Download as PDF - Secunet

The IT Security Report by 

Issue 1 | 2013 

Partnership for Security 

in Cyberspace 

Alliance for Cyber Security 

as a central information platform 

Increased Security for 

Passengers – including 

online 

Nicolas Hunloh, Team Leader 

Internet, Düsseldorf Int. Airport 

Automation is the Way 

Forward for Border Control 

secunet eGates securely manage 

increasing passenger numbers at 

national borders 

Electronic management 

of classified items without 

discontinuity of media 

SINA Workflow for security and 

compliance with regulations

The IT Security Report by 

Content 

National 

03 Local High-Quality IT Products 

for Local Users 

04 Partnership for Security in Cyberspace – 

Alliance for Cyber Security as a central 

information platform 

06 German Justice Plays it Safe 

08 Increased Security for Passengers – 

including online 

10 Challenges for PKI Systems 

in Vehicles 

International 

14 Automation is the Way Forward for 

Border Control 

Technologies & Solutions 

16 Electronic management of 

classifi ed items without discontinuity 

of media 

09 Hackerstory #2 

Budget and Production Pressures 

as Risk Factors 

12 Preventive security #1 

FIFA World Cup Shoots Holes in IT System 

17 News in Brief 

secunet on Twitter, Xing and LinkedIn / 

New Agreement with National Government 

on IT Security Services / New Appointment 

at the BSI 

18 Events 

Dear Readers, 

irrespective of whether we operate in the public or private sector, we are 

all doing business more and more in cyber space; we are thus increasingly 

dependent on the secure and uninterrupted functioning of digital information 

and communication technologies. If we are to maintain security of information, 

data and processes on a permanent basis, we must continuously adapt to 

the shifting level and nature of the threat posed by hackers and the methods 

they employ. The detailed exchange of information and experiences between 

industry, government agencies and experts not only facilitates a high degree 

of transparency but also makes the job of prevention easier for us all. One 

of the platforms for such exchanges is the Allianz für Cyber-Sicherheit (Alliance 

for Cyber Security) founded by the German Federal Offi ce for Information 

Security (BSI) and the Federal Association for Information Technology, 

Telecommunications and New Media (BITKOM). We spoke with Dr Hartmut 

Isselhorst from BSI about the aims and objectives of the Alliance. 

Here at secunet, we also intend to place the exchange of ideas with our 

customers on a more direct footing; consequently, we have undertaken an 

internal restructuring designed to make us more fl exible in the way we cater 

for your needs, aspirations and demands. We will thus be able to respond 

more effi ciently and quickly to current developments in the cyber world and to 

offer you, our customers, optimum proactive and innovative support as you 

rise to future challenges and implement new projects. 

- Our Public Sector (formerly High Security and Government Division) advises 

clients from the public sector and the defence industry both here in 

Germany and abroad, proposing current products and services that can 

be combined for specifi c circumstances as well as customised security 

solutions. These are fully compatible with any modern administration, they 

are capable of handling jobs at the highest level and they comply with highsecurity 

specifi cations for the protection of classifi ed information. 

- Our Business Sector (formerly Business Security and Automotive Security 

Division) helps private business clients to fully exploit the potential of increased 

digitisation and the associated electronic mapping of business processes, 

and also to securely map intelligent networks, mobile applications, 

IT-based control of production/logistics operations and the digitisation 

of transport and traffi c systems. 

The areas in which we excel and our achievements to date are a matter of 

record. We now present some of the latest developments in this edition of 

secuview. 

I hope you enjoy reading our magazine. 

Best wishes 

19 Dates 

Dr Rainer Baumgart 

02 » 1 | 2013

National 

Local High-Quality 

IT Products for Local Users 

IT security technology ‘Made in Germany’ is being supplied 

direct to government agencies around the country 

Following the successful piloting of the federal government 

IT investment programme in 2010, the German Federal Office 

for Information Security (BSI) launched a follow-up project – 

‘Sondertatbestand’ – in 2012. The purpose of this is to support 

government agencies by simplifying the procurement process 

for IT security solutions, including the SINA range of products. 

This ensures not only that all data is optimally protected 

but also that cryptographic systems approved for the NfD 

(RESTRICTED) classification become more widely established. 

classified 

information 

Within the framework of the Sondertatbestand project, participating 

agencies received products at no extra expense for 

- interface control 

- hard disk encryption 

- encryption of mobile storage media 

- encrypted USB flash devices 

- securing mobile scenarios 

The use of a SINA workstation makes it easy for authorities to 

securely access both unclassified and RESTRICTED data at 

any time and from any location, whether the operator is away 

on business or ‘teleworking’ from home. 

RESTRICTED 

Support close at hand 

SINA experts from secunet provided support to the various 

government IT departments in implementation, installation 

and on-site training. secunet support is then on call around 

the clock, seven days a week. It is a tremendous advantage 

when the experts are just a phone call away. 

When there is a total loss of IT service, it is important that 

response times are short and the correct action is taken. For 

this reason, the Sondertatbestand project also includes a 

security consultancy element. secunet supports the participating 

agencies in complying with the criteria of the federal 

government action plan known as ‘UP-Bund’. This includes 

in particular measures to improve information security and the 

development of a continuity management plan. 

The BSI has conceived the Sondertatbestand project as a way 

of making IT expertise available to individual authorities conveniently 

and without impacting on their budget. In this way, 

applicants procure internationally competitive products from 

national suppliers. And in any case, the German encryption 

industry enjoys a high reputation around the world. The evidence 

for this is in the many national and international projects 

that make use of encryption products from Germany. 

More information: 

Dirk Mangelmann 

dirk.mangelmann@secunet.com 

1 | 2013 « 03

National 

Partnership for Security in 

Cyberspace – Alliance for 

Cyber Security as a central 

information platform 

An Interview with Dr Hartmut Isselhorst of the BSI 

on the Alliance for Cyber Security 

secuview: The new Alliance for Cyber 

Security was founded by the BSI (German 

Federal Office for Information 

Security) and BITKOM at the annual 

CeBIT trade show in March 2012. What 

was the reason for setting up such an 

organisation 

Dr Hartmut Isselhorst: Internet technologies 

in recent years have led to 

major advances in the IT and telecommunications 

industry. Indeed, information 

technology has penetrated virtually 

all areas of our lives and every sector of 

the economy, making them an integral 

part of cyberspace today. As a result, 

value-added processes in the ‘real 

world’ are inextricably linked to the virtual 

world and are barely conceivable 

today without it. The challenge of 

making cyberspace more secure can 

now only be met through the combined 

efforts of business and industry, academia 

and the government. The Alliance 

for Cyber Security reflects this need for 

cooperation and serves as a platform 

for the exchange of knowledge and 

expertise in the field. Indeed, lasting 

security can only be achieved if we 

continually revise our strategies for 

preventing, recognising and responding 

to security threats and the evolving 

methods of cyber criminals. 

secuview: The Alliance’s members include 

partners and members. How 

many companies joined the Alliance in 

2012, and what are the main reasons for 

which individuals and business partners 

seek membership 

Dr Hartmut Isselhorst: We received 

an overwhelmingly positive response 

to the Alliance for Cyber Security, even 

„The Alliance offers a variety of 

services, including issuing warnings 

about current cyber threats, 

identifying best practices, unifying 

industry standards and providing 

security solutions for systems 

currently in use.“ 

during the pilot phase. Since then, other 

noteworthy cyber security experts have 

joined our ranks, meaning that more 

than 200 companies and organisations – 

including 50 of partners – were active 

members of the Alliance for Cyber Security 

at the beginning of 2013. 

The Alliance offers a variety of services, 

including issuing warnings about current 

cyber threats, identifying best practices, 

unifying industry standards and 

providing security solutions for systems 

currently in use, as well as providing 

general recommendations on the se- 

Dr Hartmut Isselhorst, 

man in charge at the 

Department of Cyber 

Security of the BSI 

cure use of IT components. In addition 

to the above, the BSI publishes up-todate 

information regarding the ongoing 

security situation in cyberspace, thus 

enabling institutions to modify their 

activities accordingly. In order for this 

information to be as complete as possible, 

partners and individual members 

in the Alliance are also encouraged to 

report their own knowledge and findings 

regarding cyber attacks to the BSI. 

Finally, alongside acting as a central hub 

for information distribution, the Alliance 

seeks to promote direct knowledge 

exchanges in smaller groups such as in 

regional and industrial working groups 

or informal meetings. 

secuview: What security threats do you 

expect to emerge over the next few 

years, and what measures will the Alliance 

be implementing to counter them 

Dr Hartmut Isselhorst: The growing 

trend of using information services on 

the move is going to have a knock-on 

04 » 1 | 2013

National 

effect on cyberspace security threats. 

Smartphones and tablets are now established 

internet terminals, and their 

position in the market has been 

strengthened by their integration into 

corporate IT systems – both formally 

and through BYOD policies. This has increased 

the attraction of these devices 

to cyber criminals and malware developers. 

The topic of ‘mobile malware’ will 

therefore remain on the agenda for the 

foreseeable future. 

Other 

organisations 

The Alliance for Cyber Security was established in March 2012 by the 

Federal Office for Information Security (BSI) and BITKOM. This joint 

initiative acts as a platform for the sharing of information and experiences 

in the general area of cyber threats. At the international level, 

it promotes cross-border collaboration with other Alliance partners. 

BSI 

Government 

agencies 

Multipliers 

Businesses 

We are also preparing for attacks and 

attempted attacks against specific companies 

or institutions. Cyberspace is an 

attractive point of attack for criminals because 

it provides easy access to potential 

targets and a myriad of opportunities 

for deception, as well as an incredibly 

diverse range of vulnerabilities which 

can be exploited. We expect hackers 

to draw on their experiences of launching 

targeted attacks in recent years to 

further improve their methods and carry 

out increasingly sophisticated attacks. 

We are also anticipating some positive 

developments, however. Indeed, whilst 

companies are still very reticent to disclose 

information about cyber attacks 

on their own systems, the BSI is increasingly 

hearing from companies willing to 

share their experiences in small groups. 

If this trend continues, it will most certainly 

help to raise user awareness and 

provide a more complete picture of the 

current security situation, thus serving 

to boost cyberspace’s ‘immune system’ 

over the long term. 

secuview: Nowadays, the entire world 

is connected via the internet, and so attacks 

can be carried out from far beyond 

our national borders. Will the BSI also be 

working with the Alliance to contact and 

exchange information with other groups 

internationally 

Dr Hartmut Isselhorst: The international 

exchange of knowledge and expertise 

is indispensable when it comes to cyber 

security. Within the Alliance for Cyber 

Operators 

of critical 

infrastructures 

Partners 

Security, this is achieved not only 

through the BSI’s various international 

partnerships, but also through the crossborder 

activities of the Alliance’s partner 

companies. The knowledge and expertise 

gained through this international cooperation 

contributes a great deal to the 

„In light of the overwhelmingly 

positive feedback received from 

companies involved in the Alliance 

for Cyber Security in 2012, we 

intend to continue implementing 

and building upon the organisation’s 

activities in 2013.“ 

Alliance’s work and is always analysed 

and shared in such a way that it benefits 

all members as much as possible. 

In practical terms, the Alliance for Cyber 

Security’s partners and key communicators 

can also contribute by upholding 

knowledge exchange between the Alliance 

and international groups or initiatives 

abroad. 

secuview: One final question: What’s 

next for the Alliance in 2013 

Dr Hartmut Isselhorst: In light of the 

overwhelmingly positive feedback received 

from companies involved in the 

Alliance for Cyber Security in 2012, we 

Other 

institutions of 

particular interest to 

the state (INSI) 

intend to continue implementing and 

building upon the organisation’s activities 

in 2013. In my view, it is important 

to always keep in mind the expectations 

that are communicated to the BSI in the 

course of major events and private discussions. 

This is why we will be organising 

more industry-specific events for 

various target groups in 2013 – to raise 

awareness of cyber security issues on 

the one hand, and to maintain a direct 

dialogue with and between companies 

on the other. We have started the ball 

rolling this year with the first ever Cyber 

Security Day for members of the Alliance 

in January. In February, this event has 

been followed by a major conference 

in partnership with the logistics industry 

and knowledge exchange across 

different sector. We also have several 

other events in the pipeline. In addition 

to the above, I am very much looking 

forward to the numerous contributions 

recently announced by our partners 

which will create significant added value 

for all of the Alliance for Cyber Security’s 

members. 

secunet is a partner company in 

the Alliance for Cyber Security 

and draws on the extensive 

knowledge and expertise of its 

IT security specialists to support 

the organisation’s members. 

1 | 2013 « 05

National 

German Justice 

Plays it Safe 

secunet connects Bavaria to S.A.F.E. 

central registry 

The introduction of mandatory electronic commercial 

registration in 2007 coincided with the launch of a new communication 

infrastructure in the German judicial system. The 

opportunity of having direct access to courts and authorities 

via EGVP proved hugely popular right from the start; in fact, 

projected user numbers were far exceeded after only three 

months in operation. Because everyone registering as an 

EGVP user is assigned a unique mailbox address by the identity 

management system and this data must be constantly 

replicated to all other active EGVPs in the system, the registration 

service is of paramount importance. 

What is EGVP 

The electronic legal and administrative mailbox, in Germany known as 

EGVP (Elektronisches Gerichts- und Verwaltungspostfach), can be used 

by courts and government authorities in communication with each other 

as well as with other parties to certain judicial proceedings (e. g. lawyers, 

notaries, businesses and private citizens) for the safe, legal and effi cient 

transmission of messages, documents and pleadings in the OSCI format 

(Online Services Computer Interface). EGVP automatically encrypts the 

entire data exchange. Messages can also have fi les attached and, if 

necessary, bear an electronic signature. This speeds up legal processes, 

and all parties benefi t from the increased effi ciency. No wonder then that 

more than 40,000 parties to proceedings in all 16 federal states and in 

most federal courts in Germany are making use of the EGVP, a trend that 

is even expected to grow further. 

Separation of registration process 

from EGVP: S.A.F.E. 

In order to be optimally positioned in the future in terms of 

performance and interfaces, the Bund-Länder-Kommission 

für Datenverarbeitung und Rationalisierung in der Justiz (Joint 

Federal and State Commission for Data Processing and Rationalisation 

in Judicial Processes) has prescribed the architecture 

of a federated identity management system for the 

German judiciary. This goes by the name of ‘Secure Access 

to Federated E Justice / E Government’, or S.A.F.E. for short. 

The underlying idea is essentially straightforward: the ‘Identity 

Providers’ which are spread out over a number of different 

domains are combined on a single platform and are addressed 

via standard interfaces. The so-called ‘Trust Domain’ (TD) is 

the central structuring element. This consists of a set of services 

and service users that co-exist in a mutual trust relationship. 

It ensures a unified communications infrastructure 

within the justice system that operates across federal state 

boundaries. 

06 » 1 | 2013

National 

Bavaria creates own Trust Domain 

Up to now, there has been a centralised S.A.F.E. identity 

management system operating from the data centre in North 

Rhine-Westphalia, which is responsible for 

the mailboxes of user parties in all the 

federal states. Bavaria has now become 

the first German federal state to set up 

its own trust domain which is operated 

in its own data centre. This means that 

the management of Bavarian identities 

takes place regionally, thus 

restoring data sovereignty. 

sources that store information about the digital identities 

of users and their operational role. secunet also took on the 

task of integrating the technical basis – the Oracle Identity 

Management Suite – into the existing infrastructure. 

Flexible and fit for the future 

The Bavarian justice system is already in a position to communicate 

confidentially via S.A.F.E. in such administrative 

areas as the central register of wills or the electronic land 

registry. Thanks to its open and highly scalable architecture, 

many more administrative procedures, citizen portals and 

e-government services will follow in the near future. 

In this matter the Bavarian justice 

relied on comprehensive assistance 

from secunet, the IT security 

experts have provided 

organisational and technical 

support to the IT officers of 

the Bavarian judiciary who 

are based at the Munich 

Higher Regional Court 

in the planning, design 

and implementation of 

the S.A.F.E. compliant 

trust domain ‘Justiz 

Bayern’. This involved 

the analysis of the 

administrative procedures 

and of the 

user groups that are 

to be integrated in 

the preliminary stage 

as well as the analysis 

and evaluation of the data 


Norbert Müller 

norbert.mueller@secunet.com 

1 | 2013 « 07

National 

Increased Security 

for Passengers – 

including online 

Nicolas Hunloh, Team Leader Internet, 

Düsseldorf International Airport 

The air transport hub of Flughafen Düsseldorf handles over 

20 million passengers per year, making it the largest airport 

in North Rhine-Westphalia. 70 airlines operate here, serving 

more than 190 destinations. Located in one of Europe’s 

strongest-performing economic regions, with 18 million 

people living within a radius of 100 kilometres, Düsseldorf 

International plays a key role in fulfilling the mobility needs of 

private individuals and businesses in the federal state of North 

Rhine-Westphalia and the south-east of the Netherlands. 

Furthermore, as the largest single employer in Düsseldorf 

with a workforce of around 19,700, the airport has a major 

impact on the jobs market in NRW. 

As traffic has increased over recent years, the corporate 

website has had to adapt and grow to meet the demands 

of passengers as well as 

those who are picking 

them up from the airport 

and other target groups. 

These users visit the site to 

check flight times, 

to find out about 

local conditions, 

to reserve parking 

spaces, to retrieve 

general information 

about the airport, 

and much more 

besides. The website 

is thus a main 

point of contact for 

By undertaking regular 

security checks, including 

around 11 million 

its online platforms, 

users per year. 

Düsseldorf airport 

upholds consistently high 

security standards. 

Various extranets 

provide B2B partners 

and customers 

with helpful 

tools. Data that is 

stored there requires 

secure protection. 

Flughafen 

Düsseldorf GmbH 

therefore took the 

decision in 2012 

to submit its main 

corporate website 

as well as those 

of its subsidiaries 

to an extensive security check. Their 

search for a professional, flexible and 

reliable service provider quickly brought 

them to secunet. 

For the operator, it is particularly important 

that the standards which are 

rigorously adhered to in the everyday 

working environment of the airport’s offline sector (where 

security is at a premium) apply equally to its website. Because 

even data on passengers and partners requires the protection 

of a highly secure and efficient infrastructure against 

externally launched attempts to gain unauthorised access. 

The secunet team therefore set about identifying potential 

vulnerabilities using a detailed penetration test and applying 

recognised standards with particular reference to OWASP 

Top 10 2012. In order to avoid overloading the server infrastructure 

during the procedure, the tests were conducted 

during the low-traffic period between 11pm and 6am. 

08 » 1 | 2013

News in Brief 

HACKERSTORY #2 

Budget and 

Production Pressures 

as Risk Factors 

In many companies, security has become an integral part 

of the production process. In the course of penetration tests, 

secunet nonetheless continues to identify critical vulnerabilities 

in internal systems that threaten the organisation’s 

security and, in the worst-case scenario, its most vital 

functions. 

In subsequent discussions with the relevant system administrators, 

it will usually transpire that the vulnerabilities 

have already been recognised, though not necessarily their 

potential impact. These vulnerabilities are consciously 

accepted, since the affected system is directly involved in 

critical business processes and not every company has a 

sophisticated staging process whereby changes can be 

tested on multiple pre-production systems. The decisionmakers 

are confronted with a dilemma: in order to increase 

system security, a temporary reduction in functionality has 

to be accepted. Subsequent corrective measures – if at all 

feasible – result in correspondingly high costs. Yet failure to 

take the necessary action could ultimately lead to substantially 

higher costs. 

The results were then presented in the form of a detailed 

report, with measures identified for optimisation then being 

implemented within a short time by the specialist departments 

of Flughafen Düsseldorf GmbH and its service providers. 

At the same time, the company used the project to 

introduce new mandatory security standards at all levels. 

Flughafen Düsseldorf GmbH has expressed its intention to 

call on secunet’s anti-hacking expertise in future. 

However, if IT security teams are involved at the planning 

phase of a new application, these problems can at least be 

minimised. If, at an early stage, IT security is considered 

of equal importance to functionality, this can obviate the 

need for complex re-designs or bug fixing in the finished 

product. 


Dirk Reimers 

dirk.reimers@secunet.com 


Christian Reichardt 

christian.reichardt@secunet.com 

IN THE NEXT ISSUE: 

The Trojan Mouse 

1 | 2013 « 09

National 

Challenges for PKI Systems 

in Vehicles 

Conventional solutions are not enough 

Because of the special nature of the clients 

(vehicles, charging infrastructure, traffic 

signals etc) which – unlike the computers in 

the company network – are not constantly 

reachable and which to some extent have 

much longer life cycles, they make specific 

requirements of their PKI systems that do 

not apply to most company PKIs. Similarly, 

specifications for Car2Car communication or 

Plug&Charge in the case of e-mobility define 

precisely what a PKI is expected to do. 

PKI systems have long been an established feature of inhouse 

networks and the internet. Based on asymmetric cryptography, 

authentication mechanisms have been created with 

which more people work than you might imagine. Whether for 

online banking, remote login to the corporate network from a 

home office or even the new German national identity card, a 

PKI working away in the background is generally responsible 

for secure communication. 

More recently, various applications requiring a PKI have been 

introduced in vehicles: 

- digital tachographs 

- securing diagnostic access and information consistent 

with Euro 5 and Euro 6 

- securing onboard flashware for vehicle programming 

- securing TeleX services such as remote diagnostics and 

programming 

- internet in the vehicle 

- Car2Car communication 

- Plug&Charge for e-mobility 

For example, procedures and processes 

must be introduced to take into account 

the fact that parts of the PKI system may 

be available for online communication only 

on an intermittent basis. The distribution of 

revocation information is just one example of 

this problem. In a PKI for Car2Car or Car2X 

communication, the number of subscribers can rise exponentially. 

There will be hundreds of CA systems and millions of 

vehicles all around the world that have to be supplied with key 

material and certificates, and at the same time, data privacy 

protection legislation will require that each vehicle is equipped 

with several hundreds or even thousands of certificates. 

Car manufacturers may already be aware of some of these 

problems as a result of similar issues with their own company 

PKIs for employee badges or SSL certificates for web 

services. Nevertheless, these new special cases present them 

with unprecedented challenges in the management of cryptographic 

keys and certificates that cannot be resolved with the 

already established processes of introduced PKI systems and 

therefore require new approaches to the issue of PKI. 


Andreas Ziska 

andreas.ziska@secunet.com 

10 » 1 | 2013

National 

What a PKI does 

PKI involves more than just technology; it is also a question of infrastructure and 

processes. At the heart of the matter is key management, with the complete lifecycle 

of cryptographic keys and/or certifi cates. The main tasks to be performed 

by a PKI are: 

Key generation – determination of algorithms, the type of key generation 

(central as opposed to decentralised) and the processes for certifi cation of the 

public key as well as the identifi cation data of the certifi cate holder. 

Key distribution / Directory – the distribution of public keys and/or certifi - 

cates takes place via directory services such as LDAP. For the assignment of 

private keys, secure distribution paths or media are used. 

Blocking management / Revocation – for revoking a certifi cate (in case of 

a lost key or loss of confi dence), technical mechanisms such as revocation 

lists (CRLs) or online services (OCSP) are used. The CA operator receives the 

revocation requests, reviews and authorises them, revokes the certifi cate and 

publishes the revocation information. 

Key recovery / Destruction – by means of key recovery, data can be read and 

verifi ed even if key material has been lost. In addition, old or invalid key material 

is securely deleted. 

Key exchange (root, CA, client) – appropriate processes (e. g. online provisioning, 

the replacement of a secure element or mobile with NFC technology) 

specifi cally ensure the secure exchange of the public root and CA keys. There 

must be safeguards against a hacker insinuating his own root keys. 

Blocking management / 

Revocation (CRL / OCSP) 

Key recovery / 

Destruction 

Key generation 

Key distribution / 

Directory 

Key exchange 

(root, CA, client) 

Example of an eMob PKI complying with ISO 15118 

eMob Root CA 

Already established because of 

the applicable standardisation 

regulations for smart metering 

in Germany 

optional 

optional 

EV OEM 

Root CA 

Energy supplier 

Root CA 

Charging supplier 

Root CA 

Meter 

Root CA 

Daimler 

BMW 

AUDI RWE EnBW e.on A B 

C 

A 

B 

C 

Vehicle certificates Contract certificates Charging station certificates SmartMeter certificates 

The companies named here have been chosen as examples only. This should not 

be taken as an indication of which ones will eventually appear under eMob Root CA. 

1 | 2013 « 11

National 

PREVENTIVE SECURITY #1 

Preventive security is in this respect a key concept: specific organisational, infrastructural, technical and 

staffing strategies that are tailored to individual circumstances and to constructing a defence that kicks 

in before something bad happens. In subsequent issues of secuview, you can read interesting and sometimes 

even amusing case studies (anonymised, of course) compiled by our secunet experts. 

FIFA World Cup 

Shoots Holes in 

IT System 

Directives from above defeat even the best 

technical defences 

There are many IT systems that, technically speaking, are well 

protected. But unfortunately, these too fall victim to elementary 

attacks because individually appropriate organisational 

processes have not been implemented or upheld. 

“How could they overcome the formidable barriers that we 

now have in place The way they were bypassed makes us 

look like amateurs!” Unfortunately, this quote is genuine and 

the circumstances that permitted this successful IT attack are 

by no means exceptional. The technology and the administrators 

really were high calibre. The problem lay entirely elsewhere. 

The vulnerability was caused by the instruction issued 

by a senior executive to allow certain IT services during the 

World Cup so that he could follow games live on his PC. 

Although the administrators expressly advised of the associated 

security risks, the desire of this senior person to watch 

the matches live at work obviously outweighed the concerns 

of the lower-ranking technical staff. The expert in this case – 

i. e. the system administrator – had no recourse against the 

decision. 

This real-life scenario is by no means exceptional. secunet 

is often called out to deal with emergencies that have been 

caused by the absence of organisational security measures. 

In the case cited above, a clearly defined and auditable documented 

process that gave the administrator suitable veto 

rights would have helped to uphold the high level of security 

afforded by the systems in place. It would then have been 

possible to take secure and responsible action, overriding the 

personal preferences of the boss. 

Security must be integral to 

corporate culture 

Experience has shown that, although many government agencies 

and private businesses have put appropriate security 

measures in place, these are not upheld rigorously due to the 

organisational aspects of information security. At the same 

time, however, there is no shortage of standards and best 

practices to provide support here. For example, the IT security 

management standards typified by the ISO 27000 family and 

those implemented in accordance with BSI baseline protection 

or the recommendations of ITIL (IT Infrastructure Library) and 

COBIT (Control Objectives for Information and Related Technology). 

secunet experts with many years of experience are 

available to support any appropriate customisation or tailored 

implementation. 


René Seydel 

rene.seydel@secunet.com 

IN THE NEXT ISSUE: 

Well confi gured – one click for enhanced security 

12 » 1 | 2013

Neben dem Beruf zum 

Bachelor & Master 

Bachelor-Abschlüsse: 

Europäische BWL (B.A.) 

Wirtschaftspsychologie (B.A.) 

Finance & Mangement (B.Sc.) 

Logistikmanagement (B.Sc.) 

Wirtschaftsrecht (LL.B.) 

Master-Abschlüsse: 

Wirtschaftspsychologie (M.Sc.) 

Business Coaching & 

Change Management (M.A.) 

MBA 

Hochschulkurse mit Zertifikat 

Jetzt 

4 Wochen 

kostenlos 

testen! 

Jederzeit starten 

Freie Zeiteinteilung 

Ortsunabhängig per Fernstudium 

Jetzt informieren: 

www.Euro-FH.de 0800 / 33 44 377 

(gebührenfrei) 

Infos anfordern: 

600 AA

International 

Automation is the Way 

Forward for Border Control 

secunet eGates securely manage increasing passenger numbers at national borders 

Globalisation has led to a steady increase in private and professional 

mobility. Short-haul flights have become an attractive 

alternative to travelling by train or car. For airports, this means 

that more and more passengers have to be cleared on arrival. 

The International Air Transport Association (IATA) estimates 

that, in 2013, the milestone of three billion passengers worldwide 

will be exceeded. 1 This development poses multiple challenges 

for airports, as passengers should not be expected to 

wait in unreasonably long queues to pass through the security 

gate or border control. At the same time, security considerations 

must under no circumstances be compromised as the 

threat of terrorism remains acute 

The solution lies in biometric data 

A good option for managing increased passenger volume 

at borders is to provide electronic control gates – so-called 

‘Automated Border Control Systems’ or eGates for short. 

Utilising the biometric data stored in electronic travel documents 

(e.g. the digitised facial image of the traveller), 

eGates allow partial automation of border control 

processes whilst retaining the same high level of 

security: When the passport is placed on the document 

reader, its electronic and optical security features 

are checked and the biometric data is read. 

Passengers authorised to use the system can then 

step into the eGate. Here, a camera integrated into 

the exit door automatically takes a photo of the 

traveller’s face. This data is then compared to the 

passport-picture read before. If the biometric data 

matches, the passenger is cleared to pass, i. e. to 

cross the border. 

As the ePassport is read and the 

passenger’s face is scanned, the 

same data is also displayed on 

the immigration control officer’s 

monitor. 

The process offers significant benefits to all parties 

involved: on the one hand, it reduces queuing time for 

passengers and airport operators benefit from optimised 

passenger flows; on the other hand, border 

police officers get valuable support without losing 

control over the process. 

1 

See http://www.iata.org/pressroom/facts_figures/Documents/ 

economic-outlook-media-day-dec2012.pdf 

14 » 1 | 2013

International 

secunet’s face recognition 

technology 

makes use of a smart 

camera integrated 

into the exit door. 

Adaptive LED lights 

provide optimum 

levels of illumination. 

secunet eGates 

are already in 

operational use 

as part of the 

EasyPASS and 

EasyGO projects. 

Pioneering work to provide 

sustainable solutions 

As a pioneer in this field, secunet was commissioned in late 

2007 by the German Federal Office for Information Security 

(BSI) to take on the design and implementation of the 

EasyPASS eGate solution at Frankfurt Airport. Following its 

successful operational launch, the secunet experts have made 

it available for use with the new German ID card. This has not 

only set the benchmark for the future design of immigration 

control systems at German airports but has also convinced 

the Czech border police: going by the name of EasyGO, the 

automated border control system was implemented at Prague’s 

Vaclav Havel airport in late 2012, and after only a twelve-month 

pilot period, it has been incorporated into day-to-day operation 

and has even been extended. 

The evident advantages and positive experience of automated 

border control have won over airport operators and border 

police in equal measure. Experts agree that the trend in 

coming years at national and international airports will be 

towards further automation of border control. Years of experience 

coupled with the ‘Made in Germany’ label – perceived 

around the world as a hallmark of quality – mean that secunet 

eGates are set to play a crucial role. 


Georg Hasse 

georg.hasse@secunet.com 

What makes the solution from 

secunet so unique 

The decisive USP of eGate solutions from secunet is the modu- 

lar approach: The unique flexibility of this complex system is 

made possible by secunet biomiddle, a software that acts as 

an intermediary between client applications and the various 

biometric technologies. Due to this original components can 

be updated at any time and further devices can be added. 

The Automated Border Control System sets standards in other 

ways; for example, the BSI acting as an independent body 

has verified its security and reliability. Furthermore, the system 

is characterised by exceptional user-friendliness. The entire 

process is adapted to the natural flow of the passengers who 

are given clear step-by-step guidance as they pass through 

the system. High acceptance and rapid, straightforward processing 

are thus guaranteed. 

The benefi ts of 

secunet eGates at a glance 

Secure 

- BSI-approved security and reliability of the system by means of 

- Testing of the optical and electronic security features 

- Biometric comparison at a high level of security 

- Monitoring by immigration control offi cers 

Economical 

- Airports are able to process a higher volume of passengers 

through the same physical area 

- Investment protected thanks to modular and standard 

architecture of the overall system 

Fast 

- Conventional immigration controls are relieved by partial 

automation and thereby accelerated 

- Travellers are guided intuitively through the gate, thus reducing 

the length of queues 

1 | 2013 « 15

Technologies & Solutions 

Electronic management of classified 

information without discontinuity of media 

SINA Workflow for security and compliance with regulations 

Anyone who has experience of working with classified 

electronic data and processes is familiar with 

the dilemma of complying with VSA (the national 

regulations governing classified information) while 

still coping with the job in hand. This conflict has 

increased steadily over recent years, because 

the existing regulations were originally conceived 

for an age in which everything was committed to 

paper. But rapidly increasing information flows 

have long since made electronic processing indispensable, 

and there are currently no software 

systems which have been approved and are sufficiently 

productive to be used for VSA-compliant 

processing. 

SINA Workflow represents a comprehensive, VSA-compliant 

solution to the aforementioned dilemma: 

- The compilation, processing and distribution of classified 

data takes place without any discontinuity of media 

- Unlike other solutions, SINA workflow does not merely 

address individual aspects of VSA 

- There is a logical, cryptographically secured enforcement 

of the ‘Need to Know’ principle 

- Uncontrolled outflow of classified data is prevented 

- Every activity that VSA requires to be verified is securely 

logged to legal audit standard 

SINA Workflow comprises central registry, control and storage 

systems as well as remote clients based on the SINA 

Workstation. 

The complete lifecycle of classified documents and operations 

is mapped, so that a user is supported and guided 

through the system right from the start. The creation of a draft 

classified document takes place within a SINA Workflowspecific 

session on a SINA Workstation. When the draft of the 

classified item is registered, it is encrypted and saved to a 

Using 

SINA Workstation 

for classified 

information 

central location. From that point onwards, other contributors 

can be allowed access to the draft classified document. In this 

way, SINA Workflow guarantees VSA-compliant processing of 

classified documents within a group and also offers support 

for addenda and co-signing processes. After the completion 

and registration of the finalised item, the classified document 

itself can then be distributed. Classified documents can, of 

course, also be printed or exported. 

In addition to supporting users, SINA Workflow also assists 

system administrators, e.g. by automatically keeping a log, or 

by generating an inventory of classified documents. 

Work is in progress with a German federal government office 

on the prototypical installation and integration of SINA Workflow 

into the existing network infrastructure. 


Peter Janitz 

peter.janitz@secunet.com 

SINA Workflow is able to map the entire lifecycle 

of classified documents and processes. 

This now facilitates electronic, VSA-compliant 

processing of classified information. 

Subscribe to secuview 

Would you like to receive secuview on a regular basis, free of charge 

Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/the-company/it-security-report-secuview. 

There you can also change your preference or unsubscribe. 

Illustrations: Cover People: plainpicture/OJO; S. 3 (Ordner), 6, 7, 12: shutterstock.com; Airport Düsseldorf S. 8 - 9: Andreas Wiese; S. 10: iStockphoto.com; 

S. 19: EUROFORUM Deutschland SE. Others: secunet. 

16 » 1 | 2013

News in Brief 

secunet on Twitter, Xing and LinkedIn 

Social media have not only changed 

the way we interact with each other as 

individuals but have also become an essential 

means of communication in the 

business world. In 2012, we extended 

our online presence to Twitter, Xing and 

LinkedIn, aiming to use these media 

to increase our availability to secunet 

customers and partners, and to explore 

with them the issues of the moment surrounding 

IT security. 

Via our corporate profiles on the Xing 

and LinkedIn business platforms, we 

offer existing and future customers as 

well as potential recruits to our ranks a 

quick and convenient way of getting in 

touch with us. 

Professional associations and the German 

Federal Chancellery have long had 

their own presence here. We are now 

using our Twitter page – @secunet_AG – 

to inform our customers and other interested 

users about the latest developments 

in the world of IT security. We go 

beyond relaying news from and about 

our own company, picking up on a wide 

range of IT security issues as these 

affect the private and public sectors. We 

publish up-to-the-minute alerts on current 

security vulnerabilities and engage 

in a fruitful exchange of views and opinions 

with the online communities. 

Visit our website at www.secunet.com 

and follow us on Twitter at @secunet_AG 

This QR code will 

take you directly to 

our Twitter page: 

http://www.twitter.com/ 

secunet_AG 

New Federal Framework 

Agreement on IT Security 

Services 

New Appointment 

at the 

BSI 

Since August 2012, federal authorities 

have been able to call on secunet to 

provide IT security services under the 

terms of two new framework agreements 

with the German Federal Office 

for Information Security (BSI). In association 

with HiSolutions AG, secunet was 

once again successful in its bid for the 

contract to supply IT security consulting 

services to the German federal government. 

The new agreements cover general 

consulting services for IT security 

in federal authorities, consultancy in the 

field of e-government tasks and projects, 

the implementation of security 

audits and reviews, and the drafting of 

IT security and emergency concepts. 

secunet will further be supporting the 

federal government in the performance 

of security analyses designed to identify 

and resolve vulnerabilities in IT systems 

and processes. More information can 

be found on the federal government’s 

online procurement portal Kaufhaus 

des Bundes at https://www.kd-bund.de 

(NB: access only with certificate) and 

on the federal government intranet at 

http://kdb.intranet.bund.de. 


Dirk Ossenbrüggen 

dirk.ossenbrueggen@secunet.com 

Federal Office 

for Information Security 

With effect from 1st January 2013, 

Andreas Könen is the new Vice-President 

of the BSI. His predecessor in the 

office, Horst Flätgen, has moved to the 

Federal Ministry of Finance. Könen’s 

previous role was as Director of Advice 

and Coordination. In previous years, 

he held responsibility for the areas of 

Coordination and Control as well as 

Security in Applications and Critical 

Infrastructures. The new man in charge 

at the Department of Advice and Coordination 

is Horst Samsel. 

Imprint 

Editor 

secunet Security Networks AG 

Kronprinzenstraße 30 

45128 Essen, Germany 

www.secunet.com 

Responsible in terms of the 

press law: Christine Skropke, 

christine.skropke@secunet.com 

Chief Editor: Claudia Roers, 

claudia.roers@secunet.com 

Chief Conception & Design 

Dominik Maoro, 

dominik.maoro@secunet.com 

Design 

www.knoerrich-marketing.de 

Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not 

expressly permitted by copyright law requires prior written permission. 

1 | 2013 « 17

Events 

Lively exchange of views at it-sa 

Cornelia Rogall-Grothe (Federal Government Commissioner 

for Information Technology and Secretary of State in the Ministry 

of the Interior) joined Franz Josef Pschierer (Bavarian State 

Government Commissioner for Information Technology and 

State Secretary of the Bavarian Ministry of Finance) in a visit to 

the secunet stand at the it-sa trade fair held in October 2012. 

Cornelia Rogall-Grothe 

deep in discussion 

with secunet CEO 

Dr Rainer Baumgart 

(second from left) 

IT Summit Working Group 4 visits secunet 

Dr Karsten Ottenberg, Federal Interior Minister Dr Hans-Peter Friedrich, 

Dr Rainer Baumgart and Prof Dr Claudia Eckert (l to r) 

In the context of the IT Summit in Essen, German Interior Minister 

Hans-Peter Friedrich visited secunet on 12th November 

2012. Together with Dr Karsten Ottenberg (G&D), he chaired 

the meeting of the Working Group 4 on ‘Trust, Privacy and 

Security on the Internet’. The title of event at the company’s 

premises in Kronprinzenstrasse was ‘Cybersicherheit in 

Deutschland gestalten’ (Shaping Cyber Security in Germany). 

More than 100 participants and members of the press were 

in attendance to discuss the topic with the Minister of the 

Interior, BSI President Michael Hange, Professor Claudia 

Eckert (TU Munich and Fraunhofer AISEC), Reinhard Clemens 

(Deutsche Telekom), Dr Rainer Baumgart and Dr Karsten 

Ottenberg. 

Always online – always secure 

The IT Security on Board workshop in Munich last October 

was an opportunity for experts to compare notes on recent 

developments and implications for the future in e-mobility 

and Car-2-Car technology. Standards and methods by which 

vehicle IT security can be evaluated and the need for protection 

can be determined were also major themes of the 

presentations and of the lively conversations and discussions 

that followed. The secunet live hacking demo met with particular 

interest; some of the participants immediately took a 

critical look at their own phones when they learned about the 

sophistication of attacks currently being made on iPhones and 

Android devices. 

Experts swap ideas at biometrics conference 

secunet in London: 

The biometrics trade 

fair was characterised 

by interesting discussions 

and new ideas. 

From 29th to 31st October, biometrics experts from around 

the world attended the aptly named ‘biometrics’ trade fair 

in London. In the context of the conference and exhibition, 

there was a lively exchange of views on hot topics, the latest 

developments and current biometric practice. In a series of 

interesting discussions, secunet experts set various balls 

rolling and also returned to base with new ideas and issues 

to resolve. 

secunet ACU in Tokyo 

Last October, representatives from secunet attended the 

FTF Freescale conference in Tokyo. They joined our partners 

from OpenSynergy at their stand to show off a demo unit of 

the secunet Application Control Unit (ACU), which is almost 

ready to go into series production. Where communication 

from external networks does not comply with the rules specified, 

the ACU prevents this from reaching the on-board electrical 

system. In this way, the ACU enables open networked 

infotainment applications. At the same time, valuable assets 

such as operational security are safeguarded. 

18 » 1 | 2013

Dates 

SINA meets the Secretary of Defence 

February until 

June 2013 

Participants at the Handelsblatt conference on ‘Security 

Policy and the Defence Industry’ had a chance to hear 

the views of Defence Minister de Maizière on the dialogue 

between society, politics, military and economy. As one of 

the conference sponsors, secunet was invited to present its 

SINA product portfolio. 

SINA presentation at NATO Symposium 

SINA made its debut appearance on our own exhibition 

stand at the NIAS symposium held in the Belgian city of Mons 

last September. 

SINA in Rome 

12 - 14 Feb 2013 

» Security Document World / 

Prague, Czech Republic 

17 - 21 Feb 2013 » IDEX / Abu Dhabi, UAE 

25 Feb - 

1 March 2013 

» RSA Conference / 

San Francisco, USA 

5 - 9 March 2013 » CeBIT / Hannover 

12 April 2013 

» Workshop 

‚IT Security on Board‘ / 

Munich 

23 - 25 April 2013 » Infosecurity Europe / London, UK 

24 - 25 April 2013 

» AFCEA exhibition / 

Bonn-Bad Godesberg 

7 May 2013 » SINA User Day / Berlin 

SINA on tour in Warsaw 

Johan Hesse 

of secunet 

presenting SINA 

solutions to the 

international 

audience. 

AFCEA TechNet International took place in Rome last October 

under the patronage of Italian Defence Minister Giampaolo 

Di Paola. The event was well attended by representatives 

from various NATO countries and from the NCIA (NATO Communications 

and Information Agency) who were fascinated by 

the demonstrations of SINA solutions at the secunet stand. 

In October 2012, all of the international SINA reseller partners 

gathered in Warsaw to exchange information and experiences, 

to listen to a series of presentations and to engage 

in some general networking. 

14 - 16 May 2013 

» 13 th Deutscher IT-Sicherheitskongress 

/ Bonn-Bad Godesberg 

21 - 23 May 2013 » Security Document World / 

London, UK 

15 May 2013 » General Annual Meeting 

secunet / 

Essen, Castle of Borbeck 

15 - 16 May 2013 » Datenschutzkongress / 

Berlin 

5 and » SINA User Day / 

6 June 2013 Bonn 

Would you like to arrange an appointment with us 

Then send an e-mail to events@secunet.com. 

1 | 2013 « 19

Caution! Insecure Structure! 

Customized IT security provides a solid foundation for your success. 

Protect your most important assets. IT security is essential for a stable 

IT infrastructure and for all processes. secunet is your trump card: Our 

vision and expertise will help you achieve even the most demanding IT 

security solutions. 

www.secunet.com 

IT security partner of the 

Federal Republic of Germany

Download as PDF - Secunet

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?