At the SSC Meeting on 10 April 2019, the SSC approved amendments to the Agreed Interpretations. Version 1.7 has now been published to include the following:
Section 11 – Compliance with an ‘Appropriate Standard’ for an enrolled SMETS1 SMS.
- SEC Sections G3.26 to G3.28 require each Supplier Party to achieve and maintain an ‘Appropriate Standard’ of security for enrolled SMETS1 Smart Metering Systems. Suppliers should review the security obligations contained in SEC Section G that apply to SMETS2, since these are considered to be good industry practice, and apply those obligations proportionately for the SMETS1 SMS.
- The SSC are currently in the process of updating the Security Controls Framework (SCF) to give helpful guidance on SMETS1 Device Assurance, to ensure Suppliers are maintaining an ‘Appropriate Standard’. This will be communicated to Parties in advance of the first cohort of meters being enrolled into the DCC (Initial Operating Capability, IOC).
Section 9 – Clarification for notifying the SSC of a Second or Subsequent User System:
- The Agreed Interpretation is that the requirement in SEC Section G3.9 refers to a new or additional User System and not individual components.
Section 8 – Obtaining SMKI Device Certificates:
- Having sought advice from the National Cyber Security Centre (NCSC), the SSC recommends, as a risk mitigation, that SMKI Device Certificates should only be obtained via SEC Parties who have undertaken a User Security Assessment, completed User Entry Process Tests and who access the DCC to obtain SMKI Device Certificates via the DCC Gateway. Where the DCC receives an application, on the Authorised Subscriber application form, to become an Authorised Subscriber for SMKI Device Certificates, the Registration Authority shall determine, in accordance with the steps set out in Section 5.5 of the SMKI RAPP, whether there is reasonable evidence to suggest that it is necessary for the applicant organisation to become an Authorised Subscriber for Device Certificates in order for them to carry out business processes that will, or are likely to, lead to the installation of Devices in premises. In determining the evidence, the Registration Authority shall ensure that the applicant organisation has completed User Entry Process Tests and that Certificate Signing Requests (CSRs) will be submitted via a DCC Gateway Connection.
Agreed Interpretations V1.7, as well as a tracked-changes version, can be found on the SEC website.