TRANSCRIPT
Bernd Kowalski
Federal Office for Information Security
Mindshare 2015, June 25th 2015
The Importance of Certification in Regulation
Bernd Kowalski Slide 2
Growing Importance of IT Security Certification
■ Economy & society depend on availability and integrity of IT systems
■ Lack of privacy and trust in mainstream products
■ Public and national security affected
■ Governments under pressure to set guidelines for appropriate technical standards and third-party evaluation and certification
Bernd Kowalski Slide 3
Who is setting the Standards?
(Diagram: Federal Government, Manufacturers, Service Providers, Business Clients (Private / Public), Citizens, Internet)
Bernd Kowalski Slide 4
Emerging Challenges, Digital Agenda
Digitalization, automation, interconnectedness in all aspects of life:
■ Smart Grid, Smart Metering (KRITIS)
■ Smart Home, Smart Services
■ Industry 4.0 / Remote Maintenance
■ eMobility / car2car / car2x
■ eHealth / eGovernment
■ Cloud Computing
■ eID / ePayment
■ eCommerce
■ Big Data
Availability, Trust, Transparency
Bernd Kowalski Slide 5
BSI Certificates – Government Value
Quality and Trust „Made in Germany“
■ BSI is a leader in international certification
■ Competitive advantage for manufacturers
■ Recognition through all relevant certification agreements (SOGIS-MRA, CCRA)
■ Contribution to public security and technological sovereignty
■ Protection of constitutional rights: Art. 1 in conjunction with Art. 2 para. 1 GG, Art. 10 GG (Citizens)
Bernd Kowalski Slide 6
BSI Certificates – Industry Value
■ Manufacturers apply on their own initiative
■ Informal consulting prior to the certification process
■ Authentic product improvements
  - Certification contributes to product development
  - Early identification of basic flaws
  - Realize potential for improvements
■ Processes based on industry standards
  - Recognized high level of quality (ISO 9001, DAkkS accreditation)
  - IT security according to most recent technology
■ Receipt of an official certificate
  - The certificates' reputation increases the market value of the industry's products
Bernd Kowalski Slide 7
BSI Certificates – Contribution from Evaluation Labs
■ Knowledge transfer and innovation support
■ Engage in international standardization
  - Establish German standards in international markets
  - Strengthen global competitiveness of German companies
  - Build on Germany's reputation for IT security and data protection
■ Manufacturers receive consulting based on most recent knowledge
■ Private testing centers providing optimal service for manufacturers
Bernd Kowalski Slide 8
BSI Certification Services
■ Certification of systems: ISO 27001 / IT-Grundschutz (IT security)
■ Certification of products: Common Criteria (IT security), Technical Guidelines (conformity)
■ Recognition and certification of evaluation labs, evaluators, services and service providers, e.g. ISO/IEC 17025
Bernd Kowalski Slide 9
BSI Certification Services
Product Certificates on the basis of Common Criteria/PP
■ Smartcard hardware & software
■ Digital Tachograph components
■ Operating systems, firewalls, signature applications
■ Biometric verification systems
■ eID and electronic passport
■ Smart Meter Gateway
Product Certificates acc. to Technical Guidelines
■ Conformity and compatibility of IT security components
Certificates for IT infrastructures acc. to ISO 27001 on the basis of IT-Grundschutz
BSI-CC-Scheme has been approved under the European Accreditation System
Bernd Kowalski Slide 10
Certified Products – Market-driven Examples
■ Commercial database and application systems (e.g. Oracle, IBM, Microsoft, SAP, Red Hat) and server operating systems (e.g. z/OS, SUSE, Red Hat, AIX)
■ Secure hardware elements (e.g. Trusted Platform Module)
■ Smart card readers
■ Highly resistant firewalls (e.g. genugate)
■ Network storage (e.g. Dell EqualLogic PS Series Storage Array)
Bernd Kowalski Slide 11
Certified Products – Regulated Examples
■ Electronic Identification (ePass, nPA, eAT)
■ Smart Grid (Smart Meter Gateway incl. Security Module)
■ Health Sector: smart cards, readers and applications
■ Digital Tachograph
Bernd Kowalski Slide 12
Technical Guidelines and Protection Profiles
Use Case: Smart Metering – German Approach
(Diagram: Legislative Authority; National Laws (German Energy Act, etc.); Federal Office for Information Security; Technical Guidelines (TR), Protection Profiles (PP); Certification, Type Approval; Certified Products)
Bernd Kowalski Slide 13
Technical Guidelines and Protection Profiles
Use Case: Smart Metering – German Approach
Common Criteria
■ Protection Profile for the Gateway
■ Protection Profile for the Security Module
Technical Guideline
■ Define minimum functionality of the system
■ Define requirements for interoperability
■ Specify requirements on cryptography and PKI
Calibration
■ Gateway becomes relevant in calibration
■ Requirements on meters to be avoided
Bernd Kowalski Slide 14
Technical Guidelines and Protection Profiles
Use Case: Smart Metering – German Approach
■ Home Area Network (HAN): Authorized clients (consumers, service technicians) / Controllable Local Systems (CLS)
■ Wide Area Network (WAN): Authorized clients (energy and service providers, SMGW Admin)
■ Local Metrological Network (LMN): Registered meters
Bernd Kowalski Slide 15
Mutual Recognition - CCRA
(Map: recognizing and issuing nations vs. recognizing nations)
Nations shown: Australia and New Zealand, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Pakistan, Singapore, South Korea, Spain, Sweden, Turkey, UK, US
www.commoncriteriaportal.org
Bernd Kowalski Slide 17
Comparison of Certification Policies CCRA / SOGIS-MRA
CCRA – Certification of COTS products
■ New CCRA Agreement and Policy: no further mutual recognition beyond EAL Level 2 or collaborative Protection Profiles (Low Assurance Policy)
■ Motivation: comparable evaluation results in a growing CB (certification body) community
■ Development of "collaborative" cPPs for COTS products starting at EAL Level 1-2 and potentially reaching EAL 4 at most
SOGIS-MRA – Serving national & European regulation for critical infrastructures
■ SOGIS-MRA Policy: keep European High Assurance Policy up to EAL Level 7
■ Keep backward compatibility with the new CCRA on the common standard ISO 15408
■ Motivation: long-term experience with high assurance PPs and evaluations
■ EAL must be tied to the threats; black-box evaluation not appropriate
Bernd Kowalski Slide 18
Certification Policy - CCRA and SOGIS
■ Government involvement: National & European regulations for critical infrastructures require an increasing number of PPs to preserve
■ Certification policy beyond SOGIS-MRA (CCRA and others): associated partnerships with selected partners (e.g. Japan)
■ Combined procedures for low and high level certificates per product
■ Secure elements are key technology for cloud and mobile services
■ Defend high assurance standards in TTIP negotiations
Bernd Kowalski Slide 19
Summary
■ Trustworthiness, Security & Privacy rely on third-party evaluation
■ Need for Protection Profiles for evaluation
■ Application of the international Common Criteria standard (CCRA)
■ Continue SOGIS-MRA High Assurance Certification Policy
■ Challenges with regard to public security and critical infrastructures require government involvement in certification policies and standards
■ European High Assurance standards shall not become invalid through TTIP
■ Secure Elements are the core technology for trustworthy IT systems
■ Keep national & European influence on IT security standards
Bernd Kowalski Slide 20
Contact
Federal Office for Information Security (BSI)
Bernd Kowalski
Godesberger Allee 185-189
53175 Bonn
Germany