
Bernd Kowalski, Federal Office for Information Security (BSI)

Mindshare 2015, June 25th 2015

The Importance of Certification in Regulation

Bernd Kowalski Slide 2

Growing Importance of IT Security Certification

■ Economy and society depend on the availability and integrity of IT systems
■ Lack of privacy and trust in mainstream products
■ Public and national security are affected
■ Governments are under pressure to set guidelines for appropriate technical standards and for third-party evaluation and certification

Bernd Kowalski Slide 3

Who is setting the Standards?

[Diagram: the Internet connecting the Federal Government, Manufacturers, Service Providers, Business Clients (private / public) and Citizens]

Bernd Kowalski Slide 4

Emerging Challenges, Digital Agenda

Digitalization, automation and interconnectedness in all aspects of life:

■ Smart Grid, Smart Metering (KRITIS, critical infrastructures)
■ Smart Home, Smart Services
■ Industry 4.0 / Remote Maintenance
■ eMobility / car2car / car2x
■ eHealth / eGovernment
■ Cloud Computing
■ eID / ePayment
■ eCommerce
■ Big Data

Availability, Trust, Transparency

Bernd Kowalski Slide 5

BSI Certificates – Government Value

■ Quality and trust "Made in Germany"
■ BSI is a leader in international certification
■ Competitive advantage for manufacturers
■ Recognition under all relevant certification agreements (SOGIS-MRA, CCRA)
■ Contribution to public security and technological sovereignty
■ Protection of constitutional rights: Art. 1 in conjunction with Art. 2 para. 1 GG, Art. 10 GG (citizens)

Bernd Kowalski Slide 6

BSI Certificates – Industry Value

■ Manufacturers apply on their own initiative
■ Informal consulting prior to the certification process
■ Authentic product improvements: certification contributes to product development, early identification of basic flaws, realizing the potential for improvement
■ Processes based on industry standards: recognized high level of quality (ISO 9001, DAkkS accreditation), IT security according to the most recent state of technology
■ Receipt of an official certificate: the certificates' reputation increases the market value of the industry's products

Bernd Kowalski Slide 7

BSI Certificates – Contribution from Evaluation Labs

■ Knowledge transfer and innovation support
■ Engage in international standardization: establish German standards in international markets, strengthen the global competitiveness of German companies
■ Build on Germany's reputation for IT security and data protection
■ Manufacturers receive consulting based on the most recent knowledge
■ Private testing centers provide optimal service for manufacturers

Bernd Kowalski Slide 8

BSI Certification Services

■ Certification of systems: IT security according to ISO 27001 on the basis of IT-Grundschutz (IT-GS)
■ Certification of products: Common Criteria; Technical Guidelines (IT security conformity)
■ Recognition and certification of evaluation labs, evaluators, services and service providers (e.g. ISO/IEC 17025)

Bernd Kowalski Slide 9

BSI Certification Services

Product Certificates on the basis of Common Criteria / Protection Profiles (PP)

■ Smartcard hardware & software
■ Digital Tachograph components
■ Operating systems, firewalls, signature applications
■ Biometric verification systems
■ eID and electronic passport
■ Smart Meter Gateway

Product Certificates according to Technical Guidelines
■ Conformity and compatibility of IT security components

Certificates for IT infrastructures according to ISO 27001 on the basis of IT-Grundschutz

The BSI CC scheme has been approved under the European Accreditation System

Bernd Kowalski Slide 10

Certified Products – Market-driven Examples

■ Commercial database and application systems (e.g. Oracle, IBM, Microsoft, SAP, Red Hat) and server operating systems (e.g. z/OS, SUSE, Red Hat, AIX)
■ Secure hardware elements (e.g. Trusted Platform Module)
■ Smart card readers
■ Highly resistant firewalls (e.g. genugate)
■ Network storage (e.g. Dell EqualLogic PS Series Storage Array)

Bernd Kowalski Slide 11

Certified Products – Regulated Examples

■ Electronic Identification (ePass, nPA, eAT: the German electronic passport, national identity card and electronic residence permit)
■ Smart Grid (Smart Meter Gateway incl. Security Module)
■ Health sector: smart cards, readers and applications
■ Digital Tachograph

Bernd Kowalski Slide 12

Technical Guidelines and Protection Profiles – Use Case: Smart Metering – German Approach

[Diagram: Legislative Authority → National Laws (German Energy Act, etc.) → Federal Office for Information Security → Technical Guidelines (TR), Protection Profiles (PP) → Certification, Type Approval → Certified Products]

Bernd Kowalski Slide 13

Technical Guidelines and Protection Profiles – Use Case: Smart Metering – German Approach

Common Criteria
■ Protection Profile for the Gateway
■ Protection Profile for the Security Module

Technical Guideline
■ Define the minimum functionality of the system
■ Define requirements for interoperability
■ Specify requirements on cryptography and PKI

Calibration
■ The gateway becomes relevant in calibration
■ Requirements on meters are to be avoided

Bernd Kowalski Slide 14

Technical Guidelines and Protection Profiles – Use Case: Smart Metering – German Approach

The Smart Meter Gateway (SMGW) separates three networks:

■ Home Area Network (HAN): authorized clients (consumers, service technicians) / Controllable Local Systems (CLS)
■ Wide Area Network (WAN): authorized clients (energy and service providers, SMGW Admin)
■ Local Metrological Network (LMN): registered meters

Bernd Kowalski Slide 15

Mutual Recognition - CCRA

[Map of CCRA members, distinguishing recognizing and issuing nations from nations that only recognize certificates; see www.commoncriteriaportal.org]

Nations shown: Australia and New Zealand, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Pakistan, Singapore, South Korea, Spain, Sweden, Turkey, UK, US

Bernd Kowalski Slide 16

Mutual Recognition - SOGIS-MRA

[Map of SOGIS-MRA participating nations; labels not recoverable apart from UK]

Bernd Kowalski Slide 17

Comparison of Certification Policies CCRA / SOGIS-MRA

New CCRA Agreement and Policy (Low Assurance Policy)
■ No further mutual recognition beyond EAL 2 or collaborative Protection Profiles (cPPs)
■ Motivation: comparable evaluation results in a growing community of certification bodies (CBs)
■ Development of collaborative PPs (cPPs) for COTS products, starting at EAL 1-2 and potentially reaching EAL 4 at most
■ Certification of COTS products

SOGIS-MRA Policy (European High Assurance Policy)
■ Keep the European high assurance policy up to EAL 7
■ Keep backward compatibility with the new CCRA on the common standard ISO/IEC 15408
■ Motivation: long-term experience with high assurance PPs and evaluations
■ The EAL must be tied to the threats; black-box evaluation is not appropriate
■ Serving national and European regulation for critical infrastructures

Bernd Kowalski Slide 18

Certification Policy - CCRA and SOGIS

■ Government involvement: national and European regulations for critical infrastructures require an increasing number of PPs to preserve
■ Certification policy beyond SOGIS-MRA (CCRA and others): associated partnerships with selected partners (e.g. Japan)
■ Combined procedures for low- and high-level certificates per product
■ Secure elements are a key technology for cloud and mobile services
■ Defend high assurance standards in the TTIP negotiations

Bernd Kowalski Slide 19

Summary

■ Trustworthiness, security and privacy rely on third-party evaluation
■ Need for Protection Profiles for evaluation
■ Application of the international Common Criteria standard (CCRA)
■ Continue the SOGIS-MRA high assurance certification policy
■ Challenges with regard to public security and critical infrastructures require government involvement in certification policies and standards
■ European high assurance standards must not be invalidated through TTIP
■ Secure Elements are the core technology for trustworthy IT systems
■ Keep national and European influence on IT security standards

Bernd Kowalski Slide 20

Contact

Federal Office for Information Security (BSI)
Bernd Kowalski
Godesberger Allee 185-189
53175 Bonn
Germany

[email protected]