The German IT Security Certification Scheme. Joachim Weber

Transcription

1 The German IT Security Certification Scheme Joachim Weber

2 The German IT Security Certification Scheme 1. The role of the BSI 2. The German IT Certificate Scheme 3. Certification procedures in detail 4. International recognition 5. Status in Germany Joachim Weber The German IT-Security Certification Scheme Page 2

3 1. The role of the BSI The organisation BSI The mission of the BSI A brief history of the BSI Role of the BSI The branch D2

4 BSI - Organisation Director Arne Schönbohm Division B: Consulting for Government, the Private Sector and Society Division CK: Cyber Security and Critical Infrastructures Division D: Cyber Security for Digitisation, Certification and Standardisation Branch D2: Certification and Standardisation Division KT: Cryptotechnology and IT Management for Increased Security Requirements Joachim Weber The German IT-Security Certification Scheme Page 4

5 The mission of the BSI Information security in digitisation through prevention, detection and reaction for government, business and society. Prevention Cyber Security Abteilung K Cryptographic Krypto-Technologie innovations Dr. Gerhard Schabüser Security of classified information Fachbereich Secure identities K1 VS-IT-Sicherheit Certification Detection Awareness Fachbereich campaigns K2 Kryptographische Anwendungen IT Security consultations & Support of the Government Reaction Joachim Weber The German IT-Security Certification Scheme Page 5

6 A brief history of the BSI IT Security Law (IT-SiG) Founding of the CAZ Amendment of the BSIG Law passed to set up the BSI (BSIG) Founding of the BSI New general framework Alliance for Cyber Security Cyber Defence Center (CAZ) National Cyber Defence Authority (NCDA) Cyber Security Strategy for Germany Central Cyber Security Agency UP Bund and UP KRITIS National plan for protection of the information infrastructure (NPSI) Central IT Security service provider of the German administration National Communication Security and Certification Agency (NCSA) Joachim Weber The German IT-Security Certification Scheme Page 6

7 Role of the BSI - The branch D2 Public and Legal framework Standardisation security by design IT security requirements for IT security products, infrastructure and services Certification Joachim Weber The German IT-Security Certification Scheme Page 7

8 2. The German IT Certificate Scheme Certified products Partner in the certification scheme Reasons for a German certificate The certification scheme The brand-name BSI: High level of trust The German certificate worldwide The Common Criteria The CCRA since 2014

9 Certified products Joachim Weber The German IT-Security Certification Scheme Page 9

10 Partner in the certification scheme IT Security made in Germany International standardisation Manufacturer National certification centre Economy National IT Security Testing centre Joachim Weber The German IT-Security Certification Scheme Page 10

11 Reasons for a German certificate Economy Politics Society Strengthening Germany as place of IT Security and Privacy Support of German manufacturers in the international environment Impartial Review of private testing centres for maximal benefits of the manufacturers Participation in developing international standards Expertise in designing appropriate security guidelines Trust through mandate and reputation of the BSI Stands for international recognised Testing Quality (SOGIS, CCRA, DAkkS) Joachim Weber The German IT-Security Certification Scheme Page 11

12 The certification scheme Application of interested party Testing method (e.g. ISO 27001, Common Criteria/ISO 15408) Technical guidelines Conformity Test private qualified testing centre Certificate BSI Legal requirements (EnWG, SigG,...) The certification proves that a product fulfils the testing and law requirements Joachim Weber The German IT-Security Certification Scheme Page 12

13 The brand-name BSI: High level of trust Product certificate System & service certificate Common Criteria/PP Security Technical Guidelines (TR) Function / interoperability ISO 27001/IT-Baseline Protection Certification IT Security Person & service certificate Recognition and qualification of testing centres / persons Certifying of security services e.g. ISO/IEC Joachim Weber The German IT-Security Certification Scheme Page 13

14 Example: Huawei è Certified by BSI: Huawei AR Series Service Router AR1220 Pictures by Huawei è Currently under evaluation: Huawei OptiX OSN 1800 V V100R13C00 è More certifications are in preparation Law (BSIG): The certificate will be awarded if it satisfies the necessary criteria (completes successfully the evaluation) and there is no public interest against the issuing of such a certificate. Joachim Weber The German IT-Security Certification Scheme Page 14

15 The German certificate worldwide International recognition up to EAL 2 or according to cpp. European recognition up to EAL 4 and in selected technical domains up to EAL 7. Joachim Weber The German IT-Security Certification Scheme Page 15

16 The Common Criteria The CCRA since 2014 Low Assurance Policy : No mutual recognition above EAL level 2 collaborative Protection Profiles (cpp): Collaborative development of Protection Profiles for COTS products (EAL level 1-4) Motivation: Comparable evaluation results in a growing community Joachim Weber The German IT-Security Certification Scheme Page 16

17 3. Certification procedures in detail The Common Criteria - Role allocation Principle Responsibilities in the Certification Process

18 The Common Criteria Role allocation Applicant (Developer) Guidance Application Certificate Evaluation of product and documentation Site visits Security requirements BSI Certification Body Evaluation reports and documentation Comments on evaluation reports Approval of evaluation results ITSEF Joachim Weber The German IT-Security Certification Scheme Page 18

19 Principle Responsibilities in the Certification Process r Developer: r provides ToE and documentation r ITSEF (IT Security Evaluation Facility): r evaluates ToE and delivers report r Certification Body r central institution r ensures uniform approach r ensures comparable evaluation results Joachim Weber The German IT-Security Certification Scheme Page 19

20 4. Status in Germany BSI: Status in Germany European Perspective German Regulation for Digitisation of the national energy network

21 BSI: Status in Germany Germany: BSI more than 20 years independent national certification body for IT Security Technical standards and certification are instruments of governmental regulation in the area of critical infrastructure protection, examples: ehealth, energy grids, eid documents, telematics in transportation, payment transactions BSI supports governmental law initiatives by tailored technical standards and certification processes on both European and national level More than 100 certificates are issued per year (about 75% on high assurance level) 9 national evaluation labs Joachim Weber The German IT-Security Certification Scheme Page 21

22 European Perspective European Digital Single Market propagates concept of common regulation structures to foster common European values IT industry has strong and market driven interest in European IT security certificates seeking competitive advantages on the world markets European and international IT security standardisation and cooperation (SOG-IS MRA and CCRA) Joachim Weber The German IT-Security Certification Scheme Page 22

23 Example: Digitisation and energy transition electricity measured data and status information / control signals Digitisation and integration of 1.5 million decentralized and renewable energies creates high complexity Intelligent network is needed to link energy generation, storage and consumption Challenge: threats increases, infrastructures become more complex, amount of data is multiplied We need trustworthy products and systems in the energy network and a secure communication infrastructure Joachim Weber The German IT-Security Certification Scheme Page 23

24 German Regulation for Digitisation of the national energy network Digitisation of the Energy Transition Act (September 2 nd, 2016) based on EU Directives Electricity, Gas and Energy Efficiency sets the legal and technical basis for an intelligent energy network in Germany Article 1: Metering Point Operating Act deals with installation and operation of smart metering systems ensures a high level of data protection, IT security and interoperability uses Protection Profiles and Technical Guidelines to achieve security and conformity/compatibility of IT components enables development of further fields of application (e.g. smart grid, e-mobility) Current status of roll out in Germany 900 DSOs (distribution system operators), 42 million metering points 8 Smart-Meter-Gateways from manufacturers in evaluation/certification by the BSI; field tests and pilots are running Size of market (minimum) > 6,000 kwh and plants > 7 kw 5.6 million gateways (800 million per year) Privacy Fast rollout IT security Future proof Smart-Meter-Gateway Joachim Weber The German IT-Security Certification Scheme Page 24

25 Thank you for your attention! Contact Joachim Weber Head of Branch D2: Certification and Standardisation Tel. +49 (0) Fax +49 (0) Bundesamt für Sicherheit in der Informationstechnik Postfach Bonn Joachim Weber The German IT-Security Certification Scheme Page 25