User Security Assessments
To become eligible to use the DCC Systems, SEC Parties will need to pass a User Security Assessment conducted by the User Competent Independent Organisation (User CIO) . The User Security Assessment process, as well as wider security obligations, can be found in SEC Section G: Security.
Prior to becoming a User, all SEC Parties are required to have an Initial Full User Security Assessment. After this, there is an annual Assessment cycle, and the type of User Security Assessment that is required depends on the number of Smart Meter Systems that you interact with via your User System.
Assurance Statuses and what they mean for the User Entry Process
There are four possible outcomes, known as Assurance Statuses, from a Security Assessment. These are:
- ‘Approved, subject to the Party’;
- ‘Provisionally approved, subject to the Party’; and
The first two will enable you to pass the User Entry Process and become a DCC User. The last two indicate that there are areas of concern that are deemed too great by the Security Sub-Committee (SSC) and SEC Panel to allow you to access the DCC System. This means you cannot pass the User Entry Process until you have addressed the concerns and had a Follow-up Security Assessment.
Who is the User CIO?
Deloitte MCS Limited were appointed the User Competent Independent Organisation (User CIO) by the SEC Panel following a competitive procurement process.
The User CIO undertake the User Security Assessments on behalf of the SEC Panel and produce a User Security Assessment Report. SEC Parties and/or DCC Users will be assessed for compliance against the Security Controls Framework (SCF), a document which has been developed by the SSC to ensure consistency across all User Security Assessments. The SSC has also developed a document known as the Agreed Interpretations (AIs) – this is a document which contains User Security Assessment related terms that industry or the User CIO requested clarity.
SEC Parties and/or DCC Users must read the SCF and AI – these documents provide the information required to ensure an efficient User Security Assessment.
Booking process and indicative costs for a User Security Assessment
To book a User Security Assessment, SEC Parties and/or DCC Users are required to submit the Assessment Application Form (found on this page here). This must be submitted to SECAS at least 12 weeks in advance of the date in which you wish to be assessed.
Following submission of the Assessment Application Form, the User CIO will undertake a conflict of interest check. Afterwards, if the User CIO has no conflict of interest, a User Security Assessment timetable and Indicative Cost for the User Security Assessment will be provided. This cost is indicative as the User CIO will only charge the SEC Party and/or DCC User for the number of days that it has taken to undertake the User Security Assessment and produce the User Security Assessment Report. The final cost of the User Security Assessment will appear within your DCC monthly charges (likely as a new line) after this work is invoiced by the User CIO.
If you wish to reschedule your User Security Assessment, then the SEC Party and/or DCC User must do so at least four weeks in advance of the assessment date. If you provide less than four weeks’ notice, then you can be charged 25% of the total cost of the User Security Assessment (unless the User CIO can redeploy the User CIO resource to another User Security Assessment).
Second Year User Security Assessments
SECAS has received questions from Large Suppliers and Electricity Networks regarding their second year User Security Assessment. The SEC states that you must surpass more than 250,000 Domestic Premises which you supply via a Smart Metering System to qualify as a ‘Large Supplier’ or ‘Large Electricity Distributor’. Until you have surpassed this number (e.g. your User System interacts and communicates with more than 250,000 Smart Metering Systems), you shall be assessed as that of a ‘Small Supplier’ or ‘Small Network Party’ – e.g., the lifecycle set out in SEC Section G8.42 (for Supplier Parties) and SEC Section G8.45 (For Network Parties).