The SEC places obligations on the DCC and DCC Users to notify the Security Sub-Committee (SSC) of any vulnerability or incident that occurs in, or causes a material adverse effect on, the security of hardware, software, firmware, or a Device. These obligations are set out in SEC Sections G2.11, G2.15, G2.30, G3.5 and G3.18.
In addition, DCC Users can make use of the Smart Metering Key Infrastructure (SMKI). SMKI provides a secure and effective means of ensuring that messages relayed to and from Smart Metering Equipment are properly authenticated, providing integrity and, where applicable, providing non-repudiation.
SMKI can become Compromised (or suspected of being Compromised) and may adversely affect the security of a DCC User. Therefore, DCC Users should inform the SSC and the SMKI Policy Management Authority (SMKI PMA) of any Compromise (or suspected Compromise) to their Cryptographic Material.
A reporting mechanism has therefore been created for the DCC and DCC Users to safely and securely notify the SSC and SMKI PMA. Once this form has been completed by the DCC or a DCC User, SECAS and a SECAS Security Expert shall be notified to review the content. Depending on the nature and information provided, SECAS and the SECAS Security Expert shall notify the SSC Chair to determine next steps.
How do I report an Incident or potential vulnerability?
Please submit the Security Vulnerability and Incident Reporting Form here. The information you provide will be made available to the SSC and/or SMKI PMA via SECAS. We use Egress secure web forms for these notifications to ensure confidentiality.
If you have any questions please contact the SECAS Helpdesk.