The Bavarian IT Security and Safety Cluster
The Bavarian IT Security Cluster is an affiliation of IT companies, institutes of technology, businesses which themselves use security technology, universities of applied sciences, institutes of further education and law firms.
Aims and functions
- To initiate and promote collaborations, particularly between the scientific and economic community
- To further the development of IT security research and training
- To provide information about security risks and their technical and organisational solutions
- To present the Cluster’s members and their security expertise
- To launch and mentor company start-ups
Technological focus/fields of work
The Bavarian IT Security Cluster’s fields of work, which can be divided by content into the areas ‘IT Security’ and ‘IT Safety’, emerge from the differing expertise and interests of its members and from the issues which are the focus of public attention at the time. ‘IT Security’ covers all issues of IT or information security which are concerned, in the broadest sense, with protection against intelligent, strategic attack. ‘IT Safety’ covers the technical/functional issues of information security and is primarily concerned with protection against harmful influences.
Services for members
- Support for company collaborations
- Public relations
- Support in the evaluation and recruitment of staff
National and international networking
The Cluster’s external network is designed to offer still greater potential for collaboration between its members. Branches in Augsburg and Nuremberg are the driving force behind the national network. Internationally, the Bavarian IT Security Cluster cooperates with clusters in Belgium, Denmark and Poland.
Working groups: IT-Security
- Cloud security
- Data protection
- Information security management
- Industrial IT security
- Secure smart grids (S3GEN)
- Cyber Security
Working group: Data Protection
This topic area addresses the current legal and organisational issues of information security, with particular reference to data protection.
- Transfer of information to the companies to ensure that legal requirements are fulfilled and legal procedures swiftly executed
- Exchange of knowledge and expertise
- Training and professional development of company data protection officers
- Organisation of regular talks by experts
- The holding of a data protection day every two years
- Working group of company data protection officers:
Objectives are the exchange of knowledge and expertise; the discussion of problems and their solutions and the constant improvement of data protection in the companies. The eight data protection officers in the working group are drawn from companies which are members of the cluster. Meetings on a range of different topics are held four times a year.
- Cloud data protection and information security
Working group: Cloud Security
This topic area is chiefly concerned with legally compliant security solutions for cloud computing and with secure SMB services in the cloud.
In just a few short years, cloud computing has developed into a very complex and dynamic area of IT. Nevertheless, some users have their reservations: they use cloud services such as Evernote, Doodle or Google Docs themselves, whilst being reluctant to make use of their equivalents at company level. This sceptical attitude is bound to change with time, primarily because the effects of deliberations about data protection and IT security are beginning to make themselves felt and are increasingly being implemented.
When it comes to compliance with the law, cloud computing confronts businesses with a variety of practical problems. In practice, compliance with data protection and confidentiality laws, evidence of compliance certification and contract law are often particularly neglected.
Working group: Industrial IT Security
In this area, members of the Bavarian IT Security Cluster deal with the development of products and solutions for the manufacturing industry and with the design of industrial IT processes.
At the heart of this area are working groups whose task is to develop products, solutions and processes for the manufacturing industry. What triggered this development was an attack on a uranium enrichment plant in Iran in July 2010, an attack which no one had thought possible. Faith in the security of IT systems in processing and manufacturing control facilities was shattered. Up until then, IT systems of this kind had been considered secure due to their being self-contained, a condition achieved by the strict separation of manufacturing from administrative IT environments. IT experts have, in fact, long been aware of the problems posed by the areas of manufacturing and infrastructure, but there was simply a lack of realistic, affordable solutions and products. The solutions and concepts used in typical office or administrative environments are of little or no use to the areas of manufacturing or infrastructure.
Most modern-age cyber warfare attacks are no longer carried out via the ‘highways’ of the classic hacker, nor, as a rule, in the office environment, but at the production level. Malware which poses a threat, or is as potentially damaging, as ‘Stuxnet’ or ‘Duqu’ subtly overcomes any firewalls, opening, as it were, secure ‘gates’ from the inside. It attacks its targets systematically and with well-nigh surgical precision, encountering an area at the manufacturing and control level which has been poorly protected up to now.
This chink in security quickly revealed a gap in the market for ‘Industrial IT Security’. Under this heading there is a range of products as well as analysis and consulting services designed to meet the needs of manufacturing and processing. At the heart of their observations and solutions is the manufacturing and control process.
Working group: Information Security Management – ISIS12 – Information security for small and medium-sized businesses
Small and medium-sized businesses still attach too little importance to IT security. Technical solutions such as virus scanners, firewalls and spam filters may have become standard in SMBs, but an integrated information security management system is still a rarity in smaller businesses.
A network of 10 businesses and 2 universities has created ISIS12, a security management system for smaller businesses which is easily installed and can be introduced in just 12 steps. The Federal Office for Information Security’s (BSI) basic IT security recommendations and the de jure ISO/IEC 27001 and 27002 standards were chosen as the reference for this purpose. For ISIS12, a catalogue of measures was developed which contains only those measures relevant to smaller businesses. This made it possible to strike a balance between the catalogues of measures listed in the two standards, thus making it easier for businesses to adopt an information security management system.
As a rule it is very difficult for smaller businesses to introduce standards such as ISO 27001 or those of the BSI. ISIS12, a newly developed procedure tailor-made for these businesses, enables them to take the first steps towards achieving information security.
With the introduction of ISIS12, structures are established in the company which are essential for ISO 27001 or BSI basic security accreditation.
Smaller businesses which introduce ISIS12 receive the ISIS12 manual, which covers the efficient design of information security systems in smaller businesses, as well as the supporting ISIS12 software tool. Appropriately trained ISIS12 service personnel supervise and support the businesses during the introduction of ISIS12.
The first client-based ISIS12 project was launched in October 2012. The intention is to minimise the risks to the business in the pilot project by introducing an ISIS12 information security management system, which is designed to optimise and monitor every process relevant to security. Numerous other businesses are also interested in introducing an ISIS12 information security management system.
Working group: Secure Smart Grids (S3GEN)
Smart grids – new, intelligent electricity networks – are a necessary prerequisite of a structural change in the power supply. The area ‘Secure Smart Grids’ is concerned with the secure operation of the electricity distribution network.
Intelligent electricity networks are needed on the one hand because of a constant rise in energy consumption due to the use of devices such as electric cars, and on the other because large, centralised power stations are being replaced by small energy suppliers distributed across a wider area. However, the new smart grid infrastructure also poses new risks.
Several members of the cluster are concerned with the topic of smart grids. Central to their work is the funded project S3GEN, in which eleven businesses and the University of Regensburg, represented by the Laboratory for Safe and Secure Systems (LaS3), research the design of a secure electricity distribution network and develop solutions.
Working group: IT-Safety
In the area of ‘IT Safety’, the reliability and safety of software-based functions in the automotive sector is the focus of the Bavarian IT Security Cluster. The parties involved with the issue of automotive safety are concerned with the development of safe, software-intensive automotive systems.
Aims and responsibilities
- Transfer of information and exchange of knowledge and expertise
- Presentation outside the region
- Organisation of talks by experts and information sessions
- Exchange of information, networking and the formation of collaborations on the subject of automotive safety
- Research projects: S3Core, S3EMO
- ISA+ – Information Security Analysis – 50 questions on information security
- ISIS12 – Information Security Management System in 12 Steps