MP203 Security Assurance of Device Triage Facilities
Proposer
Gordon Hextall
Lead Analyst
SEC Change
Date raised
10/05/2022
Stage
Implemented
Implementation date
3 November 2022
Latest update
On 26 October 2022 the Change Board voted to approve this modification under Self-Governance. This modification was implemented in the November 2022 SEC Release (Thursday 3 November 2022).
What is the issue?
The Commercial Product Assurance (CPA) Security Characteristics (SCs) for Use Case 004 (Factory Reset) have recently been agreed and published on the National Cyber Security Centre (NCSC) website, which will allow the triage and refurbishment of Devices in line with relevant use cases.
The Smart Energy Code (SEC) does not currently take account of the need for regulatory assurance of Triage Facilities, Triage Tools and Triage Interfaces to provide security assurance across the end-to-end smart metering system.
What is the solution?
A new section will be added under Section G ‘Security’ to cover the requirements for Triage Facilities. It will refer to the existing clauses within Section G that apply to Triage Facilities, as well as new clauses that are specific to Triage Activities.
The User CIO has produced analysis for the SSC of which sections of SEC Section G are applicable to Triage Facilities. The SSC intends to adopt this into the equivalent of the Security Controls Framework that will be Part 3 of the SSC Guidance on Device Security Assurance and Triage. That document will list the obligations that do and do not apply and what the User CIO will look for by way of evidence that each obligation is being met.
Parties that wish to operate Triage Facilities will be subject to an initial Full User Security Assessment (FUSA) to determine whether that Facility can operate Triage Activities. These Assessments will result in ‘approval’, ‘rejection’ or ‘approval subject to additional steps’. If approved, the SSC will determine the category of all follow-up assessments based on an assessment of the security risks. Follow-up assessments will be either another FUSA, a Verification User Security Assessment or a User Security Self-Assessment.