SUCCESS STORY INFORMATION SECURITY


Landis+Gyr cares for security in Smart Metering

Security modules for Smart Meter Gateways according to Common Criteria

The manufacture of intelligent power meters, the so-called Smart Meters, is subject to legal provisions and to strong security requirements, and compliance with them has to be checked and certified. Landis+Gyr, a Smart Meter pioneer, has developed a conforming information security concept with the support of Sidler Information Security GmbH, clearing the path towards secure Smart Meter solutions. In July 2013, Landis+Gyr was able to register the first Smart Meter Gateway produced according to the latest standard for certification.

Landis+Gyr, with headquarters in Zug and subsidiaries all around the globe, is a worldwide leader in the field of smart metering and a leading provider of integrated energy-management solutions. The company enables energy providers and end customers to improve their energy efficiency and reduce their energy costs, thereby contributing to the sustainable use of resources. Creating and developing sustainable values and solutions and matching them with the challenges of energy policy are also part of the daily business of an industry leader.

Implementation of legal requirements

The deployment of intelligent power meters, that is, Smart Meters, is a basic prerequisite for the implementation of the Action Plan for Energy Efficiency in Europe. It proposes that at least 80 percent of all consumers within the EU member states are to be equipped with intelligent power meters before the year 2020. Within this frame, Germany has played a pioneering role: through the Bundesamt für Sicherheit in der Informationstechnik (BSI), it released a Protection Profile (BSI-CC-PP-0073) for a Smart Meter Gateway and its associated security module, conforming to the Common Criteria.

Manufacturers like Landis+Gyr faced new challenges with the extensive requirements contained in the BSI Protection Profile and the legal provisions, which have to be implemented in electronic meters and Smart Meter Gateways. Not only does the product itself have to be submitted for certification in order to establish compliance with these security requirements; there are also minimum requirements for the development process, the documentation, the support during the lifecycle of the product, testing and vulnerability analysis that have to be met. The product is certified only if the whole surrounding environment passes this evaluation.

Thomas Mosel, Head of Information Security EMEA at Landis+Gyr, comments on this subject: «The security module according to the internationally recognized IT security criteria of the Common Criteria includes a high number of security requirements. Very soon it was clear to us that we had to bring in someone with the necessary know-how in order to implement this comprehensive catalogue of requirements, especially in the field of IT security. Looking for an expert, we came across Wolfgang Sidler of Sidler Information Security. His enormous knowledge in security questions matched perfectly with the forthcoming project. This way, we started to talk and eventually engaged him for the implementation of the project».

Cross GAP analysis from A to Z

In April 2012, Thomas Mosel and Wolfgang Sidler began an in-depth survey with a GAP analysis, in which the already existing information security was compared with the current requirement catalogue at hand.

More than just an information security concept

The Assurance Requirements of the Common Criteria are an important part of it. They define the minimum requirements for the development process, the documentation, the support during the product lifecycle, tests and vulnerability analysis that necessarily have to be observed, and the way in which the evaluator has to check these requirements. Based on the catalogue, it was then established which of these requirements already existed on an organizational level and which ones still had to be fulfilled, which points had to be complemented and in what way, or even needed to be newly developed, and finally how the final catalogue of measures would look. The information security concept derived by Wolfgang Sidler from the analysis he had worked out has been introduced in all areas of Landis+Gyr and is now applied on all levels, from software and hardware development through configuration management to production and quality assurance. It took around 12 months until this information security concept could be presented to the management for approval. Thomas Mosel explains: «We had the privilege not to work under enormous time pressure. We could take enough time both for the establishment of the GAP analysis and for the security concept that was to follow, in order to test each point in every detail and prepare ourselves intensively and very precisely for the BSI certification».

With the now released information security concept, Landis+Gyr has taken the first decisive step on the way to a secure intelligent metering system for power and gas according to the new legal provisions. In July 2013, it was able to register the first Smart Meter Gateway compliant with the Common Criteria and the Protection Profile (BSI-CC-PP-0073) at the Bundesamt für Sicherheit in der Informationstechnik (BSI) for certification. Current development is now being aligned with the requirements of the Common Criteria certification process. «A product certification is, apart from certain limitations, valid on an international level. This is why we have laid out the security concept internationally, to enable its use regardless of the country or place where it is going to be used», explains Mosel, adding: «The experience in the field of security that Wolfgang Sidler brought us from an international level was also very helpful to us in this matter».

Mosel specifically mentions the ISO 27001 certification project of Landis+Gyr in England, which was carried out simultaneously with the Common Criteria project and defines all security-relevant functions derived from the implementation and operation of an Information Security Management System (ISMS) within the company: «Both projects have profited from each other within the frame of their respective analyses and concept developments, with information flowing in both directions. Here, Wolfgang Sidler worked with internal departments in England, actively supported the security audit and was also present in his assessing role during the successful certification in England in July».

Security awareness for employees

Technical security measures need not only organizational decisions but also, and very especially, personal measures in order to be effective. On the basis of the established information security scheme, a complementary training concept related to the implementation of the security guidelines was put in place. On the initiative of Wolfgang Sidler, an awareness training for employees took place for the first time in June 2012. A further security training, based on the results obtained from the Common Criteria project and aimed at those employees engaged in the project, followed in 2013. «It wasn't only the very positive response among the employees that was useful; it also provided us with a constructive discussion and good feedback», according to Thomas Mosel. «Especially the review and the resulting proposals for improvements that were subsequently produced by Wolfgang Sidler on the basis of the training records were extremely helpful. The awareness training conforms with current standards today and we will be able to perform more of these trainings on our own, on demand and at any time».

The bottom line

The course for the future of intelligent metering systems has been set at Landis+Gyr. The final results of the project met the expectations and are in line to guarantee the security of the information, data protection and the safety of Smart Grids. It is now only waiting for its certification. Once it has been granted, the industry will soon be offered sustainable solutions.

Project Details

- Smart Meter Gateway Common Criteria EAL4+ Product Certification
- Performing an information security gap analysis based on the ISO 27001
- Elaborate special security concepts and policies for development, project management and production processes
- Conduct ISO 27001 audit in England and France in Smart Meter production plants
- ISMS Framework coaching based on ISO 27001 and ISO 27002

Project Category

www.sidler-security.ch
info@sidler-security.ch
Holzhäusernstrasse 5a, CH-6331 Hünenberg, Switzerland