Closed Bug 1983271 Opened 5 months ago Closed 1 day ago

PKIoverheid: TSP KPN Findings in 2025 ETSI Audit - Incident Report #11 – Anti-Malware Software

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pkioverheid, Assigned: pkioverheid, NeedInfo)

Details

(Whiteboard: [ca-compliance] [audit-finding])

Preliminary Incident Report

Summary

  • Incident Description:
    • Minor Non-conformity: Anti-Malware Software
  • Relevant Policies:
    • ETSI 319 401 (REQ-7.8-15X)
  • Source of incident disclosure:
    • Annual ETSI Audit
Assignee: nobody → pkioverheid
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-compliance] [audit-finding]

Full Incident Report - ETSI Finding #11 - Anti-Malware Software

Summary

  • CA Owner CCADB unique ID: A000068

  • Incident description: The CAB noted that anti-malware software was not present on several servers. Integrity protection software was present. On other servers which did include anti-malware software, the update frequency was not in line with the requirements of ETSI 319 401 REQ-7.8-15X. This was filed as a minor non-conformity on the conformity statement/report.

  • Timeline summary:

    • Non-compliance start date: 28-Feb-2025

    • Non-compliance identified date: 11-Jul-2025

    • Non-compliance end date: Ongoing.

  • Relevant policies:

    • ETSI 319 401 REQ-7.8-15X: The TSP shall protect its network and information systems against malicious and unauthorised software by means of malware detection and removal software, which is updated at least on a daily basis.
  • Source of incident disclosure: Finding by CAB during annual ETSI audit.

Impact

  • Total number of certificates: N/A

  • Total number of "remaining valid" certificates: N/A

  • Affected certificate types: N/A

  • Incident heuristic: N/A

  • Was issuance stopped in response to this incident, and why or why not?: N/A (see point below)

  • Analysis: N/A

  • Additional considerations: KPN only operates legacy S/MIME-capable CAs, which have not issued any S/MIME certificates since 1 August 2023. At that time this was changed due to updated S/MIME regulations, under which email addresses and the EKU emailProtection were no longer included in publicly trusted certificates.

Timeline

  • 28-Feb-2025: Effective date of version 3.1.1 of ETSI EN 319 401 which included updated and new requirements.

  • 11-Jul-2025: Auditor identifies finding.

  • 17-Jul-2025: Created Corrective Action Plan.

  • 12-Aug-2025: Corrective Action Plan Approved by auditor.

Related Incidents

| Bug | Date | Description |
|---|---|---|
| 1983262 | 15-Aug-2025 | Similar root cause. |
| 1983273 | 15-Aug-2025 | Similar root cause. |
| 1983274 | 15-Aug-2025 | Similar root cause. |

Root Cause Analysis

Contributing Factor 1: New requirement not timely implemented

  • Description: Not all requirements were implemented in time, as the changes were not fully tracked or prioritized during the transition period, because there was no structured process in place to monitor updates. Responsibility for tracking and prioritizing these changes was not clearly assigned, which contributed to delays in implementation.

  • Timeline: See main timeline.

  • Detection: Audit finding by CAB.

  • Interaction with other factors: No.

  • Root Cause Analysis methodology used: N/A

Lessons Learned

  • What went well: Stringent integrity and access checks were in place.

  • What didn’t go well: N/A

  • Where we got lucky: N/A

  • Additional: N/A

Action Items

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Implement antimalware with higher frequency update cycle on in scope systems. | Mitigate | Root Cause #1 | Frequency updated and checked | 2026-11-01 | In progress |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Implement process and report back | 2025-10-11 | Ongoing |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has been planned and has taken place at least twice | 2025-10-11 | Completed |

Appendix

N/A
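The requirement behind this finding, ETSI EN 319 401 REQ-7.8-15X, has two testable parts: malware detection and removal software must be present, and its definitions must be updated at least daily. The following is an added example, written for this page and not KPN's or PKIoverheid's own tooling, of an evidence check a compliance or operations team could run over a host inventory before the auditor does. The host records, the field names (`host`, `av_installed`, `integrity_monitor`, `signature_updated`) and the host names are constructed assumptions for the illustration, not the format of any real product; as the report notes, integrity protection alone does not satisfy the requirement, so such hosts are classified as `missing` rather than `compliant`.

```python
"""Added example (not KPN's or PKIoverheid's tooling): a minimal evidence
check for ETSI EN 319 401 REQ-7.8-15X, which requires malware detection and
removal software that is updated at least on a daily basis.

The host records below are constructed sample data; the field names
(host, av_installed, integrity_monitor, signature_updated) are assumptions
for this illustration, not the format of any real product.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# "updated at least on a daily basis": anything older than this is stale.
MAX_SIGNATURE_AGE = timedelta(hours=24)


@dataclass
class HostRecord:
    host: str
    av_installed: bool                    # malware detection/removal software present
    integrity_monitor: bool               # file-integrity checking; not a substitute
    signature_updated: Optional[datetime] # last definition update (UTC); None if unknown


def assess_host(rec: HostRecord, now: datetime) -> str:
    """Classify one host against REQ-7.8-15X.

    Returns one of:
      'missing'   - no malware detection software at all (integrity
                    protection alone does not meet the requirement)
      'stale'     - software present, but definitions older than 24 hours
                    or with no recorded update time (no evidence = not met)
      'compliant' - present and updated within the last 24 hours
    """
    if not rec.av_installed:
        return "missing"
    if rec.signature_updated is None:
        return "stale"
    if now - rec.signature_updated > MAX_SIGNATURE_AGE:
        return "stale"
    return "compliant"


def assess_fleet(records: Iterable[HostRecord], now: datetime) -> Dict[str, List[str]]:
    """Group host names by their classification, in inventory order."""
    findings: Dict[str, List[str]] = {"missing": [], "stale": [], "compliant": []}
    for rec in records:
        findings[assess_host(rec, now)].append(rec.host)
    return findings


# Constructed sample inventory (hypothetical hosts, not taken from the report).
# The reference time is fixed so the check is reproducible offline.
NOW = datetime(2025, 7, 11, 12, 0, tzinfo=timezone.utc)
SAMPLE_HOSTS = [
    HostRecord("ca-ops-01", True, True, NOW - timedelta(hours=3)),   # fresh: compliant
    HostRecord("ca-ops-02", True, True, NOW - timedelta(days=6)),    # weekly cycle: stale
    HostRecord("ca-hsm-gw", False, True, None),                      # integrity-only: missing
    HostRecord("ca-log-01", True, False, None),                      # no update evidence: stale
]


def sample_findings() -> Dict[str, List[str]]:
    return assess_fleet(SAMPLE_HOSTS, NOW)


if __name__ == "__main__":
    for status, hosts in sample_findings().items():
        print(f"{status:9s} {', '.join(hosts) or '-'}")
```

Run as a script it prints one line per classification; in a real deployment the inventory would come from the anti-malware management console or an agent export, and a non-empty `missing` or `stale` list is what the action item "Frequency updated and checked" should be evidencing as empty.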

In the Action items above an error had occurred while pasting the information from internal systems to markdown, so an updated version with the right Evaluation Criteria is provided below. In the meantime, PKIoverheid is monitoring this bug and we're open for additional questions or remarks people might have.

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Implement antimalware with higher frequency update cycle on in scope systems. | Mitigate | Root Cause #1 | Frequency updated on systems, check by compliance if done and report back | 2026-11-01 | In progress |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Implement process and report back | 2025-10-11 | In progress |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has been planned and has taken place at least twice | 2025-10-11 | In progress |

Is the due date for the first action item actually in 2026 or was this a typo?

Hello Dimitris,

There is indeed a typo in the due date for action item 1. Not so much the year (it is in 2026) but we meant January 11, not November 1. The reason this deadline is extended and set for early 2026 has to do with a system freeze (pre-migration and end-of-year).

A small update from our end:

  • Action item #2 & #3 have been completed.
  • As indicated earlier, action item #1 has an extended due date due to freezes on the systems in scope.

The current status of the action items is now:

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Implement antimalware with higher frequency update cycle on in scope systems. | Mitigate | Root Cause #1 | Frequency updated and checked | 2026-11-01 | In progress |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Implement process and report back | 2025-10-11 | Completed |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has been planned and has taken place at least twice | 2025-10-11 | Completed |

PKIoverheid is currently monitoring this bug to respond to any questions and/or comments the community might have. Action item #1 is still in progress (and within the due date). The date issue seems to be persistent within the table, so to avoid any confusion we're repeating the table above this time with the right due date for Action item #1:

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Implement antimalware with higher frequency update cycle on in scope systems. | Mitigate | Root Cause #1 | Frequency updated and checked | 2026-01-11 | In progress |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Implement process and report back | 2025-10-11 | Completed |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has been planned and has taken place at least twice | 2025-10-11 | Completed |

This report has gone stale.

You may request a next update that's beyond the normal weekly cadence but, absent that being accepted, you are required to provide an update on a weekly basis.

PKIoverheid is monitoring this bug and we're open for additional questions or remarks people might have. Currently we don't have any updates with regards to the Action Items.

This report has gone stale. As a reminder, CA Owners may request the “Next update” Whiteboard field be set by a Root Store Operator to align with a specific date related to an open Action Item.

Flags: needinfo?(pkioverheid)

Action item #1 was closed on 2025-12-24. The current status of the action items is now:

| Action Item | Kind | Corresponding Root Cause(s) | Evaluation Criteria | Due Date | Status |
|---|---|---|---|---|---|
| Implement antimalware with higher frequency update cycle on in scope systems. | Mitigate | Root Cause #1 | Frequency updated and checked | 2026-01-11 | Completed |
| Improve the structured process for tracking and implementing new requirements, including deadlines, periodic reviews and timely escalation to management. This includes assigning responsible persons for monitoring changes and integrating updates into operational procedures. | Prevent | Root Cause #1 | Implement process and report back | 2025-10-11 | Completed |
| Discuss compliance requirements and the necessary resources in a recurring meeting with management. | Detect | Root Cause #1 | Recurring meeting has been planned and has taken place at least twice | 2025-10-11 | Completed |

Since all action items are now closed, a Report Closure Summary will be posted shortly.

Report Closure Summary

  • Incident description: The CAB noted that anti-malware software was not present on several servers. Integrity protection software was present. On other servers which did include anti-malware software, the update frequency was not in line with the requirements of ETSI 319 401 REQ-7.8-15X. This was filed as a minor non-conformity on the conformity statement/report.
  • Incident Root Cause(s): Not all requirements were implemented in time, as the changes were not fully tracked or prioritized during the transition period, because there was no structured process in place to monitor updates. Responsibility for tracking and prioritizing these changes was not clearly assigned, which contributed to delays in implementation.
  • Remediation description: KPN implemented an anti-malware solution on the systems to meet the new ETSI regulations. As a preventive measure, the process for tracking and implementing new requirements has been improved, as well as pre-emptive discussions with management regarding needed resources.
  • Commitment summary: Going forward on top of the action items, periodic reviews of new ETSI regulations will be conducted to ensure systems remain aligned with security and compliance requirements.

All Action Items disclosed in this report have been completed as described, and we request its closure.

This is a final call for comments or questions on this Incident Report.

Otherwise, it will be closed on approximately 2026-01-14.

Flags: needinfo?(incident-reporting)
Whiteboard: [ca-compliance] [audit-finding] → [close on 2026-01-14] [ca-compliance] [audit-finding]
Status: ASSIGNED → RESOLVED
Closed: 1 day ago
Flags: needinfo?(incident-reporting)
Resolution: --- → FIXED
Whiteboard: [close on 2026-01-14] [ca-compliance] [audit-finding] → [ca-compliance] [audit-finding]