At present there is no recognition within the SEC of Suppliers' relationships with Meter Asset Managers (MAM) and Meter Asset Providers (MAP). In SEC Section G, under ‘Manufacturers: Duty to Notify and Be Notified’, if a User identifies a security vulnerability in a Smart Metering System that they are the Responsible Supplier for, they shall notify the manufacturer of the device, rectify or mitigate the vulnerability, and report the vulnerability and steps taken to the Security Sub-Committee (G3.17 & G3.18). Reporting of security vulnerabilities to the Security Sub-Committee is also outlined in SEC Section G3.9. The Responsible Supplier for a Smart Metering System shall also make arrangements with the Device Manufacturer to be notified of security vulnerabilities that the manufacturer identifies (G3.20).
In many cases for non-domestic suppliers, there is no formal relationship between the Supplier and the MAP, or the Supplier and the manufacturer, as is assumed in the duty to notify guidance. In such cases the Supplier may have a formal contract with a MAM, or with the end consumer who may have specified certain requirements.
The Full Draft Proposal can be found here.
Latest Progress
The Change Sub-Committee has agreed that there is scope for the issue to be resolved in the SEC and has recommended to the SEC Panel that this Proposal goes into a Refinement Process. This Draft Proposal will be presented to the SEC Panel on 14 June 2019.
Does this issue affect your company? Send us your comments to SEC.change@gemserv.com
Please see here for all comments we have had on DP0075.
Number of comments: 4
Updated: 16/05/2019
The proposed solution at this stage is clarification of the duty to notify and who can perform this.