Under the SEC, Energy Suppliers are obliged to:
- Notify Device manufacturers of any security vulnerabilities they identify (e.g. in live operations) [G3.17 & G3.18];
- Take reasonable steps to ensure that the cause of the vulnerability is rectified, or its impact mitigated, as soon as reasonably practicable [G3.18];
- Be notified by their Device manufacturers of any security vulnerability identified [G3.20];
- Notify the Security Sub-Committee (SSC) of the steps being taken and the timetable for completion [G3.9 & G3.18].
To satisfy the SEC security obligations, it is necessary for Energy Suppliers to have contractual arrangements in place with Device manufacturers, either directly or via Meter Asset Providers (MAPs), to notify and to be notified of any security vulnerabilities.
- MAPs must have contractual agreements with Energy Suppliers and Device manufacturers that satisfy the SEC obligations;
- Energy Suppliers must enter into ‘churn’ contracts with MAPs when a Device is inherited on churn;
- The SSC must inform Device manufacturers on a monthly basis of which Energy Suppliers are operating their Devices;
- The SSC must inform Energy Suppliers on a monthly basis of the current contact details for all Device manufacturers;
- Device manufacturers must note material vulnerabilities and rectification arrangements bilaterally to all Suppliers which are operating their Devices, updating MAPs for information;
- Energy Suppliers must note any vulnerabilities found bilaterally, and establish subsequent rectification arrangements with the Device manufacturer; and
- Energy Suppliers must notify the SSC of any material vulnerabilities, of the steps being taken to rectify the cause of the vulnerability, or to mitigate its potential impact, and the time within which those steps are intended to be completed.
These arrangements should enable any material security vulnerabilities to be notified, rectified, or the impact mitigated to meet the SEC obligations. Furthermore, this process should maintain the viability of the Device during the period of investment. Information, including diagrams detailing the processes, can be found below.