Sunday, March 10, 2019

Germany's updated security requirements avoid ban on Huawei

The Bundesnetzagentur, which is the German regulatory office in charge of telecommunications, published additional security requirements for telecommunications networks and services without banning Huawei or other Chinese vendors.

The key elements of the new security policy are:

  • Systems may only be sourced from trustworthy suppliers whose compliance with national security regulations and provisions for the secrecy of telecommunications and for data protection is assured.
  • Network traffic must be regularly and constantly monitored for any abnormality and, if there is any cause for concern, appropriate protection measures must be taken.
  • Security-related network and system components (critical key components) may only be used if they have been certified by the Federal Office for Information Security (BSI) and undergone IT security checks by a BSI-approved testing body. Critical key components may only be sourced from trustworthy suppliers/manufacturers, i.e. those that can provide assurance of their trustworthiness.
  • Security-related network and system components (critical key components) may only be used following an appropriate acceptance test upon supply and must be subjected to regular and ongoing security tests. The components that are security-related (critical key components) will be defined by the BSI and Bundesnetzagentur by mutual agreement.
  • Only trained professionals may be employed in security-related areas.
  • Proof must be provided that the hardware tested for the selected, security-related components and the source code at the end of the supply chain are actually deployed in the products used.
  • When planning and building the network, "monocultures" must be avoided by using network and system components from different manufacturers.
  • Where system-related processes are outsourced, only professionally competent, reliable and trustworthy contractors may be selected.
  • Adequate redundancy must be available for critical, security-related network and system components (critical key components). 

"We revise the security requirements on a regular basis in light of the current security situation and technological developments," explained Jochen Homann, Bundesnetzagentur President. "Security requirements apply to all network operators and service providers, irrespective of the technology they deploy. All networks, not just individual standards like 5G, are included."

https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2019/20190307_SL.html?nn=404530