MP203 Security Assurance of Device Triage Facilities

The Commercial Product Assurance (CPA) Security Characteristics (SCs) for Use Case 004 (Factory Reset) have recently been agreed and published on the National Cyber Security Centre (NCSC) website which will allow the triage and refurbishment of Devices in line with relevant use cases.
The Smart Energy Code (SEC) does not currently take account of the need for regulatory assurance of Triage Facilities, Triage Tools and Triage Interfaces to provide security assurance across the end-to-end smart metering system.

A new section under Section G ‘Security’ that will cover off the requirements for Triage Facilities. This will refer to the existing clauses within Section G that apply to Triage Facilities, as well as new additional clauses that are specific to Triage Activities.

The User CIO has produced analysis for SSC of which sections of SEC Section G are applicable to Triage Facilities. The SSC intends to adopt this into the equivalent of the Security Controls Framework that will be Part 3 of the SSC Guidance on Device Security Assurance and Triage. That document will list the obligations that do and do not apply and what the User CIO will look for by way of evidence that the obligation is being met.

Parties that wish to operate Triage Facilities will be subject to an initial Full User Security Assessment (FUSA) to determine whether that Facility can operate Triage Activities. These Assessment will either result in ‘approval’, ‘rejection’ or ‘approval subject to additional steps’. If approved, then the SSC will determine the category of all follow up assessments based on an assessment of the security risks. Follow up assessments will be either another FUSA, a Verification User Security Assessment or a User Security Self-Assessment.

Other SEC Parties

Section G ‘Security’