TRANSCRIPT
The German IT Security Certification Scheme
Joachim Weber
Joachim Weber | The German IT-Security Certification Scheme | 11.09.2017 | Page 2
The German IT Security Certification Scheme
1. The role of the BSI
2. The German IT Certificate Scheme
3. Certification procedures in detail
4. International recognition
5. Status in Germany
1. The role of the BSI
The organisation BSI
The mission of the BSI
A brief history of the BSI
Role of the BSI – The branch D2
BSI - Organisation
• Director: Arne Schönbohm
• Division B: Consulting for Government, the Private Sector and Society
• Division CK: Cyber Security and Critical Infrastructures
• Division D: Cyber Security for Digitisation, Certification and Standardisation
  • Branch D2: Certification and Standardisation
• Division KT: Cryptotechnology and IT Management for Increased Security Requirements
The mission of the BSI
Prevention, Detection, Reaction
• Cyber Security
• Cryptographic innovations
• Security of classified information
• Secure identities
• Certification
• Awareness campaigns
• IT Security consultations & Support of the Government
Information security in digitisation through prevention, detection and reaction for government, business and society.
Organisation chart (Department K, Crypto Technology, Dr. Gerhard Schabüser): Section K1, Classified IT Security (VS-IT-Sicherheit); Section K2, Cryptographic Applications
A brief history of the BSI
• Founding of the BSI
• Law passed to set up the BSI (BSIG)
• National Communication Security and Certification Agency (NCSA)
• Central IT Security service provider of the German administration
• National plan for protection of the information infrastructure (NPSI)
• UP Bund and UP KRITIS
• Central Cyber Security Agency
• National Cyber Defence Authority (NCDA)
• Cyber Defence Center (CAZ)
• Cyber Security Strategy for Germany
• Alliance for Cyber Security
• New general framework
• Amendment of the BSIG
• Founding of the CAZ
• IT Security Law (IT-SiG)
Role of the BSI - The branch D2
• IT security requirements for IT security products, infrastructure and services
• Public and legal framework
• Certification
• Standardisation: security by design
2. The German IT Certificate Scheme
Certified products
Partner in the certification scheme
Reasons for a German certificate
The certification scheme
The brand-name BSI: High level of trust
The German certificate worldwide
The Common Criteria – The CCRA since 2014
Certified products
Partner in the certification scheme
• National certification centre
• Manufacturer
• Testing centre
• National IT Security
• International standardisation
• IT Security made in Germany
• Economy
Reasons for a German certificate
Economy
• Strengthening Germany as a place of IT Security and Privacy
• Support of German manufacturers in the international environment
• Impartial review of private testing centres for maximal benefits of the manufacturers
Politics
• Participation in developing international standards
• Expertise in designing appropriate security guidelines
Society
• Trust through mandate and reputation of the BSI
• Stands for internationally recognised testing quality (SOGIS, CCRA, DAkkS)
The certification scheme
• Application of interested party
• Technical guidelines
• Legal requirements (EnWG, SigG, ...)
• Testing method (e.g. ISO 27001, Common Criteria/ISO 15408)
• Conformity test by a private qualified testing centre
• Certificate issued by the BSI
The certification proves that a product fulfils the testing and law requirements.
The brand-name BSI: High level of trust
Person & service certificate
• Recognition and qualification of testing centres / persons
• Certifying of security services, e.g. ISO/IEC 17025
Product certificate
• Common Criteria / PP, Technical Guidelines (TR)
• Security function / interoperability
System & service certificate
• ISO 27001 / IT-Baseline Protection Certification – IT Security
Example: Huawei
• Certified by BSI: Huawei AR Series Service Router AR1220
• Currently under evaluation: Huawei OptiX OSN 1800 V V100R13C00
• More certifications are in preparation
Law (BSIG): The certificate will be awarded if the product satisfies the necessary criteria (completes the evaluation successfully) and there is no public interest against the issuing of such a certificate.
Pictures © by Huawei
The German certificate worldwide
International recognition up to EAL 2 or according to cPP. European recognition up to EAL 4 and in selected technical domains up to EAL 7.
The Common Criteria – The CCRA since 2014
• Motivation: Comparable evaluation results in a growing community
• "Low Assurance Policy": No mutual recognition above EAL level 2
• "collaborative Protection Profiles" (cPP): Collaborative development of Protection Profiles for COTS products (EAL level 1-4)
3. Certification procedures in detail
The Common Criteria - Role allocation
Principle Responsibilities in the Certification Process
The Common Criteria – Role allocation
• BSI – Certification Body: guidance; comments on evaluation reports; approval of evaluation results; certificate
• ITSEF: evaluation of product and documentation; site visits; evaluation reports and documentation
• Applicant (Developer): application; security requirements
Principle Responsibilities in the Certification Process
• Developer: provides ToE and documentation
• ITSEF (IT Security Evaluation Facility): evaluates ToE and delivers report
• Certification Body: central institution; ensures uniform approach; ensures comparable evaluation results
4. Status in Germany
BSI: Status in Germany
European Perspective
German Regulation for Digitisation of the national energy network
BSI: Status in Germany
• Germany: BSI – more than 20 years independent national certification body for IT Security
• Technical standards and certification are instruments of governmental regulation in the area of critical infrastructure protection, examples: eHealth, energy grids, eID documents, telematics in transportation, payment transactions
• BSI supports governmental law initiatives by tailored technical standards and certification processes on both European and national level
• More than 100 certificates are issued per year (about 75% on high assurance level)
• 9 national evaluation labs
European Perspective
• European Digital Single Market propagates the concept of common regulation structures to foster common European values
• IT industry has a strong and market-driven interest in European IT security certificates, seeking competitive advantages on the world markets
• European and international IT security standardisation and cooperation (SOG-IS MRA and CCRA)
Example: Digitisation and energy transition
• Digitisation and integration of 1.5 million decentralized and renewable energies creates high complexity
• An intelligent network is needed to link energy generation, storage and consumption
• Challenge: threats increase, infrastructures become more complex, the amount of data is multiplied
→ We need trustworthy products and systems in the energy network and a secure communication infrastructure
(Figure: flows of electricity, measured data and status information / control signals)
German Regulation for Digitisation of the national energy network
Digitisation of the Energy Transition Act (September 2nd, 2016)
• based on EU Directives Electricity, Gas and Energy Efficiency
• sets the legal and technical basis for an intelligent energy network in Germany
Article 1: Metering Point Operating Act
• deals with installation and operation of smart metering systems
• ensures a high level of data protection, IT security and interoperability
• uses Protection Profiles and Technical Guidelines to achieve security and conformity/compatibility of IT components
• enables development of further fields of application (e.g. smart grid, e-Mobility)
Current status of roll out in Germany
• 900 DSOs (distribution system operators), 42 million metering points
• 8 Smart-Meter-Gateways from manufacturers in evaluation/certification by the BSI; field tests and pilots are running
Size of market (minimum)
• > 6,000 kWh and plants > 7 kW ≈ 5.6 million gateways (800 million € per year)
Smart-Meter-Gateway: privacy, IT security, future proof, fast rollout
Thank you for your attention!
Contact
Joachim Weber
Head of Branch D2: Certification and Standardisation
[email protected]
Tel. +49 (0) 228 99 9582-0
Fax +49 (0) 228 99 10 9582-5400
Bundesamt für Sicherheit in der Informationstechnik
Postfach 200363
53133 Bonn
www.bsi.bund.de/EN/