The German IT Security Act Is Now a Reality
Transcription
The German IT Security Act Is Now a Reality
The Customer Magazine The German IT Security Act Is Now a Reality So how should CRITIS operators prepare? Issue 1/2015 An Interview with Dr Walter Schlebusch, CEO of Giesecke & Devrient “The protection of critical infrastructures has only just begun” Flexible and Mobile SINA Workstations at the German Federal Ministry of Finance Neither Bulky nor Boring Designing optimised security concepts based on IT Baseline Protection Content 4 An Interview with Dr Walter Schlebusch, CEO of Giesecke & Devrient “The protection of critical infrastructures has only just begun” 24 National 04 An Interview with Dr Walter Schlebusch 06 A Strong Partnership: AREVA and secunet 08 Flexible and Mobile – Security by Design For OEMs and suppliers, IT security in connected vehicles is a major challenge. What solutions are there? And, most importantly, when does what solution make sense? SINA Workstations 10 The IT Security Act – a Pipe Dream No More 13 Separated, Together, Then Separated Again Technologies & Solutions 20 SINA Receives the Highest International Approvals 22 SINA Makes Life Easier Science 24 Security by Design: 14 An Interview with 26 Where App Dangers Lurk Protecting Connected Vehicles Dr Gabi Dreo Rodosek International News in Brief 19 Dr Rainer Baumgart Appointed to the 16 EasyPASS Among the Top 3 ENISA Advisory Board Again 16 And Twelve Points Go to... 23 Points for German IT Security 17 German Expertise for a National PKD Solution 18 Neither Bulky nor Boring: 2 secuview 1/2015 IT Baseline Protection Dates 27 Upcoming Events Editorial I T security affects us all. Whether private users November, we’ll reveal different ways to effectively on their smartphones, manufacturers facing the overcome these challenges and devise solutions increased networking of control and production together. networks, or entire countries – in all areas, the internet doesn‘t just offer great opportunities and We’ve specialised in the effective protection and convenience; it also harbours threats. defence of IT systems for years now. In his interview, Walter Schlebusch says: “For us, security Effective protection and defence can only be requires more than just a colourful band of Swiss achieved thanks to careful observation, research Guards to extract a problem. Ideally, you should and detailed analysis, both of the attacker and work with the customer to devise an IT security existing and future innovations in technology. The strategy that will then be implemented consistently.” CODE research centre in Munich is working on This not only describes the approach of our parent precisely that, as Dr Gabi Dreo Rodosek explains in company G&D, but also precisely defines our own her interview. CODE has made the tailored protec- position. As you know, our five divisions therefore tion of critical infrastructures a research field in its aim to work in close concert with our customers. own right, and even politicians are now turning their We outline a few of our latest projects for you in this attention to these companies. The new IT Security issue. Act is intended to “significantly improve the security of IT systems (IT security) in Germany”. Under Happy reading! the law, critical infrastructures will not only have to adapt their IT infrastructure, but also their organisational processes. Uncertainty reigns here at the moment. At our Information Security Symposium in Dr Rainer Baumgart secuview 1/2015 3 National “The Protection of Critical Infrastructures Has Only Just Begun” An interview with Dr Walter Schlebusch, CEO of Giesecke & Devrient With Giesecke & Devrient (G&D) and secunet, two German providers are positioning themselves in a highly specialised market... Dr Schlebusch: And that is our strength! G&D earns the vast majority of its profits abroad and has access to numerous national administrations, financial institutes, telecommunications providers and techno- In interview: Dr Walter Schlebusch has been the CEO of G&D since 2013. He had previously been a member of the Board since 1 January 2000 and was responsible for the company‘s Banknote division. logy firms worldwide. secunet has a strong national footprint, with years of experience in the government sector and an excellent range of SINA products and border control solutions. What do you think are G&D’s strengths in IT security? Dr Schlebusch: My first thought is, of course, our years of international experience in the security technology sector and our wide range of secure products. These have made us a credible, reliable and legitimate trust anchor for many customers. So, just like you wouldn’t give your house key to just Dr Schlebusch, after the recent hacker attack on the anyone, our customers are – quite rightly – entitled to German parliament, do we still need to promote IT have their data handled professionally and securely. security? Dr Schlebusch: No matter where the attack origina- What does that mean in practice? ted, incidents like this illustrate just how vulnerable Dr Schlebusch: In order to work in highly secure our systems are. Discussions surrounding the pro- environments, you need to completely understand tection of critical infrastructures haven’t ended with your customers’ processes. Unlike security compa- the passing of the IT Security Act; they’ve only just nies that cast a wide net, we’ve chosen to specialise begun. in IT security. For us, security requires more than just 4 secuview 1/2015 National a colourful band of Swiss Guards to extract a problem. In the same way, subsequent, ad hoc access to a customer system is simply not enough. Ideally, you should work with the customer to devise an IT security strategy that will then be implemented consistently. To help with this, we offer hardware and software solutions and support customers with highly skilled “For us, security requires more than just a colourful band of Swiss Guards to extract a problem.” consultancy. On the one hand, users know the colourful world of attack scenarios on IT and production systems. apps. On the other, there’s the serious topic of secu- Until now, the typical medium-sized business has rity. How do they go together? been able to do little to combat these. We can help Dr Schlebusch: In an abstract sense, security is them to implement appropriate and scalable security difficult to communicate. It’s much easier to grasp solutions. using concrete examples; the on-board communications of German premium vehicles and industrial On the national level, we’re obviously excited about plants are both already secured by G&D, for instance. the implementation of the IT Security Act. This is a Mobile wallets around the world are based on security big opportunity for industries to independently agree made by G&D, and banking apps run securely thanks on the security measures that legislators will require to our technology. The scope of application for IT them to implement. security is therefore greater than you might think just looking at your smartphone! Finally, the broad field of identity assurance and identity management offers huge potential, since the What future trends do you predict? Internet of Things is based on the secure assignment Dr Schlebusch: These days, everyone is talking of identities to objects and processes. Our years of about Industry 4.0, or the complete networking of experience in secure connectivity and secure soft- industrial automation. We believe security is pivotal ware development based on specialist hardware will to this. Take the growing number of asymmetric allow us to contribute a lot here. secuview 1/2015 5 A Strong Partnership: AREVA and secunet The new IT Security Act is intended to provide greater security for critical infrastructures. However, operators will remain responsible for implementing any new measures T he attack on the French television broad- and for a while it even lost control of its website and caster TV5Monde at the beginning of April most social media accounts. It took days for things is just one example of a crime that threatens to get back to normal. to impact more of our lives nowadays. The cyber attack caused tremendous damage; the station’s The consequences would have been far more broadcasting operations were disrupted for hours, serious if a successful attack had been launched 6 secuview 1/2015 National against essential providers like energy or water from best practices with the highest classes of suppliers. As shown on page 10, the IT Security Act protection worldwide: is now intended to provide more comprehensive - Developing ISMS, from risk assessment to security for critical infrastructures (CRITIS). However, auditing, e.g. in accordance with ISO/IEC 27000 operators will remain responsible for implementing - Industrial security with security zones and security any new measures. grading, e.g. in accordance with IEC 62443 - Security modelling and simulation Security for digital control systems AREVA isn’t just a supplier for nuclear power stations and wind farms; it also draws on years of experience in critical infrastructures to provide a wide range of security products and services for digital control systems. In close cooperation with partners like secunet, AREVA considers security long before plant operation, starting from the early product development phase. That way, it can offer fully formed solutions, whether laying the founda- - Process control systems and network control technology - SIEM (security information and event management) - Automation security, e.g. PCS7, WINCC, SIPROTEC - Intrusion detection and intrusion prevention, whitelisting and security tests, etc. - Ongoing threat detection, assessment, analysis and defence tions for an ISMS (information security management system), putting together a complete concept, or implementing special hardware and software More information: solutions. Holger Hoppe holger.hoppe@areva.com All of its industrial security services are combined in an integrated approach, meaning that nuclear and Christoph Schambach non-nuclear customers can benefit in equal measure christoph.schambach@secunet.com Reliable integrity monitoring With the OPANASecTM solution, AREVA has developed a range of easy-to-use software modules for diverse control systems that can be used to monitor system integrity. The solution means programs can only be modified by turning a key switch, while attacks that manipulate user software and configuration data are reliably detected and instantly reported. The solution has been certified by TÜV SÜD and patents are pending. secuview 1/2015 7 National Flexible and Mobile SINA Workstations at the German Federal Ministry of Finance I t’s generally not so easy to reconcile our personal Mobility isn’t the only consideration here; IT security and professional lives. Despite this, the German is also a major factor. Staff need more than the abi- Ministry of Finance (BMF) is introducing flexible lity to process data and use specialist applications working hours for secure work when teleworking outside of the office – they need to be able to do so or on the go, thus proving itself to be an incredibly securely. A lot of the data processed by the BMF Employees modern, family-friendly government department. is of significant political and economic interest, and of the BMF BMF applications can now even be accessed on therefore has to be kept confidential at all times. undergo business trips. intensive SINA Workstation offers precisely this level of training in The duties and responsibilities of the BMF are security to the three key groups of mobile BMF Bonn and complex and varied – not just at the national users: Berlin on level, but at the European and international levels, how to use too. This requires specialist knowledge, flexibility Business travellers the SINA and commitment from its employees – even when The BMF represents Germany in various financial Workstation. they’re not in the office. For employees to meet committees and organisations – especially at the these requirements even while away on business, European and international levels. While away on and to ensure top performance without compro- business, BMF employees have to be able to work mising personal projects, the BMF has invested in securely with every mobile connection, no matter around 1,000 SINA Workstations as a secure where it is – whether an open Wi-Fi connection at a platform for mobile work. conference, UMTS at the airport or a hotspot at their 8 secuview 1/2015 National hotel. It’s especially important that data and specia- are always available and larger data volumes can be list applications be accessed using SINA Worksta- processed without difficulty. tion, which allows users to work in a secure, virtual environment. No matter the user, the SINA Workstation delivers maximum flexibility and mobility – earning it the Mobile employees “audit berufundfamilie” certificate and making it the Those who have to interrupt their work throug- perfect answer to high-level job requirements at the hout the day – or who need one or more days to national and international levels. care for children or a sick relative – can now work from home or elsewhere. In the office, mobile All data and applications can be accessed secu- employees connect to the ministry’s LAN via their rely and without restriction, no matter the location SINA Workstation. Elsewhere, they use whatever and type of (unsecure) internet connection used. mobile connections are available – and very often This and the German Federal Office for Information their own home’s Wi-Fi. Security‘s approval (in this case for classification level RESTRICTED) was the main reason that the Teleworkers BMF chose the SINA Workstation. Teleworkers have two main places of work: their home and the office. Using the SINA Workstation, these employees can benefit from a secure, high- More information: performance LAN connection to the BMF both at Thomas Peine home and at work, meaning data and applications thomas.peine@secunet.com The project at a glance -1,000 SINA Workstations were installed by a single secunet employee in just two weeks. The install server was used to conveniently implement tailored adjustments. -Efficient logistics for the delivery, installation and roll-out of 1,000 devices. -Comprehensive project management – the project manager was on hand to support the customer from first contact to operation. -Project management methods: stakeholder management, risk management, earned-value analysis and scheduling. -The project team consisted of fifteen people from secunet, ten from ZIVIT and five from the BMF; the core team consisted of seven employees. -Measures to help train users: newsletters, instructional videos, information stands outside the canteen, three one-hour training sessions and quick-start guides. secuview 1/2015 9 The German IT Security Act – a Pipe Dream No More It’s really happened: the German government’s act on “heightening the security of IT systems” has been approved by the Bundestag and Bundesrat S leeping Beauty had no chance. She didn’t According to the explanatory note, the act on see the prince coming. Otherwise she heightening IT system security (the IT Security Act) might have put on some lipstick and fixed – which was introduced by the German Federal her hair... but let’s get back to reality for a moment. Cabinet on 17 December 2014 and approved by 10 secuview 1/2015 National the Bundestag and Bundesrat on 12 June and 10 any plant or facility that‘s vital to the functioning of July 2015, respectively – is intended to “significantly the community. The IT Security Act doesn’t include improve the security of IT systems in Germany”. any further criteria. Instead, as already mentioned, it provides for more detailed conditions by decree. It‘s debatable whether or not this omnibus law, According to the bill’s explanatory note, an estima- which includes amendments to a variety of German ted 2,000 operators of critical infrastructures will legislation, is sufficient to wake Sleeping Beauty soon be subject to registration. from her slumber, in which businesses and public bodies are regularly chided in reports on information security incidents. How should (potential) CRITIS operators prepare? The present uncertainty regarding who will soon be After the German Federal President formally signs subject to the act as a CRITIS operator should not the law, a decree must be issued that clearly tempt those in question to be awoken only with a defines who is an operator of critical infrastructures. kiss. The prince is on his way... but unlike Sleeping Beauty, we can see him coming. And we can there- Instead, we recommend that (potential) CRITIS fore prepare for his arrival. operators prepare as follows: - Determine which parts of the organisation Who will be primarily affected by the IT Security Act? (processes, organisational units, products and The operators of critical infrastructures across all - Investigate their current security levels; industries will need to: - Develop a strategy for information security - comply with a minimum level of IT security, management to consistently maintain a minimum - provide proof of compliance through security level of IT security going forward; audits, - Select competent, qualified employees to act as - introduce and uphold procedures for reporting contact persons and develop a system for significant IT security incidents to the Federal reporting significant IT security incidents; Office for Information Security (BSI), and - Select a suitable service provider for independent - operate a contact point. security audits; services) constitute critical infrastructures; - Initiate pre-emptive certification according to The act also sets out different, industry-specific ISO/IEC 27001 in compliance with the relevant security standards. security requirements. Who is a CRITIS operator? It’s an essential prerequisite to structure and secure According to the act, critical infrastructures (CRITIS) organisations and processes, but that alone is not include all plants and facilities that belong to the enough to consistently meet the proposed heigh- energy, IT and telecommunications, transport, tened level of IT security for critical infrastructures. health, water, food, finance and insurance sectors, Appropriate measures should also be taken on the as well as to the media and cultural centres, plus technical level. >>> secuview 1/2015 11 National Securing energy and water supplies authorities to process confidential documents. The Take the example of energy and water suppliers, for BSI evaluates devices and systems for these very whom IT plays a central role not just in the office, application scenarios – and then approves them for but in the control of plants using process control processing data over the internet. The SINA Work- engineering, too. Here, the effective technical sepa- station and SINA Tablet were approved accordingly ration of internal IT networks from public networks and fulfil all of the requirements for CRITIS opera- guarantees the integrity of process control data and tors: the availability of the operating IT systems for plant - Strict separation of the production network from control. Systems and networks are only connected if they need to be; the control room should be strictly the internet - Trusted end devices under constant control of the separated from internet services, for instance (see control room page 13). • Use of remote control functions – even by mobile However, at the same time, it must be possible to • Remote maintenance by internal or external workers access public networks in remote control scenarios. specialists Operators can meet these challenges by establishing security zones and relationships that can be cont- From the control room, a central online manage- rolled using a central management system. Among ment system can be used to incorporate individual other things, this will let them allow or block a secure SINA devices into the production network as requi- connection with systems in the field at any time from red, without risking the network connecting through the control room. the devices to other networks or the internet. Sealing off production networks from the internet Together with BSI-evaluated encoders on layer 2 When introducing security zones, all connected end inter-network architecture SINA offers an approved devices should naturally be taken into account, e.g. all-in-one solution for production networks – leaving those of internal or external maintenance technicians you to sit back and calmly await your prince. and layer 3 for remote control technology, the secure when servicing the system or on stand-by. The problem is, even with a VPN connection as secure as this, all of the vulnerabilities on the end device are linked More information: to the production network. Furthermore, if the end Alexander Schlensog device connects or has connected to the internet, alexander.schlensog@secunet.com the separation of the production network from the internet (the so-called air gap) is worthless. Such requirements for (mobile) end devices are nothing new; they’ve long been used by the 12 secuview 1/2015 National Separated, Together, Then Separated Again How IT security can be effectively established in the age of digitalisation and open networks I n the past, we would run a access points are being estab- strictly separated, autonomous lished and integrated with smart network to guarantee the con- functions. tinued availability of production networks. This allowed us to use At first glance, the requirements network control systems or su- for digitalisation and IT security per computer systems to reliably differ greatly; from a purely tech- protect (waste)water, transport, nical standpoint, purely reactive energy and other autonomous measures like virus scanners and networks from dangerous inter- web filters are no longer enough faces with the outside world. to guarantee adequate and reliable security. Many security However, digitalisation has given exports are promoting a so-called highly secure network separation rise to increasingly complex re- “de-networking” for greater secu- thanks to SINA. This strict se- quirements for these networks. rity. However, is this development paration creates proactive and For example, the management really in step with the present sustainable security. of energy networks has become requirements of digitalisation? more complicated due to the Is strict separation despite net- Consequently, the aforementioned energy revolution and subse- working the ultimate goal and challenges only seem contradic- quent decentralisation of energy solution? tory at first glance. When effecti- producers, micro-generators and vely designed and implemented, central plant operators (energy What might seem irreconcilable and when combined with organi- supply companies) in the context at first glance is certainly a techni- sational measures, modern-day of the smart grid. The manage- cal challenge, but it is possible security technologies can achieve ment of numerous decentralised – and even common practice in this “de-networking” within a and centralised plants and facili- certain other fields. For example, network, thereby guaranteeing ties takes place over IP networks, secure networks can be created adequate security. which leads to the merging of IT within networks using isolation and process networks. Informat- techniques (the principle behind More information: ion is therefore exchanged across secunet safe surfer) derived from Torsten Redlich networks, while new devices and terminal server technology or torsten.redlich@secunet.com secuview 1/2015 13 Science An Interview with Dr Gabi Dreo Rodosek The tailored protection of networks in Industry 4.0 and critical infrastructures is a research field in its own right defence against advanced persistent threats (APT) and smart attacks, as well as visualising the state of security and identifying attackers (geolocation). In interview: Dr Gabi Dreo Rodosek is Professor of Communication Systems and Network Security at the University of the Armed Forces’ Institute for Computer Engineering in Munich and is also the spokesperson for the cyber defence research centre CODE (Cyber Operations Defence). However, technology alone can’t guarantee security. That’s why we also systematically research legal frameworks, management processes, and their effects, not forgetting users and their own security awareness. Alongside research, networking is one of the research centre’s key activities. In our globalised world, cyber criminals can easily operate across borders thanks to increased diversification and networking. This threat can only be combatted with a network of experts, which requires a high degree of mutual trust. Cyber security experts from different universities, research institutes, agencies and companies all cooperate, share information and exchange data in Dr Dreo Rodosek, you’re the spokesperson for the the trusted environment provided by CODE. CODE research centre. What are the centre’s goals? Dr Dreo Rodosek: Our aim is to conduct compre- Cyber attacks don’t recognise national borders. hensive research into all aspects of cyber security. Does CODE also cooperate with international organisations? Our main focus is the exploration of new security Dr Dreo Rodosek: The challenge is actually one of technologies and approaches. At the moment, a global nature. The research centre has therefo- some of our research includes the detection of and re secured a partnership with NATO’s Cooperative 14 secuview 1/2015 Science Cyber Defence Center Of Excellence (CCDCOE). In In light of the increased networking of economically this context, we’ve signed a mutual agreement to and socially important systems like industrial pro- support each other in research. We also work clo- duction chains (Industry 4.0) and components of sely with ENISA, largely through Dr Helmbrecht, an critical infrastructures, these have especially high honorary professor at our IT Faculty*. Meanwhile, on protection requirements. Tailored protection at a rea- the national level, we have a number of cooperation sonable cost – and which results in an acceptable agreements with security agencies and commercial businesses that work in the global cyber security industry. I’m afraid I can’t go into any more detail about our current projects. How does research and teaching at the University of the Armed Forces differ from other IT security departments in Germany? Dr Dreo Rodosek: Compared to cyber security research at other universities and research centres, we concentrate heavily on cooperation with the armed forces and related agencies and services, as well as with companies with special security requirements. In some cases, our research is “for German eyes only”, and doesn’t involve visiting scholars, PhD students or undergrads from other countries. The fact that our cooperation is so trusted and “In our globalised world, cyber criminals can easily operate across borders thanks to increased diversification and networking. This threat can only be combatted with a network of experts, which requires a high degree of mutual trust.” successful is evident in the partnerships we’ve been able to establish so far. residual risk – actually constitutes its own research field, in which legal frameworks, management mo- The intensity of cyber attacks is increasing exponen- dels, technical components and user awareness tially. What do you expect to be the biggest threat have to be coherently and consistently linked. These over the next few years and what measures is CODE systems are under threat from APTs and smart developing as a result? attacks, for which we need to develop unique taxo- Dr Dreo Rodosek: From a technological point of nomies and metrics for detection and defence. view, I’d say the growth of vulnerable mobile devices and their heterogeneity, plus new technologies like software-defined networking and interclouds (clouds of clouds). With this in mind, at CODE we’re rese- * Editor’s note: at the University of the Armed Forces in Munich arching anomaly-based detection methods at the communication level, as well as associated filters and analytics tools. In addition, traffic volumes and bandwidth are increasing. Data analysis in these networks presents a big data problem. In response, we’re investigating how to use new approaches (e.g. security analytics) to combat attacks early on in the provider network, which will help ease the burden on customers and users. secuview 1/2015 15 International EasyPASS Among the Top 3 S imply and conveniently in Germany to 140*, enabling which new technologies are being across the border: Fol- even more travellers to cross the used to establish a more modern lowing the lead of the Schengen Area’s external borders and efficient border management Munich, without assistance. A similarly system. Automated border control Düsseldorf, Hamburg and Berlin- high number of automated border has a major role to play here. Tegel airports, the Cologne-Bonn control systems internationally airport completed installing the only exists in the Netherlands and EasyPASS the United Kingdom. Frankfurt control am Main, automated system, border implemented * In the German installation, the secunet easygate is supplemented with components from the Bundesdruckerei (BDR). by a consortium of secunet and This development ties in perfectly Bundesdruckerei, by the middle with the European Commission’s More information: of 2015. This will bring the total Smart Borders programme for Frank Steffens number of secunet easygates higher mobility and security, under frank.steffens@secunet.com And Twelve Points Go to... T he secunet Golden Reader all ICAO-compliant eMRTDs like Tool Platinum Edition (GRT) electronic passports. The soft- has been awarded maxi- ware is constantly being improved mum points from as many as 27 and adapted to meet customers’ countries! Nations including Azer- requirements. Today, the GRT baijan, Estonia, India and Canada already supports all internatio- voted for the German software, nal security protocols, including which is designed to read different BAC, EAC 1.0 and 2.0 and SAC. electronic identity documents – Alongside domestic and foreign thus definitively proving the global passports, the tool can also read popularity of secunet’s GRT. and verify German residence permits and the new German The secunet Golden Reader Tool identity card, as well as foreign Platinum Edition is the latest electronic driving licences and version of the extensively tested registration certificates. Golden Reader Tool developed jointly by secunet and the German 16 secuview 1/2015 Federal Office for Information Se- More information: curity (BSI). As a result, secunet Norbert Richartz has successfully developed a norbert.richartz@secunet.com software application for reading www.secunet.com/grtplatinum German Expertise for a National PKD Solution Tamper-proof and efficient ePassport verification: EGSP delivers a solution with HJP, Bundesdruckerei, secunet and G&D A bu Dhabi-based Emirates forms the basis of secunet’s eID now introduced the National PKD German Security Printing PKI Suite. system to examine the data ob- LLC (EGSP) has delivered tained from the ICAO PKD and other sources, and to forward the establishment of a National Proof of authenticity and tamper-proofing Public Key Directory (NPKD) solu- Electronic passports are equip- certificate revocation lists (CRLs) tion. The system is used at border ped with a chip that prevents the to control points in the United Arab undetected manipulation of the systems Emirates (UAE) to ensure the tam- passport holder’s personal data. systems”) at border control posts per-proof and efficient verification Using the Public Key Directory throughout the country. In Sep- of domestic and foreign electronic of the International Civil Aviation tember 2011, the United Arab passports. For the implementat- Organisation (ICAO), border cont- Emirates became the first country ion of the security solution “made rol staff can verify the authenticity in the Middle East to join the in Germany”, EGSP – the NPKD of passport data. To do this, they ICAO PKD. Now, it is the first project’s general contractor – rely on having access to prequali- country in the Middle East to have was supported by its partners fied certificates (Document Signer implemented HJP Consulting GmbH, Bundes- Certificates) and other public key solution. druckerei GmbH, secunet Security infrastructure (PKI) from active Networks AG and Giesecke & ICAO member states. the complete infrastructure for all document verification (so-called “inspection a National PKD More information: Oliver Jahnke Devrient GmbH. In particular, G&D provided the NPKD software that the appropriate certificates and The UAE‘s Ministry of Interior has oliver.jahnke@secunet.com secuview 1/2015 17 International Neither Bulky nor Boring: IT Baseline Protection secunet’s three-pillar procedure makes it possible to quickly implement a tailored IT security concept for public authorities and companies based on IT baseline protection (IT-Grundschutz, a BSI guideline for an IT security methodology). The methodology takes both specialised processes and standard IT applications into account F or 15 years, secunet has worked according Using their collective knowledge, secunet’s experts to the methods of IT baseline protection. It have developed a tailored procedure to implement has already completed over 1,000 projects in baseline protection that overcomes these difficulties the field of government administration at the federal while taking advantage of the benefits of the appro- state level and in companies across diverse indus- ach. The methodology stands on three pillars, which tries. Through it all, one thing has become clear: should be implemented in parallel and will help to the implementation of information security based develop a certifiable ISMS in accordance with IT on IT baseline protection is well-suited to standard baseline protection. IT components, but faces the following challenges nonetheless: -Pillar One: secure core IT An institution’s IT consists of core systems. These - Combination with specialised processes are viewed in a bottom-up approach. This concerns - Minimal employee knowledge in IT departments both visualised infrastructures and physical regarding the specialised processes they monitor clients, servers and network components, as well and their protection requirements as general applications like web servers or the - No integrated operation of management systems active directory. and information security management systems - The joint handling of compliance requirements and -Pillar Two: specialised security concepts IT security only in exceptional cases The institution’s specialised tasks, applications - Later successes and high complexity through and business processes that use secure core IT traditional processes in the baseline protection systems are viewed in the form of specialist waterfall model security concepts (top-down approach). (ISMS) 18 secuview 1/2015 International News in Brief Dr Rainer Baumgart Appointed to the ENISA Advisory Board Again T he European Union Agency for Network and Information Security (ENISA) has announced the members of its Permanent Stakeholders’ Group (PSG). With a newly reduced membership of 23, the PSG is composed of representatives from industry, business, consumer organisa- - Pillar Three: ISMS tions and national regulatory authorities. An often underestimated part of information The board advises the Executive Direc- security is the very core of most standards, and tor of ENISA on developing ENISA’s ac- thus of IT baseline protection itself: the ISMS. tivities, communicating with the relevant stakeholders, and identifying all issues Fast results, eliminating the disadvantages of IT baseline protection and integrating specialised processes related to IT security. The standard 100-2 of the Federal Office for Infor- member of the PSG from 2010 to 2012, mation Security doesn’t state that the individual after which Volker Schneider represented steps for creating a security concept should be taken secunet at ENISA. In March, secunet’s one after the other. secunet’s methodology involves CEO was once again appointed to the simultaneously starting multiple steps and pursuing PSG. His current membership will expire the three pillars in parallel. This makes it possible on 1 September 2017. Dr Rainer Baumgart was previously a to quickly and efficiently achieve results and integrate the ISMS into other, existing management systems. More information: René Seydel rene.seydel@secunet.com secuview 1/2015 19 Technologies & Solutions SINA Receives the Highest International Approvals secunet is the only German manufacturer of IPsec solutions for the NATO SECRET security classification A t the beginning of the year, NATO approved 2014. Previously, the Council of the European Union the SINA L3 Box H, SINA Workstation H approved a variety of other encryption devices in and SINA Terminal H cryptographic compo- the SINA range for the secure transfer of information nents for the NATO SECRET security classification. on public networks in the EU. This means that all NATO member states, as well as the entire NATO organisation and its units worldwide, This makes secunet the only manufacturer that are permitted to use these SINA products for NATO offers IP-based cryptographic solutions for all EU SECRET-classified communications. security classifications. In addition, secunet is the only German manufacturer to meet NATO’s requi- At the European level, the SINA L3 Box S (software rements for IPsec solutions for the NATO SECRET versions 2.2 and 3.7), the SINA L2 Box S (software high security classification. versions 3.2 and 3.3), and the SINA Workstation S (version 3.1.2) were approved for the RESTREINT UE (EU RESTRICTED) classification in June of this More information: year. The SINA L3 Box H was approved for the Merlin Gräwer SECRET UE (EU SECRET) classification in August merlin.graewer@secunet.com 20 secuview 1/2015 AREVA PRoVidEs solutions. sAfE And sEcuRE. For AREVA as leading nuclear supplier, safety and security are top priorities – also for IT. Customers of various industries are relying on our know-how today. www.areva.de Technologies & Solutions SINA Makes Life Easier SINA Workflow now creates a legally compliant, digital audit trail without media discontinuity Workflow ... was jointly developed by the BSI and secunet. For the while being simultaneously connected to the central first time, the advantages of legally compliant, IT-based registry via another session. This means that content work have been applied to digital classified documents. and classified administrative data (access rights for a SINA Workflow guarantees the secure, continuous and document, metadata, CI classifications, etc.) can be legally compliant implementation of individual business recorded and collected directly at the workstation. SINA processes involving classified information (CI) and Workflow also allows users to cooperate on classified other sensitive documents. documents and collaborative administrative processes like preliminary work and co-signature processes. Users work with classified documents in an integrated network in a special SINA Workstation workflow session, 22 secuview 1/2015 Technologies & Solutions SINA Workflow makes work processes... ... more convenient While Mr Smith sets off to the central registry to receive a hard copy of a SECRET-classified document, Ms Green can accept, read and process a News in Brief Points for German IT Security classified document at her SINA Workflow workstation. All of her amendments and other activities will be automatically recorded in the background and can therefore be traced. With Mr Smith’s paper document, a CI administrator has to record all of his amendments by hand. ... more direct CeBIT 2015 D ata security was a key topic at this year’s CeBIT in March. In the first few days of the event, secunet’s stand once again attrac- Let’s assume that Ms Green works at a national ted a number of visitors. North-Rhine government agency and has to distribute classi- Westphalia’s prime minister, Hannelore fied documents to the associated state authorities. Kraft, congratulated the company on a She can do this using SINA Workflow without CI successful end to 2014 and expres- couriers, provided that the state authorities each sed her pride that NRW’s highly secure have a workstation from Ms Green’s SINA Workflow cryptographic solutions are competitive domain. Classified documents can then also be both in Germany and abroad. approved by a recipient via SINA Workflow. Users can receive the document, export it securely to a German Minister of the Interior Thomas data storage device and edit it further on their own de Maizière talked to secunet CEO Dr system, as necessary. Rainer Baumgart about the new hardware versions of the highly secure SINA ... faster Tablet S – which has been approved by It’s possible to access the central registry and the German Federal Office for Informati- classified information 24/7, anywhere in the world. In on Security (BSI). The tablet was added practice, secure document distribution on a “need- to the company’s SINA product portfolio to-know” basis, a transparent audit trail, and features last year and is the only BSI-approved for the fast and flexible management of user access tablet workstation that guarantees rights mean SINA Workflow is a major time-saver at ultra-mobile information security. a considerably lower cost. State Secretary Brigitte Zypries (German Federal Ministry of Economics and More information: Technology) is committed to promoting Stefan Reuter Germany as a global technology hub stefan.reuter@secunet.com and visited secunet’s stand to get up to speed with the latest developments in IT security, such as protecting critical infrastructures. secuview 1/2015 23 Technologies & Solutions Security by Design: Protecting Connected Vehicles For OEMs and suppliers, IT security in connected vehicles is a major challenge. What solutions are there? And, most importantly, when does what solution make sense? Y ou’re sitting in the car and want to quickly phicfunction or security module adequately protect dictate a text message via voice control. against external attack? The answer is obvious: no! And so you don’t have to search for one A secure system cannot be assured using individu- at your destination, you use the internet to find an al security functions, technologies or cryptographic empty parking space before you arrive. Convenient, processes, and even existing security specifications huh? But what about security for all the IT-based can – if implemented by those lacking a sound un- interfaces needed? What if, for instance, an attack derstanding – be misinterpreted and miss their mark. is launched over the Wi-Fi connection, leading to an In addition, vulnerabilities often arise from inadver- error message in the car? tent errors when implementing IT security measures. The automotive industry is grappling with these questions more and more every day – because it’s Three core elements to protecting IT infrastructures in vehicles no small task to develop and operate robust IT infra- Only a methodical approach can effectively protect structure that can protect modern luxury vehicles vehicles against attacks on their IT infrastructure. from external attacks. Indeed, even specialists like Essentially, three methods have been shown to be Microsoft, Apple and Co. face huge challenges when effective, especially when used together: it comes to the various possible threat scenarios. - An open analysis of the system’s requirements, Cryptography provides the mathematical solutions with particular emphasis on data protection and used by these companies, but can a single cryptogra- data security. Data protection is predominantly 24 secuview 1/2015 regulated by the German Data Protection Act testing. Instead, attacks are simulated outside the (Bundesdatenschutzgesetz, BDSG), which ens- specifications for normal operation. hrines data economy (who will have access to what data and why) in law. In addition, data security Each of these methods offers specific advantages. relates to all relevant data in the control unit, However, while they can be applied individually, including the operating system and any encryption only a combination of all three provides maximum keys or processes used, for instance. security and dramatically reduces error. That’s why secunet offers OEMs and suppliers competent and - The implementation of a secure software reliable support in these three areas – and has done development life cycle (SecSDLC). for nearly 20 years. At the very least, these kinds of secure software development processes should be established for More information: critical systems. This requires more than a set of Harry Knechtel guidelines for developers; secure software develop- harry.knechtel@secunet.com ment is associated with organisational, technical and administrative measures. - The verification and protection of systems using penetration tests. This isn’t about functional secuview 1/2015 25 Technologies & Solutions Where App Dangers Lurk Critical data can be lost quicker than you’d think. Even serious app developers shouldn’t be trusted blindly. This is the only way to stop hackers in their tracks D ata has to be protected – and that natu- And with that, your data is gone. The hacker is rally also applies to the data collected by happy, the app provider is innocent and you’re left apps. But is a news app worth protecting with egg on your face. when you’re not providing any critical information? A well-known provider doesn’t think so and has left The problem is, websites are often displayed in apps the data stream unencrypted between the app and without the address bar, which you could otherwise its servers… but what happens when an attacker use to check the site URL and SSL encryption. It’s manipulates the data?! therefore very easy for hackers to use unencrypted apps to display a perfect copy of your login page Fake news, which can’t be distinguished from real and read any and all data you enter. We trust apps news by appearance alone, is mixed in with legitimate blindly. Or have you genuinely questioned whether or news reports. If you want to display the full text, you not your data is encrypted during transfer? can access the relevant content by simply clicking through the app. For example, when an article re- The solution? With a bit of technical know-how, you ports that there has been an attack on your email can see for yourself whether or not data traffic is provider, an embedded link could – very conveniently encrypted. Simply open the relevant login page in a – lead you straight to the login page for your email ‘real’ browser outside the app, where you can then provider so you can change your password. see the address bar. Alternatively, you could write to the providers of every app you use and find out their answers. Not very convenient, we know – but you must be aware of the dangers of apps. It’s is the only way to ensure your data doesn’t inadvertently make it into the wrong hands. More information: Markus Linnemann markus.linnemann@secunet.com 26 secuview 1/2015 Dates September to December 15 – 17 Sept 2015 » NIAS – Cyber Security Symposium / Mons, Belgium 6 Oct 2015 » Zukunft. Automation. (theme: energy/water/waste disposal) / Potsdam 6 – 8 Oct 2015 » it-sa / Nuremburg 14 – 16 Oct 2015 » KiT 2015 – 8th International Scientific Conference / Vysoké Tatry, Slovakia 20 – 22 Oct 2015 » AFCEA TechNet Europe / Berlin 4 Nov 2015 » Critical Infrastructures Information Security Symposium / Düsseldorf 10 – 11 Nov 2015 » ISSE 2015 / Berlin 13 Nov 2015 » IT Security on Board workshop / Munich 17 – 18 Nov 2015 » Berlin Security Conference / Berlin 1 – 2 Dec 2015 » 4th VKU IT Conference / Nuremburg 7 Dec 2015 » Police Days 2015 / Hamburg Would you like to arrange an appointment with us? Just send an e-mail to events@secunet.com Critical Infrastructures Information Security Symposium The IT Security Act has been approved by the Bundestag and Bundesrat. As an operator of critical infrastructures, the government now needs your input. But what minimum security requirements do you need? How can you implement them effectively and successfully? And how do others do it? We’ll be answering these questions and more at the Critical Infrastructures Information Security Symposium in Düsseldorf on 4 November 2015. We invite you to share your experiences with other participants in similar situations and benefit from topical and informative presentations by the BSI, RWE and Emscher Lippe Energie. You can reserve a spot at the event free of charge by emailing events@secunet.com. Subscribe to secuview Would you like to receive secuview on a regular basis, free of charge? Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/secuview. There you can also change your preference or unsubscribe. Imprint Editor: secunet Security Networks AG Kronprinzenstraße 30 45128 Essen, Germany www.secunet.com Print compensated Id-No. 1547962 www.bvdm-online.de Press Law Representative: Christine Skropke, christine.skropke@secunet.com Chief Editor, Head of Design and Content: Claudia Roers, claudia.roers@secunet.com Design: Agentur für dynamisches Marketing, www.knoerrich-marketing.de Copyright: © secunet Security Networks AG. Alle Rechte vorbehalten. All rights reserved. All content herein is protected under copyright law. No part of this magazine may be reproduced or otherwise used without the prior written consent of secunet Security Networks AG. Illustrations: S. 2, 6, 13, 17, 25: fotolia.com; S. 2, 4, 5: G&D; S. 16, 26: shutterstock.com; Others: secunet. secuview 1/2015 27 Check eIDs in the blink of an eye. Not everyone crossing your border are who they pretend to be. That’s why secunet developed the eID PKI Suite: It checks the integrity of eID documents and the traveller’s identities in the blink of an eye. Choose between individual software modules for easy integration into your existing setup, and the complete turn-key solution. Just as you need it. IT security made in Germany. www.secunet.com/en/eidpki IT security partner of the Federal Republic of Germany