Incident and Vulnerability notification to the Security Sub-Committee and SMKI Policy Management Authority ((SMKI PMA) (if applicable))
The SEC places obligations on the DCC and DCC Users to notify the Security Sub-Committee (SSC) of any vulnerability or incident that occur in, or cause a material adverse effect on the security of, hardware, software, firmware or a Device. These obligations are set out in SEC Sections G2.11, G2.15, G2.30, G3.5 and G3.18.
In addition, DCC Users make use of the Smart Metering Key Infrastructure (SMKI). SMKI provides a secure and effective means of ensuring that messages to and from Smart Metering Equipment are properly authenticated, provide integrity and, where applicable, provides non-repudiation. SMKI can become Compromised (or suspected of being Compromised) and may adversely affect the security of a DCC User. Therefore, DCC Users should inform the SSC and the SMKI Policy Management Authority (SMKI PMA) of a Compromise (or suspected Compromise) of their Cryptographic Material.
A reporting mechanism has therefore been created for the DCC and DCC Users to safely and securely notify the SSC and SMKI PMA.
Once this form has been completed by the DCC or a DCC User, SECAS and a SECAS Security Expert shall be notified and will then review the content. Depending on the nature and information provided, SECAS and the SECAS Security Expert shall notify the SSC Chair to determine next steps.
Incident and Vulnerability Form
SECAS uses Egress secure web forms for this notifications to ensure confidentiality. The form can be found here.
If you have any further questions, please do not hesitate to get in touch with SECAS (firstname.lastname@example.org or 020 7090 7755).