Partnership for Security in Cyberspace - secunet AG

Increased Security for Passengers – including online
Nicolas Hunloh, Team Leader Internet, Düsseldorf Int. Airport

Automation is the Way Forward for Border Control
secunet eGates securely manage increasing passenger numbers at national borders

Electronic management of classified items without discontinuity of media
SINA Workflow for security and compliance with regulations

Issue 1 | 2013

Partnership for Security in Cyberspace
Alliance for Cyber Security as a central information platform

The IT Security Report by


Dear Readers,

irrespective of whether we operate in the public or private sector, we are all doing business more and more in cyber space; we are thus increasingly dependent on the secure and uninterrupted functioning of digital information and communication technologies. If we are to maintain security of information, data and processes on a permanent basis, we must continuously adapt to the shifting level and nature of the threat posed by hackers and the methods they employ. The detailed exchange of information and experiences between industry, government agencies and experts not only facilitates a high degree of transparency but also makes the job of prevention easier for us all. One of the platforms for such exchanges is the Allianz für Cyber-Sicherheit (Alliance for Cyber Security) founded by the German Federal Office for Information Security (BSI) and the Federal Association for Information Technology, Telecommunications and New Media (BITKOM). We spoke with Dr Hartmut Isselhorst from BSI about the aims and objectives of the Alliance.

Here at secunet, we also intend to place the exchange of ideas with our customers on a more direct footing; consequently, we have undertaken an internal restructuring designed to make us more flexible in the way we cater for your needs, aspirations and demands. We will thus be able to respond more efficiently and quickly to current developments in the cyber world and to offer you, our customers, optimum proactive and innovative support as you rise to future challenges and implement new projects.

- Our Public Sector (formerly High Security and Government Division) advises clients from the public sector and the defence industry both here in Germany and abroad, proposing current products and services that can be combined for specific circumstances as well as customised security solutions. These are fully compatible with any modern administration, they are capable of handling jobs at the highest level and they comply with high-security specifications for the protection of classified information.

- Our Business Sector (formerly Business Security and Automotive Security Division) helps private business clients to fully exploit the potential of increased digitisation and the associated electronic mapping of business processes, and also to securely map intelligent networks, mobile applications, IT-based control of production/logistics operations and the digitisation of transport and traffic systems.

The areas in which we excel and our achievements to date are a matter of record. We now present some of the latest developments in this edition of secuview.

I hope you enjoy reading our magazine.

Best wishes

Dr Rainer Baumgart

Content

02 » 1 | 2013


National
03 Local High-Quality IT Products for Local Users
04 Partnership for Security in Cyberspace – Alliance for Cyber Security as a central information platform
06 German Justice Plays it Safe
08 Increased Security for Passengers – including online
10 Challenges for PKI Systems in Vehicles

International
14 Automation is the Way Forward for Border Control

Technologies & Solutions
16 Electronic management of classified items without discontinuity of media

09 Hackerstory #2 Budget and Production Pressures as Risk Factors
12 Preventive security #1 FIFA World Cup Shoots Holes in IT System
17 News in Brief secunet on Twitter, Xing and LinkedIn / New Agreement with National Government on IT Security Services / New Appointment at the BSI
18 Events
19 Dates


1 | 2013 « 03

National

Local High-Quality IT Products for Local Users

IT security technology ‘Made in Germany’ is being supplied direct to government agencies around the country

Following the successful piloting of the federal government IT investment programme in 2010, the German Federal Office for Information Security (BSI) launched a follow-up project – ‘Sondertatbestand’ – in 2012. The purpose of this is to support government agencies by simplifying the procurement process for IT security solutions, including the SINA range of products. This ensures not only that all data is optimally protected but also that cryptographic systems approved for the NfD (RESTRICTED) classification become more widely established.

Within the framework of the Sondertatbestand project, participating agencies received products at no extra expense for
- interface control
- hard disk encryption
- encryption of mobile storage media
- encrypted USB flash devices
- securing mobile scenarios

The use of a SINA workstation makes it easy for authorities to securely access both unclassified and RESTRICTED data at any time and from any location, whether the operator is away on business or ‘teleworking’ from home.

Support close at hand

SINA experts from secunet provided support to the various government IT departments in implementation, installation and on-site training. secunet support is then on call around the clock, seven days a week. It is a tremendous advantage when the experts are just a phone call away.

When there is a total loss of IT service, it is important that response times are short and the correct action is taken. For this reason, the Sondertatbestand project also includes a security consultancy element. secunet supports the participating agencies in complying with the criteria of the federal government action plan known as ‘UP-Bund’. This includes in particular measures to improve information security and the development of a continuity management plan.

The BSI has conceived the Sondertatbestand project as a way of making IT expertise available to individual authorities conveniently and without impacting on their budget. In this way, applicants procure internationally competitive products from national suppliers. And in any case, the German encryption industry enjoys a high reputation around the world. The evidence for this is in the many national and international projects that make use of encryption products from Germany.

More information:
Dirk Mangelmann
[email protected]


04 » 1 | 2013

Partnership for Security in Cyberspace – Alliance for Cyber Security as a central information platform

An Interview with Dr Hartmut Isselhorst of the BSI on the Alliance for Cyber Security

secuview: The new Alliance for Cyber Security was founded by the BSI (German Federal Office for Information Security) and BITKOM at the annual CeBIT trade show in March 2012. What was the reason for setting up such an organisation?

Dr Hartmut Isselhorst: Internet technologies in recent years have led to major advances in the IT and telecommunications industry. Indeed, information technology has penetrated virtually all areas of our lives and every sector of the economy, making them an integral part of cyberspace today. As a result, value-added processes in the ‘real world’ are inextricably linked to the virtual world and are barely conceivable today without it. The challenge of making cyberspace more secure can now only be met through the combined efforts of business and industry, academia and the government. The Alliance for Cyber Security reflects this need for cooperation and serves as a platform for the exchange of knowledge and expertise in the field. Indeed, lasting security can only be achieved if we continually revise our strategies for preventing, recognising and responding to security threats and the evolving methods of cyber criminals.

secuview: The Alliance’s members include partners and members. How many companies joined the Alliance in 2012, and what are the main reasons for which individuals and business partners seek membership?

Dr Hartmut Isselhorst: We received an overwhelmingly positive response to the Alliance for Cyber Security, even during the pilot phase. Since then, other noteworthy cyber security experts have joined our ranks, meaning that more than 200 companies and organisations – including 50 partners – were active members of the Alliance for Cyber Security at the beginning of 2013.

The Alliance offers a variety of services, including issuing warnings about current cyber threats, identifying best practices, unifying industry standards and providing security solutions for systems currently in use, as well as providing general recommendations on the secure use of IT components. In addition to the above, the BSI publishes up-to-date information regarding the ongoing security situation in cyberspace, thus enabling institutions to modify their activities accordingly. In order for this information to be as complete as possible, partners and individual members in the Alliance are also encouraged to report their own knowledge and findings regarding cyber attacks to the BSI. Finally, alongside acting as a central hub for information distribution, the Alliance seeks to promote direct knowledge exchanges in smaller groups such as in regional and industrial working groups or informal meetings.

secuview: What security threats do you expect to emerge over the next few years, and what measures will the Alliance be implementing to counter them?

Dr Hartmut Isselhorst: The growing trend of using information services on the move is going to have a knock-on effect on cyberspace security threats. Smartphones and tablets are now established internet terminals, and their position in the market has been strengthened by their integration into corporate IT systems – both formally and through BYOD policies. This has increased the attraction of these devices to cyber criminals and malware developers. The topic of ‘mobile malware’ will therefore remain on the agenda for the foreseeable future.

Dr Hartmut Isselhorst, head of the Department of Cyber Security at the BSI

„The Alliance offers a variety of services, including issuing warnings about current cyber threats, identifying best practices, unifying industry standards and providing security solutions for systems currently in use.“

1 | 2013 « 05

We are also preparing for attacks and attempted attacks against specific companies or institutions. Cyberspace is an attractive point of attack for criminals because it provides easy access to potential targets and a myriad of opportunities for deception, as well as an incredibly diverse range of vulnerabilities which can be exploited. We expect hackers to draw on their experiences of launching targeted attacks in recent years to further improve their methods and carry out increasingly sophisticated attacks.

We are also anticipating some positive developments, however. Indeed, whilst companies are still very reticent to disclose information about cyber attacks on their own systems, the BSI is increasingly hearing from companies willing to share their experiences in small groups. If this trend continues, it will most certainly help to raise user awareness and provide a more complete picture of the current security situation, thus serving to boost cyberspace’s ‘immune system’ over the long term.

secuview: Nowadays, the entire world is connected via the internet, and so attacks can be carried out from far beyond our national borders. Will the BSI also be working with the Alliance to contact and exchange information with other groups internationally?

Dr Hartmut Isselhorst: The international exchange of knowledge and expertise is indispensable when it comes to cyber security. Within the Alliance for Cyber Security, this is achieved not only through the BSI’s various international partnerships, but also through the cross-border activities of the Alliance’s partner companies. The knowledge and expertise gained through this international cooperation contributes a great deal to the Alliance’s work and is always analysed and shared in such a way that it benefits all members as much as possible. In practical terms, the Alliance for Cyber Security’s partners and key communicators can also contribute by upholding knowledge exchange between the Alliance and international groups or initiatives abroad.

secuview: One final question: What’s next for the Alliance in 2013?

Dr Hartmut Isselhorst: In light of the overwhelmingly positive feedback received from companies involved in the Alliance for Cyber Security in 2012, we intend to continue implementing and building upon the organisation’s activities in 2013. In my view, it is important to always keep in mind the expectations that are communicated to the BSI in the course of major events and private discussions. This is why we will be organising more industry-specific events for various target groups in 2013 – to raise awareness of cyber security issues on the one hand, and to maintain a direct dialogue with and between companies on the other. We have started the ball rolling this year with the first ever Cyber Security Day for members of the Alliance in January. In February, this event was followed by a major conference in partnership with the logistics industry and knowledge exchange across different sectors. We also have several other events in the pipeline. In addition to the above, I am very much looking forward to the numerous contributions recently announced by our partners which will create significant added value for all of the Alliance for Cyber Security’s members.

secunet is a partner company in the Alliance for Cyber Security and draws on the extensive knowledge and expertise of its IT security specialists to support the organisation’s members.

The Alliance for Cyber Security was established in March 2012 by the Federal Office for Information Security (BSI) and BITKOM. This joint initiative acts as a platform for the sharing of information and experiences in the general area of cyber threats. At the international level, it promotes cross-border collaboration with other Alliance partners.

„In light of the overwhelmingly positive feedback received from companies involved in the Alliance for Cyber Security in 2012, we intend to continue implementing and building upon the organisation’s activities in 2013.“

[Diagram: structure of the Alliance for Cyber Security – the BSI, Partners and Multipliers; member groups: government agencies, businesses, other organisations, operators of critical infrastructures, other institutions of particular interest to the state (INSI)]


06 » 1 | 2013

What is EGVP?

The electronic legal and administrative mailbox, in Germany known as EGVP (Elektronisches Gerichts- und Verwaltungspostfach), can be used by courts and government authorities in communication with each other as well as with other parties to certain judicial proceedings (e. g. lawyers, notaries, businesses and private citizens) for the safe, legal and efficient transmission of messages, documents and pleadings in the OSCI format (Online Services Computer Interface). EGVP automatically encrypts the entire data exchange. Messages can also have files attached and, if necessary, bear an electronic signature. This speeds up legal processes, and all parties benefit from the increased efficiency. No wonder then that more than 40,000 parties to proceedings in all 16 federal states and in most federal courts in Germany are making use of the EGVP, a trend that is even expected to grow further.

German Justice Plays it Safe

secunet connects Bavaria to S.A.F.E. central registry

The introduction of mandatory electronic commercial registration in 2007 coincided with the launch of a new communication infrastructure in the German judicial system. The opportunity of having direct access to courts and authorities via EGVP proved hugely popular right from the start; in fact, projected user numbers were far exceeded after only three months in operation. Because everyone registering as an EGVP user is assigned a unique mailbox address by the identity management system and this data must be constantly replicated to all other active EGVPs in the system, the registration service is of paramount importance.

Separation of registration process from EGVP: S.A.F.E.

In order to be optimally positioned in the future in terms of performance and interfaces, the Bund-Länder-Kommission für Datenverarbeitung und Rationalisierung in der Justiz (Joint Federal and State Commission for Data Processing and Rationalisation in Judicial Processes) has prescribed the architecture of a federated identity management system for the German judiciary. This goes by the name of ‘Secure Access to Federated E Justice / E Government’, or S.A.F.E. for short. The underlying idea is essentially straightforward: the ‘Identity Providers’ which are spread out over a number of different domains are combined on a single platform and are addressed via standard interfaces. The so-called ‘Trust Domain’ (TD) is the central structuring element. This consists of a set of services and service users that co-exist in a mutual trust relationship. It ensures a unified communications infrastructure within the justice system that operates across federal state boundaries.


1 | 2013 « 07

Bavaria creates own Trust Domain

Up to now, there has been a centralised S.A.F.E. identity management system operating from the data centre in North Rhine-Westphalia, which is responsible for the mailboxes of user parties in all the federal states. Bavaria has now become the first German federal state to set up its own trust domain which is operated in its own data centre. This means that the management of Bavarian identities takes place regionally, thus restoring data sovereignty.

In this matter the Bavarian judiciary relied on comprehensive assistance from secunet: its IT security experts provided organisational and technical support to the IT officers of the Bavarian judiciary, who are based at the Munich Higher Regional Court, in the planning, design and implementation of the S.A.F.E.-compliant trust domain ‘Justiz Bayern’. This involved the analysis of the administrative procedures and of the user groups that are to be integrated in the preliminary stage, as well as the analysis and evaluation of the data sources that store information about the digital identities of users and their operational role. secunet also took on the task of integrating the technical basis – the Oracle Identity Management Suite – into the existing infrastructure.

Flexible and fit for the future

The Bavarian justice system is already in a position to communicate confidentially via S.A.F.E. in such administrative areas as the central register of wills or the electronic land registry. Thanks to its open and highly scalable architecture, many more administrative procedures, citizen portals and e-government services will follow in the near future.

More information:
Norbert Müller
[email protected]


08 » 1 | 2013

Increased Security for Passengers – including online

By undertaking regular security checks, including its online platforms, Düsseldorf airport upholds consistently high security standards.

The air transport hub of Flughafen Düsseldorf handles over 20 million passengers per year, making it the largest airport in North Rhine-Westphalia. 70 airlines operate here, serving more than 190 destinations. Located in one of Europe’s strongest-performing economic regions, with 18 million people living within a radius of 100 kilometres, Düsseldorf International plays a key role in fulfilling the mobility needs of private individuals and businesses in the federal state of North Rhine-Westphalia and the south-east of the Netherlands. Furthermore, as the largest single employer in Düsseldorf with a workforce of around 19,700, the airport has a major impact on the jobs market in NRW.

As traffic has increased over recent years, the corporate website has had to adapt and grow to meet the demands of passengers as well as those who are picking them up from the airport and other target groups. These users visit the site to check flight times, to find out about local conditions, to reserve parking spaces, to retrieve general information about the airport, and much more besides. The website is thus a main point of contact for around 11 million users per year. Various extranets provide B2B partners and customers with helpful tools. Data that is stored there requires secure protection. Flughafen Düsseldorf GmbH therefore took the decision in 2012 to submit its main corporate website as well as those of its subsidiaries to an extensive security check. Their search for a professional, flexible and reliable service provider quickly brought them to secunet.

For the operator, it is particularly important that the standards which are rigorously adhered to in the everyday working environment of the airport’s offline sector (where security is at a premium) apply equally to its website. After all, even data on passengers and partners requires the protection of a highly secure and efficient infrastructure against externally launched attempts to gain unauthorised access. The secunet team therefore set about identifying potential vulnerabilities using a detailed penetration test and applying recognised standards with particular reference to OWASP Top 10 2012. In order to avoid overloading the server infrastructure during the procedure, the tests were conducted during the low-traffic period between 11pm and 6am.

Nicolas Hunloh, Team Leader Internet, Düsseldorf International Airport


1 | 2013 « 09

The results were then presented in the form of a detailed report, with measures identified for optimisation then being implemented within a short time by the specialist departments of Flughafen Düsseldorf GmbH and its service providers. At the same time, the company used the project to introduce new mandatory security standards at all levels. Flughafen Düsseldorf GmbH has expressed its intention to call on secunet’s anti-hacking expertise in future.

More information:
Christian Reichardt
[email protected]

HACKERSTORY #2

Budget and Production Pressures as Risk Factors

In many companies, security has become an integral part of the production process. In the course of penetration tests, secunet nonetheless continues to identify critical vulnerabilities in internal systems that threaten the organisation’s security and, in the worst-case scenario, its most vital functions.

In subsequent discussions with the relevant system administrators, it will usually transpire that the vulnerabilities have already been recognised, though not necessarily their potential impact. These vulnerabilities are consciously accepted, since the affected system is directly involved in critical business processes and not every company has a sophisticated staging process whereby changes can be tested on multiple pre-production systems. The decision-makers are confronted with a dilemma: in order to increase system security, a temporary reduction in functionality has to be accepted. Subsequent corrective measures – if at all feasible – result in correspondingly high costs. Yet failure to take the necessary action could ultimately lead to substantially higher costs.

However, if IT security teams are involved at the planning phase of a new application, these problems can at least be minimised. If, at an early stage, IT security is considered of equal importance to functionality, this can obviate the need for complex re-designs or bug fixing in the finished product.

More information:
Dirk Reimers
[email protected]

IN THE NEXT ISSUE: The Trojan Mouse


10 » 1 | 2013

Challenges for PKI Systems in Vehicles

Conventional solutions are not enough

PKI systems have long been an established feature of in-house networks and the internet. Based on asymmetric cryptography, authentication mechanisms have been created with which more people work than you might imagine. Whether for online banking, remote login to the corporate network from a home office or even the new German national identity card, a PKI working away in the background is generally responsible for secure communication.

More recently, various applications requiring a PKI have been introduced in vehicles:
- digital tachographs
- securing diagnostic access and information consistent with Euro 5 and Euro 6
- securing onboard flashware for vehicle programming
- securing TeleX services such as remote diagnostics and programming
- internet in the vehicle
- Car2Car communication
- Plug&Charge for e-mobility

The clients (vehicles, charging infrastructure, traffic signals etc.), which – unlike the computers in the company network – are not constantly reachable and which to some extent have much longer life cycles, make specific requirements of their PKI systems that do not apply to most company PKIs. Similarly, specifications for Car2Car communication or Plug&Charge in the case of e-mobility define precisely what a PKI is expected to do.

For example, procedures and processes must be introduced to take into account the fact that parts of the PKI system may be available for online communication only on an intermittent basis. The distribution of revocation information is just one example of this problem. In a PKI for Car2Car or Car2X communication, the number of subscribers can rise exponentially. There will be hundreds of CA systems and millions of vehicles all around the world that have to be supplied with key material and certificates, and at the same time, data privacy protection legislation will require that each vehicle is equipped with several hundreds or even thousands of certificates.

Car manufacturers may already be aware of some of these problems as a result of similar issues with their own company PKIs for employee badges or SSL certificates for web services. Nevertheless, these new special cases present them with unprecedented challenges in the management of cryptographic keys and certificates that cannot be resolved with the established processes of existing PKI systems and therefore require new approaches to the issue of PKI.

More information:
Andreas Ziska
[email protected]


What a PKI does

PKI involves more than just technology; it is also a question of infrastructure and processes. At the heart of the matter is key management, with the complete life-cycle of cryptographic keys and/or certificates. The main tasks to be performed by a PKI are:

Key generation – determination of algorithms, the type of key generation (central as opposed to decentralised) and the processes for certification of the public key as well as the identification data of the certificate holder.

Key distribution / Directory – the distribution of public keys and/or certificates takes place via directory services such as LDAP. For the assignment of private keys, secure distribution paths or media are used.

Blocking management / Revocation – for revoking a certificate (in case of a lost key or loss of confidence), technical mechanisms such as revocation lists (CRLs) or online services (OCSP) are used. The CA operator receives the revocation requests, reviews and authorises them, revokes the certificate and publishes the revocation information.

Key recovery / Destruction – by means of key recovery, data can be read and verified even if key material has been lost. In addition, old or invalid key material is securely deleted.

Key exchange (root, CA, client) – appropriate processes (e. g. online provisioning, the replacement of a secure element or mobile with NFC technology) specifically ensure the secure exchange of the public root and CA keys. There must be safeguards against a hacker insinuating his own root keys.
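The two passages above – the intermittent online availability of PKI clients in the vehicle article and the revocation task in this sidebar – can be made concrete with a small client-side revocation cache. The following Python is an added example written for this edition, not code from secunet, ISO 15118 or any of the specifications named here: the CRL record, its HMAC-based stand-in for the CA's signature, the issuer name and the serial numbers are all constructed for the demonstration. It shows the two checks a client that is only occasionally online needs: a downloaded CRL is installed only if its signature verifies and it is newer than the one already held (so that a replayed old list cannot hide a revocation), and a cached list past its nextUpdate is honoured for a bounded grace period, after which the status of an unlisted certificate becomes 'unknown' rather than silently 'good'.

```python
"""Constructed example: revocation cache for an intermittently connected PKI client.

Not from the page or any standard. The CRL layout, the HMAC stand-in for the
CA's asymmetric signature, the issuer name and all serial numbers are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for the CA's signing key. A real CRL carries an asymmetric
# signature (RSA/ECDSA over the DER-encoded TBSCertList); HMAC is used here
# only so the example runs offline without a crypto library.
CRL_ISSUER_KEY = b"constructed-demo-key"


@dataclass
class CRL:
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict            # serial (hex string) -> revocation reason
    signature: bytes = b""

    def canonical(self) -> bytes:
        """Deterministic encoding of the signed part of the list."""
        body = {
            "issuer": self.issuer,
            "thisUpdate": self.this_update.isoformat(),
            "nextUpdate": self.next_update.isoformat(),
            "revoked": sorted(self.revoked.items()),
        }
        return json.dumps(body, sort_keys=True).encode()


def sign_crl(crl: CRL, key: bytes = CRL_ISSUER_KEY) -> CRL:
    crl.signature = hmac.new(key, crl.canonical(), hashlib.sha256).digest()
    return crl


def signature_valid(crl: CRL, key: bytes = CRL_ISSUER_KEY) -> bool:
    expected = hmac.new(key, crl.canonical(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, crl.signature)


@dataclass
class RevocationCache:
    issuer: str
    crl: Optional[CRL] = None

    def accept(self, candidate: CRL) -> bool:
        """Install a downloaded CRL. Rejects a wrong issuer, a bad signature,
        and any list not newer than the one held: a replayed older CRL could
        otherwise hide a revocation that the current list already contains."""
        if candidate.issuer != self.issuer or not signature_valid(candidate):
            return False
        if self.crl is not None and candidate.this_update <= self.crl.this_update:
            return False
        self.crl = candidate
        return True

    def status(self, serial: str, now: datetime, grace: timedelta) -> str:
        """Return 'revoked', 'good' or 'unknown'. A client that has been
        offline may hold a CRL past its nextUpdate; within the grace period
        it is still trusted for 'good', beyond it the caller gets 'unknown'."""
        if self.crl is None:
            return "unknown"
        if serial in self.crl.revoked:
            return "revoked"      # a listed serial stays revoked however old the list
        if now > self.crl.next_update + grace:
            return "unknown"
        return "good"


def demo() -> dict:
    """Run the cache through the cases discussed above; returns the results."""
    t0 = datetime(2013, 3, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    issuer = "CN=Demo EV OEM Root CA"      # constructed name
    cache = RevocationCache(issuer=issuer)

    crl_v1 = sign_crl(CRL(issuer, t0, t0 + 7 * day, {"0x1001": "keyCompromise"}))
    crl_v2 = sign_crl(CRL(issuer, t0 + 7 * day, t0 + 14 * day,
                          {"0x1001": "keyCompromise", "0x1002": "cessationOfOperation"}))
    forged = CRL(issuer, t0 + 8 * day, t0 + 15 * day, {})   # unsigned, empty list

    grace = 3 * day
    return {
        "install_v1": cache.accept(crl_v1),        # True
        "install_v2": cache.accept(crl_v2),        # True: newer than v1
        "replay_v1": cache.accept(crl_v1),         # False: older than held list
        "forged": cache.accept(forged),            # False: signature check fails
        "revoked": cache.status("0x1002", t0 + 10 * day, grace),        # revoked
        "good": cache.status("0x1003", t0 + 10 * day, grace),           # good
        "stale_good": cache.status("0x1003", t0 + 16 * day, grace),     # good (in grace)
        "stale_unknown": cache.status("0x1003", t0 + 18 * day, grace),  # unknown
        "stale_revoked": cache.status("0x1001", t0 + 30 * day, grace),  # revoked
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The grace period is the lever that trades revocation latency against availability for clients that cannot reach the directory service regularly; what to do with 'unknown' is a policy decision per service (for example deny a charging authorisation, allow a non-critical infotainment feature). A production client would verify the CA's real signature over the CRL and pin the issuer's key from the key-exchange step described above.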

1 | 2013 « 11


[Figure: Example of an eMob PKI complying with ISO 15118. Root CAs shown: eMob Root CA, EV OEM Root CA (examples: Daimler, BMW, AUDI), Energy supplier Root CA (examples: RWE, EnBW, e.on), Charging supplier Root CA and Meter Root CA, with some elements marked optional. Certificate types: vehicle certificates, contract certificates, charging station certificates, SmartMeter certificates. Key-management tasks shown alongside: key generation; blocking management / revocation (CRL / OCSP); key recovery / destruction; key exchange (root, CA, client); key distribution / directory. The Meter Root CA is already established because of the applicable standardisation regulations for smart metering in Germany.]

The companies named here have been chosen as examples only. This should not be taken as an indication of which ones will eventually appear under eMob Root CA.


PREVENTIVE SECURITY #1

FIFA World Cup Shoots Holes in IT System

There are many IT systems that, technically speaking, are well protected. But unfortunately, these too fall victim to elementary attacks because individually appropriate organisational processes have not been implemented or upheld.

“How could they overcome the formidable barriers that we now have in place? The way they were bypassed makes us look like amateurs!” Unfortunately, this quote is genuine and the circumstances that permitted this successful IT attack are by no means exceptional. The technology and the administrators really were high calibre. The problem lay entirely elsewhere. The vulnerability was caused by the instruction issued by a senior executive to allow certain IT services during the World Cup so that he could follow games live on his PC. Although the administrators expressly advised of the associated security risks, the desire of this senior person to watch the matches live at work obviously outweighed the concerns of the lower-ranking technical staff. The expert in this case – i.e. the system administrator – had no recourse against the decision.

This real-life scenario is by no means exceptional. secunet is often called out to deal with emergencies that have been caused by the absence of organisational security measures. In the case cited above, a clearly defined and auditable documented process that gave the administrator suitable veto rights would have helped to uphold the high level of security afforded by the systems in place. It would then have been possible to take secure and responsible action, overriding the personal preferences of the boss.

Security must be integral to corporate culture

Experience has shown that, although many government agencies and private businesses have put appropriate security measures in place, these are not rigorously upheld, and the reasons lie in the organisational aspects of information security. At the same time, however, there is no shortage of standards and best practices to provide support here: the IT security management standards typified by the ISO 27000 family, those implemented in accordance with BSI baseline protection, and the recommendations of ITIL (IT Infrastructure Library) and COBIT (Control Objectives for Information and Related Technology). secunet experts with many years of experience are available to support any appropriate customisation or tailored implementation.

More information: René Seydel, [email protected]

Directives from above defeat even the best technical defences

Preventive security is in this respect a key concept: specific organisational, infrastructural, technical and staffing strategies that are tailored to individual circumstances and to constructing a defence that kicks in before something bad happens. In subsequent issues of secuview, you can read interesting and sometimes even amusing case studies (anonymised, of course) compiled by our secunet experts.

IN THE NEXT ISSUE: Well configured – one click for enhanced security


Automation is the Way Forward for Border Control

Globalisation has led to a steady increase in private and professional mobility. Short-haul flights have become an attractive alternative to travelling by train or car. For airports, this means that more and more passengers have to be cleared on arrival. The International Air Transport Association (IATA) estimates that, in 2013, the milestone of three billion passengers worldwide will be exceeded.¹ This development poses multiple challenges for airports, as passengers should not be expected to wait in unreasonably long queues to pass through the security gate or border control. At the same time, security considerations must under no circumstances be compromised as the threat of terrorism remains acute.

The solution lies in biometric data

A good option for managing increased passenger volume at borders is to provide electronic control gates – so-called ‘Automated Border Control Systems’ or eGates for short. Utilising the biometric data stored in electronic travel documents (e.g. the digitised facial image of the traveller), eGates allow partial automation of border control processes whilst retaining the same high level of security: when the passport is placed on the document reader, its electronic and optical security features are checked and the biometric data is read. Passengers authorised to use the system can then step into the eGate. Here, a camera integrated into the exit door automatically takes a photo of the traveller’s face. This data is then compared to the passport picture read before. If the biometric data matches, the passenger is cleared to pass, i.e. to cross the border.
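The two-stage decision described above, as an added example that is not secunet's code and says nothing about how biomiddle, EasyPASS or EasyGO are implemented: the electronic check of the chip is modelled on the passive-authentication idea of ICAO Doc 9303 (data-group hashes vouched for by a signed security object), with a flat encoding, a P-256 document-signer key and sample data groups that are all constructed simplifications, and the biometric comparison is reduced to a similarity score checked against a constructed threshold. Anything that fails either stage is referred to the officer monitoring the gate rather than passed, and the document check runs before the face comparison, which is why a passport whose face image has been swapped is caught even when the live face "matches" the swapped image.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Passport models what the gate reads from the chip: two data groups and a
// security object (SOD) carrying the signed hashes of those groups. Constructed
// simplification of ICAO 9303; the real SOD is a CMS SignedData object.
type Passport struct {
	DG1 []byte // machine-readable zone
	DG2 []byte // encoded facial image
	SOD SecurityObject
}

type SecurityObject struct {
	Hashes    [2][32]byte // SHA-256 of DG1 and DG2
	Signature []byte      // ECDSA (ASN.1) by the document signer over the hashes
}

func encodeHashes(h [2][32]byte) []byte {
	return append(append([]byte{}, h[0][:]...), h[1][:]...)
}

// signPassport is the issuing state's side; it exists only to keep the example self-contained.
func signPassport(dg1, dg2 []byte, signer *ecdsa.PrivateKey) Passport {
	p := Passport{DG1: dg1, DG2: dg2}
	p.SOD.Hashes[0], p.SOD.Hashes[1] = sha256.Sum256(dg1), sha256.Sum256(dg2)
	digest := sha256.Sum256(encodeHashes(p.SOD.Hashes))
	sig, err := ecdsa.SignASN1(rand.Reader, signer, digest[:])
	if err != nil {
		panic(err)
	}
	p.SOD.Signature = sig
	return p
}

// passiveAuthentication is the gate's electronic check: the SOD must carry a
// valid signature from the trusted document signer, and every data group must
// hash to the value the SOD vouches for (a swapped image fails this second test).
func passiveAuthentication(p Passport, trusted *ecdsa.PublicKey) error {
	digest := sha256.Sum256(encodeHashes(p.SOD.Hashes))
	if !ecdsa.VerifyASN1(trusted, digest[:], p.SOD.Signature) {
		return errors.New("SOD signature invalid")
	}
	if sha256.Sum256(p.DG1) != p.SOD.Hashes[0] {
		return errors.New("DG1 hash mismatch")
	}
	if sha256.Sum256(p.DG2) != p.SOD.Hashes[1] {
		return errors.New("DG2 hash mismatch")
	}
	return nil
}

type Decision string

const (
	Pass  Decision = "pass"
	Refer Decision = "refer to officer" // the officer monitoring the gate decides
)

const faceMatchThreshold = 0.80 // constructed; real thresholds come from the matcher's evaluation

// gateDecision runs the stages in the article's order: document first, then
// biometrics. matchScore is the similarity (assumed 0..1) reported between the live image and DG2.
func gateDecision(p Passport, trusted *ecdsa.PublicKey, matchScore float64) (Decision, error) {
	if err := passiveAuthentication(p, trusted); err != nil {
		return Refer, err
	}
	if matchScore < faceMatchThreshold {
		return Refer, errors.New("biometric comparison below threshold")
	}
	return Pass, nil
}

// demo issues a genuine passport and a copy whose face image was swapped.
func demo() (genuine, tampered Decision) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample data groups, not real document content.
	p := signPassport([]byte("P<UTOERIKSSON<<ANNA<MARIA<<<"), []byte("face-image-of-anna"), signer)
	genuine, _ = gateDecision(p, &signer.PublicKey, 0.93)
	forged := p
	forged.DG2 = []byte("face-image-of-impostor")
	// The impostor's live face matches the swapped image, so biometrics alone
	// would pass; the hash check is what catches it.
	tampered, _ = gateDecision(forged, &signer.PublicKey, 0.99)
	return
}

func main() {
	fmt.Println(demo())
}
```

The ordering is the security-relevant design choice: the biometric match only means something once the reference image has been shown to be the one the issuing state signed, so the gate never lets a high similarity score override a failed document check.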

The process offers significant benefits to all parties involved: on the one hand, it reduces queuing time for passengers and airport operators benefit from optimised passenger flows; on the other hand, border police officers get valuable support without losing control over the process.

secunet eGates securely manage increasing passenger numbers at national borders

International

As the ePassport is read and the passenger’s face is scanned, the same data is also displayed on the immigration control officer’s monitor.

¹ See http://www.iata.org/pressroom/facts_figures/Documents/economic-outlook-media-day-dec2012.pdf

Pioneering work to provide sustainable solutions

As a pioneer in this field, secunet was commissioned in late 2007 by the German Federal Office for Information Security (BSI) to take on the design and implementation of the EasyPASS eGate solution at Frankfurt Airport. Following its successful operational launch, the secunet experts have made it available for use with the new German ID card. This has not only set the benchmark for the future design of immigration control systems at German airports but has also convinced the Czech border police: going by the name of EasyGO, the automated border control system was implemented at Prague’s Vaclav Havel airport in late 2012, and after only a twelve-month pilot period, it has been incorporated into day-to-day operation and has even been extended.

What makes the solution from secunet so unique?

The decisive USP of eGate solutions from secunet is the modular approach: the unique flexibility of this complex system is made possible by secunet biomiddle, a software that acts as an intermediary between client applications and the various biometric technologies. Because of this, existing components can be updated at any time and further devices can be added. The Automated Border Control System sets standards in other ways; for example, the BSI, acting as an independent body, has verified its security and reliability. Furthermore, the system is characterised by exceptional user-friendliness. The entire process is adapted to the natural flow of the passengers, who are given clear step-by-step guidance as they pass through the system. High acceptance and rapid, straightforward processing are thus guaranteed.

The evident advantages and positive experience of automated border control have won over airport operators and border police in equal measure. Experts agree that the trend in coming years at national and international airports will be towards further automation of border control. Years of experience coupled with the ‘Made in Germany’ label – perceived around the world as a hallmark of quality – mean that secunet eGates are set to play a crucial role.

More information: Georg Hasse, [email protected]


secunet eGates are already in operational use as part of the EasyPASS and EasyGO projects.

secunet’s face recognition technology makes use of a smart camera integrated into the exit door. Adaptive LED lights provide optimum levels of illumination.

The benefits of secunet eGates at a glance

Secure
- BSI-approved security and reliability of the system by means of:
  - testing of the optical and electronic security features
  - biometric comparison at a high level of security
  - monitoring by immigration control officers

Economical
- Airports are able to process a higher volume of passengers through the same physical area
- Investment protected thanks to modular and standard architecture of the overall system

Fast
- Conventional immigration controls are relieved by partial automation and thereby accelerated
- Travellers are guided intuitively through the gate, thus reducing the length of queues


Technologies & Solutions

Electronic management of classified information without discontinuity of media

SINA Workflow for security and compliance with regulations

Illustrations: Cover People: plainpicture/OJO; p. 3 (folder), 6, 7, 12: shutterstock.com; Airport Düsseldorf pp. 8 - 9: Andreas Wiese; p. 10: iStockphoto.com; p. 19: EUROFORUM Deutschland SE. Others: secunet.

Subscribe to secuview

Would you like to receive secuview on a regular basis, free of charge? Please choose between the print and electronic versions and subscribe at https://www.secunet.com/en/the-company/it-security-report-secuview. There you can also change your preference or unsubscribe.

Anyone who has experience of working with classified electronic data and processes is familiar with the dilemma of complying with VSA (the national regulations governing classified information) while still coping with the job in hand. This conflict has increased steadily over recent years, because the existing regulations were originally conceived for an age in which everything was committed to paper. But rapidly increasing information flows have long since made electronic processing indispensable, and there are currently no software systems which have been approved and are sufficiently productive to be used for VSA-compliant processing.

SINA Workflow represents a comprehensive, VSA-compliant solution to the aforementioned dilemma:

- The compilation, processing and distribution of classified data takes place without any discontinuity of media
- Unlike other solutions, SINA Workflow does not merely address individual aspects of VSA
- There is a logical, cryptographically secured enforcement of the ‘Need to Know’ principle
- Uncontrolled outflow of classified data is prevented
- Every activity that VSA requires to be verified is securely logged to legal audit standard

SINA Workflow comprises central registry, control and storage systems as well as remote clients based on the SINA Workstation.

The complete lifecycle of classified documents and operations is mapped, so that a user is supported and guided through the system right from the start. The creation of a draft classified document takes place within a SINA Workflow-specific session on a SINA Workstation. When the draft of the classified item is registered, it is encrypted and saved to a central location. From that point onwards, other contributors can be allowed access to the draft classified document. In this way, SINA Workflow guarantees VSA-compliant processing of classified documents within a group and also offers support for addenda and co-signing processes. After the completion and registration of the finalised item, the classified document itself can then be distributed. Classified documents can, of course, also be printed or exported.

In addition to supporting users, SINA Workflow also assists system administrators, e.g. by automatically keeping a log, or by generating an inventory of classified documents.

Work is in progress with a German federal government office on the prototypical installation and integration of SINA Workflow into the existing network infrastructure.

More information: Peter Janitz, [email protected]

SINA Workflow is able to map the entire life-cycle of classified documents and processes. This now facilitates electronic, VSA-compliant processing of classified information.

Using SINA Workstation for classified information


Imprint

Copyright: © secunet Security Networks AG. All rights reserved. All contents and structures are copyright protected. All and any use not expressly permitted by copyright law requires prior written permission.

Editor: secunet Security Networks AG, Kronprinzenstraße 30, 45128 Essen, Germany, www.secunet.com

Responsible in terms of the press law: Christine Skropke, [email protected]

Chief Editor: Claudia Roers, [email protected]

Conception & Design: Dominik Maoro, [email protected]

Design: www.knoerrich-marketing.de

This QR code will take you directly to our Twitter page: http://www.twitter.com/secunet_AG

News in Brief

secunet on Twitter, Xing and LinkedIn

Social media have not only changed the way we interact with each other as individuals but have also become an essential means of communication in the business world. In 2012, we extended our online presence to Twitter, Xing and LinkedIn, aiming to use these media to increase our availability to secunet customers and partners, and to explore with them the issues of the moment surrounding IT security.

Via our corporate profiles on the Xing and LinkedIn business platforms, we offer existing and future customers as well as potential recruits to our ranks a quick and convenient way of getting in touch with us.

Professional associations and the German Federal Chancellery have long had their own presence here. We are now using our Twitter page – @secunet_AG – to inform our customers and other interested users about the latest developments in the world of IT security. We go beyond relaying news from and about our own company, picking up on a wide range of IT security issues as these affect the private and public sectors. We publish up-to-the-minute alerts on current security vulnerabilities and engage in a fruitful exchange of views and opinions with the online communities.

Visit our website at www.secunet.com and follow us on Twitter at @secunet_AG

New Federal Framework Agreement on IT Security Services

Since August 2012, federal authorities have been able to call on secunet to provide IT security services under the terms of two new framework agreements with the German Federal Office for Information Security (BSI). In association with HiSolutions AG, secunet was once again successful in its bid for the contract to supply IT security consulting services to the German federal government. The new agreements cover general consulting services for IT security in federal authorities, consultancy in the field of e-government tasks and projects, the implementation of security audits and reviews, and the drafting of IT security and emergency concepts. secunet will further be supporting the federal government in the performance of security analyses designed to identify and resolve vulnerabilities in IT systems and processes. More information can be found on the federal government’s online procurement portal Kaufhaus des Bundes at https://www.kd-bund.de (NB: access only with certificate) and on the federal government intranet at http://kdb.intranet.bund.de.

More information: Dirk Ossenbrüggen, [email protected]

New Appointment at the BSI

With effect from 1st January 2013, Andreas Könen is the new Vice-President of the BSI. His predecessor in the office, Horst Flätgen, has moved to the Federal Ministry of Finance. Könen’s previous role was as Director of Advice and Coordination. In previous years, he held responsibility for the areas of Coordination and Control as well as Security in Applications and Critical Infrastructures. The new man in charge at the Department of Advice and Coordination is Horst Samsel.

Events

Experts swap ideas at biometrics conference

From 29th to 31st October, biometrics experts from around the world attended the aptly named ‘biometrics’ trade fair in London. In the context of the conference and exhibition, there was a lively exchange of views on hot topics, the latest developments and current biometric practice. In a series of interesting discussions, secunet experts set various balls rolling and also returned to base with new ideas and issues to resolve.

secunet in London: The biometrics trade fair was characterised by interesting discussions and new ideas.

Lively exchange of views at it-sa

Cornelia Rogall-Grothe (Federal Government Commissioner for Information Technology and Secretary of State in the Ministry of the Interior) joined Franz Josef Pschierer (Bavarian State Government Commissioner for Information Technology and State Secretary of the Bavarian Ministry of Finance) in a visit to the secunet stand at the it-sa trade fair held in October 2012.

Cornelia Rogall-Grothe deep in discussion with secunet CEO Dr Rainer Baumgart (second from left)

secunet ACU in Tokyo

Last October, representatives from secunet attended the FTF Freescale conference in Tokyo. They joined our partners from OpenSynergy at their stand to show off a demo unit of the secunet Application Control Unit (ACU), which is almost ready to go into series production. Where communication from external networks does not comply with the rules specified, the ACU prevents this from reaching the on-board electrical system. In this way, the ACU enables open networked infotainment applications. At the same time, valuable assets such as operational security are safeguarded.

Always online – always secure?

The IT Security on Board workshop in Munich last October was an opportunity for experts to compare notes on recent developments and implications for the future in e-mobility and Car-2-Car technology. Standards and methods by which vehicle IT security can be evaluated and the need for protection can be determined were also major themes of the presentations and of the lively conversations and discussions that followed. The secunet live hacking demo met with particular interest; some of the participants immediately took a critical look at their own phones when they learned about the sophistication of attacks currently being made on iPhones and Android devices.

IT Summit Working Group 4 visits secunet

In the context of the IT Summit in Essen, German Interior Minister Hans-Peter Friedrich visited secunet on 12th November 2012. Together with Dr Karsten Ottenberg (G&D), he chaired the meeting of Working Group 4 on ‘Trust, Privacy and Security on the Internet’. The title of the event at the company’s premises in Kronprinzenstrasse was ‘Cybersicherheit in Deutschland gestalten’ (Shaping Cyber Security in Germany). More than 100 participants and members of the press were in attendance to discuss the topic with the Minister of the Interior, BSI President Michael Hange, Professor Claudia Eckert (TU Munich and Fraunhofer AISEC), Reinhard Clemens (Deutsche Telekom), Dr Rainer Baumgart and Dr Karsten Ottenberg.

Dr Karsten Ottenberg, Federal Interior Minister Dr Hans-Peter Friedrich, Dr Rainer Baumgart and Prof Dr Claudia Eckert (l to r)

Johan Hesse of secunet presenting SINA solutions to the international audience.

SINA meets the Secretary of Defence

Participants at the Handelsblatt conference on ‘Security Policy and the Defence Industry’ had a chance to hear the views of Defence Minister de Maizière on the dialogue between society, politics, military and economy. As one of the conference sponsors, secunet was invited to present its SINA product portfolio.

SINA presentation at NATO Symposium

SINA made its debut appearance on our own exhibition stand at the NIAS symposium held in the Belgian city of Mons last September.

SINA on tour in Warsaw

In October 2012, all of the international SINA reseller partners gathered in Warsaw to exchange information and experiences, to listen to a series of presentations and to engage in some general networking.

SINA in Rome

AFCEA TechNet International took place in Rome last October under the patronage of Italian Defence Minister Giampaolo Di Paola. The event was well attended by representatives from various NATO countries and from the NCIA (NATO Communications and Information Agency) who were fascinated by the demonstrations of SINA solutions at the secunet stand.

Dates

February until June 2013

12 - 14 Feb 2013 » Security Document World / Prague, Czech Republic
17 - 21 Feb 2013 » IDEX / Abu Dhabi, UAE
25 Feb - 1 March 2013 » RSA Conference / San Francisco, USA
5 - 9 March 2013 » CeBIT / Hannover
12 April 2013 » Workshop ‚IT Security on Board‘ / Munich
23 - 25 April 2013 » Infosecurity Europe / London, UK
24 - 25 April 2013 » AFCEA exhibition / Bonn-Bad Godesberg
7 May 2013 » SINA User Day / Berlin
14 - 16 May 2013 » 13th Deutscher IT-Sicherheitskongress / Bonn-Bad Godesberg
21 - 23 May 2013 » Security Document World / London, UK
15 May 2013 » General Annual Meeting secunet / Essen, Castle of Borbeck
15 - 16 May 2013 » Datenschutzkongress / Berlin
5 and 6 June 2013 » SINA User Day / Bonn

Would you like to arrange an appointment with us? Then send an e-mail to [email protected].

IT security partner of the Federal Republic of Germany
www.secunet.com

Caution! Insecure Structure!
Customized IT security provides a solid foundation for your success.

Protect your most important assets. IT security is essential for a stable IT infrastructure and for all processes. secunet is your trump card: Our vision and expertise will help you achieve even the most demanding IT security solutions.