Security in focus - Bund.de

BSI Magazine 2020/01

Security in focus

In Talks: Post Quantum Cryptography

BSI INTERNATIONAL: EU Council Presidency: Shaping Cyber Security
THE BSI: Cooperation between DEU CyberInfoDS HQ and the BSI
IT SECURITY IN PRACTICE: Energy Sector: Rollout of Smart Metering Systems
EDITORIAL

Cyber Security in Times of Crisis

It became clear to us already in the spring of 2020 which incident will have the greatest impact this year: the coronavirus. It is turning all our lives upside down and forcing us to rethink many of our everyday routines. Instead of driving to work, we work from our home offices. School suddenly means home schooling. Family visits take place on the smartphone. And we are permanent guests of social media on the lookout for the latest information on the virus pandemic.

Cyber criminals know how to accept such opportunities as gifts. As if the virus wasn’t demanding enough from us already, many people are now being confronted with old and new issues related to cyber security: How do I protect company secrets and confidential data in my home office? How do I design a secure video conference? How do I distinguish between trustworthy and false messages? Does my bank really want to chat with me or are hackers in action by sending new fake e-mails?

Even in a crisis situation like this, the BSI fulfils its legal mandate and supports you in making your information technology secure. We provide recommendations to governmental, business and social target audiences on how they can communicate securely in the current crisis and remain capable of taking action.

At the same time, we are not losing sight of other topics. This issue of BSI Magazine is dedicated to post-quantum cryptography. Since Google proclaimed “quantum superiority”, the discussion on the importance of quantum technology has been transported from specialised tech magazines to the consciousness of a broader, interested and concerned public. And indeed, there is every reason to take a comprehensive and critical look at this topic, which could, in the long term, decisively change all our lives. Like nearly all developments in the area of digitalisation, quantum technology has a bright and a dark side. Although criminal applications such as the decryption of digital encryption algorithms, which today guarantee secure communication on the Internet, are not reality yet, the clock has been ticking since Google’s experiment. For the BSI, post-quantum cryptography is therefore one of the important future topics that we are already working on intensively.

Beyond the focus on quantum computers, we once again present a broad spectrum of BSI topics in this issue. We are delighted that important national and international partners of the BSI, such as the German Cyber and Information Domain Service of the German Armed Forces, the Consumer Association of North Rhine-Westphalia and the European Union Agency for Cybersecurity, are presenting themselves here.

Who knows? Maybe you will read this magazine as a PDF in your home office. Perhaps you will be pleased to see the print edition once you return to the office again after spending a long time at home. Whichever way you find us, I wish you pleasant reading.

Sincerely Yours,

Arne Schönbohm,
President of the Federal Office for Information Security
          TABLE OF CONTENTS

NEWS
4   News

BSI INTERNATIONAL
6   EU Council Presidency: Shaping Cyber Security
8   Interview: Juhan Lepassaar, ENISA

CYBER SECURITY
10  Alice and Bob in Quantum Land
12  Frodo is the "New Hope"
15  Quantum Computers and Quantum Superiority
18  29th Cyber Security Day of the Alliance for Cyber Security
20  Certification: IT-Grundschutz Consultant
22  Qualified Approval Procedure
24  Smartphone: Secure Mobile Identities
26  Secure Online Access to Administrative Services

THE BSI
28  Cyber Security for Critical Infrastructures
32  Five Years of Minimum Standards: a Look Back
34  Welcome: Onboarding at the BSI
36  A Day at the BSI
38  The Year 2019 for the BSI
40  The National Cyber Response Centre
42  Cooperation between DEU CyberInfoDS HQ and the BSI

IT SECURITY IN PRACTICE
44  Secure Digitalisation: Scanning Replaces Paper
46  BSI Study: How Secure is Blockchain?
50  Product-Driven Implementations of a CIS Cloud
54  Cyber Security in the Process Industry
58  Success Story: C5 Criteria Catalogue

DIGITAL SOCIETY
60  5G Campus Network at BASF
62  Energy Sector: Rollout of Smart Metering Systems
64  Interview: Wolfgang Schuldzinski, VZ NRW
66  Effective Security Measures for Online Accounts
68  Basic Tip: Checklists in Case of Emergency

AND FINALLY
70  Imprint

  NEWS

  NEW BSI BUILDING

Bonn City Council Approves Development Plan

The City Council of the Federal City of Bonn has approved the development plan for the area on Ludwig-Erhard-Allee, where the new service property of the Federal Office for Information Security (BSI) is to be built, as a statute. This represents an important milestone in terms of urban development law, on the basis of which the project can be further advanced. Located in the immediate vicinity of Bonn’s Rheinauen, the new service property is intended to reflect the character of the BSI as a progressive cyber security authority of the Federal Government, while optimally supporting the authority’s business processes and integrating into the existing urban development environment. As the central real estate service provider for the federal government, the Institute for Federal Real Estate (BImA) will assume the role of the developer and carry out the procedure.

MEETING

First “Cyber Security Directors’ Meeting” in Advance of the Munich Security Conference

Many heads of Europe’s cyber security authorities met for the first time for an informal exchange of information in advance of the Munich Security Conference (MSC) at the initiative and invitation of the Federal Office for Information Security (BSI). In cooperation with the MSC, the BSI offered the authorities in attendance an exclusive framework for an exchange of information at management level on current national and European cyber security challenges.

The BSI thus expanded its position as a thought leader on information security and made an important contribution to better networking between the authorities that are responsible for the topic in their respective countries. At the European level, the BSI has been considered an expert and strategic partner on matters of information security for many years.

  CYBER SECURITY²

Video Series with Smartphone Security Experts

Citizens often ask themselves questions when using mobile devices: How secure are fingerprint and facial scans? How can I back up my data? What do I need updates for? Answers to these questions are provided by the new BSI video series, in which two experts each deal with a digital security topic.

The first eight episodes are a cooperation between the BSI and the Verbraucherzentrale NRW (North Rhine-Westphalia Consumer Advice Centre) and deal with a wide range of questions about smartphones. Another series on Cyber Security² will follow in the spring and deal with online payments and online banking. The expertise of the BSI will be complemented by that of an expert from the LKA NRW (State Criminal Investigation Office of North Rhine-Westphalia).

RAISING AWARENESS

Joint Information Campaign by the BMI and the BSI on IT Security

The Federal Ministry of the Interior, Building and Community (BMI) and the Federal Office for Information Security (BSI) will launch a joint nationwide information and awareness campaign this year. It goes back to the doxing incident at the end of 2018/beginning of 2019, when huge volumes of personal data on many public figures were published on the Internet.

According to a representative online survey by the BSI involving 20,000 participants, more than 70% of the respondents would like to have more information about risks on the Internet and more support in the area of digital security. At the same time, they perceive unauthorised access to sensitive data and personal information by third parties as the greatest threat on the Internet.

   BSI INTERNATIONAL

Shaping Cyber Security in Europe
The German EU Council Presidency in the Second Half of 2020
By Joshua Breuer, Section International Relations

In recent years, the European Union has become increasingly important in the area
of cyber security policy. In the second half of 2020, Germany will again assume the
presidency of the Council of the European Union after 2007. This will also provide
the BSI with great opportunities to shape European cyber security.

The Council of the European Union (Council of Ministers or Council) is composed of the governments of the Member States who are represented by their ministers. The Council meets in various formations and acts as a co-legislator in the EU institutional framework together with the European Parliament. Important preparatory work for the Council’s activities is carried out in over 300 Council working groups. In the area of cyber security, this is primarily the Horizontal Working Party on Cyber Issues, in which Germany is represented under the leadership of the Federal Ministry of the Interior, Building and Community (BMI) and the Federal Foreign Office.

One of the tasks of the presidency of the Council is to lead the work of the Council, which is expressed in concrete terms in chairing various Council bodies. Following the entry into force of the Treaty of Lisbon, the legal basis for the so-called “trio presidency” was created in 2009 with the aim of ensuring a certain degree of continuity in the Council’s work. Accordingly, three Member States each coordinate their presidencies with each other and develop a joint eighteen-month programme. Germany is the first country of the trio to hold the presidency, followed by Portugal and Slovenia. The three states had already acted as a trio in this constellation in 2007, thus marking the beginning of an institutional innovation in the EU. Next to responsibilities concerning the “official” Council bodies, further tasks are linked to the Council presidency. In the area of cyber security, for example, the presidency is responsible for chairing the NIS Cooperation Group. The group was created by the Directive on security of network and information systems (NIS Directive). For Germany, this task is traditionally performed by the BMI in cooperation with the Federal Office for Information Security (BSI). Especially here and in the associated “work streams” which deal with individual topics of the Directive implementation as well as newly emerging topics (e.g. 5G), the already existing broad participation of BSI experts offers the opportunity to specifically promote German approaches and to advance and shape European cyber security.

CYBER SECURITY DURING THE COUNCIL PRESIDENCY AND THE ROLE OF THE BSI

Preparations for the German Council presidency have been underway at the BSI since the beginning of 2019 in close cooperation with the BMI. Thematically, one aim will be to advance current initiatives in the area of cyber security at the European level. For example, an evaluation of the NIS Directive is planned. On the other hand, the presidency offers the BSI the opportunity to position itself as a leading cyber security authority in the EU and to drive important issues itself. In this sense, Germany will introduce its own initiatives and organise a major cyber security conference in Berlin from 9 to 10 November 2020. As the federal cyber security authority, the BSI contributes its expertise to the programme and is closely involved in the planning.

A third pillar of the Council presidency is the exchange and coordination with the new European Commission, which intends to follow up on the previous announcements with actions in the months to come. For example, the “mission letter” from Commission President Ursula von der Leyen to Thierry Breton, Commissioner for the Internal Market, envisages the establishment of a “joint cyber unit”. Besides, the topic of “Artificial Intelligence” and the implementation of the 5G Toolbox, which has just been adopted, will probably also fall within the term of the German Council presidency.

Compared to Germany’s previous Council presidency in 2007, it should be noted that Europe is facing a completely different environment in the area of cyber security. With the NIS Directive, a pivotal legislative project was passed in 2016, and the Cybersecurity Act, which came into force in 2019, also offers completely new possibilities for Europe-wide IT security certification, especially in regulating the “Internet of Things”. In concrete terms, the new framework for EU-wide IT security certification of products, services and processes will create many new “European certificates”. Germany and above all the BSI, with its significant position in certification throughout Europe, serve as a model and this expertise will be put to use during the Council presidency to fill the new framework with life.

For more information see: https://www.consilium.europa.eu/de/council-eu/presidency-council-eu/

Filling the New Mandate with Life
An Interview with the EU Agency for Cybersecurity’s New Executive Director Juhan Lepassaar

On 16 October 2019, Juhan Lepassaar took up his new role as Executive Director
of the European Union Agency for Cybersecurity (ENISA), taking over from Udo
Helmbrecht, the former BSI President, who completed his 10-year mandate in
the position. This transition has fallen in a particularly interesting time. Only a few
months earlier, on 27 June 2019, the Cybersecurity Act entered into force. Marking
a new era for ENISA, this EU-regulation not only gave a permanent mandate to the
Agency, but also new tasks, such as responsibilities under the European cyber
security certification framework. Bringing this new mandate to life is now an
important part of Juhan Lepassaar’s new responsibilities.

Mr. Lepassaar, in your previous position as Head of Cabinet for former Commission Vice-President Andrus Ansip you have already worked in the field of digital policy. What are the lessons learned you have taken with you that are now relevant in your new role?

The digital world is intertwined and interconnected. This adds complexity, which from the outset can be daunting, especially if you are in the process of trying to make sense of it or even propose to regulate it. The key lesson from my previous work is the importance of finding the right triggers and incentives, which can help to increase trustworthiness or promote good governance and self-regulation of the digital environment.

ENISA’s new mandate comes also with new resources, personnel- and budget-wise. What do you want ENISA to look like at the end of your mandate?

I want the Agency to engage with a diverse variety of talented people, covering various fields and competences. This is probably the best assurance for being future-proof in this age where everything is in flux. But I would also like to explore ways how this talent pool could be shared with other cyber security actors in Europe, not to feed the growing skills gap.

Putting ENISA in the bigger context of the new Commission under Ursula von der Leyen: how do you see ENISA’s role regarding new policy priorities?

Our role is to help policy makers understand the challenges ahead of us given the extremely fast developing digital world and to assist the different communities involved in implementing cyber security policies once they have been agreed. A key challenge for the future will be to develop policy in an innovative and flexible manner to ensure that approaches to cyber security achieve a high level of security whilst remaining economically viable. The Agency is in a unique position to address the policy aspects of future cyber challenges and to that end we are looking forward to working closely with the new Commission. As always, we aim to achieve this by building proactive cyber security communities that bring together diverse stakeholders to solve issues of common interest.

Regarding ENISA’s different fields of activity, where do you see its most important added value vis-à-vis the Member States?

The Agency acts as a reference point for the Member States, providing a platform where effective pan-European collaboration can take place. In this context, it is important that the Agency maintains a good understanding of the specific needs of each Member State and how these needs can be met whilst pursuing EU-wide objectives. We aim to develop closer cooperation within the EU at all levels, working together with Member States to include all related stakeholders to improve cyber security approaches in all walks of life. Over the years, ENISA has developed a set of networks throughout many of these communities. We will continue to use these networks in the service of the EU and the Member States.

Next to already existing EU approaches, what are other areas in the digital field where you see needs for European solutions?

There are many areas where European approaches can add value in the digital sphere. In many cases a lot of work has already been carried out with significant benefits. Good examples include the approach to security breach notifications across the Union and legislation introduced in the area of electronic identity (eIDAS). Examples of areas that still present challenges include autonomous systems, artificial intelligence (AI) and 5G amongst others.

The increasing sophistication of new technologies improves the way society operates but also generates new threats and risks. Extended cyber-attacks, dissemination of credible fake news and attacks on autonomous vehicles are among those potential security threats. Given the connected nature of modern technology, we must use EU coordination to ensure that the confidentiality, integrity and availability of the data and security of the technologies meet our societal needs. Policy frameworks need to integrate all parameters to safeguard the values of the European Union enshrined in its policy without stifling innovation.

The German presidency of the Council of the European Union is beginning on 1 July 2020. What are your expectations and hopes for the German presidency?

We expect that the expertise and experience developed in Germany will be used to benefit all stakeholders on the national and European level. It is interesting to note that Germany adopted its first Cybersecurity Law in 2015 before the NIS directive was adopted1). Germany invests a lot in research to protect IT infrastructures and systems and has already created competence centres for IT security. They concentrate the skills and competences of the best universities and non-university research and encourage interdisciplinary cooperation in areas such as security by design, optical-electronic technologies and quantum communications. We are eager to engage in closer collaboration and discussions under the German presidency to welcome their contribution to the EU effort in securing our EU digital world.

"The agency provides a platform for pan-European collaboration."

Brief Profile: Juhan Lepassaar
Juhan Lepassaar previously worked as Head of Cabinet for former Commission Vice-President Andrus Ansip assigned to the Digital Single Market portfolio. Before, he was Member of Cabinet of former Commission Vice-President Siim Kallas, European Commissioner for Transport, and served as Director for EU Affairs at the Government Office in Estonia.

1) https://www.bsi.bund.de/it-sig

  CYBER SECURITY

Alice and Bob in Quantum Land
BSI Presents Initial Recommendations on Quantum Computer-Resistant Key Transport
By Dr. Heike Hagemeier, Section Information Assurance Technology Requirements

The security of digital infrastructures is based upon algorithms for key agreement and digital signatures. These cryptographic mechanisms cannot be broken using current means. This will no longer be the case once universal quantum computers of sufficient performance are available (see page 15).

Cryptographic mechanisms that are supposed to be resistant to attacks by quantum computers (Post-Quantum Cryptography, see BSI Magazine 2018/2) are currently being standardised in a process organised by the US National Institute of Standards and Technology (NIST). This process will conclude in 2022/23 at the earliest.

The BSI welcomes the activities of the NIST on the standardisation of Post-Quantum Cryptography. These have led to a significant intensification of research on quantum resistant algorithms. Nevertheless, these algorithms are not yet analysed as well as the algorithms currently in use. This is especially true with regard to weaknesses that become apparent in application, such as typical implementation errors. Therefore, the BSI recommends using Post-Quantum Cryptography only in a “hybrid” way if possible, i.e. in combination with conventional algorithms.

Besides security, other aspects such as performance also play an important role in the NIST standardisation process. Several research activities and experiments on the integration of the quantum resistant algorithms into cryptographic protocols (such as Transport Layer Security - TLS) mainly focus on efficiency.

The BSI considers the security of cryptographic algorithms to be of paramount importance. For key transport, the algorithms FrodoKEM (see page 12) and Classic McEliece are the most conservative choice. Considering the time scale of the NIST process, the BSI has decided not to wait for the NIST to make a decision and recommends these two algorithms in the new version of the Technical Guideline “BSI TR-02102-1: Cryptographic Mechanisms: Recommendations and Key Lengths” as suitable in principle (in hybrid solutions). This recommendation will be adapted, if necessary, if the development in the NIST process reaches a more advanced stage.
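The “hybrid” use recommended above means that the session key must depend on both the conventional and the post-quantum shared secret, so that an attacker has to break both mechanisms. The following example, added here and not code from the BSI article or from TR-02102-1, shows one common way of doing this: both secrets are fed, length-prefixed, into an HKDF (RFC 5869, implemented with the Python standard library) together with the transcript of the exchange. The two shared secrets and the transcript in demo() are constructed placeholders standing in for what an ECDH exchange and a KEM decapsulation would deliver.

```python
"""Hybrid key derivation: one session key from a conventional and a
post-quantum shared secret.

Added example, not code from the BSI article or from TR-02102-1. The two
"shared secrets" in demo() are constructed placeholders for what e.g. an
ECDH exchange and a FrodoKEM decapsulation would deliver.
"""
import hashlib
import hmac

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869, section 2.2) with SHA-256."""
    if not salt:
        salt = bytes(HASH().digest_size)   # RFC 5869: empty salt = HashLen zero bytes
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869, section 2.3) with SHA-256."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def length_prefixed(*parts: bytes) -> bytes:
    """Concatenate with 2-byte length prefixes so the boundary between the
    secrets is unambiguous (a 32-byte + 16-byte pair must not collide with a
    16-byte + 32-byte pair that happens to have the same concatenation)."""
    return b"".join(len(p).to_bytes(2, "big") + p for p in parts)


def hybrid_session_key(ss_classical: bytes, ss_pq: bytes,
                       transcript: bytes, length: int = 32) -> bytes:
    """Derive the session key from BOTH shared secrets.

    Both secrets enter the HKDF input keying material; the transcript of
    the exchange (public keys, ciphertexts) goes into the info field so the
    key is bound to this particular run. An adversary has to recover both
    secrets: breaking only the conventional part (a future quantum
    computer) or only the post-quantum part (an undiscovered weakness or
    an implementation error) does not yield the key.
    """
    prk = hkdf_extract(b"", length_prefixed(ss_classical, ss_pq))
    return hkdf_expand(prk, b"hybrid-kem-demo|" + transcript, length)


def demo():
    """Constructed secrets; returns the derived key plus the keys obtained
    when either component is replaced, to show that both matter."""
    ss_classical = bytes.fromhex("00" * 31 + "01")     # placeholder ECDH secret
    ss_pq = bytes.fromhex("ff" * 16)                   # placeholder KEM secret
    transcript = b"alice-pk|bob-pk|kem-ciphertext"     # placeholder transcript
    k = hybrid_session_key(ss_classical, ss_pq, transcript)
    k_other_pq = hybrid_session_key(ss_classical, bytes(16), transcript)
    k_other_classical = hybrid_session_key(bytes(32), ss_pq, transcript)
    return k, k_other_pq, k_other_classical


if __name__ == "__main__":
    k, k2, k3 = demo()
    print("session key:", k.hex())
    print("differs with other PQ secret:", k != k2)
    print("differs with other classical secret:", k != k3)
```

The length prefixes are a deliberate detail: plain concatenation of two variable-length byte strings can make two different pairs of secrets produce the same input keying material, and the transcript in the info field is what ties the derived key to the public values actually exchanged.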

Frodo is the “New Hope”
Lattice-Based Cryptographic Algorithms
By Dr. Heike Hagemeier, Section Information Assurance Technology Requirements

What does a mathematician mean when she talks about a lattice? How does this relate to cryptography? How does “The Lord of the Rings” come into play? A foray into the world of lattice-based cryptography.
WHAT IS A LATTICE?

In mathematics, a lattice is a discrete subset of an n-dimensional real vector space. Roughly speaking, this definition means that you can add two lattice points and obtain another point in the lattice, and that there is no other lattice point in a “small” environment surrounding a lattice point. The two-dimensional example below clarifies the name ‘lattice’ (see Figure 1).

In a lattice one can formulate many problems that are difficult to solve. For example, finding a shortest vector in a lattice. In the lattice in Figure 1, one can solve this task by simply looking at it (red arrow). The computational effort increases exponentially with the dimension of the lattice, however.

Problems that have been shown to be at least as difficult to solve as a lattice problem, such as the Learning-with-Errors (LWE) problem, serve as the basis for lattice-based cryptography. One can roughly summarize the LWE problem as the difficulty of solving a linear system of equations that has been disturbed by a “small” error.

A simple example of such a system is

    a11 ⋅ s1 + a12 ⋅ s2 + e1 = b1,
    a21 ⋅ s1 + a22 ⋅ s2 + e2 = b2,

in which all aij and bi are known integers and all si and ei are unknown. One can write this in short form as

    As + e = b.

The values aij are combined in matrix A (a type of table; here with two rows and two columns) and the values si, ei and bi in the vectors s, e and b.

The LWE problem thus consists of finding the unknown vectors s and e if the matrix A and the vector b are given. Again, the dimension (the number of equations and the number of unknowns) must be sufficiently large. Therefore, the matrix A can easily reach several kilobytes in size.

Figure 1

HOW DOES THIS RELATE TO CRYPTOGRAPHY?

It is assumed that the problems described above cannot be solved efficiently even with a quantum computer. Thus, they offer an approach to Post-Quantum Cryptography. The security of lattice-based cryptography is based on the difficulty of exactly these problems; therefore, lattice-based mechanisms are considered quantum-resistant.

The first practicable lattice-based algorithms for key agreement sought to carry the well-known Diffie-Hellman key exchange over into a post-quantum world. Figure 2 roughly outlines this approach.

An essential difference to the classic Diffie-Hellman method is that Alice and Bob initially only obtain approximately the same result. A mechanism (“reconciliation”) is still needed to calculate a common secret. For this purpose, further information in addition to the public keys b and b' must be sent.

WHAT IS THE STATE OF THE ART?

This approach is no longer being pursued. Currently, the focus is on key transport mechanisms. This is partly due to the fact that the National Institute of Standards and Technology (NIST) explicitly asked for key transport mechanisms in its standardisation process. On the other hand, this facilitates reconciliation, as there is no need to transmit additional information.

Many lattice-based algorithms use a cyclic matrix. The elements of the first row completely define such a matrix. Therefore, it is sufficient to store or transmit only this first row. In addition, this also simplifies some of the calculations. The corresponding problem is called Ring-LWE. ‘New hope’ is an example of an algorithm based on Ring-LWE. In 2017, Google implemented this algorithm in its browser Chrome on a test basis.

The security of lattice-based mechanisms is based on either standard LWE problems or LWE problems (e.g. Ring-LWE) where the matrix has a special structure (as described above). The additional structure has the advantage that the algorithms are more efficient and require smaller keys. However, it also means that there is not yet the same level of confidence in security. Although no attacks that exploit the additional structure are currently known, algorithms whose security is based on standard LWE problems are the more conservative choice.

HOW DOES “THE LORD OF THE RINGS” COME INTO PLAY?

The key transport FrodoKEM is an example. FrodoKEM is one of the candidates of the NIST standardisation process and NIST selected it for the second round. The BSI recommends FrodoKEM as one of the first quantum computer-resistant key transport mechanisms in the Technical Guideline TR-02102-1 (see article on page 11). Anyone wondering why the inventors named their algorithm after a character from “The Lord of the Rings” should know that the title of the first publication was “Frodo: Take off the ring!”

Public parameters: q, n, matrix A with n rows and n columns, with integer elements between 0 and q.

    Alice                                         Bob
    Select "small" vectors s, e.                  Select "small" vectors s', e'.
    Calculate public key b = As + e.              Calculate public key b' = s'A + e'.
                        ------- b ------->
                        <------ b' -------
    b's = (s'A + e')s ≈ s'As                      s'b = s'(As + e) ≈ s'As

Figure 2
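The exchange in Figure 2 and the “first row defines the matrix” shortcut of the Ring-LWE paragraph, worked through as an added Python example. This is illustration code written for this page, not code from the article, from FrodoKEM or from New Hope; the modulus q = 4096, the dimension n = 8 and the noise range {-1, 0, 1} are toy assumptions chosen so the arithmetic is readable, and the cyclic matrix is the plain rotation the text describes (real Ring-LWE schemes such as New Hope use a negacyclic variant). The run shows why both parties only agree approximately: their values differ by the small term s'·e − e'·s, which is exactly what reconciliation has to absorb.

```python
"""Toy version of the LWE key exchange in Figure 2 (added example, not BSI code).

Public parameters: q, n and an n x n matrix A over Z_q.  Alice publishes
b = A s + e, Bob publishes b' = s' A + e'.  Both end up with values that differ
only by the small term s'.e - e'.s, which is what reconciliation has to absorb.
Parameters are toy-sized (assumption): real schemes use n in the hundreds.
"""
import random

Q = 4096           # modulus (toy choice; FrodoKEM also uses a power of two)
N = 8              # dimension (toy choice)
ETA = 1            # "small" entries are drawn from {-ETA, ..., ETA}
# |s'.e - e'.s| <= 2 * N * ETA^2 as an integer, before reduction mod Q
NOISE_BOUND = 2 * N * ETA * ETA


def random_matrix(rng):
    """Unstructured A: every entry is an independent uniform value (standard LWE)."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]


def cyclic_matrix(first_row):
    """Structured A: row i is the first row rotated right by i, so the whole
    matrix is defined by its first row (the 'cyclic matrix' of the text).
    Real Ring-LWE schemes such as New Hope use a negacyclic variant."""
    return [(first_row[-i:] + first_row[:-i]) if i else list(first_row)
            for i in range(N)]


def small_vector(rng):
    return [rng.randint(-ETA, ETA) for _ in range(N)]


def mat_vec(A, s):
    """A s (column vector)."""
    return [sum(A[i][j] * s[j] for j in range(N)) % Q for i in range(N)]


def vec_mat(s, A):
    """s A (row vector)."""
    return [sum(s[i] * A[i][j] for i in range(N)) % Q for j in range(N)]


def add(u, v):
    return [(x + y) % Q for x, y in zip(u, v)]


def dot(u, v):
    return sum(x * y for x, y in zip(u, v)) % Q


def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def msb(v):
    """Most significant bit of v in [0, Q): the candidate shared key bit."""
    return 0 if v < Q // 2 else 1


def safe_msb(v):
    """msb(v), or None if v lies within NOISE_BOUND of a rounding boundary
    (0 or Q/2), because then the other party's value might round differently.
    This is the case that reconciliation data resolves in a real scheme."""
    pos = v % (Q // 2)
    return None if min(pos, Q // 2 - pos) <= NOISE_BOUND else msb(v)


def run_exchange(seed, structured=False):
    """Return (Alice's value, Bob's value) for one run of the Figure 2 exchange."""
    rng = random.Random(seed)
    if structured:                     # Ring-LWE style: transmit/store one row only
        A = cyclic_matrix([rng.randrange(Q) for _ in range(N)])
    else:                              # standard LWE style: the full matrix
        A = random_matrix(rng)
    s, e = small_vector(rng), small_vector(rng)          # Alice's secrets
    s2, e2 = small_vector(rng), small_vector(rng)        # Bob's secrets
    b = add(mat_vec(A, s), e)                            # Alice -> Bob
    b2 = add(vec_mat(s2, A), e2)                         # Bob -> Alice
    alice_val = dot(b2, s)                               # b' s = s'As + e'.s
    bob_val = dot(s2, b)                                 # s' b = s'As + s'.e
    return alice_val, bob_val


if __name__ == "__main__":
    for structured in (False, True):
        a, b = run_exchange(seed=1, structured=structured)
        print("structured" if structured else "unstructured", a, b,
              "difference", centered(b - a), "bits", msb(a), msb(b))
```

Because every small entry is bounded by ETA, the integer difference between the two values can never exceed NOISE_BOUND, so whenever Alice's value is further than that from a rounding boundary both sides derive the same bit; the remaining cases are why FrodoKEM and similar schemes either send reconciliation hints or encapsulate a key rather than rounding blindly.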
CYBER SECURITY | 15

Quantum Computers and
Quantum Superiority
By Univ. Prof. Dr. Frank Wilhelm-Mauch, Department of Physics, Saarland University

Everyone is talking about quantum computers these days. There are signs of a hype, especially since a research group at Google published an experiment that shows the superiority of their quantum computer over the world’s largest supercomputers. This breakthrough result is difficult to grasp and there is a lot of uncertainty. What is behind the headlines claiming Google’s quantum supremacy and what impact is this having on information security?

The concept of a quantum computer can be grasped in two ways – theoretically and in terms of actual hardware. In theory, the difference between quantum computers and today’s traditional computers is the way in which classical binary data is processed between input and output. In quantum physics, systems such as elementary particles can assume several classically allowed coordinates in superposition. Here, “in superposition” means that several positions are possible at the same time and that different locations appear with certain probabilities when an attempt is made to measure the particle’s position.

In a quantum computer, this principle is applied to the contents of binary data registers: a quantum computer can be in a state that is a superposition of the classical binary values in the same sense. The effect can be understood as massive quantum parallel computing – the quantum computer executes an algorithm on a superposition of any number of register values but only requires a single processor core for this. Parallelism is currently also the biggest driver of acceleration in normal computers, but there, an additional processor core is needed for each parallel strand of the calculation.

It would however not be justified to proclaim the quantum computer as the ultimate parallel computer, because the aspect of probability must be taken into account: The user, of course, would like to obtain the correct result with high probability. At the end of the calculation, the superposition must be reassembled into one or a few results (“un-computing”). To this extent (and due to properties of the instruction set), classical applications cannot be simply transferred to the quantum computer and simply parallelized.

In practice, the hardware of quantum computers is still quite heterogeneous – quite comparable to the history of the classical computer, which ranges from relays to tubes to modern chips.

Brief Profile: Prof. Dr. Frank Wilhelm-Mauch

Prof. Dr. Frank Wilhelm-Mauch studied and received his doctorate in physics at the University of Karlsruhe, today’s KIT. After positions at TU Delft, Ludwig-Maximilians-Universität München and the University of Waterloo, he has been University Professor of Theoretical Physics at Saarland University since 2011. Wilhelm-Mauch has been working on various questions involving quantum computing and the hardware platform of superconducting circuits since 1999. He is a member of the Strategic Research Agenda Working Group of the EU Quantum Technology Flagship for Quantum Computing and Strategic Resources and coordinates the flagship project “An Open Superconducting Quantum Computer” (OpenSuperQ). He is also the lead author of the BSI study entitled “Status of quantum computer development.”
16 |   BSI MAGAZINE 2020/01

Quantum computer engineers must perform quite a balancing act: On the one hand, quantum physics is the physics of the smallest, isolated elements of matter – therefore the components (qubits) must be isolated. On the other hand, the quantum computer must be able to perform read and write operations and be flexibly usable and connectable – which is a challenge with isolated elementary particles.

Among the various candidates for technologies, two platforms are currently regarded as leading (other platforms are being successfully researched, but are currently less advanced):

• Atomic ions trapped in a high vacuum are a technology related to atomic clocks. Input and output are performed by using lasers and cameras.
• On the other hand, there are chips made of superconducting metals (aluminum and niobium) that are operated at very low temperatures.

Other platforms are being researched, but are currently less developed.

What both platforms have in common is that they are still experimental technologies that must find their way from the laboratory to application. This includes extreme conditions: ultra-high vacuum or temperatures close to absolute zero, which is quite manageable on the scale of data centres. This is also where we would expect to find quantum computers because of the possible applications.

WHERE CAN QUANTUM COMPUTERS BE USED?
As described above, the art in developing quantum algorithms is to take advantage of massive quantum parallelism and still end up with a result that is not masked by chance. This results in acceleration. The number of steps to the result can increase significantly more slowly with the size of the task than on normal computers.

This was shown for a number of tasks, including searching unstructured databases and various tasks in machine learning. One example is prime factorisation, which has a profound influence on the security of cryptographic processes, as well as the simulation of molecules and materials for the chemical and other industries. The latter is generally regarded as the first application, as it places lower demands on the hardware than the others.

WHERE DOES HARDWARE DEVELOPMENT STAND?
In the media, the number of qubits is often cited as an indicator of development. The initially modest numbers of bits become more impressive when compared to what a normal computer needs to simulate a quantum computer – N qubits require 2^N complex floating-point numbers.

The error rate of quantum operations is at least as important. This is initially quite surprising. Hardware errors rarely play a role in normal computers because the semiconductor logic used stabilises itself. This is not the case with quantum computers:

• On the one hand, the rich structure of quantum states allows significantly more error options than in the classical case.
• On the other hand, with analogue errors as well as with the tendency of open systems to behave classically after a long time – i.e. to lose their quantum properties – error mechanisms occur that have no equivalent on traditional digital computers. Today, error rates of 1:1000 are the start of good qubits and 1:1000000 is the best that has ever been achieved. But even that means that at a MHz clock frequency, an error occurs every second.

There are two basic approaches to address this problem: Noisy Intermediate-Scale Quantum Technology (NISQ) is used to test how far you can go with faulty computers. The number of computing steps limited by the error rate allows only short algorithms. The potential of quantum acceleration lies in algorithms that classically fail because of memory rather than time, e.g. in theoretical chemistry.

If one wants to go beyond that, active error correction and fault-tolerant computing are required. Here, logical qubits – qubits that the algorithm needs – are encoded in a larger number of physical qubits (i.e. real components) and corrected by comparison measurement. As long as the qubits are good enough, the effective error rate can be further suppressed. The resulting overhead is considerable, however. The route to error tolerance is described in detail in the BSI study www.bsi.bund.de/qcstudie. It outlines five layers of intermediate steps that allow progress in this direction to be evaluated.

QUANTUM SUPERIORITY AT GOOGLE
In October, the hardware group at Google, led by John Martinis, published a decisive result on quantum superiority. What was shown there? A hardware platform in the form of a chip made of superconducting qubits connected in a 6 x 9 rectangle. 53 of the 54 qubits worked. The processor is operated as NISQ. The error probabilities for the limiting 2-qubit gates were consistently below one percent.

As a benchmark for quantum superiority, the Google team set up a task that made it easy for the quantum computer to play to its strengths. A suitable random algorithm was processed, which simulated the physical phenomenon of quantum chaos. Reproducing this result on a normal computer would require 2^53 complex numbers in memory – more than the largest supercomputer currently has available.

Typical cooling machine for the operation of qubits (chip at the bottom). The copper plates are used for temperature equalization.

This is undoubtedly a technological masterstroke that will enable the further development of larger and better quantum processors. It is just as unlikely to be considered “useful” as the Wright brothers’ first flight, but could yield similar key results.

REFERENCE TO CRYPTANALYSIS
Cryptanalysis is a possible application of quantum computers. Current RSA cryptography is based on the difficulty and exploding efforts to decompose large integers into their prime factors on normal computers. Quantum computers do not have this limitation; they can achieve this in a time that increases with the size of the integer only very slowly. Therefore, once quantum computers have decoded RSA, this encryption will be irretrievable. This refers first and foremost only to public-key cryptography, however. Symmetric procedures can still be quantum secure if the key length is sufficient.

The compiled algorithms are long and complex though – about 10^12 time steps. As far as can be foreseen, this will require active error correction. Although Google’s breakthrough was an important step in this direction, the actual relevance for cryptanalysis is still a long way off. Nevertheless, for long-term information security, it is important to enter into a process to make cryptographic infrastructures quantum-safe now. It would hardly be appropriate to panic, however.

A New Approach
  29th Cyber Security Day of the Alliance for Cyber Security
By Till Kleinert, Section Cyber Security for the Private Sector and Alliance for Cyber Security

The Alliance for Cyber Security (ACS) and the German Chambers of Industry and Com-
merce (DIHK) attracted many interested parties to the 29th Cyber Security Day in Berlin
on 26th September 2019 by launching a new event concept. After all, even if many issues
in the context of cyber security can be solved individually, it is much easier and better if
you can learn from the experiences and insights of others.

An exhibition, interactive formats and expert presentations on current cyber security challenges – the 29th Cyber Security Day at the Haus der Deutschen Wirtschaft in Berlin had a lot to offer to participating companies, cyber security initiatives, associations and authorities. The Alliance for Cyber Security pursued a new concept for this event, which was noticeably different from previous Cyber Security Days.

The focus was not only on presentations, but also on offering many opportunities to cooperate on various cyber security topics. The moderators used barcamps to guide the creativity of the participants and to realize tangible work results. Project proposals for the European Cyber Security Month (ECSM), which started only a few days later, were shared at short notice in workshops.

Projects already completed for the ECSM – such as the IT emergency card, which many cyber security initiatives and partners as well as the BSI had realised under the umbrella of ACS – were presented in an exhibition. At the same time, the Alliance for Cyber Security reported live via social media and captured the event on video (https://www.allianz-fuer-cybersicherheit.de/ACS/CSTVideo) for the first time.

An event of this magnitude demanded a huge commitment from the organisers, not only on the day itself, but also in advance. The DIHK and ACS had already started coordinating it several months earlier. The effort proved to be worth it: With more than 300 representatives of German organisations, the 29th Cyber Security Day experienced a previously unattained level of interest. The feedback from the guests also reflected that the new concept was well received. The team of the Alliance for Cyber Security will therefore again incorporate various interactive elements into the event planning for the next Cyber Security Days.

Cyber Security Days

The Alliance for Cyber Security organises six Cyber Security Days per year at different locations throughout Germany under the patronage of the BSI in cooperation with multipliers such as associations, chambers, initiatives or networks. The events are designed for a group of up to 200 participants and deal with a current topic of cyber security. Guests get to know different perspectives in expert presentations, brief workshops and discussion groups.

Upcoming events will be announced on the webpage of the Alliance for Cyber Security.

Here you can find out why you should attend a Cyber Security Day:

                   https://www.allianz-fuer-cybersicherheit.de/cybersicherheitstag

Professional Companions
  Certification as an IT-Grundschutz Consultant
By Johannes Oppelt, Section BSI Standards and IT-Grundschutz

The BSI Report on the state of IT Security in Germany 2019 recently demonstrated quite
impressively, once again, that the danger of companies and authorities becoming victims
of a cyber-attack is still high. At the same time, the attacks are becoming increasingly
professional. In addition, there are the fundamentally important internal challenges:
clearly defined processes and responsibilities for information security issues, well-trained
employees – ideally a management system for information security in accordance with
IT-Grundschutz. This is where the certification of individual persons as IT-Grundschutz
consultants comes into play.

Many companies and authorities are in need of a knowledgeable consultant on their side to plan and implement IT security measures and processes. Smaller institutions in particular are often unable to handle on their own the extensive tasks this involves due to a lack of personnel or financial resources. External expertise is usually also needed to implement, subsequently establish and maintain a comprehensive Information Security Management System (ISMS).

INFORMATION SECURITY ACCORDING TO IT-GRUNDSCHUTZ
The BSI therefore offers interested users personal certification as IT-Grundschutz consultants. The certification offering is based on a two-stage training concept. In the first stage, a certificate as an IT-Grundschutz practitioner can be obtained before personal certification as an IT-Grundschutz consultant is possible (see Figure 1).

The aim of this certification option, which is still quite new, is to achieve a uniform and high level of training in the area of IT-Grundschutz. Trained IT-Grundschutz consultants can advise institutions on all IT-Grundschutz topics thanks to their proven expertise. For example, they can support authorities and companies in developing security concepts or an ISMS. In day-to-day operations, they can define measures based on IT-Grundschutz, together with the responsible employees of the institution, and implement them in operations. Certified IT-Grundschutz consultants can also help prepare an ISO 27001 audit based on IT-Grundschutz.

“With its certification offer, the BSI, as the national cyber security authority, sets the standard for a uniformly high level in the training of experts,” explains the President of the BSI, Arne Schönbohm. “They can pass on the recommendations and measures from IT-Grundschutz in a well-founded and competent manner in actual practice.

Each individual IT-Grundschutz consultant can thus make an important contribution to the resilience of the German economy and public administration in the area of information security in the future,” he adds.

      "With its certification offer, the BSI as the federal
       cyber security authority sets the standard for a
      uniformly high level in the training of experts."

IT-GRUNDSCHUTZ EXPERTISE IS IN DEMAND
More than 20 providers now offer training courses in accordance with the BSI’s guidelines. In 2019, over 300 people were already trained as IT-Grundschutz practitioners and more than 50 people were certified as IT-Grundschutz consultants. The high demand for the new personal certification reflects the need for expert support and consulting on the introduction, operation and further development of information security in institutions.

• Interested users can first complete the basic training course to become an IT-Grundschutz practitioner and take an examination. This training is suited for everyone interested in information security and provides basic knowledge about IT-Grundschutz.

• An advanced training course is concluded by receiving a personal certification as an IT-Grundschutz consultant. This path is recommended for users who already have extensive practical experience in the area of IT-Grundschutz.

The BSI cooperates with training providers who offer interested users the basic training course to become an IT-Grundschutz practitioner and the advanced training course to become an IT-Grundschutz consultant. It provides a curriculum for this. The examinations to become an IT-Grundschutz consultant are also conducted by the BSI.

Figure 1: The two-stage path to certification (from bottom to top)

    Certified IT-Grundschutz Consultant
        ^
    Examination at the BSI
        ^
    Advanced training with a provider
        ^
    IT-Grundschutz Practitioner
        ^
    Examination by a training provider
        ^
    Basic training with a training provider (or self studies)

For more information see:

                   https://www.bsi.bund.de/gsberater

Qualified Approval
Procedure
  IT Security Products for the Protection of Classified Information
By Frank Sonnenberg, Thomas Borsch, Section Classified Information Product Approvals

The BSI has the obligation to strengthen and maintain IT security as part of its legal
mandate. This includes providing the federal government, the federal states (Länder) and
industries that are obliged to secrecy with IT security solutions that are approved for
the processing of classified information. Increasing digitalisation, ever shorter innova-
tion cycles and constantly changing threats represent a major challenge for the security
of IT systems protecting classified information. Therefore, innovative methods must be
developed at an early stage to identify the need for IT security-relevant technologies,
to define the corresponding requirements, to implement these into realisable product
developments and to provide the respective market with an approved solution for the
protection of classified information in a timely manner.

Approval procedures required by the German administrative directive VSA are generally very extensive and time-consuming due to their complexity. This is particularly attributable to the fact that the evaluation methodology used for the procedures is closely aligned with the Common Criteria and their formal approach. This means that IT security products with short innovation cycles do not appear suitable for such evaluation procedures at first glance.

Software products and mobile communication devices in particular are highly exposed to constantly changing attack vectors. In order to be able to use them as products protecting classified information, effective approaches must be newly developed as quickly as possible and they must be used for the approval of IT security products. The resulting more difficult time frame poses a major challenge for the approval of products protecting classified information, as the short reaction times required by the industry are contrary to the established evaluation and approval process. It is therefore important to make the approval procedures more efficient in the future, while maintaining the same level of assurance. In order to meet this objective, the BSI has developed the “Qualified Approval Procedure” for IT products protecting classified information of the classification level “VS – NUR FÜR DEN DIENSTGEBRAUCH” (VS-NfD, internationally comparable to a RESTRICTED classification level), which make up a high percentage of the approval procedures.

QUALIFIED DEVELOPERS
The basic approach of the Qualified Approval Procedure is to systematically assess the security of the development environment and the processes of the product developer in addition to merely technical evaluation criteria. The suitability assessment in this area is expressed by the title “Qualified Developer” that is assigned by the BSI. In contrast to pure product evaluation, this is an up-to-date approach that takes a global view of IT security over the entire life cycle of an IT security product.

With the Qualified Approval Procedure, VS-NfD products from Qualified Developers are to pass through a well-defined evaluation process efficiently and yet effectively. In this context, “efficient” and “effective” are understood to mean the realisation of timely evaluation results, with an optimised and resource-saving procedure while maintaining the level of assurance of the approved IT security product. However, the regular approval procedure remains valid and is used for approvals on classification levels higher

Figure 1: Expenditure standard procedure vs. qualified procedure

    Standard Approval Procedure (100%)
        Evaluation:               approx. 48%
        Developer documentation:  approx. 52%

    Developer Qualification (109%, one-time additional time and effort)
        Evaluation:               approx. 52% (of which approx. 4% processes)
        Developer documentation:  ca. 57% (of which approx. 5% processes)

    Qualified Approval Procedure (43%, i.e. 57% efforts saved by trend)
        Conceptual evaluation:    approx. 3%
        Developer documentation:  approx. 40%
        Informal architecture and informal crypto concept: approx. 1.2%

than VS-NfD, as well as for developers who have not yet been qualified.

To achieve this goal, an alternative procedure for the approval of IT security products had to be defined. Before this, the assurance of an approval statement was based exclusively on a purely technical evaluation of the entire IT product being subject to approval. In order to reduce the time-consuming and extensive individual product evaluations, it was necessary to compensate these by using different, but technically equivalent assurance criteria.

This is achieved by integrating and evaluating company-wide process-oriented security requirements as part of the approval assurance statement. Based on the Common Criteria, they comprise all phases of the entire life cycle of an IT security product, from the early planning phase (requirement phase), through development, market launch, maintenance and support, to regulated discontinuation and end-of-life of the product.

Thus, the Qualified Approval Procedure is based on the following assurance aspects:
• Assurance of development processes and the development environment: A Qualified Developer has to meet special requirements of the BSI for the development and evaluation of its IT security products. Developer Qualification is granted by the BSI on the basis of specific well-defined criteria.
• Conceptual product evaluation: The regular purely technical evaluation of the entire product is reduced to a conceptual evaluation in the Qualified Approval Procedure. It is an informal but systematic way to assess the basic architecture and security features of the IT security product to be approved.
• Mandatory developer declaration: The developer assures the BSI in writing in a developer declaration that he has developed a product in accordance with the developer processes reviewed by the BSI and has generated all the product evidence required within the scope of a regular evaluation and could, if necessary, submit this to the BSI for review.

The figure below illustrates the benefit that results from the application of the Qualified Approval Procedure and is actually confirmed by the procedures already completed (see Figure 1).

EVALUATION EFFORT IS REDUCED SIGNIFICANTLY
The efforts caused by the Qualified Approval Procedure are reduced to less than 50 percent after the developer has successfully completed the developer qualification. This is offset by only a one-time additional expenditure of approximately 9 percent. This additional expenditure is caused by the initial process evaluation of the company during its developer qualification that also needs to be performed. Once this has been successfully completed, all subsequent VS-NfD approval procedures that make use of these development processes can be carried out with the Qualified Approval Procedure.

Besides the reduction in expenditure, the duration of a Qualified Approval Procedure is also reduced significantly, since only a conceptual product evaluation of certain evaluation aspects is required. The detailed, in-depth and iterative evaluation applied in the standard approval procedure, which essentially leads to an extension of the procedure, is no longer necessary in the Qualified Approval Procedure.

In summary, the Qualified Approval Procedure thus leads to more efficient coverage of the demand for approved products. For the participating companies, the focus is on the aspect “time to market,” in addition to a financial advantage from the procedure, better controllability and timely market introduction of improved and secure IT security products.
24 | BSI MAGAZINE 2020/01

Electronic Identities
on the Smartphone
  How to Use Mobile Identities Securely
By Rainer Schönen, Section Cyber Security in Health and Finance

Shopping is done via web shops, media is streamed online, social interaction takes place
via social media and (bank) transactions are completed on the tablet or mobile phone.
Much of today’s life is digital. That’s why the BSI is collaborating on the OPTIMOS 2.0
research project to ensure that electronic identities can be stored securely on smart-
phones. The goal is to ensure that even data-sensitive services can be used on mobile
devices.
CYBER SECURITY | 25

An electronic identity (eID) is needed to be able to use a wide range of online services. The term eID is actually quite generic and can stand for a wide range of online accesses, such as:

• the pseudonym with which one is active in an online forum,
• the account in a social network,
• the holder of a digital car key stored on the smartphone,
• a buyer in an online shop or
• the bank client during online banking.

Each of these eIDs must be protected against misuse, with the level of protection varying depending on the type of electronic identity. Sometimes it suffices to enter simple access data (e.g. user name and password), but this type of protection is not sufficient for sensitive data or access to high-priced goods. For example, if you want to gain access to a building or display your annual public transport ticket on your smartphone, these functionalities should be protected better than by simply entering a user name and a password. Otherwise, these forms of eIDs can fall into unauthorised hands too easily.

Of course, it is not necessary to comply with the highest security requirements for all applications. However, the user rightly expects that his identity cannot simply be stolen or manipulated.

PROTECTION OF EIDS
Like any networked device, smartphones are constantly exposed to the danger of a cyber-attack. Therefore, special requirements must be met to ensure that eIDs are stored safely on the smartphone. Here, a look at the “Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC,” 1) or eIDAS Regulation for short, and its defined assurance levels is worthwhile.

The eIDAS Regulation distinguishes between three assurance levels: low, substantial and high. Each of these levels is associated with a resistance to a defined attack potential. The BSI Technical Guideline TR-03107 is the national version of the eIDAS regulation. It offers many indications as to which requirements must be met in order to achieve the above-mentioned assurance levels and thus a certain degree of resistance to cyber-attacks. Among other things, the guideline provides specifications for the issuance and administration of an eID, but also on which authentication mechanisms must be used. From this, it can be deduced that at least a substantial assurance level is necessary to store and manage eIDs in a smartphone in a sufficiently secure manner.

To meet this substantial assurance level, the system must be able to prevent an attack with the attack potential “moderate” in the sense of the Common Criteria Evaluation Methodology or ISO 18045. In order to implement these requirements securely, the BSI recommends using a hardware anchor, as otherwise a successful attack on cryptographic material protected only by software means cannot be ruled out.

Modern smartphones have such a hardware anchor in the form of a secure element. These are available in the form of embedded security elements or an embedded SIM card. Both variants of a secure element are functionally closely related to the well-known plastic smart cards and achieve a very good security level by using advanced security functions.

OPTIMOS 2.0
A consortium of universities, public authorities and companies is developing solutions in the OPTIMOS 2.0 research project funded by the German Federal Ministry of Economics and Energy on how eIDs can be securely and practically transferred to smartphones according to the above-mentioned criteria. With OPTIMOS 2.0, an infrastructure is to be created that is accessible to all service providers without discrimination and meets the highest security and data protection standards. The central element here is the Trusted Service Provider, which acts as an interface between service providers and end customers and takes over the task of placing the eIDs on the hardware anchor. The user only needs to install his apps from the respective app store as usual. To make this possible, the BSI is involved in standardising the necessary components, interfaces and processes so that the technology that has been developed is available to as many end users as possible.

1) https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910&from=EN

For more information see:

https://www.bundesdruckerei.de/de/Unternehmen/Innovation/Optimos