The SEC requires Energy Suppliers:
- to notify Device manufacturers of any security vulnerabilities they identify (e.g. in live operations) [G3.17 & G3.18];
- to take reasonable steps to ensure that the cause of the vulnerability is rectified or its impact mitigated as soon as reasonably practicable [G3.18];
- to be notified by their Device manufacturers of any security vulnerability identified [G3.20];
- to notify the Security Sub-Committee (SSC) of the steps being taken and the timetable for completion [G3.9 & G3.18].
To satisfy the SEC security obligations, it will be necessary for Energy Suppliers to have contractual arrangements (guidance at the bottom of this page) in place with Device manufacturers either directly or via MAPs to notify and to be notified of any security vulnerabilities.
- MAPs to have contractual agreements with Energy Suppliers and Device manufacturers that satisfy the SEC obligations (based on the obligations described in Section 4 of this paper);
- Energy Suppliers to enter into ‘churn’ contracts with MAPs when a Device is inherited on churn;
- The SSC to inform Device manufacturers on a monthly basis of which Energy Suppliers are operating their Devices;
- The SSC to inform Energy Suppliers on a monthly basis of the current contact details for all Device manufacturers;
- Device manufacturers to notify material vulnerabilities and rectification arrangements bilaterally to all Suppliers they have been advised are operating their Devices, updating MAPs for information;
- Energy Suppliers to notify any vulnerabilities found bilaterally and to establish rectification arrangements with the Device manufacturer; and
- Energy Suppliers to notify the SSC of any material vulnerabilities, of the steps being taken to rectify the cause of the vulnerability, or to mitigate its potential impact, and the time within which those steps are intended to be completed.
These arrangements should enable any material security vulnerabilities to be notified, rectified or the impact mitigated to meet the SEC obligations and to maintain the viability of the Device during the period of investment. Diagrams detailing the processes can also be found in the download below.