Workshop on "Certification of civil security technologies and services"
On 11 January 2011 a workshop on "Certification of civil security technologies and services" was held at DIN, the German Institute for Standardization, in Berlin. Around 100 participants from politics, business, academia and the associations attended the event, which had been organized by DIN's Coordination Office for Civil Security (KoSi). The workshop was presented by Christoph Stroschein, the Managing Director of the German European Security Institute and Deputy Chairman of the Steering Committee on Civil Security.
The main plenary session was opened by Dr Rainer Jäkel of the Federal Ministry of Economics and Technology (BMWi), where he is responsible for innovation and technology policies. Dr Jäkel began by underlining the great importance the Federal Government attaches to the topic of civil security technologies and services, and followed on by outlining the measures and programmes that form part of the Ministry's industrial policy initiative launched in November 2010. Standards and specifications that are accepted throughout Europe and the rest of the world are needed to ensure this future market can develop to its full potential. German companies must become involved and provide their expertise at an early stage so that the market remains open and no new market constraints are created due to unilateral national standards, said Dr Jäkel. The creation of DIN's Coordination Office for Civil Security, which began its work on 24 November 2010 with the Ministry's support, is one of the measures to implement the Ministry’s industrial policy initiative for this key future market. Coordinating the national standardization process early on and representing German interests in supranational standardization from the very beginning are some of the tasks of the Coordination Office, as is involvement in the development of the certification procedures that will ultimately determine which security solutions are to gain access to markets.
Dr Jäkel’s introduction to the new Coordination Office was supplemented by more detailed information on its duties and working methods by the Director of DIN, Dr Torsten Bahke. One of the first tasks of the Coordination Office for Civil Security will be to compile an overview of standards and standards projects in the various areas of civil security. Specific areas will then be prioritized and a realistic standardization road map drawn up.
During his moderation of the event, Mr Stroschein emphasized the important role of the Coordination Office. With the support of the Steering Committee on Civil Security, which was constituted on the morning of 11 January, the Office was to identify principal areas of interest as soon as possible and coordinate efforts with the standards committees to discuss national interests with the European Commission.
"From Security Metrology to Security Label – Innovation Road for Security Standardization"
In his keynote speech, Klaus Keus, representing the Institute for the Protection and Security of the Citizen of the European Commission’s Joint Research Centre (JRC), presented the Commission’s views on the rapidly growing security market and the key role standards will play in that market. Standards are applied, to great benefit, throughout the process chain, beginning with metrology and proceeding through to certification, where they are used to verify properties.
Mr Keus pointed to the enormous complexity of the security market, with security encompassing not only technologies, services and processes but also social and political aspects at national, European and global level. The difficulties are compounded by the fact that “security” is hard to measure or make visible. Security scenario profiles (SSP) take a practical approach, providing guidance on a wide and varied range of topics such as flight safety, crisis management, maritime border surveillance and supply chain security. These SSPs use a modular structure that comprises applications, risk factors, security policy, and security levels and their interdependencies, and also incorporate technologies, processes, and organizational and social structures. Standards are needed to describe and assess innovative security solutions, quality, products, and services.
One way of helping companies to access the European security market and simplify the process would be to introduce a European Security Label. This could be a general point of reference for suppliers, end users, customers, and society in general. With its transparent, verifiable and sustainable approach, it would also help engender confidence in security-related systems, processes and services. An independent European network of excellence (which Keus called a “European NIST”, on the lines of the US National Institute of Standards and Technology) could be responsible for the general administration and monitoring of the label.
"Standardization and certification in security - a manufacturer’s perspective"
In the final speech of the morning, Markus Reigl, Head of Standardization and Regulation at Siemens AG, spoke about standardization and certification from a manufacturer’s perspective. He explained how manufacturers rate the importance of standardization and certification in a differentiated way, depending on whether they are thinking about security, performance or methodology. Security is a major topic for both standardization and certification. On the other hand, standardization and certification are only of limited importance when it comes to performance, as this includes an element of competition. Mr Reigl’s conclusion is that there should not be any certification that does not have added value for manufacturers, business partners and consumers, or that is not in the public interest. If a certification scheme is to serve its purpose, it must make the assessment of quality transparent, and it also needs to discourage abuse by incorporating market surveillance.
Summing up the morning’s speeches, Mr Stroschein highlighted a number of topics that would form the basis for discussions and exercises in the afternoon’s workshop. He emphasized the importance of incorporating standards in security research programmes in order to take advantage of the time factor. The definition of “security” should not only be based on economic precepts but must also include the integration of society and its citizens. Mechanisms for assessing the market for security solutions should preferably be based on standards.
In the afternoon, the participants were divided into four parallel groups to discuss the need for security solution certification and the benefits and drawbacks associated with it. Numerous ideas and topics for certification at national, European and international level were discussed with the aim of developing recommendations outlining initial approaches by which to tackle the subject.
Workshop 1: Certification of security technologies and products
Around 30 participants took part in the discussions, which were led by Mr Krapp, Manager of the Security System Division of ZVEI, the German Electrical and Electronic Manufacturers' Association, assisted by Mrs Lehniger, the Head of DIN's Firefighting and Fire Protection Standards Committee. The resulting recommendations showed the participants were clearly in favour of certification, with those attending feeling that this should be dependent on customer requirements and make use of the systems that are already in place in Europe. The participants proposed taking a vertical approach covering product development through to certification. They recommended starting with the harmonization of minimum requirements for the private operation of critical infrastructures (such as energy networks). Cyberspace attacks were pinpointed as a vulnerable area, and it was thought essential that potential weak spots be identified and made secure. Priority should be given to overcoming the national fragmentation of the European market. With a view to international competition, efforts should be made to secure bilateral agreements between the EU and other economic areas.
Workshop 2: System integration certification (management/systems/processes)
Mr Köhler, Head of Key Account Management of the InfoKom Division of IABG (Industrieanlagen-Betriebsgesellschaft mbH), hosted the discussion, aided by Mr von Hoegen, Project Manager in DIN's Personal Protective Equipment Standards Committee (NPS). The twenty or so participants were of the opinion that there should also be certification of systems and processes. Whether this should be carried out at national, European or international level should depend on the sector. System integration would provide added value. Certification programmes should be devised on the basis of existing structures, with the certification of management systems (e.g. ISO 9000) acting as an umbrella, supplemented by systems certification that was specific to sectors (e.g. ISO 27001, German BSI Act on Security, ISO 28000). The third stage would see the integration of certification according to product and services standards. Infrastructures, processes, persons and information were identified as core subjects. Conflicts that could weaken Germany's position in international markets were seen to be the cost-benefit relationship, sociocultural aspects and competition with other countries. Primary attention should be given to structuring existing standards, networking with the security research programme, and security service provision. The group also recommended incorporating examples of best practice.
Workshop 3: Certification of services (service, education, training)
Dr Olschok, Managing Director of the Bundesverband Deutscher Wach- und Sicherheitsunternehmen (BDWS - Federal Association of German Guard and Security Companies), supervised the discussion of the 20 group members, aided by Mr Höppner, Project Manager in DIN's Services Standards Committee. Since security services are far more diverse than technologies or products, the group recommended a sectoral approach. Rules governing IT security already exist. The group said it would welcome an overview of standardization activities involving security services. Certification should focus on processes and further training, and, where applicable, on basic training. Interesting topics for security services would be crisis management, accident handling, securing of infrastructure and business continuity planning.
Workshop 4: International competitiveness through certification, Europe and global recognition
Mr von Foerster, Director Government Association & Public Affairs, Bosch Sicherheitssysteme GmbH, led the discussions of the twenty-strong group, assisted by Mrs Schlüter, Project Manager in the Coordination Office for Civil Security of R & D Stage Standardization (EBN) at DIN. To enable Germany to secure its place in the international marketplace, first steps should be taken to draw up a German recommendation paper aiming at a unified European certification method. This would help to end the fragmentation of the European Internal Market and encourage it to become more open. At the same time, the particularities of the various aspects of security (i.e. IT security, security and safety) must be taken into account. With the support of European industry, which shares common interests, it is recommended that national certification marks be withdrawn; at the same time, it is important that today’s quality levels are maintained and test procedures simplified (one stop testing – one stop certification).
Concluding plenary session
The recommendations of the four groups were presented and discussed. Mr Stroschein gave an outline of the political dialogue with the European Commission and briefly described the follow-up work that would now fall to the Coordination Office on Civil Security after the meeting.
In preparation for the Communication from the European Commission on its security strategy in 2012, Germany can set the course by drawing up a paper setting out its recommendations. The Security Research Conference of the European Commission on the Security Research Programme is due to be held in September 2011. This will be a good opportunity to present a national viewpoint in favour of standardization and certification.
As a means of supporting the export initiative of the Federal Ministry of Economics and Technology that has arisen out of its industrial policy initiative on civil security as a key future market, it would be advisable to prepare examples of best practice in time for the delegation’s meetings in 2011 and 2012. Advantage should be taken of standards’ role in opening up markets.
The dialogue of the security technologies and services sector with the Research Programme for Civil Security of the Federal Ministry of Education and Research ensures that standards are used as an instrument for exploiting R & D findings and for transferring the results to market. In addition, the main points of the security research programme are addressed in the eighth EU Research Framework Programme. R & D programmes are expected to be increasingly market-relevant, and this is a way of supporting such demands.
Closing the meeting, Michael von Foerster, Chairman of the Steering Committee on Civil Security, thanked the participants for contributing to a lively and enthusiastic discussion.