costly and more secure for all participants in the Swiss market.
(SIX Testimonial regarding the Swiss ICT Award)
New products: network encryptor and HSM as a Service
The Primus S500 was developed exclusively for use within SIC4. We at Securosys subsequently designed further HSM models for the market:
- Primus X Series (Launch in October 2016): The highly available high-performance HSM
- Primus E Series (Launch in May 2017): The cost-saving replacement for PCI cards
- Decanus, a remote control terminal for the Primus series (Launch expected in October 2017)
- Centurion, a link and network encryptor for protecting communication between locations (launch August 22, 2017)
- HSM-as-a-service (launch September 19, 2017; especially suitable for SMEs that want to leave HSM administration to experts)