SSC Guidance »

SSC Guidance

SSC and SMKI PMA – Standards, Procedures and Guidelines

The SMKI PMA and the SSC has developed bespoke guidance to ensure that the DCC and Users can continue to abide by relevant and essential guidelines to maintain the integrity of smart metering security and SMKI and DCCKI operations.

The guidance (link below) has been developed to supersede the discontinued NCSC Good Practice Guides (GPG):

  • GPG 45 – Verifying Individual Identity
  • GPG 46 – Verifying Organisation Identity
  • GPG 13 – Protective Monitoring
  • GPG 18 – Forensic Readiness

SSC Guidance on Device Security Assurance and Triage

The security controls and assurance arrangements for the end-to-end Smart Metering System are defined in the Smart Energy Code (SEC) and aim to provide confidence to all SEC Parties that the systems and Devices supporting smart metering are appropriately secure.

The SEC Section G7.19 places an obligation on the Security Sub-Committee (SSC): “The Security Sub-Committee shall: …….

(g) develop and maintain documents to be known as “SSC Guidance for Device Security Assurance and Triage” which shall set out the SSC’s guidance on the requirements and processes to be followed in respect of Devices (including their triage and refurbishment) in order to:

(i) achieve appropriate levels of security assurance in accordance with the requirement of this Code; and

(ii) obtain and maintain CPA Certification.”

The SSC Guidance for Device Security Assurance and Triage is in three parts:

  • Part 1 provides the methodology, a process and a template for any party to raise a change to the NCSC Commercial Product Assurance (CPA) Security Characteristics (SCs) or to raise a Use Case for Device Triage.
  • Part 2 provides details of the arrangements and the Security Requirements and Guidance to be applied to Use Cases that have been approved by the SSC with advice from NCSC.
  • Part 3 provides details of the assurance arrangements for Triage Facilities in the form of a Triage Security Controls Framework (TSCF):
    • Section 1 of the TSCF describes the purpose and what the TSCF aims to achieve; the different types of Security Assessment and their frequency; and the role of the User CIO;
    • Section 2 of the TSCF provides greater detail at a practical level for the User Assessment lifecycle with information and logistical requirements for how a User should engage with the User CIO; the timeline for User Assessments; and the detailed questions the User CIO might ask, and the evidence it might expect to see from a User to support its assessment.

[Note that Manufacturer’s Triage Systems, Triage Tools and Triage System Interfaces are assured via an extension to the CPA Build Standard, as defined in “CPA Security Characteristic Triage interface updates to GSME, ESME, & SAPC SCs and CPA Build Standard Extensions”.]

The SSC Guidance for Device Security Assurance and Triage forms part of the SEC Materials defined in SEC Section M5.1, and the document is regularly reviewed and updated by the SSC.

SSC and SMKI PMA – Standards, Procedures and Guidelines

SMKI PMA and SSC Guidance - Standards, Procedures and Guidelines v1.0

SSC Guidance for Device Security Assurance and Triage

CPA Security Characteristics and Risk Review

See main page here.