Under the SEC, Energy Suppliers are obliged to:
- Notify Device manufacturers of any security vulnerabilities they identify (e.g. in live operations) [G3.17 & G3.18];
- Take reasonable steps to ensure that the cause of the vulnerability is rectified, or its impact mitigated, as soon as reasonably practicable [G3.18];
- Be notified by their Device manufacturers of any security vulnerability identified [G3.20];
- Notify the Security Sub-Committee (SSC) of the steps being taken and the timetable for completion [G3.9 & G3.18].
To satisfy the SEC security obligations, it is necessary for Energy Suppliers to have contractual arrangements in place with Device manufacturers, either directly or via Meter Asset Providers (MAPs), to notify and to be notified of any security vulnerabilities.
Process Requirements for Installing Suppliers
- MAPs must have contractual agreements with Energy Suppliers and Device manufacturers that satisfy the SEC obligations;
- Energy Suppliers must enter into ‘churn’ contracts with MAPs when a Device is inherited on churn, if not covered by SSC arrangements;
- The SSC must inform Device manufacturers on a monthly basis of which Energy Suppliers are operating their Devices;
- The SSC must inform Energy Suppliers on a monthly basis of the current contact details for all Device manufacturers;
- Device manufacturers must notify material vulnerabilities and rectification arrangements bilaterally to all Suppliers which are operating their Devices, updating MAPs for information;
- Energy Suppliers must notify any vulnerabilities found bilaterally, and establish subsequent rectification arrangements with the Device manufacturer; and
- Energy Suppliers must notify the SSC of any material vulnerabilities, of the steps being taken to rectify the cause of the vulnerability, or to mitigate its potential impact, and the time within which those steps are intended to be completed.
These arrangements should enable any material security vulnerabilities to be notified, rectified, or the impact mitigated to meet the SEC obligations. Furthermore, this process should maintain the viability of the Device during the period of investment. Information, including diagrams detailing the processes, can be found below.
Process Requirements for Inheriting Suppliers
The Security Sub-Committee (SSC) has worked in conjunction with SECAS, NCSC and Meter Manufacturers to improve Suppliers' ability to comply with G3.20. We are aware that commercial issues have presented recurring difficulties and delays for Suppliers with regard to maintaining compliance, often being raised as observations during User Security Assessments.
NCSC have now provided guidance to the Commercial Product Assurance (CPA) scheme Evaluation Facilities (Test Laboratories) on the CPA Build Standard, so that any Manufacturer looking to gain CPA Certification for a new Meter under the scheme will be required to notify the SSC directly of any material security vulnerabilities. Additionally, we have seen fit to reach an agreement with Manufacturers to notify the SSC of any assets that were CPA Certified prior to 22 June 2020, i.e. before the new arrangement applies.
The SSC will expect to see a contract or Letter of Intent signed by both parties where an arrangement between SSC and the manufacturer doesn’t exist.
The list of Manufacturers who have signed up to the scheme is below.