IT Security Act 2.0 approved by the Bundesrat (Upper House)
On Friday, 07 May 2021, the Bundesrat finally approved the controversial IT Security Act 2.0. The Bundestag had already approved it at the end of April 2021. In this regard, Federal Minister of the Interior Horst Seehofer spoke of a “good day for cyber security in Germany”. He commented: “Digitalisation permeates all areas of life, and the pandemic has once again accelerated this process enormously. Our protection mechanisms & defence strategies must keep pace — this is what the IT Security Act 2.0 is for”. As early as November 2020, the discussion about the IT Security Act was reignited with a third draft bill. In terms of content, many aspects that were already the subject of the government draft from 2020 have been retained. However, they have been modified in detail. Thus, the continuing industry-wide criticism of the IT Security Act 2.0 seems hardly surprising.
Expanded powers for the BSI, inventory data disclosure and the so-called “Huawei clause”
A central aspect of the new IT Security Act is the expanded powers for the Federal Office for Information Security (BSI). The draft law brings improvements at least in the concretisation of the overriding protection goals and of the BSI's work geared towards them. In addition, the handling of vulnerabilities and security gaps is to become more transparent. The new law is intended to make the BSI a key player in the fight against botnets and the spread of malware. To this end, 799 new positions will be created.
Detection of security vulnerabilities
The BSI will be empowered to detect security vulnerabilities at the interfaces of IT systems to public telecommunications networks by means of port scans. In addition, it will be allowed to use honeypots and sinkholes to analyse malware and attack methods.
Storage and collection of inventory and log data
A particularly critical aspect in terms of data protection is that in future the BSI will be allowed to store and evaluate “log data” and personal user information (such as IP addresses) generated during online communication between citizens and federal administrative institutions for a period of 12 to 18 months. This also includes internal “logging data” from the authorities. Furthermore, the BSI may obtain inventory data from providers of telecommunications services. This is intended to protect those affected and to detect attacks, e.g. by Trojans such as Emotet.
The so-called “Huawei clause” — hurdle for the exclusion of equipment suppliers
Also part of the amendment is the so-called “Huawei clause”, which sets a fairly high hurdle for excluding individual equipment suppliers from network expansion, for example for 5G. The federal government is to be able to prohibit the use of “critical components” in the event of a “probable impairment of public safety and order”. To this end, there will be a certification obligation, and manufacturers will have to issue a guarantee declaration.
In this regard, the BSI has tweeted, by way of a “self-image”, that security vulnerabilities will be communicated transparently and remedied quickly, that consumers will be provided with even more neutral, up-to-date information on digital topics, and that critical infrastructures will be supported with close-meshed advice and supervision.
Strengthening consumer protection and more security for businesses
In addition, the new IT Security Act contains regulations to strengthen consumer protection and increase security for companies. To this end, consumer protection is included in the BSI’s catalogue of tasks. Furthermore, a uniform IT security label will in future make it clear to consumers which products already comply with certain IT security standards.
In order to increase corporate security, operators of critical infrastructures and, in future, other companies in the special public interest (e.g. arms manufacturers or companies of particularly great economic importance) must implement certain IT security measures and will be included in the trusted exchange of information with the BSI.
Draft of a second ordinance amending the BSI Criticality Ordinance (BSI-KritisV) published
The IT-SiG 2.0 not only refers to the BSI-KritisV, it also expands the existing obligations of KRITIS operators. It is therefore not surprising that on 26 April 2021 the Federal Ministry of the Interior published the draft of a second ordinance amending the BSI-KritisV as part of the consultation of associations, specialist groups and academia. Comments are to be submitted by 17 May 2021.
The draft contains considerable changes and adjustments to the content as well as new additions in the individual annexes that determine the categories of installations and the concrete threshold values, including in some cases the individual numerical assessment criteria. In addition, software and IT services that are necessary for the provision of a critical service are now also identified as installations within the meaning of the ordinance. Furthermore, trading in securities and derivatives is included as a new critical service.
Support from SRC experts
The SRC experts will be happy to exchange views with you on the innovations and their effects, and to support you in implementing the requirements of the IT-SiG 2.0 and the BSIG as well as in providing evidence within the scope of § 8a BSIG (“Critical Service Examination”).
Kick-off for the Digital Euro
After long and intensive discussions at the European level, the starting signal for the digital euro was given on 14 July 2021. First, core questions on the impact on financial stability and monetary policy as well as on the legal framework and a possible technical implementation will be clarified within the framework of a two-year study phase. The goal of the introduction of the digital euro is still to meet the “needs of the people in Europe” and to serve as a supplement to already established payment procedures.
A final decision on the design of the digital euro is then expected after the study phase in mid-2023.
“We will enter into a dialogue with the European Parliament and other European decision-makers and inform them regularly about our findings. Individuals, merchants and the payments sector will also be involved,” said Fabio Panetta (Member of the ECB Executive Board and Chair of the Digital Euro Task Force).
Results of the practical test
The preparatory basis for the landmark decision was the results of a practical test phase over nine months, which examined, among other things, technical aspects of distributed ledger technology (DLT for short), data protection, anti-money laundering and the use of existing systems (e.g. TARGET Instant Payment Settlement — TIPS for short). Energy aspects of possible architecture concepts were also investigated with the aim of limiting energy consumption to well below the current requirements of known cryptocurrencies, e.g. Bitcoin.
Focus on data protection
Besides the technical implementation, consumer protection and data protection are central aspects of the discussion about the digital euro. For consumers, digital central bank money represents a direct claim against the central bank, which under certain circumstances can be limited by a cap in the “wallet”. The digital euro's competition with cash becomes clear in the discussion about the anonymity of payments. It seems clear that — also with a view to combating money laundering — there will be no completely anonymous digital euro.
Assessment of the German Banking Industry
In a statement, the “Deutsche Kreditwirtschaft” (German Banking Industry) emphasises above all the digital euro's role in preserving the monetary sovereignty of the Eurozone. The digital euro is assessed as a forward-looking means of payment in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment solutions so that access to digital central bank money can be secured for end consumers. There is a consensus that digitalisation is changing payment transactions and that the ECB must carefully design the digital euro to ensure financial stability. In order to implement the envisaged activities, high investments are inevitable for both the institutions and the economy.
Will cryptocurrencies become more than speculative objects?
Established cryptocurrencies such as Bitcoin are gaining importance as speculative assets in asset management, but they currently play hardly any role in payment transactions. Nevertheless, the ongoing discussion about private cryptocurrencies, e.g. Diem from the Facebook universe, has certainly driven the discussion about the digital euro.
The SRC experts follow the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the possibilities to get involved in this innovative sector.
CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers
In a webinar at CASH-DIGITALWEEK 2021, our expert Dagmar Schoppe will explain how cryptocurrencies can create new market opportunities for banks and financial service providers. The date for the webinar is Thursday, 9 September 2021 at 11:00.
Banks and financial service providers traditionally have not only the technical competences to process trustworthy business transactions, but also the necessary expertise to implement regulatory requirements. This can be used well as an entry point into the market for services related to cryptocurrencies, because it is precisely the rapidly growing interest in cryptocurrencies that opens up growing opportunities for credit institutions to become active in this market and to serve customers here as well.
For this, it is necessary that the institutions increase their visibility in this new market segment. Only in this way can they then respond to enquiries from customers, traders as well as service providers. Corporate customers thus also have the opportunity, for example, to offer cryptocurrencies they have issued themselves or to optimally support their customers’ digital business processes using blockchain technology. With the support of banks and financial service providers, corporate clients can further advance the digitalisation of their business processes.
The SRC experts are following the exciting developments in the field of cryptocurrency for you. During the webinar “CASH.DIGITALWEEK 2021 // Webinar: Cryptocurrencies create market opportunities for banks and financial service providers”, Dagmar Schoppe, Head of Banking Compliance at SRC, will explain possible strategies and answer participants’ questions.
SRC provides expert opinion on e‑prescription for gematik
IT security plays a special role in the digitalisation of the healthcare system. In the context of the introduction of the electronic prescription (e‑prescription) for which gematik is responsible, the security of all components will be tested by independent experts approved by gematik.
The introduction of the e‑prescription and the e‑prescription app started on 1 July 2021. By then, data security for patients, doctors and pharmacists had to be ensured. In order to check the security of these applications in their daily work, gematik, with the approval of the Federal Office for Information Security, commissioned several expert opinions to test the applications. Some of these expert opinions were prepared by the experts of the SRC. The result: Nothing stands in the way of a controlled commissioning into production operation. The applications can be integrated into the telematics infrastructure (TI).
The prerequisite for the test phase that now follows was the security assessment, in which the SRC assessors were involved for two components. SRC employees have been approved as experts by gematik since 2014 and assessed the identity provider service of RISE as well as the specialist service e‑prescription of IBM. gematik published the summary of the expert reports prepared by the SRC experts on its website on 1 July 2021.
In the test phase that has just started, the e‑prescription is now being tested in everyday practice in the model region of Berlin-Brandenburg. Here, practical findings on the interaction of all components involved in the e‑prescription are to be collected first. The nationwide introduction of the e‑prescription is being prepared for the 4th quarter of 2021.
Every person with statutory health insurance can use their NFC-enabled electronic health card (eGK) with the corresponding PIN for the e‑prescription. The eGK is issued as standard by the statutory health insurance funds to their insured persons.
From 2022, the e‑prescription will be obligatory for all those insured by the statutory health insurers, but private health insurers have already made clear their interest in participating in the e‑prescription. For the time being, private health insurers can decide voluntarily whether to issue the eGK to their insured.
“The introduction of the e‑prescription and the associated app is undoubtedly a milestone for the digitalisation of the German health system. At SRC, we are a little proud to have contributed to securing this solution with our work,” says Randolf Skerka, Head of IS Management at SRC.
“This assessment was characterised by smooth and intensive coordination with the manufacturers RISE and IBM as well as gematik. Only in this way was it possible to ensure the high quality in the short time available,” says Dr. Jens Putzka on behalf of all colleagues involved at SRC.
Lancom 1900EF VPN Router receives first Accelerated Security Certification (BSZ)
The BSI has granted LANCOM Systems GmbH the first certificate according to the new BSI scheme “Accelerated Security Certification” (BSZ for short). In this pilot procedure, SRC evaluated the security features of the Lancom 1900EF VPN Router and finally recommended approval to the BSI.
LANCOM has already had the security of its solutions tested and confirmed or certified by SRC in many procedures using Common Criteria evaluations or penetration tests. With the pilot evaluation for the BSZ, the BSI, LANCOM and SRC have jointly set a further standard for the certification of IT security solutions, with the aim of achieving time-to-market certification.
The Accelerated Security Certification (BSZ) allows manufacturers to have their products evaluated and certified by the BSI within a specified period of time. The evaluation must be carried out by a test centre recognised by the BSI. With the BSZ, the total effort of the evaluation, in comparison to e.g. Common Criteria evaluations, is predetermined from the beginning (fixed time). This allows manufacturers to estimate the expected effort well.
When designing the attack scenarios, the BSZ gives the evaluators relatively large leeway. The resulting test catalogue must be presented to the BSI extensively and in detail. This design leeway demands an above-average degree of expertise, care and creativity from both the evaluation facility and each individual evaluator. The test catalogue and the final assessment in the test report draw on broad know-how in cryptography, penetration testing and protocol attacks. The manufacturer's implementation is evaluated by the test centre, and the responsible persons at SRC have to defend their assessment against the critical scrutiny of the BSI.
“Accelerated security certification will certainly play a major role, especially in the field of IOT devices,” says Gerd Cimiotti, Managing Director of SRC Security Research & Consulting GmbH. Like Lancom and the BSI, he expresses his thanks for the professionalism on all sides with which this pilot procedure was ultimately brought to a successful conclusion.
Ralf Koenzen, founder and managing director of LANCOM Systems GmbH, gives the manufacturer’s perspective: “When you do something for the first time, the effort is always greater. It is precisely then that you feel the experience and expertise of a partner like SRC as orientation and noticeable relief.”
As a long-standing partner of the BSI, SRC has already carried out a large number of projects in the most diverse approval schemes. SRC is currently in the process of being recognised as a test centre for accelerated security certification.
We would also be happy to accompany your accelerated security certification. If you have any questions about the BSZ, please do not hesitate to contact us.
AI security: The right measure for regulating AI
Precisely because of their enormous potential, their diverse areas of application and their ability to learn, artificial intelligence (AI) systems must be and remain safe and controllable at the same time. Here, it is important to find the right balance in regulation.
Voice assistants, translations at the push of a button, predictive maintenance or applicant management systems: despite its diverse areas of application, artificial intelligence (AI) is only at the beginning of its development, and many of its future areas of application are not even foreseeable yet. This opens up great opportunities for developers and manufacturers to achieve competitive advantages with improvements based on the use of artificial intelligence.
In addition to further coordination, a great deal of detailed work will now have to be done in the future; the corresponding norms and standards will have to be worked out or adapted and procedures for conformity assessment will have to be developed. In doing so, the organisational and technical effort for manufacturers should be kept within reasonable limits so as not to hinder the developments of AI systems. At the same time, it is also important to gain economic and social trust in this promising technology.
Under the German title “KI-Sicherheit: Das richtige Maß zur Regulierung von KI finden”, the magazine “it-daily” gave Randolf-Heiko Skerka, Division Manager IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.
If you are interested, we look forward to hearing from you.
IT security in the health sector: Regulation is necessary and overdue
Open interfaces, outdated technology and differing interests: IT security in the health sector is a complex topic, after all it concerns the needs and safety of patients. A major problem is the lack of regulation on the part of authorities such as the Federal Institute for Drugs and Medical Devices and the Federal Office for Information Security — currently there are only recommendations but no binding guidelines.
The Federal Office for Information Security (BSI), the Federal Institute for Drugs and Medical Devices (BfArM) and gematik are the competent authorities for the IT security of medical devices in Germany. It must be ensured that unauthorised persons cannot use the IT in medical devices and systems against the patient and that components and systems are only open to authorised persons. Companies specialising in IT security, such as SRC Security Research & Consulting GmbH from Bonn, can help here. Regulation is necessary to create security standards, although a sense of proportion is needed here, because over-regulation can also cause damage.
Under the title “IT Security in the Healthcare Sector: Regulation is necessary and overdue” (in German), the magazine “all about security” gave Randolf-Heiko Skerka, Head of IS Management at SRC Security Research & Consulting GmbH, the opportunity to comment comprehensively.
If you are interested, we would be pleased to hear from you.
BSI publishes CC certificates of connectors in the healthcare sector
Within the framework of the gematik telematics infrastructure, a connector coordinates and encrypts the communication between the client system, eGK, HBA/SMC and the central telematics infrastructure. It thus represents the link between these components on the decentralised service provider side and the central telematics infrastructure.
A connector fulfils security requirements that have been laid down in corresponding protection profiles.
The connector in product type version 3 comprises the following components:
SRC has successfully evaluated the network and application connector in product type version 3 of the company Research Industrial Systems Engineering (RISE) Forschungs-, Entwicklungs- und Großprojektberatung GmbH. The certificates BSI-DSZ-CC-1052-V3-2021 and BSI-DSZ-CC-1132-2021 have been published by the BSI.
In addition, SRC has successfully evaluated the network and application connector in product type version 3 of the company secunet Security Networks AG. The certificates BSI-DSZ-CC-1044-V3-2020 and BSI-DSZ-CC-1135-2020 have been published by the BSI.
For questions about Common Criteria or other evaluations, please contact us.
Certification of fiskaly Cloud Crypto Service Provider
Among other things, the Tax Code provides for a combination of technical and organisational measures to effectively prevent manipulation of digital basic records. At the core of these measures is a certified technical security device (TSE for short). The TSE is the central technical component for securing basic records against subsequent manipulation. The certification aims to ensure a uniform minimum level of trust and security in the TSE as well as compliance with the necessary interoperability requirements.
Cash register systems keep digital basic records in the above sense. Therefore, the Cash Register Security Ordinance of the Federal Ministry of Finance specifies requirements for the certification of TSEs, which the BSI has implemented accordingly. These include detailed requirements for the security module, the storage medium, the digital interface and the electronic storage, which have been published in the form of several technical guidelines and protection profiles.
The central security component of a TSE is a so-called Cryptographic Service Provider (CSP). This is the component that performs the cryptographic signature operations and securely manages essential components such as cryptographic keys and other parameters.
The BSI has certified fiskaly’s CSP Light based on the evaluation results of the SRC. This CSP Light is implemented as a cloud service to enable integration into networks.
In contrast, CSPs can also be created in the form of smart cards for stand-alone systems. Such products have also already been evaluated by SRC.
PCI DSS v4.0 release delayed
The publication of a new, fundamentally revised version of the payment transaction standard PCI DSS has been announced since 2019. We are eagerly awaiting the changes that the new version will bring.
After PCI DSS v4.0 had already undergone two RFC phases in 2019 and 2020, the PCI Security Standards Council has now decided to also initiate an RFC phase for supporting documents, in particular for
in June 2021. However, this will also delay the publication of PCI DSS v4.0.
Instead of the announced release period in Q2 2021, the target period for finalisation is now Q4 2021. The actual release date has not yet been specified.
We must therefore be patient a little longer before we can properly plan the migration. With the shift of the publication date, the planned transition periods from PCI DSS v3.2.1 to v4.0 have also been postponed. We are therefore also postponing our PCI DSS v4.0 webinars to 2022.