The German IT Security Act Is Now a Reality

The
Customer Magazine
The German IT Security
Act Is Now a Reality
So how should
CRITIS operators
prepare?
Issue 1/2015
An Interview with
Dr Walter Schlebusch,
CEO of Giesecke &
Devrient
“The protection of
critical infrastructures
has only just begun”
Flexible and Mobile
SINA Workstations
at the German Federal
Ministry of Finance
Neither Bulky
nor Boring
Designing optimised
security concepts based
on IT Baseline Protection
Content
4
An Interview with Dr Walter Schlebusch,
CEO of Giesecke & Devrient
“The protection of critical infrastructures has only just begun”
24
National
04 An Interview with
Dr Walter Schlebusch
06 A Strong Partnership:
AREVA and secunet
08 Flexible and Mobile –
Security by Design
For OEMs and suppliers, IT security in connected
vehicles is a major challenge. What solutions are
there? And, most importantly, when does what
solution make sense?
SINA Workstations
10 The IT Security Act –
a Pipe Dream No More
13 Separated, Together, Then
Separated Again
Technologies & Solutions
20 SINA Receives the Highest International
Approvals
22 SINA Makes Life Easier
Science
24 Security by Design:
14 An Interview with
26 Where App Dangers Lurk
Protecting Connected Vehicles
Dr Gabi Dreo Rodosek
International
News in Brief
19 Dr Rainer Baumgart Appointed to the
16 EasyPASS Among the Top 3
ENISA Advisory Board Again
16 And Twelve Points Go to...
23 Points for German IT Security
17 German Expertise for a
National PKD Solution
18 Neither Bulky nor Boring:
2 secuview 1/2015
IT Baseline Protection
Dates
27 Upcoming Events
Editorial
I
T security affects us all. Whether private users
November, we’ll reveal different ways to effectively
on their smartphones, manufacturers facing the
overcome these challenges and devise solutions
increased networking of control and production
together.
networks, or entire countries – in all areas, the
internet doesn‘t just offer great opportunities and
We’ve specialised in the effective protection and
convenience; it also harbours threats.
defence of IT systems for years now. In his interview, Walter Schlebusch says: “For us, security
Effective protection and defence can only be
requires more than just a colourful band of Swiss
achieved thanks to careful observation, research
Guards to extract a problem. Ideally, you should
and detailed analysis, both of the attacker and
work with the customer to devise an IT security
existing and future innovations in technology. The
strategy that will then be implemented consistently.”
CODE research centre in Munich is working on
This not only describes the approach of our parent
precisely that, as Dr Gabi Dreo Rodosek explains in
company G&D, but also precisely defines our own
her interview. CODE has made the tailored protec-
position. As you know, our five divisions therefore
tion of critical infrastructures a research field in its
aim to work in close concert with our customers.
own right, and even politicians are now turning their
We outline a few of our latest projects for you in this
attention to these companies. The new IT Security
issue.
Act is intended to “significantly improve the security of IT systems (IT security) in Germany”. Under
Happy reading!
the law, critical infrastructures will not only have to
adapt their IT infrastructure, but also their organisational processes. Uncertainty reigns here at the
moment. At our Information Security Symposium in
Dr Rainer Baumgart
secuview 1/2015 3
National
“The Protection of Critical
Infrastructures Has Only
Just Begun”
An interview with Dr Walter Schlebusch,
CEO of Giesecke & Devrient
With Giesecke & Devrient (G&D) and secunet, two
German providers are positioning themselves in a
highly specialised market...
Dr Schlebusch: And that is our strength! G&D earns
the vast majority of its profits abroad and has access
to numerous national administrations, financial institutes, telecommunications providers and techno-
In interview:
Dr Walter Schlebusch has
been the CEO of G&D since
2013. He had previously been
a member of the Board since
1 January 2000 and was
responsible for the company‘s
Banknote division.
logy firms worldwide. secunet has a strong national
footprint, with years of experience in the government
sector and an excellent range of SINA products and
border control solutions.
What do you think are G&D’s strengths in IT security?
Dr Schlebusch: My first thought is, of course, our
years of international experience in the security
technology sector and our wide range of secure
products. These have made us a credible, reliable
and legitimate trust anchor for many customers. So,
just like you wouldn’t give your house key to just
Dr Schlebusch, after the recent hacker attack on the
anyone, our customers are – quite rightly – entitled to
German parliament, do we still need to promote IT
have their data handled professionally and securely.
security?
Dr Schlebusch: No matter where the attack origina-
What does that mean in practice?
ted, incidents like this illustrate just how vulnerable
Dr Schlebusch: In order to work in highly secure
our systems are. Discussions surrounding the pro-
environments, you need to completely understand
tection of critical infrastructures haven’t ended with
your customers’ processes. Unlike security compa-
the passing of the IT Security Act; they’ve only just
nies that cast a wide net, we’ve chosen to specialise
begun.
in IT security. For us, security requires more than just
4 secuview 1/2015
National
a colourful band of Swiss Guards to extract a problem. In the same way, subsequent, ad hoc access to
a customer system is simply not enough. Ideally, you
should work with the customer to devise an IT security strategy that will then be implemented consistently.
To help with this, we offer hardware and software
solutions and support customers with highly skilled
“For us, security requires
more than just a colourful
band of Swiss Guards to
extract a problem.”
consultancy.
On the one hand, users know the colourful world of
attack scenarios on IT and production systems.
apps. On the other, there’s the serious topic of secu-
Until now, the typical medium-sized business has
rity. How do they go together?
been able to do little to combat these. We can help
Dr Schlebusch: In an abstract sense, security is
them to implement appropriate and scalable security
difficult to communicate. It’s much easier to grasp
solutions.
using concrete examples; the on-board communications of German premium vehicles and industrial
On the national level, we’re obviously excited about
plants are both already secured by G&D, for instance.
the implementation of the IT Security Act. This is a
Mobile wallets around the world are based on security
big opportunity for industries to independently agree
made by G&D, and banking apps run securely thanks
on the security measures that legislators will require
to our technology. The scope of application for IT
them to implement.
security is therefore greater than you might think just
looking at your smartphone!
Finally, the broad field of identity assurance and
identity management offers huge potential, since the
What future trends do you predict?
Internet of Things is based on the secure assignment
Dr Schlebusch: These days, everyone is talking
of identities to objects and processes. Our years of
about Industry 4.0, or the complete networking of
experience in secure connectivity and secure soft-
industrial automation. We believe security is pivotal
ware development based on specialist hardware will
to this. Take the growing number of asymmetric
allow us to contribute a lot here.
secuview 1/2015 5
A Strong Partnership:
AREVA and secunet
The new IT Security Act is intended to provide greater
security for critical infrastructures. However, operators will
remain responsible for implementing any new measures
T
he attack on the French television broad-
and for a while it even lost control of its website and
caster TV5Monde at the beginning of April
most social media accounts. It took days for things
is just one example of a crime that threatens
to get back to normal.
to impact more of our lives nowadays. The cyber
attack caused tremendous damage; the station’s
The consequences would have been far more
broadcasting operations were disrupted for hours,
serious if a successful attack had been launched
6 secuview 1/2015
National
against essential providers like energy or water
from best practices with the highest classes of
suppliers. As shown on page 10, the IT Security Act
protection worldwide:
is now intended to provide more comprehensive
- Developing ISMS, from risk assessment to
security for critical infrastructures (CRITIS). However,
auditing, e.g. in accordance with ISO/IEC 27000
operators will remain responsible for implementing
- Industrial security with security zones and security
any new measures.
grading, e.g. in accordance with IEC 62443
- Security modelling and simulation
Security for digital control systems
AREVA isn’t just a supplier for nuclear power
stations and wind farms; it also draws on years of
experience in critical infrastructures to provide a
wide range of security products and services for
digital control systems. In close cooperation with
partners like secunet, AREVA considers security
long before plant operation, starting from the early
product development phase. That way, it can offer
fully formed solutions, whether laying the founda-
- Process control systems and network control
technology
- SIEM (security information and event
management)
- Automation security, e.g. PCS7, WINCC,
SIPROTEC
- Intrusion detection and intrusion prevention,
whitelisting and security tests, etc.
- Ongoing threat detection, assessment, analysis
and defence
tions for an ISMS (information security management
system), putting together a complete concept, or
implementing special hardware and software
More information:
solutions.
Holger Hoppe
[email protected]
All of its industrial security services are combined in
an integrated approach, meaning that nuclear and
Christoph Schambach
non-nuclear customers can benefit in equal measure
[email protected]
Reliable integrity monitoring
With the OPANASecTM solution, AREVA has developed a range of easy-to-use software modules
for diverse control systems that can be used to monitor system integrity. The solution means
programs can only be modified by turning a key switch, while attacks that manipulate user software and configuration data are reliably detected and instantly reported. The solution has been
certified by TÜV SÜD and patents are pending.
secuview 1/2015 7
National
Flexible and Mobile
SINA Workstations at the German Federal Ministry of Finance
I
t’s generally not so easy to reconcile our personal
Mobility isn’t the only consideration here; IT security
and professional lives. Despite this, the German
is also a major factor. Staff need more than the abi-
Ministry of Finance (BMF) is introducing flexible
lity to process data and use specialist applications
working hours for secure work when teleworking
outside of the office – they need to be able to do so
or on the go, thus proving itself to be an incredibly
securely. A lot of the data processed by the BMF
Employees
modern, family-friendly government department.
is of significant political and economic interest, and
of the BMF
BMF applications can now even be accessed on
therefore has to be kept confidential at all times.
undergo
business trips.
intensive
SINA Workstation offers precisely this level of
training in
The duties and responsibilities of the BMF are
security to the three key groups of mobile BMF
Bonn and
complex and varied – not just at the national
users:
Berlin on
level, but at the European and international levels,
how to use
too. This requires specialist knowledge, flexibility
Business travellers
the SINA
and commitment from its employees – even when
The BMF represents Germany in various financial
Workstation.
they’re not in the office. For employees to meet
committees and organisations – especially at the
these requirements even while away on business,
European and international levels. While away on
and to ensure top performance without compro-
business, BMF employees have to be able to work
mising personal projects, the BMF has invested in
securely with every mobile connection, no matter
around 1,000 SINA Workstations as a secure
where it is – whether an open Wi-Fi connection at a
platform for mobile work.
conference, UMTS at the airport or a hotspot at their
8 secuview 1/2015
National
hotel. It’s especially important that data and specia-
are always available and larger data volumes can be
list applications be accessed using SINA Worksta-
processed without difficulty.
tion, which allows users to work in a secure, virtual
environment.
No matter the user, the SINA Workstation delivers
maximum flexibility and mobility – earning it the
Mobile employees
“audit berufundfamilie” certificate and making it the
Those who have to interrupt their work throug-
perfect answer to high-level job requirements at the
hout the day – or who need one or more days to
national and international levels.
care for children or a sick relative – can now work
from home or elsewhere. In the office, mobile
All data and applications can be accessed secu-
employees connect to the ministry’s LAN via their
rely and without restriction, no matter the location
SINA Workstation. Elsewhere, they use whatever
and type of (unsecure) internet connection used.
mobile connections are available – and very often
This and the German Federal Office for Information
their own home’s Wi-Fi.
Security‘s approval (in this case for classification
level RESTRICTED) was the main reason that the
Teleworkers
BMF chose the SINA Workstation.
Teleworkers have two main places of work: their
home and the office. Using the SINA Workstation,
these employees can benefit from a secure, high-
More information:
performance LAN connection to the BMF both at
Thomas Peine
home and at work, meaning data and applications
[email protected]
The project at a glance
-1,000 SINA Workstations were installed by a single secunet employee in just two weeks.
The install server was used to conveniently implement tailored adjustments.
-Efficient logistics for the delivery, installation and roll-out of 1,000 devices.
-Comprehensive project management – the project manager was on hand to support the customer
from first contact to operation.
-Project management methods: stakeholder management, risk management, earned-value analysis
and scheduling.
-The project team consisted of fifteen people from secunet, ten from ZIVIT and five from the BMF;
the core team consisted of seven employees.
-Measures to help train users: newsletters, instructional videos, information stands outside the
canteen, three one-hour training sessions and quick-start guides.
secuview 1/2015 9
The German IT Security Act –
a Pipe Dream No More
It’s really happened: the German government’s act on
“heightening the security of IT systems” has been approved
by the Bundestag and Bundesrat
S
leeping Beauty had no chance. She didn’t
According to the explanatory note, the act on
see the prince coming. Otherwise she
heightening IT system security (the IT Security Act)
might have put on some lipstick and fixed
– which was introduced by the German Federal
her hair... but let’s get back to reality for a moment.
Cabinet on 17 December 2014 and approved by
10 secuview 1/2015
National
the Bundestag and Bundesrat on 12 June and 10
any plant or facility that‘s vital to the functioning of
July 2015, respectively – is intended to “significantly
the community. The IT Security Act doesn’t include
improve the security of IT systems in Germany”.
any further criteria. Instead, as already mentioned,
it provides for more detailed conditions by decree.
It‘s debatable whether or not this omnibus law,
According to the bill’s explanatory note, an estima-
which includes amendments to a variety of German
ted 2,000 operators of critical infrastructures will
legislation, is sufficient to wake Sleeping Beauty
soon be subject to registration.
from her slumber, in which businesses and public
bodies are regularly chided in reports on information
security incidents.
How should (potential) CRITIS operators
prepare?
The present uncertainty regarding who will soon be
After the German Federal President formally signs
subject to the act as a CRITIS operator should not
the law, a decree must be issued that clearly
tempt those in question to be awoken only with a
defines who is an operator of critical infrastructures.
kiss.
The prince is on his way... but unlike Sleeping
Beauty, we can see him coming. And we can there-
Instead, we recommend that (potential) CRITIS
fore prepare for his arrival.
operators prepare as follows:
- Determine which parts of the organisation
Who will be primarily affected by the
IT Security Act?
(processes, organisational units, products and
The operators of critical infrastructures across all
- Investigate their current security levels;
industries will need to:
- Develop a strategy for information security
- comply with a minimum level of IT security,
management to consistently maintain a minimum
- provide proof of compliance through security
level of IT security going forward;
audits,
- Select competent, qualified employees to act as
- introduce and uphold procedures for reporting
contact persons and develop a system for
significant IT security incidents to the Federal
reporting significant IT security incidents;
Office for Information Security (BSI), and
- Select a suitable service provider for independent
- operate a contact point.
security audits;
services) constitute critical infrastructures;
- Initiate pre-emptive certification according to
The act also sets out different, industry-specific
ISO/IEC 27001 in compliance with the relevant
security standards.
security requirements.
Who is a CRITIS operator?
It’s an essential prerequisite to structure and secure
According to the act, critical infrastructures (CRITIS)
organisations and processes, but that alone is not
include all plants and facilities that belong to the
enough to consistently meet the proposed heigh-
energy, IT and telecommunications, transport,
tened level of IT security for critical infrastructures.
health, water, food, finance and insurance sectors,
Appropriate measures should also be taken on the
as well as to the media and cultural centres, plus
technical level.
>>>
secuview 1/2015 11
National
Securing energy and water supplies
authorities to process confidential documents. The
Take the example of energy and water suppliers, for
BSI evaluates devices and systems for these very
whom IT plays a central role not just in the office,
application scenarios – and then approves them for
but in the control of plants using process control
processing data over the internet. The SINA Work-
engineering, too. Here, the effective technical sepa-
station and SINA Tablet were approved accordingly
ration of internal IT networks from public networks
and fulfil all of the requirements for CRITIS opera-
guarantees the integrity of process control data and
tors:
the availability of the operating IT systems for plant
- Strict separation of the production network from
control. Systems and networks are only connected
if they need to be; the control room should be strictly
the internet
- Trusted end devices under constant control of the
separated from internet services, for instance (see
control room
page 13).
•
Use of remote control functions – even by mobile
However, at the same time, it must be possible to
•
Remote maintenance by internal or external
workers
access public networks in remote control scenarios.
specialists
Operators can meet these challenges by establishing
security zones and relationships that can be cont-
From the control room, a central online manage-
rolled using a central management system. Among
ment system can be used to incorporate individual
other things, this will let them allow or block a secure
SINA devices into the production network as requi-
connection with systems in the field at any time from
red, without risking the network connecting through
the control room.
the devices to other networks or the internet.
Sealing off production networks from
the internet
Together with BSI-evaluated encoders on layer 2
When introducing security zones, all connected end
inter-network architecture SINA offers an approved
devices should naturally be taken into account, e.g.
all-in-one solution for production networks – leaving
those of internal or external maintenance technicians
you to sit back and calmly await your prince.
and layer 3 for remote control technology, the secure
when servicing the system or on stand-by. The problem is, even with a VPN connection as secure as this,
all of the vulnerabilities on the end device are linked
More information:
to the production network. Furthermore, if the end
Alexander Schlensog
device connects or has connected to the internet,
[email protected]
the separation of the production network from the
internet (the so-called air gap) is worthless.
Such requirements for (mobile) end devices are
nothing new; they’ve long been used by the
12 secuview 1/2015
National
Separated, Together,
Then Separated Again
How IT security can be effectively established
in the age of digitalisation and open networks
I
n the past, we would run a
access points are being estab-
strictly separated, autonomous
lished and integrated with smart
network to guarantee the con-
functions.
tinued availability of production
networks. This allowed us to use
At first glance, the requirements
network control systems or su-
for digitalisation and IT security
per computer systems to reliably
differ greatly; from a purely tech-
protect (waste)water, transport,
nical standpoint, purely reactive
energy and other autonomous
measures like virus scanners and
networks from dangerous inter-
web filters are no longer enough
faces with the outside world.
to
guarantee
adequate
and
reliable security. Many security
However, digitalisation has given
exports are promoting a so-called
highly secure network separation
rise to increasingly complex re-
“de-networking” for greater secu-
thanks to SINA. This strict se-
quirements for these networks.
rity. However, is this development
paration creates proactive and
For example, the management
really in step with the present
sustainable security.
of energy networks has become
requirements of digitalisation?
more complicated due to the
Is strict separation despite net-
Consequently, the aforementioned
energy revolution and subse-
working the ultimate goal and
challenges only seem contradic-
quent decentralisation of energy
solution?
tory at first glance. When effecti-
producers, micro-generators and
vely designed and implemented,
central plant operators (energy
What might seem irreconcilable
and when combined with organi-
supply companies) in the context
at first glance is certainly a techni-
sational measures, modern-day
of the smart grid. The manage-
cal challenge, but it is possible
security technologies can achieve
ment of numerous decentralised
– and even common practice in
this “de-networking” within a
and centralised plants and facili-
certain other fields. For example,
network, thereby guaranteeing
ties takes place over IP networks,
secure networks can be created
adequate security.
which leads to the merging of IT
within networks using isolation
and process networks. Informat-
techniques (the principle behind
More information:
ion is therefore exchanged across
secunet safe surfer) derived from
Torsten Redlich
networks, while new devices and
terminal server technology or
[email protected]
secuview 1/2015 13
Science
An Interview with
Dr Gabi Dreo Rodosek
The tailored protection of networks in
Industry 4.0 and critical infrastructures
is a research field in its own right
defence against advanced persistent threats (APT)
and smart attacks, as well as visualising the state of
security and identifying attackers (geolocation).
In interview:
Dr Gabi Dreo Rodosek is
Professor of Communication
Systems and Network
Security at the University of
the Armed Forces’ Institute
for Computer Engineering
in Munich and is also the
spokesperson for the cyber
defence research centre
CODE (Cyber Operations
Defence).
However, technology alone can’t guarantee security.
That’s why we also systematically research legal
frameworks, management processes, and their
effects, not forgetting users and their own security
awareness.
Alongside research, networking is one of the research centre’s key activities. In our globalised world,
cyber criminals can easily operate across borders
thanks to increased diversification and networking.
This threat can only be combatted with a network
of experts, which requires a high degree of mutual
trust. Cyber security experts from different universities, research institutes, agencies and companies all
cooperate, share information and exchange data in
Dr Dreo Rodosek, you’re the spokesperson for the
the trusted environment provided by CODE.
CODE research centre. What are the centre’s goals?
Dr Dreo Rodosek: Our aim is to conduct compre-
Cyber attacks don’t recognise national borders.
hensive research into all aspects of cyber security.
Does CODE also cooperate with international
organisations?
Our main focus is the exploration of new security
Dr Dreo Rodosek: The challenge is actually one of
technologies and approaches. At the moment,
a global nature. The research centre has therefo-
some of our research includes the detection of and
re secured a partnership with NATO’s Cooperative
14 secuview 1/2015
Science
Cyber Defence Center Of Excellence (CCDCOE). In
In light of the increased networking of economically
this context, we’ve signed a mutual agreement to
and socially important systems like industrial pro-
support each other in research. We also work clo-
duction chains (Industry 4.0) and components of
sely with ENISA, largely through Dr Helmbrecht, an
critical infrastructures, these have especially high
honorary professor at our IT Faculty*. Meanwhile, on
protection requirements. Tailored protection at a rea-
the national level, we have a number of cooperation
sonable cost – and which results in an acceptable
agreements with security agencies and commercial
businesses that work in the global cyber security
industry. I’m afraid I can’t go into any more detail
about our current projects.
How does research and teaching at the University
of the Armed Forces differ from other IT security
departments in Germany?
Dr Dreo Rodosek: Compared to cyber security
research at other universities and research centres,
we concentrate heavily on cooperation with the armed forces and related agencies and services, as
well as with companies with special security requirements. In some cases, our research is “for German
eyes only”, and doesn’t involve visiting scholars,
PhD students or undergrads from other countries.
The fact that our cooperation is so trusted and
“In our globalised world,
cyber criminals can easily
operate across borders
thanks to increased
diversification and networking. This threat can
only be combatted with a
network of experts, which
requires a high degree of
mutual trust.”
successful is evident in the partnerships we’ve been
able to establish so far.
residual risk – actually constitutes its own research
field, in which legal frameworks, management mo-
The intensity of cyber attacks is increasing exponen-
dels, technical components and user awareness
tially. What do you expect to be the biggest threat
have to be coherently and consistently linked. These
over the next few years and what measures is CODE
systems are under threat from APTs and smart
developing as a result?
attacks, for which we need to develop unique taxo-
Dr Dreo Rodosek: From a technological point of
nomies and metrics for detection and defence.
view, I’d say the growth of vulnerable mobile devices
and their heterogeneity, plus new technologies like
software-defined networking and interclouds (clouds
of clouds). With this in mind, at CODE we’re rese-
* Editor’s note: at the University of the Armed Forces in
Munich
arching anomaly-based detection methods at the
communication level, as well as associated filters
and analytics tools. In addition, traffic volumes and
bandwidth are increasing. Data analysis in these
networks presents a big data problem. In response,
we’re investigating how to use new approaches (e.g.
security analytics) to combat attacks early on in the
provider network, which will help ease the burden on
customers and users.
secuview 1/2015 15
International
EasyPASS Among the Top 3
S
imply and conveniently
in Germany to 140*, enabling
which new technologies are being
across the border: Fol-
even more travellers to cross the
used to establish a more modern
lowing the lead of the
Schengen Area’s external borders
and efficient border management
Munich,
without assistance. A similarly
system. Automated border control
Düsseldorf, Hamburg and Berlin-
high number of automated border
has a major role to play here.
Tegel airports, the Cologne-Bonn
control systems internationally
airport completed installing the
only exists in the Netherlands and
EasyPASS
the United Kingdom.
Frankfurt
control
am
Main,
automated
system,
border
implemented
* In the German installation, the
secunet easygate is supplemented
with components from the Bundesdruckerei (BDR).
by a consortium of secunet and
This development ties in perfectly
Bundesdruckerei, by the middle
with the European Commission’s
More information:
of 2015. This will bring the total
Smart Borders programme for
Frank Steffens
number of secunet easygates
higher mobility and security, under
[email protected]
And Twelve Points Go to...
T
he secunet Golden Reader
all ICAO-compliant eMRTDs like
Tool Platinum Edition (GRT)
electronic passports. The soft-
has been awarded maxi-
ware is constantly being improved
mum points from as many as 27
and adapted to meet customers’
countries! Nations including Azer-
requirements. Today, the GRT
baijan, Estonia, India and Canada
already supports all internatio-
voted for the German software,
nal security protocols, including
which is designed to read different
BAC, EAC 1.0 and 2.0 and SAC.
electronic identity documents –
Alongside domestic and foreign
thus definitively proving the global
passports, the tool can also read
popularity of secunet’s GRT.
and
verify
German
residence
permits and the new German
The secunet Golden Reader Tool
identity card, as well as foreign
Platinum Edition is the latest
electronic driving licences and
version of the extensively tested
registration certificates.
Golden Reader Tool developed
jointly by secunet and the German
16 secuview 1/2015
Federal Office for Information Se-
More information:
curity (BSI). As a result, secunet
Norbert Richartz
has successfully developed a
[email protected]
software application for reading
www.secunet.com/grtplatinum
German Expertise for a
National PKD Solution
Tamper-proof and efficient ePassport verification:
EGSP delivers a solution with HJP, Bundesdruckerei,
secunet and G&D
A
bu Dhabi-based Emirates
forms the basis of secunet’s eID
now introduced the National PKD
German Security Printing
PKI Suite.
system to examine the data ob-
LLC (EGSP) has delivered
tained from the ICAO PKD and
other sources, and to forward
the establishment of a National
Proof of authenticity and
tamper-proofing
Public Key Directory (NPKD) solu-
Electronic passports are equip-
certificate revocation lists (CRLs)
tion. The system is used at border
ped with a chip that prevents the
to
control points in the United Arab
undetected manipulation of the
systems
Emirates (UAE) to ensure the tam-
passport holder’s personal data.
systems”) at border control posts
per-proof and efficient verification
Using the Public Key Directory
throughout the country. In Sep-
of domestic and foreign electronic
of the International Civil Aviation
tember 2011, the United Arab
passports. For the implementat-
Organisation (ICAO), border cont-
Emirates became the first country
ion of the security solution “made
rol staff can verify the authenticity
in the Middle East to join the
in Germany”, EGSP – the NPKD
of passport data. To do this, they
ICAO PKD. Now, it is the first
project’s general contractor –
rely on having access to prequali-
country in the Middle East to have
was supported by its partners
fied certificates (Document Signer
implemented
HJP Consulting GmbH, Bundes-
Certificates) and other public key
solution.
druckerei GmbH, secunet Security
infrastructure (PKI) from active
Networks AG and Giesecke &
ICAO member states.
the complete infrastructure for
all
document
verification
(so-called
“inspection
a
National
PKD
More information:
Oliver Jahnke
Devrient GmbH. In particular, G&D
provided the NPKD software that
the appropriate certificates and
The UAE‘s Ministry of Interior has
[email protected]
secuview 1/2015 17
International
Neither Bulky nor Boring:
IT Baseline Protection
secunet’s three-pillar procedure makes it possible to quickly
implement a tailored IT security concept for public authorities
and companies based on IT baseline protection (IT-Grundschutz, a BSI guideline for an IT security methodology). The
methodology takes both specialised processes and standard
IT applications into account
F
or 15 years, secunet has worked according
Using their collective knowledge, secunet’s experts
to the methods of IT baseline protection. It
have developed a tailored procedure to implement
has already completed over 1,000 projects in
baseline protection that overcomes these difficulties
the field of government administration at the federal
while taking advantage of the benefits of the appro-
state level and in companies across diverse indus-
ach. The methodology stands on three pillars, which
tries. Through it all, one thing has become clear:
should be implemented in parallel and will help to
the implementation of information security based
develop a certifiable ISMS in accordance with IT
on IT baseline protection is well-suited to standard
baseline protection.
IT components, but faces the following challenges
nonetheless:
-Pillar One: secure core IT
An institution’s IT consists of core systems. These
- Combination with specialised processes
are viewed in a bottom-up approach. This concerns
- Minimal employee knowledge in IT departments
both visualised infrastructures and physical
regarding the specialised processes they monitor
clients, servers and network components, as well
and their protection requirements
as general applications like web servers or the
- No integrated operation of management systems
active directory.
and information security management systems
- The joint handling of compliance requirements and
-Pillar Two: specialised security
concepts
IT security only in exceptional cases
The institution’s specialised tasks, applications
- Later successes and high complexity through
and business processes that use secure core IT
traditional processes in the baseline protection
systems are viewed in the form of specialist
waterfall model
security concepts (top-down approach).
(ISMS)
18 secuview 1/2015
International
News in Brief
Dr Rainer Baumgart
Appointed to the
ENISA Advisory
Board Again
T
he European Union Agency for
Network and Information Security (ENISA) has announced
the members of its Permanent Stakeholders’ Group (PSG). With a newly
reduced membership of 23, the PSG
is composed of representatives from
industry, business, consumer organisa-
- Pillar Three: ISMS
tions and national regulatory authorities.
An often underestimated part of information
The board advises the Executive Direc-
security is the very core of most standards, and
tor of ENISA on developing ENISA’s ac-
thus of IT baseline protection itself: the ISMS.
tivities, communicating with the relevant
stakeholders, and identifying all issues
Fast results, eliminating the
disadvantages of IT baseline protection
and integrating specialised processes
related to IT security.
The standard 100-2 of the Federal Office for Infor-
member of the PSG from 2010 to 2012,
mation Security doesn’t state that the individual
after which Volker Schneider represented
steps for creating a security concept should be taken
secunet at ENISA. In March, secunet’s
one after the other. secunet’s methodology involves
CEO was once again appointed to the
simultaneously starting multiple steps and pursuing
PSG. His current membership will expire
the three pillars in parallel. This makes it possible
on 1 September 2017.
Dr Rainer Baumgart was previously a
to quickly and efficiently achieve results and
integrate the ISMS into other, existing management
systems.
More information:
René Seydel
[email protected]
secuview 1/2015 19
Technologies & Solutions
SINA Receives the Highest
International Approvals
secunet is the only German manufacturer of IPsec solutions
for the NATO SECRET security classification
A
t the beginning of the year, NATO approved
2014. Previously, the Council of the European Union
the SINA L3 Box H, SINA Workstation H
approved a variety of other encryption devices in
and SINA Terminal H cryptographic compo-
the SINA range for the secure transfer of information
nents for the NATO SECRET security classification.
on public networks in the EU.
This means that all NATO member states, as well as
the entire NATO organisation and its units worldwide,
This makes secunet the only manufacturer that
are permitted to use these SINA products for NATO
offers IP-based cryptographic solutions for all EU
SECRET-classified communications.
security classifications. In addition, secunet is the
only German manufacturer to meet NATO’s requi-
At the European level, the SINA L3 Box S (software
rements for IPsec solutions for the NATO SECRET
versions 2.2 and 3.7), the SINA L2 Box S (software
high security classification.
versions 3.2 and 3.3), and the SINA Workstation S
(version 3.1.2) were approved for the RESTREINT
UE (EU RESTRICTED) classification in June of this
More information:
year. The SINA L3 Box H was approved for the
Merlin Gräwer
SECRET UE (EU SECRET) classification in August
[email protected]
20 secuview 1/2015
AREVA PRoVidEs
solutions.
sAfE And sEcuRE.
For AREVA as leading nuclear supplier, safety and security
are top priorities – also for IT. Customers of various industries
are relying on our know-how today.
www.areva.de
Technologies & Solutions
SINA Makes Life Easier
SINA Workflow now creates a legally compliant, digital audit
trail without media discontinuity
Workflow
... was jointly developed by the BSI and secunet. For the
while being simultaneously connected to the central
first time, the advantages of legally compliant, IT-based
registry via another session. This means that content
work have been applied to digital classified documents.
and classified administrative data (access rights for a
SINA Workflow guarantees the secure, continuous and
document, metadata, CI classifications, etc.) can be
legally compliant implementation of individual business
recorded and collected directly at the workstation. SINA
processes involving classified information (CI) and
Workflow also allows users to cooperate on classified
other sensitive documents.
documents and collaborative administrative processes
like preliminary work and co-signature processes.
Users work with classified documents in an integrated
network in a special SINA Workstation workflow session,
22 secuview 1/2015
Technologies & Solutions
SINA Workflow makes work
processes...
... more convenient
While Mr Smith sets off to the central registry to
receive a hard copy of a SECRET-classified document, Ms Green can accept, read and process a
News in Brief
Points for
German
IT Security
classified document at her SINA Workflow workstation. All of her amendments and other activities
will be automatically recorded in the background
and can therefore be traced. With Mr Smith’s paper
document, a CI administrator has to record all of his
amendments by hand.
... more direct
CeBIT 2015
D
ata security was a key topic at
this year’s CeBIT in March. In
the first few days of the event,
secunet’s stand once again attrac-
Let’s assume that Ms Green works at a national
ted a number of visitors. North-Rhine
government agency and has to distribute classi-
Westphalia’s prime minister, Hannelore
fied documents to the associated state authorities.
Kraft, congratulated the company on a
She can do this using SINA Workflow without CI
successful end to 2014 and expres-
couriers, provided that the state authorities each
sed her pride that NRW’s highly secure
have a workstation from Ms Green’s SINA Workflow
cryptographic solutions are competitive
domain. Classified documents can then also be
both in Germany and abroad.
approved by a recipient via SINA Workflow. Users
can receive the document, export it securely to a
German Minister of the Interior Thomas
data storage device and edit it further on their own
de Maizière talked to secunet CEO Dr
system, as necessary.
Rainer Baumgart about the new hardware versions of the highly secure SINA
... faster
Tablet S – which has been approved by
It’s possible to access the central registry and
the German Federal Office for Informati-
classified information 24/7, anywhere in the world. In
on Security (BSI). The tablet was added
practice, secure document distribution on a “need-
to the company’s SINA product portfolio
to-know” basis, a transparent audit trail, and features
last year and is the only BSI-approved
for the fast and flexible management of user access
tablet workstation that guarantees
rights mean SINA Workflow is a major time-saver at
ultra-mobile information security.
a considerably lower cost.
State Secretary Brigitte Zypries (German Federal Ministry of Economics and
More information:
Technology) is committed to promoting
Stefan Reuter
Germany as a global technology hub
[email protected]
and visited secunet’s stand to get up
to speed with the latest developments
in IT security, such as protecting critical
infrastructures.
secuview 1/2015 23
Technologies & Solutions
Security by Design:
Protecting Connected
Vehicles
For OEMs and suppliers, IT security in connected vehicles
is a major challenge. What solutions are there? And, most
importantly, when does what solution make sense?
Y
ou’re sitting in the car and want to quickly
phicfunction or security module adequately protect
dictate a text message via voice control.
against external attack? The answer is obvious: no!
And so you don’t have to search for one
A secure system cannot be assured using individu-
at your destination, you use the internet to find an
al security functions, technologies or cryptographic
empty parking space before you arrive. Convenient,
processes, and even existing security specifications
huh? But what about security for all the IT-based
can – if implemented by those lacking a sound un-
interfaces needed? What if, for instance, an attack
derstanding – be misinterpreted and miss their mark.
is launched over the Wi-Fi connection, leading to an
In addition, vulnerabilities often arise from inadver-
error message in the car?
tent errors when implementing IT security measures.
The automotive industry is grappling with these
questions more and more every day – because it’s
Three core elements to protecting IT
infrastructures in vehicles
no small task to develop and operate robust IT infra-
Only a methodical approach can effectively protect
structure that can protect modern luxury vehicles
vehicles against attacks on their IT infrastructure.
from external attacks. Indeed, even specialists like
Essentially, three methods have been shown to be
Microsoft, Apple and Co. face huge challenges when
effective, especially when used together:
it comes to the various possible threat scenarios.
- An open analysis of the system’s requirements,
Cryptography provides the mathematical solutions
with particular emphasis on data protection and
used by these companies, but can a single cryptogra-
data security. Data protection is predominantly
24 secuview 1/2015
regulated by the German Data Protection Act
testing. Instead, attacks are simulated outside the
(Bundesdatenschutzgesetz, BDSG), which ens-
specifications for normal operation.
hrines data economy (who will have access to what
data and why) in law. In addition, data security
Each of these methods offers specific advantages.
relates to all relevant data in the control unit,
However, while they can be applied individually,
including the operating system and any encryption
only a combination of all three provides maximum
keys or processes used, for instance.
security and dramatically reduces error. That’s why
secunet offers OEMs and suppliers competent and
- The implementation of a secure software
reliable support in these three areas – and has done
development life cycle (SecSDLC).
for nearly 20 years.
At the very least, these kinds of secure software
development processes should be established for
More information:
critical systems. This requires more than a set of
Harry Knechtel
guidelines for developers; secure software develop-
[email protected]
ment is associated with organisational, technical
and administrative measures.
- The verification and protection of systems using
penetration tests. This isn’t about functional
secuview 1/2015 25
Technologies & Solutions
Where App Dangers Lurk
Critical data can be lost quicker than you’d think. Even serious
app developers shouldn’t be trusted blindly. This is the only
way to stop hackers in their tracks
D
ata has to be protected – and that natu-
And with that, your data is gone. The hacker is
rally also applies to the data collected by
happy, the app provider is innocent and you’re left
apps. But is a news app worth protecting
with egg on your face.
when you’re not providing any critical information?
A well-known provider doesn’t think so and has left
The problem is, websites are often displayed in apps
the data stream unencrypted between the app and
without the address bar, which you could otherwise
its servers… but what happens when an attacker
use to check the site URL and SSL encryption. It’s
manipulates the data?!
therefore very easy for hackers to use unencrypted
apps to display a perfect copy of your login page
Fake news, which can’t be distinguished from real
and read any and all data you enter. We trust apps
news by appearance alone, is mixed in with legitimate
blindly. Or have you genuinely questioned whether or
news reports. If you want to display the full text, you
not your data is encrypted during transfer?
can access the relevant content by simply clicking
through the app. For example, when an article re-
The solution? With a bit of technical know-how, you
ports that there has been an attack on your email
can see for yourself whether or not data traffic is
provider, an embedded link could – very conveniently
encrypted. Simply open the relevant login page in a
– lead you straight to the login page for your email
‘real’ browser outside the app, where you can then
provider so you can change your password.
see the address bar. Alternatively, you could write to
the providers of every app you use and find out their
answers. Not very convenient, we know – but you
must be aware of the dangers of apps. It’s is the only
way to ensure your data doesn’t inadvertently make
it into the wrong hands.
More information:
Markus Linnemann
[email protected]
26 secuview 1/2015
Dates
September to December
15 – 17 Sept 2015
»
NIAS – Cyber Security Symposium / Mons, Belgium
6 Oct 2015
»
Zukunft. Automation. (theme: energy/water/waste disposal) / Potsdam
6 – 8 Oct 2015
»
it-sa / Nuremburg
14 – 16 Oct 2015
»
KiT 2015 – 8th International Scientific Conference / Vysoké Tatry, Slovakia
20 – 22 Oct 2015
»
AFCEA TechNet Europe / Berlin
4 Nov 2015
»
Critical Infrastructures Information Security Symposium / Düsseldorf
10 – 11 Nov 2015
»
ISSE 2015 / Berlin
13 Nov 2015
»
IT Security on Board workshop / Munich
17 – 18 Nov 2015
»
Berlin Security Conference / Berlin
1 – 2 Dec 2015
»
4th VKU IT Conference / Nuremburg
7 Dec 2015
»
Police Days 2015 / Hamburg
Would you like to arrange
an appointment with us?
Just send an e-mail to
[email protected]
Critical Infrastructures Information Security Symposium
The IT Security Act has been approved by the Bundestag and Bundesrat. As an operator of critical infrastructures, the
government now needs your input. But what minimum security requirements do you need? How can you implement them
effectively and successfully? And how do others do it? We’ll be answering these questions and more at the Critical
Infrastructures Information Security Symposium in Düsseldorf on 4 November 2015.
We invite you to share your experiences with other participants in similar situations and benefit from topical and informative
presentations by the BSI, RWE and Emscher Lippe Energie.
You can reserve a spot at the event free of charge by emailing [email protected].
Subscribe
to secuview
Would you like to receive secuview on a regular basis, free of charge?
Please choose between the print and electronic versions and subscribe at
https://www.secunet.com/en/secuview.
There you can also change your preference or unsubscribe.
Imprint
Editor:
secunet Security Networks AG
Kronprinzenstraße 30
45128 Essen, Germany
www.secunet.com
Print
compensated
Id-No. 1547962
www.bvdm-online.de
Press Law Representative: Christine Skropke, [email protected]
Chief Editor, Head of Design and Content:
Claudia Roers, [email protected]
Design: Agentur für dynamisches Marketing, www.knoerrich-marketing.de
Copyright: © secunet Security Networks AG. Alle Rechte vorbehalten. All rights reserved. All
content herein is protected under copyright law. No part of this magazine may be reproduced
or otherwise used without the prior written consent of secunet Security Networks AG.
Illustrations: S. 2, 6, 13, 17, 25: fotolia.com; S. 2, 4, 5: G&D; S. 16, 26: shutterstock.com;
Others: secunet.
secuview 1/2015 27
Check eIDs
in the blink of an eye.
Not everyone crossing your border are who they pretend to be.
That’s why secunet developed the eID PKI Suite: It checks the
integrity of eID documents and the traveller’s identities in the blink
of an eye. Choose between individual software modules for easy
integration into your existing setup, and the complete turn-key
solution. Just as you need it.
IT security made in Germany.
www.secunet.com/en/eidpki
IT security partner of the Federal Republic of Germany