PCI DSS v4.0 release delayed
The publication of a new, fundamentally revised version of the payment transaction standard PCI DSS has been announced since 2019. We are eagerly awaiting the changes that the new version will bring.
After PCI DSS v4.0 had already undergone two RFC phases in 2019 and 2020, the PCI Security Standards Council has now decided to also initiate an RFC phase for supporting documents, in particular for
in June 2021. However, this will also delay the publication of PCI DSS v4.0.
Instead of the announced release period in Q2 2021, the aimed period of finalization is now Q4 2021. The actual release date has not yet been specified.
We must therefore be patient a little longer before we can properly plan the migration. With the shift of the publication date, the planned transition periods from PCI DSS v3.2.1 to v4.0 have also been postponed. We are therefore also postponing our PCI DSS v4.0 webinars to 2022.
How cryptocurrencies create new market opportunities for banks and financial services providers
“The importance of cryptocurrencies is growing ever faster. Banks can use their expertise in implementing regulatory issues to gain a good starting position in the market for cryptocurrency services such as key custody. Through their existing competences in dealing with cryptographic procedures, e.g. in authorisation, online banking or PIN protection, banks already bring along a large part of the technical prerequisites for entering this business field.” SRC expert Dagmar Schoppe explains the opportunities for banks and financial service providers with regard to the development of cryptocurrencies in an article just published on the specialist platform “it-daily.net”.
Are there dependencies on the digital euro?
The increasing interest in cryptocurrencies — in addition to the rapid rise in the euro value of a bitcoin observed in recent days — should also be seen in connection with the discussion about the introduction of a digital euro. The digital euro — according to the perception in the German banking industry (DK) — is assessed as a forward-looking means of payment in a digital economy that coherently complements the existing and proven systems and structures. In this context, the greatest possible synergies should be sought with existing payment transaction solutions so that access to digital central bank money can be secured for end consumers.
New opportunities in the digitalisation of business processes
Institutions face the challenge of increasing their visibility in this new market segment in order to then be able to respond to requests from customers, retailers as well as service providers. In the medium term, the generally growing interest in cryptocurrencies can also result in opportunities for institutions that, for example, offer their corporate customers self-issued cryptocurrencies to support them in the digitalisation of their business processes.
The SRC experts follow the exciting developments in the field of cryptocurrency and the digital euro for you and support you in the realisation of your crypto custody service. We will be happy to inform you about the opportunities to get involved in this innovative sector.
Operational Resilience — Cyber resilience requirements for institutions
Current key topics: Operational Resilience and Cybersecurity
Attacks on the financial system can have serious consequences — not only for the affected company, but also for the entire public. Experts at the Bundesbank and security experts at BaFin and the ECB also cite cyber attacks and a lack of resilience to such attacks as the greatest threat posed by increasing digitization in the financial sector. This is one of the reasons why more legal and regulatory frameworks are being created in order to establish uniform standards across the entire financial sector and increase “operational resilience”.
For both the ECB and BaFin, the focus in 2020 was on “operational resilience” and “cybersecurity”. In addition, the TIBER-EU program was launched at European level, which the Bundesbank implemented as TIBER-DE in September 2020. Alongside this, the EU published its requirements for operational resilience and cybersecurity in October 2020 as part of the Digital Finance Package in the form of DORA (Digital Operational Resilience Act).
The question for those responsible is how these various activities interact and — even more relevant — how efficiently they contribute to the achievement of the objectives.
Revision of MaRisk and BAIT — Operational IT Security
Domestically, BaFin published its approaches to addressing operational IT risks in October with the amendment of MaRisk and BAIT. The importance of the topic is evident in the expansion of the BAIT requirements in the form of a new chapter. Implementing the specific requirements formulated there is likely to pose major challenges for smaller and medium-sized institutions, as they are aimed at operating a security information and event management system (SIEM), setting up and operating a security operations center (SOC), and carrying out regular internal deviation analyses, vulnerability scans, penetration tests and the simulation of attacks (“red teaming”). In practical terms, this requires the establishment of a professional cyber security department as well as independent internal information security structures. This will pose major challenges for the institutions concerned, if only because of the required expertise and the limited resources on the labor market. Emergency management — also in a separate new chapter of the BAIT — is addressed as a further focal point.
The TIBER Program of the ECB and the Bundesbank
Back in 2018, the central banks of the European System of Central Banks launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) program. TIBER-EU serves as a framework for threat-led penetration testing that financial institutions can use to put their own resilience to cyberattacks to the test. The goal here is to create a “gold standard” of penetration testing. The clear reluctance to participate in TIBER-DE can be explained on the one hand by the complex scope of the project and the significant risks, and on the other hand by the “voluntary nature” of participation. Of course, especially in 2020, many internal resources are tied up elsewhere, not least due to the Covid pandemic. The question arises as to whether the institutions subjectively perceive the risk of a cyber attack as critical.
Digital Operational Resilience Act (DORA) of the EU
With the publication of the Digital Finance Package, the EU regulatory framework on digital operational resilience contains a comprehensive legislative proposal for the Europe-wide prevention and reduction of cyber risks. Up to now, national regulations for operational resilience have been in place, but they do not do justice to the cross-border and global use of IT systems and are therefore not very effective. Moreover, this fragmentation also carries the risk of inconsistencies and is also associated with additional high expenses for institutions operating across Europe.
It is therefore highly desirable to strive for uniform regulations with DORA, in particular for risk management, testing, outsourcing, and emergency and incident management. In addition to improving and optimizing the resilience of the IT systems used, a significant reduction in administrative effort for the institutions will certainly also be achieved.
Increasing Cyber Resilience together
The SRC experts will gladly discuss the new developments and their impact on the legal and regulatory level with you. Together we analyze your need for action and support you in the implementation. We evaluate the amendment of MaRisk and BAIT for your institution, support you in the preparation, execution and analysis of TIBER tests and analyze the planned requirements of DORA. You can draw on our experience from countless penetration tests, banking compliance and information security management projects.
Cryptocurrencies — When and how will the Digital Euro emerge?
The European Central Bank’s (ECB) public consultation on the Digital Euro concluded on January 12, 2021. Based on the statements received, a fundamental decision on the continuation of this major project is expected in the summer of 2021. In this context, the developments of the private sector cryptocurrencies Bitcoin and Diem (formerly Libra) are also considered. Other central banks’ activities, e.g. in Sweden regarding the “E‑Krona” as well as in China, will certainly have an impact in this regard as well.
Statement of the German Banking Industry Committee
In its statement on the Digital Euro, the German Banking Industry Committee expressed its support for the ECB’s activities and pledged its assistance with the design and project planning.
Predominantly positive tenor
The tenor of the German Banking Industry Committee statement is mostly positive. The Digital Euro is considered to be a pioneering payment method in a digital economy, which coherently complements the existing and proven systems and structures. The aim should be to achieve the greatest possible synergies with existing payment transaction solutions in order to ensure access to digital central bank money for end consumers. There is consensus that digitization is changing payment transactions and that the ECB needs to carefully design the Digital Euro to ensure financial stability. To implement the targeted activities, high investments are inevitable for both institutions and the economy. But the use of modern tokenization solutions, e.g. through Distributed Ledger Technology (DLT), enables the implementation of innovative payment solutions. In this context, the use of smart contracts and micropayments, services such as “Blockchain as a Service”, “Smart Contracts as a Service” or payment offers in the Internet-of-Things (IoT) are conceivable.
Need for clarification
It is considered critical that the proven two-tier banking system with central bank and commercial banks could be called into question. According to the German Banking Industry Committee, this constellation is essential for money market stability, the supply of loans to companies and private individuals, and the acceptance of and trust in the payment methods issued. The established banking system is seen as a crucial component for ongoing economic growth.
Another open question is to what extent a Digital Euro is to be regarded as a crypto-asset in the sense of MiCA (Proposal for a regulation on Markets in Crypto-assets) and what implications this might have. The German Banking Industry Committee has also issued a statement on the ECB’s proposed regulation.
There is a need for further clarification with regard to some regulatory issues. In this context, the German Banking Industry Committee proposes an orientation towards existing standards. All parties involved should at least comply with the requirements of
From the German Banking Industry Committee’s point of view, legal certainty, uniform specifications for a token-based fiat money and an appropriate regulatory standard are the basic prerequisites for consumer acceptance and trust in the Digital Euro.
Courses of action for payment institutions
The discussion on the Digital Euro has to be seen in the context of the general increase in the importance of cryptocurrencies. Many companies have long since recognized that Distributed Ledger Technology can help to efficiently digitize complex supply relationships. It is therefore a logical consequence that there is also growing interest in using this new technology to process payments as well. In the future, it will certainly not only be central bank-issued cryptocurrencies that will be used. For payment institutions, the generally growing interest in cryptocurrencies increasingly results in the need to offer their own customers storage of and trading in cryptocurrencies. In addition, opportunities may also arise for institutions that offer their corporate customers self-issued cryptocurrencies to support them in the digitalization of their business processes.
The SRC experts will keep an eye on the exciting developments in the field of cryptocurrency and the Digital Euro for you and support you in the realization of your crypto storage service. We will gladly inform you about the options to get involved in this innovative sector.
BSI publishes study results on the security of medical products and care products
The thought of unsafe medical or care products is disconcerting. Especially in a sensitive area such as the health care sector, the affected person trusts in the best possible help. But with the advancing digitalisation in the healthcare sector in particular, vulnerabilities are increasingly appearing in networked medical, IoT and elderly care products. If such vulnerabilities are discovered or even exploited, this often poses a major problem for users and manufacturers of these products.
The Federal Office for Information Security (BSI) therefore initiated the projects “ManiMed — Manipulation of Medical Devices” and “eCare — Digitisation in Care” in order to be able to assess the IT security of selected products.
The studies now published by the BSI enable manufacturers to improve the IT security features of their products. In addition, users of medical devices are informed about which IT security features could be critical. Improved IT security features strengthen the confidence of patients and doctors in the security of networked medical devices.
SRC played a major role in the preparation of the eCare study. The study focused on networked products (both medical and IoT products) that are used in the field of care for the elderly or sick. These include, for example, devices for measuring vital data or a tablet for senior citizens. A total of six products from different categories were examined from an IT security perspective. The results of the study can be found on the BSI website for download.
In summary, the IT security level of the products examined can be rated as poor to very poor. The results lead us to believe that none of the products examined, including their interfaces, apps, etc., have been subjected to a professional security evaluation, an independent penetration test or similar.
IT Security Act 2.0 passed by the cabinet
In the end, draft followed draft — and then it happened very quickly. Last Wednesday, 16 December 2020, the cabinet passed the IT Security Act 2.0. Federal Minister of the Interior Horst Seehofer calls it a “breakthrough for Germany’s security”. Industry associations as well as the UP KRITIS sharply criticise the way the experts there were involved, both with regard to the content and to the very short comment period of only a few working days for draft nos. 3 and 4. This does not reflect the importance of the planned amendments to the law.
Start of discussion in November
Surprisingly, the discussion on the IT Security Act was reignited in November with a third draft bill. After a long standstill, the discussion about critical infrastructures, their operators and the role of the BSI got moving again. The comments of the technical experts, which were aimed at improving the content of essential points as well as clarifying open questions, e.g. the partly disproportionate level of sanctions, transition periods, the certification and notification of the use of so-called critical components or also the inclusion of new sectors such as waste management.
More powers for the BSI
It is clear that the BSI’s powers will be greatly expanded. This can be seen not only in the number of newly created posts, but also in the effort to create a cyber intervention force as quickly as possible.
Evaluation of the IT-SIG 1.0
Furthermore, the legally stipulated evaluation of the IT-SIG 1.0 according to Article 10 is still pending. Likewise, according to Article 9 of the BSI Critical Infrastructure Ordinance (BSI-KritisV), the ordinance itself — and thus in particular the threshold values above which an operator is considered a critical infrastructure — must be evaluated every two years.
Changes in content
In the view of the SRC experts, the following points are the main changes in the new IT-SIG:
Regulations on IT security of companies in the special public interest: self-declaration forms provided by the BSI are no longer binding; with the submission of the self-declaration comes an obligation to register with the BSI.
In addition, conceptual adjustments and concretisations were made throughout the entire bill. On 16 December 2020, the Federal Cabinet adopted the draft for the IT Security Act 2.0. The cabinet version is available for download.
Further regulation on IT security
The draft bill on the Telecommunications Modernisation Act (Act on the Implementation of Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 on the European Electronic Communications Code (recast) and on the Modernisation of Telecommunications Law), which was also presented on 09.12.2020, also contains provisions on IT security.
The SRC experts will be happy to exchange views with you on the innovations as well as their effects and support you in implementing the requirements from IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-Prüfung”).
gi-Geldinstitute reports on EPEC and the change in payment traffic in Europe
gi-Geldinstitute, the trade journal for IT, organisation and communication in credit institutions, reports on EPEC, the European Payment Expert Consortium for payment transactions, and its consulting services.
With a view to developments and standards in Europe’s payment traffic, three European experts for the standardisation of payments have founded the European Payment Expert Consortium (EPEC). Besides the German SRC Security Research & Consulting GmbH, these are the French companies ELITT and FrenchSys. SRC reported on this in the article “Frenchsys, Elitt and SRC found the EPayStandards Consortium”.
The EPEC consortium combines the know-how of three European experts acquired in various standardisation bodies. EPEC offers consulting services for European payment service providers. Both the harmonised European standards and local specifics are taken into account. The offer covers, among other things, the use of payment standards, implementation guidelines, as well as functional and security specifications for pan-European solutions for card, mobile and internet payments.
gi-Geldinstitute reports on EPEC under the title “Der Zahlungsverkehr befindet sich im Wandel” (“Payment transactions are changing”). The article describes the environment and the upcoming challenges for EPEC.
Is the IT security law 2.0 on its way?
After a longer standstill, the discussion about the IT Security Law (IT-SIG 2.0) is now beginning again. Recently, a 3rd draft of the bill was published by the Federal Ministry of the Interior, Building and Community (BMI).
Current status of the amendment
The amendment of the IT-SiG has been under way since April 2019, presumably delayed by the legal requirements for the use of technical products from third countries by operators of critical infrastructures. The third draft bill is now ready to be voted on by the various departments. Adoption before the end of the first quarter of next year no longer seems unrealistic.
What are the main focuses of the draft law?
The new draft bill focuses on the threats to cyber security. In addition, the powers of the BSI will also be expanded and new areas of responsibility will be created, e.g. as a national cyber security certification authority with the implementation of active detection measures.
The new draft also includes the notification of critical components in § 2 section 13:
“The use of a critical component (…) is to be indicated by the operator of a critical infrastructure to the Federal Ministry of the Interior, Building and Community before installation. In the announcement, the critical component and the kind of its employment are to be indicated.”
Critical components are especially those IT products that are used in KRITIS and are of high importance for the functioning of the community. For telecommunications network operators or telecommunications service providers, these components are defined in more detail in the catalog pursuant to § 109 (6) TKG; all others are specified in a corresponding BSI catalog.
Only critical components may be used whose manufacturers have issued a declaration of their trustworthiness to the operator of the critical infrastructure (guarantee declaration). The BMI determines the minimum requirements for the guarantee declaration, taking into account superior public interests, in particular security policy concerns. The guarantee declaration must state whether and how the manufacturer can adequately ensure that the critical component does not have any technical properties that could have an abusive effect on the security, integrity, availability or operability of the critical infrastructure (such as sabotage, espionage or terrorism).
Here a new duty of disclosure arises for the operators of the components. Previously, manufacturers had to apply to the BSI for certification of these components. This new listing of critical components contains highly sensitive targets. Successful attacks by hackers or secret services can cause lasting damage to critical infrastructures in the Federal Republic of Germany.
The discussion about requirements for the IT products used, identification and authentication procedures and their evaluation with regard to information security is also taken up and specified. These specifications lead to the development and publication of a state of the art of security requirements for IT products. In addition, there are requirements for consumer protection and consumer information.
Conclusion
It remains to be seen whether this schedule can be met. In terms of content, the new draft is a significant improvement, because it is more concrete than the draft of April 2019. A point of criticism is that the evaluation of the IT-SIG of 2015, which should have taken place after four years at the latest, is still pending.
The SRC experts will be happy to discuss the innovations and their effects with you and to support you in implementing the requirements of the IT-SIG and BSIG as well as in providing evidence within the scope of §8(a) BSIG (“Kritis-audit”).
20 years SRC
20 years ago, on 27 November 2000, the founding meeting of the shareholders of SRC took place. That is a long time, though in retrospect it does not feel that way to those involved. This perception is of course subjective, but a decisive factor will certainly be the rapid development in the field of information technology.
The complexity of digitalisation and the constantly growing need to create trust in new solutions is the business basis of SRC, the essential reason why SRC exists. At the same time this is also a big obligation — namely to ensure that new digital solutions are really trustworthy.
SRC’s work on such things that many people experience in their daily life can be explained vividly. These are, above all, contactless payment by card and mobile phone, secure access to bank accounts by third parties, electronic patient files, secure communication in connection with the Galileo system and in the Bundeswehr, or even quite “mundane” things such as bottle deposit machines or tamper-proof cash registers — all topics of digitisation with which millions of people come into contact in one way or another every day. The development does not end there, with Open Finance, IoT and the increased use of AI methods there are still many exciting topics to be addressed.
None of these solutions has been produced or is operated by SRC itself, but we have made a decisive contribution to all of them: We provide confidence in these digital solutions — for reliability, security and future-proofness. We create “a good feeling” in dealing with digitalisation:
— Standards for new technologies create investment security,
— Reliable functionality of new solutions through testing,
— Technical security of new solutions through security concepts and tests.
In fact, this “good feeling”, the trust, is something like the lubricant of digitalisation. For many people, the digitisation and mechanisation of everyday life means that processes are no longer manageable and the truth content of information is sometimes unclear. Trust makes it possible to reduce this complexity and often opens the door to acceptance of the new ways of experiencing and acting that digitisation aims to create.
In the 20 years of SRC’s existence we have carried out more than 20,000 projects. Every year there have been more and also SRC has grown year by year — not only in terms of the number of employees, but especially in terms of the expansion of expertise, partly in areas that did not exist at the time of the foundation of SRC.
The current pandemic situation does not allow us to adequately celebrate our 20th anniversary, which we would have liked to do together with our customers. We are thinking about making up for this at a suitable time. But even without a party, we would be pleased if you, our customers, continue to place your trust in us.
TIBER-DE | Increasing the cyber resilience of the financial system
Digitisation of the financial sector — Chances & cyber risks
The increasing digitalisation of the financial sector not only provides new opportunities, but also leads to increased cyber risks. In particular, attacks on the financial system can have serious consequences not only for the affected company, but also for the entire public. For this reason, the central banks of the European System of Central Banks have already launched the TIBER-EU (Threat Intelligence-based Ethical Red Teaming) programme in 2018. TIBER-EU serves as a framework for threat-based penetration tests.
In the summer of 2019, the Deutsche Bundesbank and the German Federal Ministry of Finance (BMF) decided to implement TIBER-DE as a national framework for financial companies to test their own resilience to cyber attacks. This implementation has now taken place.
To whom is TIBER-DE addressed?
TIBER-DE particularly addresses critical companies in the financial sector, such as large banks and insurance companies and their IT service providers and payment service providers. In its TIBER implementation, the Deutsche Bundesbank emphasises that the purpose of conducting TIBER-DE tests is to “establish a network of national companies belonging to the target group in order to improve the cyber-resistance of the financial sector in a sustainable and cooperative way, together and by conducting TIBER-DE tests.”
What happens in a TIBER-DE test?
In a TIBER-DE test, commissioned hackers (“Red Team”) use information from a threat intelligence provider (“spy”) to test the cyber resistance of a company. The primary goal is to identify security gaps in the production systems (“critical functions”) within the framework of an attack scenario that is as real as possible. The TIBER-DE test consists of three phases, which are presented here in a shortened form:
Risks of the TIBER-DE Test
The TIBER-DE test targets the production systems carrying the “critical functions” of an institution in order to realistically evaluate their cyber resilience. However, this is also accompanied by risks, e.g. regarding the confidentiality, integrity or availability of the data or systems. In any case, the institution has to perform a detailed risk analysis and take appropriate measures to minimise the risks before a TIBER-DE test is performed.
Furthermore, companies are confronted with organisational, technical and data protection challenges. Critical business processes have to be identified, defensive measures have to be established and documented. In addition, TIBER-DE tests must be coordinated with the various stakeholders concerned, e.g. service providers. Furthermore, a confidentiality obligation must be observed by all parties.
Currently, participation in TIBER-DE tests is voluntary. Together with the not inconsiderable risks, this seems to be the reason for the hesitation to perform a TIBER-DE test.
Team up for a successful TIBER-DE test
The experts of SRC can prepare a TIBER test together with you. This includes the company-wide scoping of the critical business processes to be tested and support in establishing compliant reporting channels and processes to control and execute TIBER tests. This ensures that the internal preparations are in place to have a TIBER-compliant penetration test performed by a service provider. With the experience gained from countless penetration tests, bank compliance and information security management projects, we are happy to support you through the entire process of a TIBER test.