The German IT Security Certification Scheme – Joachim Weber (sesec.eu, PDF, 25 pages)


Page 1: The German IT Security Certification Scheme (sesec.eu, PDF)

The German IT Security Certification Scheme

Joachim Weber

Page 2

Joachim Weber | The German IT-Security Certification Scheme | 11.09.2017 | Page 2

The German IT Security Certification Scheme

1. The role of the BSI
2. The German IT Certificate Scheme
3. Certification procedures in detail
4. International recognition
5. Status in Germany

Page 3

1. The role of the BSI

- The organisation BSI
- The mission of the BSI
- A brief history of the BSI
- Role of the BSI – The branch D2

Page 4

BSI - Organisation

- Director: Arne Schönbohm
- Division B: Consulting for Government, the Private Sector and Society
- Division CK: Cyber Security and Critical Infrastructures
- Division D: Cyber Security for Digitisation, Certification and Standardisation
  - Branch D2: Certification and Standardisation
- Division KT: Cryptotechnology and IT Management for Increased Security Requirements

Page 5

The mission of the BSI

Prevention – Detection – Reaction

- Cyber Security
- Cryptographic innovations
- Security of classified information
- Secure identities
- Certification
- Awareness campaigns
- IT Security consultations & support of the Government

Information security in digitisation through prevention, detection and reaction for government, business and society.

[Organisation-chart residue on this slide: Division K, Crypto-Technology (Dr. Gerhard Schabüser); Section K2, Cryptographic Applications; Section K1, Security of classified IT]

Page 6

A brief history of the BSI

Milestones shown on the timeline (the transcript carries no dates):

- Founding of the BSI
- Law passed to set up the BSI (BSIG)
- National Communication Security and Certification Agency (NCSA)
- Central IT Security service provider of the German administration
- National plan for protection of the information infrastructure (NPSI)
- UP Bund and UP KRITIS
- Central Cyber Security Agency
- National Cyber Defence Authority (NCDA)
- Cyber Defence Centre (CAZ)
- Cyber Security Strategy for Germany
- Alliance for Cyber Security
- New general framework: amendment of the BSIG
- Founding of the CAZ
- IT Security Law (IT-SiG)

Page 7

Role of the BSI - The branch D2

- IT security requirements for IT security products, infrastructure and services
- Public and legal framework
- Certification
- Standardisation: security by design

Page 8

2. The German IT Certificate Scheme

- Certified products
- Partner in the certification scheme
- Reasons for a German certificate
- The certification scheme
- The brand-name BSI: High level of trust
- The German certificate worldwide
- The Common Criteria – The CCRA since 2014

Page 9

Certified products

Page 10

Partner in the certification scheme

Parties shown in the diagram:

- National certification centre
- Manufacturers
- Testing centres

Context: national IT security, international standardisation, "IT Security made in Germany", the economy

Page 11

Reasons for a German certificate

Economy
- Strengthening Germany as a place of IT security and privacy
- Support of German manufacturers in the international environment
- Impartial review of private testing centres for maximal benefit of the manufacturers

Politics
- Participation in developing international standards
- Expertise in designing appropriate security guidelines

Society
- Trust through the mandate and reputation of the BSI
- Stands for internationally recognised testing quality (SOGIS, CCRA, DAkkS)

Page 12

The certification scheme

Application of an interested party
→ Requirements: testing method (e.g. ISO 27001, Common Criteria/ISO 15408), technical guidelines, legal requirements (EnWG, SigG, ...)
→ Conformity test by a private qualified testing centre
→ Certificate issued by the BSI

The certification proves that a product fulfils the testing and legal requirements.

Page 13

The brand-name BSI: High level of trust

Person & service certificate
- Recognition and qualification of testing centres / persons
- Certifying of security services (e.g. ISO/IEC 17025)

Product certificate
- Common Criteria / Protection Profiles (PP), Technical Guidelines (TR)
- Security function / interoperability

System & service certificate
- ISO 27001 / IT-Baseline Protection certification – IT security

Page 14

Example: Huawei

- Certified by BSI: Huawei AR Series Service Router AR1220
- Currently under evaluation: Huawei OptiX OSN 1800 V V100R13C00
- More certifications are in preparation

Law (BSIG): the certificate is awarded if the product satisfies the necessary criteria (i.e. completes the evaluation successfully) and there is no public interest against issuing such a certificate.

Pictures © by Huawei

Page 15

The German certificate worldwide

International recognition (CCRA): up to EAL 2, or according to a collaborative Protection Profile (cPP). European recognition (SOG-IS MRA): up to EAL 4 and, in selected technical domains, up to EAL 7.

Page 16

The Common Criteria – The CCRA since 2014

Motivation: comparable evaluation results in a growing community

"Low Assurance Policy": no mutual recognition above EAL 2

"collaborative Protection Profiles" (cPP): collaborative development of Protection Profiles for COTS products (EAL 1-4)

Page 17

3. Certification procedures in detail

- The Common Criteria – Role allocation
- Principal responsibilities in the certification process

Page 18

The Common Criteria – Role allocation

Actors: BSI (Certification Body), ITSEF, Applicant (Developer)

Interactions shown in the diagram:
- Applicant ↔ Certification Body: application; guidance; certificate
- ITSEF ↔ Certification Body: evaluation reports and documentation; comments on evaluation reports; approval of evaluation results
- ITSEF ↔ Applicant: evaluation of product and documentation; site visits
- Applicant: security requirements

Page 19

Principal responsibilities in the certification process

- Developer: provides the ToE and documentation
- ITSEF (IT Security Evaluation Facility): evaluates the ToE and delivers the report
- Certification Body: central institution; ensures a uniform approach; ensures comparable evaluation results

Page 20

4. Status in Germany

- BSI: Status in Germany
- European perspective
- German regulation for digitisation of the national energy network

Page 21

BSI: Status in Germany

- Germany: the BSI has been the independent national certification body for IT security for more than 20 years
- Technical standards and certification are instruments of governmental regulation in the area of critical infrastructure protection, for example:
  - eHealth
  - energy grids
  - eID documents
  - telematics in transportation
  - payment transactions
- The BSI supports governmental law initiatives with tailored technical standards and certification processes, on both the European and the national level
- More than 100 certificates are issued per year (about 75% at a high assurance level)
- 9 national evaluation labs

Page 22

European perspective

- The European Digital Single Market propagates the concept of common regulation structures to foster common European values
- The IT industry has a strong, market-driven interest in European IT security certificates, seeking competitive advantages on the world markets
- European and international IT security standardisation and cooperation (SOG-IS MRA and CCRA)

Page 23

Example: Digitisation and energy transition

- Digitisation and integration of 1.5 million decentralised renewable energy installations creates high complexity
- An intelligent network is needed to link energy generation, storage and consumption
- Challenge: threats increase, infrastructures become more complex, the amount of data multiplies

→ We need trustworthy products and systems in the energy network and a secure communication infrastructure

[Diagram residue: flows of electricity, of measured data and status information, and of control signals]

Page 24

German Regulation for Digitisation of the national energy network

Digitisation of the Energy Transition Act (September 2nd, 2016)
- based on the EU Directives on Electricity, Gas and Energy Efficiency
- sets the legal and technical basis for an intelligent energy network in Germany

Article 1: Metering Point Operating Act
- deals with the installation and operation of smart metering systems
- ensures a high level of data protection, IT security and interoperability
- uses Protection Profiles and Technical Guidelines to achieve security and conformity/compatibility of IT components
- enables the development of further fields of application (e.g. smart grid, e-mobility)

Current status of the roll-out in Germany
- 900 DSOs (distribution system operators), 42 million metering points
- 8 Smart-Meter-Gateways from manufacturers in evaluation/certification by the BSI; field tests and pilots are running

Size of the market (minimum)
- consumers > 6,000 kWh and generating plants > 7 kW ≈ 5.6 million gateways (800 million € per year)

[Diagram residue: Smart-Meter-Gateway, with the goals privacy, IT security, future-proof, fast roll-out]

Page 25

Thank you for your attention!

Contact

Joachim Weber
Head of Branch D2: Certification and Standardisation
[email protected]
Tel. +49 (0) 228 99 9582-0
Fax +49 (0) 228 99 10 9582-5400

Bundesamt für Sicherheit in der Informationstechnik
Postfach 200363
53133 Bonn
www.bsi.bund.de/EN/