In recent months the Security Sub-Committee (SSC) has worked in conjunction with SECAS, NCSC and Meter Manufacturers to improve the ability of Suppliers to comply with G3.20. We are aware that commercial issues have presented recurring difficulties and delays for Suppliers with regard to maintaining compliance, often being raised as observations during User Security Assessments.
NCSC have now provided guidance to the Commercial Product Assurance (CPA) scheme Evaluation Facilities (Test Laboratories) on the CPA Build Standard, so that any Manufacturer looking to gain CPA Certification for a new Meter under the scheme will be required to notify the SSC directly of any material security vulnerabilities. Additionally, we have reached an agreement with Manufacturers to notify the SSC of any assets that were CPA Certified prior to 22 June 2020, i.e. before the new arrangement applies. The list of Manufacturers who have signed up to this arrangement can be found on our website.
SECAS will notify the User CIO, in advance of an assessment, of which Devices are covered by the direct arrangement between the SSC and Manufacturers. Where no arrangement between the SSC and the Manufacturer exists, the User CIO will expect to see a contract or Letter of Intent signed by both parties.
As a result, the SSC will only notify the SEC Panel of a non-compliance where Suppliers have no arrangement with the Manufacturer (via SSC or MAP) and are making no efforts to do so.
If no arrangement is in place directly between the Manufacturer and SSC, the SSC expect the necessary arrangements to be in place with a MAP and will accept a Letter of Intent or a Memorandum of Understanding signed by both parties and containing a definition of ‘material security vulnerability’ and a commitment to rectify the vulnerability or to mitigate its effects, pending the signing of the commercial contracts.
*These arrangements extend to Meters that have been inherited on churn. Where the Supplier is procuring the Meters themselves, the SSC will expect to see a Letter of Intent or contract signed by both Parties (for example during an iFUSA).
These new arrangements will also have an impact on SEC Parties who have an outstanding Remediation Plan that includes G3.20. If the outstanding contracts cover Meters that are covered by the SSC arrangements, you are no longer required to submit a remediation plan for that observation. Should you have any doubts regarding whether you are required to submit a remediation plan, please reach out to SSC@gemserv.com.
We have recently made amendments to the Security Controls Framework (SCF) and the Agreed Interpretations (AI) to bring them to version 2.1.
- In the SCF Part 1 we have made amendments to Appendix A – Frequently Asked Questions. This is to give guidance around the new notification arrangements regarding G3.20.
- In the SCF Part 2 we have made amendments to Appendix B and Appendix E to expand on the new arrangements.
- In the Agreed Interpretations, Section 12 has been updated.