Duty to notify and to be notified of material security vulnerabilities

29 November 2018

At the SSC meeting on the 28th November 2018, the SSC noted that greater clarity was needed for users in relation to SEC Obligations G3.18 and G3.20.

Users are required to be compliant with these obligations as part of their User Security Assessments. As a result, Users often have to make commitments to these two obligations when submitting their Management Response and their Director’s Letter.

The User management response and Director's Letter are expected to confirm that the User will take reasonable steps not to install SMETS2 Devices without a contract in place that satisfactorily meets the SEC obligation to notify and to be notified of material security vulnerabilities, and to confirm what reasonable steps are being taken to rectify those vulnerabilities.

The User management response and Director's Letter are also expected to confirm that the User will not inherit SMETS2 Devices on churn without taking reasonable steps to contract with the MAP and the meter manufacturer to meet the SEC obligations. This enables the User to operate the inherited Device through the DCC, provided that reasonable steps are being taken to put a satisfactory contract in place to meet the SEC obligations. The Energy Supply Licence conditions require that:

  • the old supplier must notify the new supplier of the MAP that relates to the asset (LC50.3);
  • the old supplier must notify the MAP of the new supplier (LC50.3);
  • the new supplier must take reasonable steps to contract with the MAP to provide the metering equipment within six months (LC50.5); and
  • where terms cannot be agreed, the asset must be returned within one month (LC50.6).

Further guidance can be found in the Security Controls Framework Part 2 V1.15, Appendix E. This is due to be published shortly after the SSC meeting on the 12th December 2018; please check here for updates.