Download as PDF - Secunet
The IT Security Report by
Issue 1 | 2013

Partnership for Security in Cyberspace
Alliance for Cyber Security as a central information platform

Increased Security for Passengers – including online
Nicolas Hunloh, Team Leader Internet, Düsseldorf Int. Airport

Automation is the Way Forward for Border Control
secunet eGates securely manage increasing passenger numbers at national borders

Electronic management of classified items without discontinuity of media
SINA Workflow for security and compliance with regulations

Content

National
- Local High-Quality IT Products for Local Users
- Partnership for Security in Cyberspace – Alliance for Cyber Security as a central information platform
- German Justice Plays it Safe
- Increased Security for Passengers – including online
- Challenges for PKI Systems in Vehicles

International
- Automation is the Way Forward for Border Control

Technologies & Solutions
- Electronic management of classified items without discontinuity of media

- Hackerstory #2: Budget and Production Pressures as Risk Factors
- Preventive security #1: FIFA World Cup Shoots Holes in IT System
- News in Brief: secunet on Twitter, Xing and LinkedIn / New Agreement with National Government on IT Security Services / New Appointment at the BSI
- Events
- Dates

Dear Readers,

irrespective of whether we operate in the public or private sector, we are all doing business more and more in cyber space; we are thus increasingly dependent on the secure and uninterrupted functioning of digital information and communication technologies. If we are to maintain security of information, data and processes on a permanent basis, we must continuously adapt to the shifting level and nature of the threat posed by hackers and the methods they employ. The detailed exchange of information and experiences between industry, government agencies and experts not only facilitates a high degree of transparency but also makes the job of prevention easier for us all. One of the platforms for such exchanges is the Allianz für Cyber-Sicherheit (Alliance for Cyber Security) founded by the German Federal Office for Information Security (BSI) and the Federal Association for Information Technology, Telecommunications and New Media (BITKOM). We spoke with Dr Hartmut Isselhorst from BSI about the aims and objectives of the Alliance.

Here at secunet, we also intend to place the exchange of ideas with our customers on a more direct footing; consequently, we have undertaken an internal restructuring designed to make us more flexible in the way we cater for your needs, aspirations and demands. We will thus be able to respond more efficiently and quickly to current developments in the cyber world and to offer you, our customers, optimum proactive and innovative support as you rise to future challenges and implement new projects.

- Our Public Sector (formerly High Security and Government Division) advises clients from the public sector and the defence industry both here in Germany and abroad, proposing current products and services that can be combined for specific circumstances as well as customised security solutions. These are fully compatible with any modern administration, they are capable of handling jobs at the highest level and they comply with high-security specifications for the protection of classified information.
- Our Business Sector (formerly Business Security and Automotive Security Division) helps private business clients to fully exploit the potential of increased digitisation and the associated electronic mapping of business processes, and also to securely map intelligent networks, mobile applications, IT-based control of production/logistics operations and the digitisation of transport and traffic systems.

The areas in which we excel and our achievements to date are a matter of record. We now present some of the latest developments in this edition of secuview.

I hope you enjoy reading our magazine.

Best wishes
Dr Rainer Baumgart
02 » 1 | 2013

National

Local High-Quality IT Products for Local Users

IT security technology ‘Made in Germany’ is being supplied direct to government agencies around the country

Following the successful piloting of the federal government IT investment programme in 2010, the German Federal Office for Information Security (BSI) launched a follow-up project – ‘Sondertatbestand’ – in 2012. The purpose of this is to support government agencies by simplifying the procurement process for IT security solutions, including the SINA range of products. This ensures not only that all data is optimally protected but also that cryptographic systems approved for the NfD (RESTRICTED) classification become more widely established.

Within the framework of the Sondertatbestand project, participating agencies received products at no extra expense for
- interface control
- hard disk encryption
- encryption of mobile storage media
- encrypted USB flash devices
- securing mobile scenarios

The use of a SINA workstation makes it easy for authorities to securely access both unclassified and RESTRICTED data at any time and from any location, whether the operator is away on business or ‘teleworking’ from home.

Support close at hand

SINA experts from secunet provided support to the various government IT departments in implementation, installation and on-site training. secunet support is then on call around the clock, seven days a week. It is a tremendous advantage when the experts are just a phone call away.

When there is a total loss of IT service, it is important that response times are short and the correct action is taken. For this reason, the Sondertatbestand project also includes a security consultancy element. secunet supports the participating agencies in complying with the criteria of the federal government action plan known as ‘UP-Bund’. This includes in particular measures to improve information security and the development of a continuity management plan.

The BSI has conceived the Sondertatbestand project as a way of making IT expertise available to individual authorities conveniently and without impacting on their budget. In this way, applicants procure internationally competitive products from national suppliers. And in any case, the German encryption industry enjoys a high reputation around the world. The evidence for this is in the many national and international projects that make use of encryption products from Germany.

More information:
Dirk Mangelmann
dirk.mangelmann@secunet.com

National

Partnership for Security in Cyberspace – Alliance for Cyber Security as a central information platform

An Interview with Dr Hartmut Isselhorst of the BSI on the Alliance for Cyber Security

Dr Hartmut Isselhorst, man in charge at the Department of Cyber Security of the BSI

secuview: The new Alliance for Cyber Security was founded by the BSI (German Federal Office for Information Security) and BITKOM at the annual CeBIT trade show in March 2012. What was the reason for setting up such an organisation?

Dr Hartmut Isselhorst: Internet technologies in recent years have led to major advances in the IT and telecommunications industry. Indeed, information technology has penetrated virtually all areas of our lives and every sector of the economy, making them an integral part of cyberspace today. As a result, value-added processes in the ‘real world’ are inextricably linked to the virtual world and are barely conceivable today without it. The challenge of making cyberspace more secure can now only be met through the combined efforts of business and industry, academia and the government. The Alliance for Cyber Security reflects this need for cooperation and serves as a platform for the exchange of knowledge and expertise in the field. Indeed, lasting security can only be achieved if we continually revise our strategies for preventing, recognising and responding to security threats and the evolving methods of cyber criminals.

secuview: The Alliance’s members include partners and members. How many companies joined the Alliance in 2012, and what are the main reasons for which individuals and business partners seek membership?

Dr Hartmut Isselhorst: We received an overwhelmingly positive response to the Alliance for Cyber Security, even during the pilot phase. Since then, other noteworthy cyber security experts have joined our ranks, meaning that more than 200 companies and organisations – including 50 partners – were active members of the Alliance for Cyber Security at the beginning of 2013.

The Alliance offers a variety of services, including issuing warnings about current cyber threats, identifying best practices, unifying industry standards and providing security solutions for systems currently in use, as well as providing general recommendations on the secure use of IT components. In addition to the above, the BSI publishes up-to-date information regarding the ongoing security situation in cyberspace, thus enabling institutions to modify their activities accordingly. In order for this information to be as complete as possible, partners and individual members in the Alliance are also encouraged to report their own knowledge and findings regarding cyber attacks to the BSI. Finally, alongside acting as a central hub for information distribution, the Alliance seeks to promote direct knowledge exchanges in smaller groups such as in regional and industrial working groups or informal meetings.

secuview: What security threats do you expect to emerge over the next few years, and what measures will the Alliance be implementing to counter them?

Dr Hartmut Isselhorst: The growing trend of using information services on the move is going to have a knock-on effect on cyberspace security threats. Smartphones and tablets are now established internet terminals, and their position in the market has been strengthened by their integration into corporate IT systems – both formally and through BYOD policies. This has increased the attraction of these devices to cyber criminals and malware developers. The topic of ‘mobile malware’ will therefore remain on the agenda for the foreseeable future.

We are also preparing for attacks and attempted attacks against specific companies or institutions. Cyberspace is an attractive point of attack for criminals because it provides easy access to potential targets and a myriad of opportunities for deception, as well as an incredibly diverse range of vulnerabilities which can be exploited. We expect hackers to draw on their experiences of launching targeted attacks in recent years to further improve their methods and carry out increasingly sophisticated attacks.

We are also anticipating some positive developments, however. Indeed, whilst companies are still very reticent to disclose information about cyber attacks on their own systems, the BSI is increasingly hearing from companies willing to share their experiences in small groups. If this trend continues, it will most certainly help to raise user awareness and provide a more complete picture of the current security situation, thus serving to boost cyberspace’s ‘immune system’ over the long term.

secuview: Nowadays, the entire world is connected via the internet, and so attacks can be carried out from far beyond our national borders. Will the BSI also be working with the Alliance to contact and exchange information with other groups internationally?

Dr Hartmut Isselhorst: The international exchange of knowledge and expertise is indispensable when it comes to cyber security. Within the Alliance for Cyber Security, this is achieved not only through the BSI’s various international partnerships, but also through the cross-border activities of the Alliance’s partner companies. The knowledge and expertise gained through this international cooperation contributes a great deal to the Alliance’s work and is always analysed and shared in such a way that it benefits all members as much as possible. In practical terms, the Alliance for Cyber Security’s partners and key communicators can also contribute by upholding knowledge exchange between the Alliance and international groups or initiatives abroad.

secuview: One final question: What’s next for the Alliance in 2013?

Dr Hartmut Isselhorst: In light of the overwhelmingly positive feedback received from companies involved in the Alliance for Cyber Security in 2012, we intend to continue implementing and building upon the organisation’s activities in 2013. In my view, it is important to always keep in mind the expectations that are communicated to the BSI in the course of major events and private discussions. This is why we will be organising more industry-specific events for various target groups in 2013 – to raise awareness of cyber security issues on the one hand, and to maintain a direct dialogue with and between companies on the other. We have started the ball rolling this year with the first ever Cyber Security Day for members of the Alliance in January. In February, this event has been followed by a major conference in partnership with the logistics industry and knowledge exchange across different sectors. We also have several other events in the pipeline. In addition to the above, I am very much looking forward to the numerous contributions recently announced by our partners which will create significant added value for all of the Alliance for Cyber Security’s members.

The Alliance for Cyber Security was established in March 2012 by the Federal Office for Information Security (BSI) and BITKOM. This joint initiative acts as a platform for the sharing of information and experiences in the general area of cyber threats. At the international level, it promotes cross-border collaboration with other Alliance partners.

[Figure: participants in the Alliance for Cyber Security: BSI, Partners, Multipliers, Businesses, Government agencies, Operators of critical infrastructures, Other institutions of particular interest to the state (INSI), Other organisations]

secunet is a partner company in the Alliance for Cyber Security and draws on the extensive knowledge and expertise of its IT security specialists to support the organisation’s members.

National

German Justice Plays it Safe

secunet connects Bavaria to S.A.F.E. central registry

The introduction of mandatory electronic commercial registration in 2007 coincided with the launch of a new communication infrastructure in the German judicial system. The opportunity of having direct access to courts and authorities via EGVP proved hugely popular right from the start; in fact, projected user numbers were far exceeded after only three months in operation. Because everyone registering as an EGVP user is assigned a unique mailbox address by the identity management system and this data must be constantly replicated to all other active EGVPs in the system, the registration service is of paramount importance.

What is EGVP?

The electronic legal and administrative mailbox, in Germany known as EGVP (Elektronisches Gerichts- und Verwaltungspostfach), can be used by courts and government authorities in communication with each other as well as with other parties to certain judicial proceedings (e.g. lawyers, notaries, businesses and private citizens) for the safe, legal and efficient transmission of messages, documents and pleadings in the OSCI format (Online Services Computer Interface). EGVP automatically encrypts the entire data exchange. Messages can also have files attached and, if necessary, bear an electronic signature. This speeds up legal processes, and all parties benefit from the increased efficiency. No wonder then that more than 40,000 parties to proceedings in all 16 federal states and in most federal courts in Germany are making use of the EGVP, a trend that is even expected to grow further.

Separation of registration process from EGVP: S.A.F.E.

In order to be optimally positioned in the future in terms of performance and interfaces, the Bund-Länder-Kommission für Datenverarbeitung und Rationalisierung in der Justiz (Joint Federal and State Commission for Data Processing and Rationalisation in Judicial Processes) has prescribed the architecture of a federated identity management system for the German judiciary. This goes by the name of ‘Secure Access to Federated E Justice / E Government’, or S.A.F.E. for short. The underlying idea is essentially straightforward: the ‘Identity Providers’ which are spread out over a number of different domains are combined on a single platform and are addressed via standard interfaces. The so-called ‘Trust Domain’ (TD) is the central structuring element. This consists of a set of services and service users that co-exist in a mutual trust relationship. It ensures a unified communications infrastructure within the justice system that operates across federal state boundaries.

Bavaria creates own Trust Domain

Up to now, there has been a centralised S.A.F.E. identity management system operating from the data centre in North Rhine-Westphalia, which is responsible for the mailboxes of user parties in all the federal states. Bavaria has now become the first German federal state to set up its own trust domain which is operated in its own data centre. This means that the management of Bavarian identities takes place regionally, thus restoring data sovereignty.

In this matter the Bavarian justice system relied on comprehensive assistance from secunet: the IT security experts have provided organisational and technical support to the IT officers of the Bavarian judiciary, who are based at the Munich Higher Regional Court, in the planning, design and implementation of the S.A.F.E. compliant trust domain ‘Justiz Bayern’. This involved the analysis of the administrative procedures and of the user groups that are to be integrated in the preliminary stage as well as the analysis and evaluation of the data sources that store information about the digital identities of users and their operational role. secunet also took on the task of integrating the technical basis – the Oracle Identity Management Suite – into the existing infrastructure.

Flexible and fit for the future

The Bavarian justice system is already in a position to communicate confidentially via S.A.F.E. in such administrative areas as the central register of wills or the electronic land registry. Thanks to its open and highly scalable architecture, many more administrative procedures, citizen portals and e-government services will follow in the near future.

More information:
Norbert Müller
norbert.mueller@secunet.com

National

Increased Security for Passengers – including online

Nicolas Hunloh, Team Leader Internet, Düsseldorf International Airport

The air transport hub of Flughafen Düsseldorf handles over 20 million passengers per year, making it the largest airport in North Rhine-Westphalia. 70 airlines operate here, serving more than 190 destinations. Located in one of Europe’s strongest-performing economic regions, with 18 million people living within a radius of 100 kilometres, Düsseldorf International plays a key role in fulfilling the mobility needs of private individuals and businesses in the federal state of North Rhine-Westphalia and the south-east of the Netherlands. Furthermore, as the largest single employer in Düsseldorf with a workforce of around 19,700, the airport has a major impact on the jobs market in NRW.

As traffic has increased over recent years, the corporate website has had to adapt and grow to meet the demands of passengers as well as those who are picking them up from the airport and other target groups. These users visit the site to check flight times, to find out about local conditions, to reserve parking spaces, to retrieve general information about the airport, and much more besides. The website is thus a main point of contact for around 11 million users per year.

By undertaking regular security checks, including its online platforms, Düsseldorf airport upholds consistently high security standards.

Various extranets provide B2B partners and customers with helpful tools. Data that is stored there requires secure protection. Flughafen Düsseldorf GmbH therefore took the decision in 2012 to submit its main corporate website as well as those of its subsidiaries to an extensive security check. Their search for a professional, flexible and reliable service provider quickly brought them to secunet.

For the operator, it is particularly important that the standards which are rigorously adhered to in the everyday working environment of the airport’s offline sector (where security is at a premium) apply equally to its website. Because even data on passengers and partners requires the protection of a highly secure and efficient infrastructure against externally launched attempts to gain unauthorised access.

The secunet team therefore set about identifying potential vulnerabilities using a detailed penetration test and applying recognised standards with particular reference to OWASP Top 10 2012. In order to avoid overloading the server infrastructure during the procedure, the tests were conducted during the low-traffic period between 11pm and 6am.

The results were then presented in the form of a detailed report, with measures identified for optimisation then being implemented within a short time by the specialist departments of Flughafen Düsseldorf GmbH and its service providers. At the same time, the company used the project to introduce new mandatory security standards at all levels. Flughafen Düsseldorf GmbH has expressed its intention to call on secunet’s anti-hacking expertise in future.

News in Brief

HACKERSTORY #2

Budget and Production Pressures as Risk Factors

In many companies, security has become an integral part of the production process. In the course of penetration tests, secunet nonetheless continues to identify critical vulnerabilities in internal systems that threaten the organisation’s security and, in the worst-case scenario, its most vital functions.

In subsequent discussions with the relevant system administrators, it will usually transpire that the vulnerabilities have already been recognised, though not necessarily their potential impact. These vulnerabilities are consciously accepted, since the affected system is directly involved in critical business processes and not every company has a sophisticated staging process whereby changes can be tested on multiple pre-production systems. The decision-makers are confronted with a dilemma: in order to increase system security, a temporary reduction in functionality has to be accepted. Subsequent corrective measures – if at all feasible – result in correspondingly high costs. Yet failure to take the necessary action could ultimately lead to substantially higher costs.

However, if IT security teams are involved at the planning phase of a new application, these problems can at least be minimised. If, at an early stage, IT security is considered of equal importance to functionality, this can obviate the need for complex re-designs or bug fixing in the finished product.

More information:
Dirk Reimers
dirk.reimers@secunet.com

More information:
Christian Reichardt
christian.reichardt@secunet.com

IN THE NEXT ISSUE:
The Trojan Mouse
National<br />
Challenges for PKI Systems<br />
in Vehicles<br />
Conventional solutions are not enough<br />
Because of the special nature of the clients<br />
(vehicles, charging infr<strong>as</strong>tructure, traffic<br />
signals etc) which – unlike the computers in<br />
the company network – are not constantly<br />
reachable and which to some extent have<br />
much longer life cycles, they make specific<br />
requirements of their PKI systems that do<br />
not apply to most company PKIs. Similarly,<br />
specifications for Car2Car communication or<br />
Plug&Charge in the c<strong>as</strong>e of e-mobility define<br />
precisely what a PKI is expected to do.<br />
PKI systems have long been an established feature of inhouse<br />
networks and the internet. B<strong>as</strong>ed on <strong>as</strong>ymmetric cryptography,<br />
authentication mechanisms have been created with<br />
which more people work than you might imagine. Whether for<br />
online banking, remote login to the corporate network from a<br />
home office or even the new German national identity card, a<br />
PKI working away in the background is generally responsible<br />
for secure communication.<br />
More recently, various applications requiring a PKI have been<br />
introduced in vehicles:<br />
- digital tachographs<br />
- securing diagnostic access and information consistent<br />
with Euro 5 and Euro 6<br />
- securing onboard fl<strong>as</strong>hware for vehicle programming<br />
- securing TeleX services such <strong>as</strong> remote diagnostics and<br />
programming<br />
- internet in the vehicle<br />
- Car2Car communication<br />
- Plug&Charge for e-mobility<br />
For example, procedures and processes<br />
must be introduced to take into account<br />
the fact that parts of the PKI system may<br />
be available for online communication only<br />
on an intermittent b<strong>as</strong>is. The distribution of<br />
revocation information is just one example of<br />
this problem. In a PKI for Car2Car or Car2X<br />
communication, the number of subscribers can rise exponentially.<br />
There will be hundreds of CA systems and millions of<br />
vehicles all around the world that have to be supplied with key<br />
material and certificates, and at the same time, data privacy<br />
protection legislation will require that each vehicle is equipped<br />
with several hundreds or even thousands of certificates.<br />
Car manufacturers may already be aware of some of these<br />
problems as a result of similar issues with their own company<br />
PKIs for employee badges or SSL certificates for web<br />
services. Nevertheless, these new special cases present them<br />
with unprecedented challenges in the management of cryptographic<br />
keys and certificates that cannot be resolved with the<br />
established processes of existing PKI systems and<br />
therefore require new approaches to the issue of PKI.<br />
More information:<br />
Andreas Ziska<br />
andreas.ziska@secunet.com<br />
What a PKI does<br />
PKI involves more than just technology; it is also a question of infrastructure and<br />
processes. At the heart of the matter is key management, with the complete lifecycle<br />
of cryptographic keys and/or certificates. The main tasks to be performed<br />
by a PKI are:<br />
- Key generation – determination of algorithms, the type of key generation<br />
(central as opposed to decentralised) and the processes for certification of the<br />
public key as well as the identification data of the certificate holder.<br />
- Key distribution / Directory – the distribution of public keys and/or<br />
certificates takes place via directory services such as LDAP. For the assignment of<br />
private keys, secure distribution paths or media are used.<br />
- Blocking management / Revocation – for revoking a certificate (in case of<br />
a lost key or loss of confidence), technical mechanisms such as revocation<br />
lists (CRLs) or online services (OCSP) are used. The CA operator receives the<br />
revocation requests, reviews and authorises them, revokes the certificate and<br />
publishes the revocation information.<br />
- Key recovery / Destruction – by means of key recovery, data can be read and<br />
verified even if key material has been lost. In addition, old or invalid key material<br />
is securely deleted.<br />
- Key exchange (root, CA, client) – appropriate processes (e. g. online provisioning,<br />
the replacement of a secure element or mobile with NFC technology)<br />
specifically ensure the secure exchange of the public root and CA keys. There<br />
must be safeguards against an attacker introducing their own root keys.<br />
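
The revocation task above meets the article's point that vehicles are online only intermittently. The following is an added example, not code from secunet or from the original page, of how a vehicle could decide from a cached CRL. The class names, the 14-day grace window and the sample issuer and serial numbers are assumptions, and signature checks against the pinned root key are assumed to have been done by the caller.

```python
"""Added example: revocation checks from a cached CRL on an intermittently online vehicle."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Verdict(Enum):
    ACCEPT = "CRL fresh, serial not listed"
    ACCEPT_DEGRADED = "CRL past nextUpdate but inside the grace window"
    REJECT_REVOKED = "serial is on the CRL"
    REJECT_NOT_VALID = "certificate outside its validity period"
    REJECT_NO_STATUS = "no usable revocation data for this issuer"


@dataclass(frozen=True)
class Cert:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class Crl:
    issuer: str
    crl_number: int        # increases with every list the CA publishes
    this_update: datetime
    next_update: datetime
    revoked: frozenset     # revoked serial numbers


class RevocationCache:
    """Newest CRL per issuer. Assumption: the caller has already verified
    the CRL and certificate signatures against a pinned root key."""

    def __init__(self, grace: timedelta):
        self.grace = grace   # policy choice (assumption), not taken from any standard
        self._crls = {}

    def store(self, crl: Crl, now: datetime) -> bool:
        """Take in a CRL fetched while online; False means it was refused."""
        if crl.this_update > now:
            return False     # dated in the future: clock fault or manipulated data
        current = self._crls.get(crl.issuer)
        if current is not None and crl.crl_number <= current.crl_number:
            return False     # an older list would silently un-revoke certificates
        self._crls[crl.issuer] = crl
        return True

    def check(self, cert: Cert, now: datetime) -> Verdict:
        if not (cert.not_before <= now <= cert.not_after):
            return Verdict.REJECT_NOT_VALID
        crl = self._crls.get(cert.issuer)
        if crl is None:
            return Verdict.REJECT_NO_STATUS
        if cert.serial in crl.revoked:
            return Verdict.REJECT_REVOKED   # holds even if the list is stale
        if now <= crl.next_update:
            return Verdict.ACCEPT
        if now <= crl.next_update + self.grace:
            return Verdict.ACCEPT_DEGRADED  # e.g. allow charging, log, force a refresh
        return Verdict.REJECT_NO_STATUS


def run_scenario() -> dict:
    """Constructed data: one charging-station CA, two station certificates."""
    utc = timezone.utc
    t0 = datetime(2013, 3, 1, tzinfo=utc)
    ca = "Example Charging Supplier CA"     # hypothetical issuer name
    good = Cert(1001, ca, datetime(2013, 1, 1, tzinfo=utc), datetime(2015, 1, 1, tzinfo=utc))
    bad = Cert(1002, ca, good.not_before, good.not_after)
    other = Cert(7, "Unknown CA", good.not_before, good.not_after)

    cache = RevocationCache(grace=timedelta(days=14))
    out = {}
    out["stored"] = cache.store(
        Crl(ca, 7, t0, t0 + timedelta(days=7), frozenset({1002})), now=t0)
    # Vehicle goes offline and keeps checking against the cached list.
    out["fresh"] = cache.check(good, t0 + timedelta(days=3))
    out["revoked"] = cache.check(bad, t0 + timedelta(days=3))
    # Replay of the previous, empty list must not replace list number 7.
    out["replay_stored"] = cache.store(
        Crl(ca, 6, t0 - timedelta(days=7), t0, frozenset()), now=t0 + timedelta(days=3))
    out["revoked_after_replay"] = cache.check(bad, t0 + timedelta(days=4))
    out["stale_in_grace"] = cache.check(good, t0 + timedelta(days=10))
    out["stale_beyond_grace"] = cache.check(good, t0 + timedelta(days=30))
    out["unknown_issuer"] = cache.check(other, t0 + timedelta(days=3))
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name:22} {result}")
```

The length of the grace window is the trade-off the article points to: a short window blocks vehicles that have simply been offline, a long one extends the time a revoked certificate is still accepted.
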
[Figure: the main PKI tasks: key generation; key distribution / directory; blocking management / revocation (CRL / OCSP); key recovery / destruction; key exchange (root, CA, client).]<br />
[Figure: Example of an eMob PKI complying with ISO 15118. Labels, top to bottom: eMob Root CA, with the marking "optional" (twice); EV OEM Root CA, Energy supplier Root CA, Charging supplier Root CA, Meter Root CA; example CAs Daimler, BMW, AUDI / RWE, EnBW, e.on / A, B, C / A, B, C; Vehicle certificates, Contract certificates, Charging station certificates, SmartMeter certificates. Figure note: "Already established because of the applicable standardisation regulations for smart metering in Germany".]<br />
The companies named here have been chosen as examples only. This should not<br />
be taken as an indication of which ones will eventually appear under eMob Root CA.<br />
PREVENTIVE SECURITY #1<br />
Preventive security is in this respect a key concept: specific organisational, infrastructural, technical and<br />
staffing strategies that are tailored to individual circumstances and to constructing a defence that kicks<br />
in before something bad happens. In subsequent issues of secuview, you can read interesting and sometimes<br />
even amusing case studies (anonymised, of course) compiled by our secunet experts.<br />
FIFA World Cup Shoots Holes in IT System<br />
Directives from above defeat even the best technical defences<br />
There are many IT systems that, technically speaking, are well<br />
protected. But unfortunately, these too fall victim to elementary<br />
attacks because individually appropriate organisational<br />
processes have not been implemented or upheld.<br />
“How could they overcome the formidable barriers that we<br />
now have in place? The way they were bypassed makes us<br />
look like amateurs!” Unfortunately, this quote is genuine and<br />
the circumstances that permitted this successful IT attack are<br />
by no means exceptional. The technology and the administrators<br />
really were high calibre. The problem lay entirely elsewhere.<br />
The vulnerability was caused by the instruction issued<br />
by a senior executive to allow certain IT services during the<br />
World Cup so that he could follow games live on his PC.<br />
Although the administrators expressly advised of the associated<br />
security risks, the desire of this senior person to watch<br />
the matches live at work obviously outweighed the concerns<br />
of the lower-ranking technical staff. The expert in this case –<br />
i. e. the system administrator – had no recourse against the<br />
decision.<br />
This real-life scenario is by no means exceptional. secunet<br />
is often called out to deal with emergencies that have been<br />
caused by the absence of organisational security measures.<br />
In the case cited above, a clearly defined, documented and<br />
auditable process that gave the administrator suitable veto<br />
rights would have helped to uphold the high level of security<br />
afforded by the systems in place. It would then have been<br />
possible to take secure and responsible action, overriding the<br />
personal preferences of the boss.<br />
Security must be integral to corporate culture<br />
Experience has shown that, although many government agencies<br />
and private businesses have put appropriate security<br />
measures in place, these are not upheld rigorously due to the<br />
organisational aspects of information security. At the same<br />
time, however, there is no shortage of standards and best<br />
practices to provide support here. Examples include the IT security<br />
management standards typified by the ISO 27000 family and<br />
those implemented in accordance with BSI baseline protection<br />
or the recommendations of ITIL (IT Infrastructure Library) and<br />
COBIT (Control Objectives for Information and Related Technology).<br />
secunet experts with many years of experience are<br />
available to support any appropriate customisation or tailored<br />
implementation.<br />
More information:<br />
René Seydel<br />
rene.seydel@secunet.com<br />
IN THE NEXT ISSUE:<br />
Well configured – one click for enhanced security<br />
International<br />
Automation is the Way<br />
Forward for Border Control<br />
secunet eGates securely manage increasing passenger numbers at national borders<br />
Globalisation has led to a steady increase in private and professional<br />
mobility. Short-haul flights have become an attractive<br />
alternative to travelling by train or car. For airports, this means<br />
that more and more passengers have to be cleared on arrival.<br />
The International Air Transport Association (IATA) estimates<br />
that, in 2013, the milestone of three billion passengers worldwide<br />
will be exceeded.[1] This development poses multiple challenges<br />
for airports, as passengers should not be expected to<br />
wait in unreasonably long queues to pass through the security<br />
gate or border control. At the same time, security considerations<br />
must under no circumstances be compromised as the<br />
threat of terrorism remains acute.<br />
The solution lies in biometric data<br />
A good option for managing increased passenger volume<br />
at borders is to provide electronic control gates – so-called<br />
‘Automated Border Control Systems’ or eGates for short.<br />
Utilising the biometric data stored in electronic travel documents<br />
(e.g. the digitised facial image of the traveller),<br />
eGates allow partial automation of border control<br />
processes whilst retaining the same high level of<br />
security: when the passport is placed on the document<br />
reader, its electronic and optical security features<br />
are checked and the biometric data is read.<br />
Passengers authorised to use the system can then<br />
step into the eGate. Here, a camera integrated into<br />
the exit door automatically takes a photo of the<br />
traveller’s face. This data is then compared to the<br />
passport picture read earlier. If the biometric data<br />
matches, the passenger is cleared to pass, i. e. to<br />
cross the border.<br />
As the ePassport is read and the<br />
passenger’s face is scanned, the<br />
same data is also displayed on<br />
the immigration control officer’s<br />
monitor.<br />
The process offers significant benefits to all parties<br />
involved: on the one hand, it reduces queuing time for<br />
passengers and airport operators benefit from optimised<br />
passenger flows; on the other hand, border<br />
police officers get valuable support without losing<br />
control over the process.<br />
[1] See http://www.iata.org/pressroom/facts_figures/Documents/economic-outlook-media-day-dec2012.pdf<br />
secunet’s face recognition technology makes use of a smart camera integrated into the exit door.<br />
Adaptive LED lights provide optimum levels of illumination.<br />
secunet eGates are already in operational use as part of the EasyPASS and EasyGO projects.<br />
Pioneering work to provide sustainable solutions<br />
As a pioneer in this field, secunet was commissioned in late<br />
2007 by the German Federal Office for Information Security<br />
(BSI) to take on the design and implementation of the<br />
EasyPASS eGate solution at Frankfurt Airport. Following its<br />
successful operational launch, the secunet experts have made<br />
it available for use with the new German ID card. This has not<br />
only set the benchmark for the future design of immigration<br />
control systems at German airports but has also convinced<br />
the Czech border police: going by the name of EasyGO, the<br />
automated border control system was implemented at Prague’s<br />
Vaclav Havel airport in late 2012, and after only a twelve-month<br />
pilot period, it has been incorporated into day-to-day operation<br />
and has even been extended.<br />
The evident advantages and positive experience of automated<br />
border control have won over airport operators and border<br />
police in equal measure. Experts agree that the trend in<br />
coming years at national and international airports will be<br />
towards further automation of border control. Years of experience<br />
coupled with the ‘Made in Germany’ label – perceived<br />
around the world as a hallmark of quality – mean that secunet<br />
eGates are set to play a crucial role.<br />
More information:<br />
Georg Hasse<br />
georg.hasse@secunet.com<br />
What makes the solution from secunet so unique?<br />
The decisive USP of eGate solutions from secunet is the modular<br />
approach: the unique flexibility of this complex system is<br />
made possible by secunet biomiddle, software that acts as<br />
an intermediary between client applications and the various<br />
biometric technologies. Because of this, original components can<br />
be updated at any time and further devices can be added.<br />
The Automated Border Control System sets standards in other<br />
ways; for example, the BSI acting as an independent body<br />
has verified its security and reliability. Furthermore, the system<br />
is characterised by exceptional user-friendliness. The entire<br />
process is adapted to the natural flow of the passengers who<br />
are given clear step-by-step guidance as they pass through<br />
the system. High acceptance and rapid, straightforward processing<br />
are thus guaranteed.<br />
The benefits of secunet eGates at a glance<br />
Secure<br />
- BSI-approved security and reliability of the system by means of:<br />
- Testing of the optical and electronic security features<br />
- Biometric comparison at a high level of security<br />
- Monitoring by immigration control officers<br />
Economical<br />
- Airports are able to process a higher volume of passengers<br />
through the same physical area<br />
- Investment protected thanks to modular and standard<br />
architecture of the overall system<br />
Fast<br />
- Conventional immigration controls are relieved by partial<br />
automation and thereby accelerated<br />
- Travellers are guided intuitively through the gate, thus reducing<br />
the length of queues<br />
Technologies & Solutions<br />
Electronic management of classified information without discontinuity of media<br />
SINA Workflow for security and compliance with regulations<br />
Anyone who has experience of working with classified<br />
electronic data and processes is familiar with<br />
the dilemma of complying with VSA (the national<br />
regulations governing classified information) while<br />
still coping with the job in hand. This conflict has<br />
increased steadily over recent years, because<br />
the existing regulations were originally conceived<br />
for an age in which everything was committed to<br />
paper. But rapidly increasing information flows<br />
have long since made electronic processing indispensable,<br />
and there are currently no software<br />
systems which have been approved and are sufficiently<br />
productive to be used for VSA-compliant<br />
processing.<br />
SINA Workflow represents a comprehensive, VSA-compliant<br />
solution to the aforementioned dilemma:<br />
- The compilation, processing and distribution of classified<br />
data takes place without any discontinuity of media<br />
- Unlike other solutions, SINA Workflow does not merely<br />
address individual aspects of VSA<br />
- There is a logical, cryptographically secured enforcement<br />
of the ‘Need to Know’ principle<br />
- Uncontrolled outflow of classified data is prevented<br />
- Every activity that VSA requires to be verified is securely<br />
logged to legal audit standard<br />
SINA Workflow comprises central registry, control and storage<br />
systems as well as remote clients based on the SINA<br />
Workstation.<br />
The complete lifecycle of classified documents and operations<br />
is mapped, so that a user is supported and guided<br />
through the system right from the start. The creation of a draft<br />
classified document takes place within a SINA Workflow-specific<br />
session on a SINA Workstation. When the draft of the<br />
classified item is registered, it is encrypted and saved to a<br />
central location. From that point onwards, other contributors<br />
can be allowed access to the draft classified document. In this<br />
way, SINA Workflow guarantees VSA-compliant processing of<br />
classified documents within a group and also offers support<br />
for addenda and co-signing processes. After the completion<br />
and registration of the finalised item, the classified document<br />
itself can then be distributed. Classified documents can, of<br />
course, also be printed or exported.<br />
Using SINA Workstation for classified information<br />
In addition to supporting users, SINA Workflow also assists<br />
system administrators, e.g. by automatically keeping a log, or<br />
by generating an inventory of classified documents.<br />
Work is in progress with a German federal government office<br />
on the prototypical installation and integration of SINA Workflow<br />
into the existing network infrastructure.<br />
More information:<br />
Peter Janitz<br />
peter.janitz@secunet.com<br />
SINA Workflow is able to map the entire lifecycle<br />
of classified documents and processes.<br />
This now facilitates electronic, VSA-compliant<br />
processing of classified information.<br />
Subscribe to secuview<br />
Would you like to receive secuview on a regular basis, free of charge?<br />
Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/the-company/it-security-report-secuview.<br />
There you can also change your preference or unsubscribe.<br />
Illustrations: Cover People: plainpicture/OJO; p. 3 (folder), 6, 7, 12: shutterstock.com; Airport Düsseldorf p. 8 - 9: Andreas Wiese; p. 10: iStockphoto.com;<br />
p. 19: EUROFORUM Deutschland SE. Others: secunet.<br />
News in Brief<br />
secunet on Twitter, Xing and LinkedIn<br />
Social media have not only changed<br />
the way we interact with each other as<br />
individuals but have also become an essential<br />
means of communication in the<br />
business world. In 2012, we extended<br />
our online presence to Twitter, Xing and<br />
LinkedIn, aiming to use these media<br />
to increase our availability to secunet<br />
customers and partners, and to explore<br />
with them the issues of the moment surrounding<br />
IT security.<br />
Via our corporate profiles on the Xing<br />
and LinkedIn business platforms, we<br />
offer existing and future customers as<br />
well as potential recruits to our ranks a<br />
quick and convenient way of getting in<br />
touch with us.<br />
Professional associations and the German<br />
Federal Chancellery have long had<br />
their own presence here. We are now<br />
using our Twitter page – @secunet_AG –<br />
to inform our customers and other interested<br />
users about the latest developments<br />
in the world of IT security. We go<br />
beyond relaying news from and about<br />
our own company, picking up on a wide<br />
range of IT security issues as these<br />
affect the private and public sectors. We<br />
publish up-to-the-minute alerts on current<br />
security vulnerabilities and engage<br />
in a fruitful exchange of views and opinions<br />
with the online communities.<br />
Visit our website at www.secunet.com<br />
and follow us on Twitter at @secunet_AG<br />
This QR code will take you directly to our Twitter page: http://www.twitter.com/secunet_AG<br />
New Federal Framework Agreement on IT Security Services<br />
Since August 2012, federal authorities<br />
have been able to call on secunet to<br />
provide IT security services under the<br />
terms of two new framework agreements<br />
with the German Federal Office<br />
for Information Security (BSI). In association<br />
with HiSolutions AG, secunet was<br />
once again successful in its bid for the<br />
contract to supply IT security consulting<br />
services to the German federal government.<br />
The new agreements cover general<br />
consulting services for IT security<br />
in federal authorities, consultancy in the<br />
field of e-government tasks and projects,<br />
the implementation of security<br />
audits and reviews, and the drafting of<br />
IT security and emergency concepts.<br />
secunet will further be supporting the<br />
federal government in the performance<br />
of security analyses designed to identify<br />
and resolve vulnerabilities in IT systems<br />
and processes. More information can<br />
be found on the federal government’s<br />
online procurement portal Kaufhaus<br />
des Bundes at https://www.kd-bund.de<br />
(NB: access only with certificate) and<br />
on the federal government intranet at<br />
http://kdb.intranet.bund.de.<br />
More information:<br />
Dirk Ossenbrüggen<br />
dirk.ossenbrueggen@secunet.com<br />
New Appointment at the BSI<br />
Federal Office for Information Security<br />
With effect from 1st January 2013,<br />
Andreas Könen is the new Vice-President<br />
of the BSI. His predecessor in the<br />
office, Horst Flätgen, has moved to the<br />
Federal Ministry of Finance. Könen’s<br />
previous role was as Director of Advice<br />
and Coordination. In previous years,<br />
he held responsibility for the areas of<br />
Coordination and Control as well as<br />
Security in Applications and Critical<br />
Infrastructures. The new man in charge<br />
at the Department of Advice and Coordination<br />
is Horst Samsel.<br />
Imprint<br />
Editor<br />
secunet Security Networks AG<br />
Kronprinzenstraße 30<br />
45128 Essen, Germany<br />
www.secunet.com<br />
Responsible in terms of the<br />
press law: Christine Skropke,<br />
christine.skropke@secunet.com<br />
Chief Editor: Claudia Roers,<br />
claudia.roers@secunet.com<br />
Chief Conception & Design<br />
Dominik Maoro,<br />
dominik.maoro@secunet.com<br />
Design<br />
www.knoerrich-marketing.de<br />
Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not<br />
expressly permitted by copyright law requires prior written permission.<br />
Events<br />
Lively exchange of views at it-sa<br />
Cornelia Rogall-Grothe (Federal Government Commissioner<br />
for Information Technology and Secretary of State in the Ministry<br />
of the Interior) joined Franz Josef Pschierer (Bavarian State<br />
Government Commissioner for Information Technology and<br />
State Secretary of the Bavarian Ministry of Finance) in a visit to<br />
the secunet stand at the it-sa trade fair held in October 2012.<br />
Cornelia Rogall-Grothe<br />
deep in discussion<br />
with secunet CEO<br />
Dr Rainer Baumgart<br />
(second from left)<br />
IT Summit Working Group 4 visits secunet<br />
Dr Karsten Ottenberg, Federal Interior Minister Dr Hans-Peter Friedrich,<br />
Dr Rainer Baumgart and Prof Dr Claudia Eckert (l to r)<br />
In the context of the IT Summit in Essen, German Interior Minister<br />
Hans-Peter Friedrich visited secunet on 12th November<br />
2012. Together with Dr Karsten Ottenberg (G&D), he chaired<br />
the meeting of the Working Group 4 on ‘Trust, Privacy and<br />
Security on the Internet’. The title of the event at the company’s<br />
premises in Kronprinzenstrasse was ‘Cybersicherheit in<br />
Deutschland gestalten’ (Shaping Cyber Security in Germany).<br />
More than 100 participants and members of the press were<br />
in attendance to discuss the topic with the Minister of the<br />
Interior, BSI President Michael Hange, Professor Claudia<br />
Eckert (TU Munich and Fraunhofer AISEC), Reinhard Clemens<br />
(Deutsche Telekom), Dr Rainer Baumgart and Dr Karsten<br />
Ottenberg.<br />
Always online – always secure<br />
The IT Security on Board workshop in Munich last October<br />
was an opportunity for experts to compare notes on recent<br />
developments and implications for the future in e-mobility<br />
and Car-2-Car technology. Standards and methods by which<br />
vehicle IT security can be evaluated and the need for protection<br />
can be determined were also major themes of the<br />
presentations and of the lively conversations and discussions<br />
that followed. The secunet live hacking demo met with particular<br />
interest; some of the participants immediately took a<br />
critical look at their own phones when they learned about the<br />
sophistication of attacks currently being made on iPhones and<br />
Android devices.<br />
Experts swap ideas at biometrics conference<br />
secunet in London: The biometrics trade fair was characterised by interesting discussions and new ideas.<br />
From 29th to 31st October, biometrics experts from around<br />
the world attended the aptly named ‘biometrics’ trade fair<br />
in London. In the context of the conference and exhibition,<br />
there was a lively exchange of views on hot topics, the latest<br />
developments and current biometric practice. In a series of<br />
interesting discussions, secunet experts set various balls<br />
rolling and also returned to base with new ideas and issues<br />
to resolve.<br />
secunet ACU in Tokyo<br />
Last October, representatives from secunet attended the<br />
FTF Freescale conference in Tokyo. They joined our partners<br />
from OpenSynergy at their stand to show off a demo unit of<br />
the secunet Application Control Unit (ACU), which is almost<br />
ready to go into series production. Where communication<br />
from external networks does not comply with the rules specified,<br />
the ACU prevents this from reaching the on-board electrical<br />
system. In this way, the ACU enables open networked<br />
infotainment applications. At the same time, valuable assets<br />
such as operational security are safeguarded.<br />
SINA meets the Secretary of Defence<br />
Participants at the Handelsblatt conference on ‘Security<br />
Policy and the Defence Industry’ had a chance to hear<br />
the views of Defence Minister de Maizière on the dialogue<br />
between society, politics, military and economy. As one of<br />
the conference sponsors, secunet was invited to present its<br />
SINA product portfolio.<br />
SINA presentation at NATO Symposium<br />
SINA made its debut appearance on our own exhibition<br />
stand at the NIAS symposium held in the Belgian city of Mons<br />
last September.<br />
SINA in Rome<br />
AFCEA TechNet International took place in Rome last October<br />
under the patronage of Italian Defence Minister Giampaolo<br />
Di Paola. The event was well attended by representatives<br />
from various NATO countries and from the NCIA (NATO Communications<br />
and Information Agency) who were fascinated by<br />
the demonstrations of SINA solutions at the secunet stand.<br />
SINA on tour in Warsaw<br />
In October 2012, all of the international SINA reseller partners<br />
gathered in Warsaw to exchange information and experiences,<br />
to listen to a series of presentations and to engage<br />
in some general networking.<br />
Photo caption: Johan Hesse of secunet presenting SINA solutions to the international audience.<br />
Dates<br />
February until June 2013<br />
12 - 14 Feb 2013 » Security Document World / Prague, Czech Republic<br />
17 - 21 Feb 2013 » IDEX / Abu Dhabi, UAE<br />
25 Feb - 1 March 2013 » RSA Conference / San Francisco, USA<br />
5 - 9 March 2013 » CeBIT / Hannover<br />
12 April 2013 » Workshop ‘IT Security on Board’ / Munich<br />
23 - 25 April 2013 » Infosecurity Europe / London, UK<br />
24 - 25 April 2013 » AFCEA exhibition / Bonn-Bad Godesberg<br />
7 May 2013 » SINA User Day / Berlin<br />
14 - 16 May 2013 » 13th Deutscher IT-Sicherheitskongress / Bonn-Bad Godesberg<br />
21 - 23 May 2013 » Security Document World / London, UK<br />
15 May 2013 » General Annual Meeting secunet / Essen, Castle of Borbeck<br />
15 - 16 May 2013 » Datenschutzkongress / Berlin<br />
5 and 6 June 2013 » SINA User Day / Bonn<br />
Would you like to arrange an appointment with us?<br />
Then send an e-mail to events@secunet.com.<br />
Caution! Insecure Structure!<br />
Customized IT security provides a solid foundation for your success.<br />
Protect your most important assets. IT security is essential for a stable<br />
IT infrastructure and for all processes. secunet is your trump card: Our<br />
vision and expertise will help you achieve even the most demanding IT<br />
security solutions.<br />
www.secunet.com<br />
IT security partner of the<br />
Federal Republic of Germany