Gemserv

Please note: If you require URGENT Assistance or Response you should also contact the DCC Service Desk, which is manned 24/7, on completion of this form.

The Security Sub-Committee (SSC) inbox is only manned during working hours - Monday to Friday, 9am-5pm.

Forms received outside of working hours will only be processed on the next available working day.

Failed to send your application. Please check your application and try again.

Which form are you filling in?

(Required)

Manufacturer’s Form to report Material Security Vulnerabilities to the SEC Security Sub-Committee (SSC)

Smart Energy Code (SEC) Security Vulnerability and Incident Reporting Form

The NCSC has provided CPA Evaluation Facility Guidance to clarify the obligations for compliance with the CPA Build Standard Requirement 2 as follows:

"CPA Evaluation Facilities assessing manufacturers of Smart Metering products (at time of writing covering ESME, GSME, Comms Hub and HCALCS devices) against CPA Build Standard Requirement 2 must take the following interpretations into account.

The terms "customers" and "supported customers" must also include the Smart Energy Code (SEC) Panel’s Security Sub-Committee (SSC). By interpreting the SSC as a manufacturer's customer, the SSC can ensure that regardless of which energy supplier a CPA'd device churns to during its operational life, security flaws relating to that device are always disclosed promptly to the responsible supplier.
The terms "security flaw" and "flaw" must include satisfying the manufacturer's duty to notify material security vulnerabilities as set out in the SEC Section G3.20 "arrangements designed to ensure that the User will be notified where any such manufacturer or developer (as the case may be) becomes aware of any material security vulnerability in, or likely cause of a material adverse effect on the security of, such hardware, software, firmware or Device."

For these purposes the following definition of "Material Security Vulnerability", applies:

"Material Security Vulnerability" means a weakness or exposure in (or in connection with) a Relevant Metering System which:

renders the Metering System (and/or the data stored thereon) materially vulnerable to unauthorised access or operation, or unauthorised interference causing theft or corruption of data; and/or
is likely to have a material adverse effect on the security of any hardware, software or firmware which forms part of the Metering System.

Confidentiality Provisions

The SSC (and SECAS acting on its behalf) adheres to the SEC Panel Information Policy which ensures the safeguarding of the confidentiality, privacy and security of information handled by the SSC. The SSC uses Egress (approved by NCSC) as a secure, encrypted format to handle, store and retain confidential information and access is restricted to ‘those who have a need to know’.

SSC Members have signed ‘Non-Disclosure Agreements’ and use information about material security vulnerabilities and security incidents to undertake risk assessments as required by the Smart Energy Code (SEC) and to monitor risk mitigations. The SSC will ensure that parties affected by a vulnerability are made aware as required by the CPA Build Standard.

The information you provide within this form will be made available to the SSC who will notify SEC User Parties that are currently operating one or more of the affected Devices. This is to ensure that obligations under G3.17 – G3.21 are met.

Please note that (Required) denotes a mandatory field that the manufacturer must fill in.

Name of Manufacturer

Contact name

Contact email address

Contact telephone number

Affected device information
Device Model	Device Description	CPL Entry Number(s)	Action
(Plain-English-description) e.g. SIMCH DB	(S1/S2 CH/ESME/GSME) e.g. S2 ESME	e.g. 000651, 000705

indicates required field

Description of the material security vulnerability (E.g. CVE details, CVSS details) and whether it is in a third-party component or within your own hardware, software or firmware.

Date/Time when the material security vulnerability was discovered

How was the material security vulnerability detected? (If via a Security Advisory Note from a third-party, please enclose):

What is the impact of the security vulnerability? e.g. if exploited by an attacker, can it affect:

Scale of the impact:

Steps being taken to rectify the vulnerability:

Timeline to remediate the vulnerability

Type

Complete Part 1 for:

Security Vulnerability (e.g. access control, cross site scripting, cryptographic implementation, input validation etc)

Security Incident (e.g. denial of service, unauthorised access, malicious code, inappropriate usage, reconnaissance or information gathering, exploitation of backdoor or vulnerability, unauthorised use of resources, technical failure, targeted or advanced attack)

Complete Part 2 for:

SMKI Recovery Event (e.g. a suspected Compromise or actual Compromise of Smart Metering Key Infrastructure (SMKI) related Cryptographic Material) where you intend to use Method 1 of the SMKI Recovery Key Guidance (SEC Appendix L)

Complete Part 3 for:

SMKI Recovery Event (e.g. a suspected Compromise or Compromise of Smart Metering Key Infrastructure (SMKI) where your intent is to use Method 2 or Method 3 of the SMKI Recovery Key Guidance (SEC Appendix L)

Part 1: Report of a Security Vulnerability or Security Incident

This report will be reviewed by the SSC and SMKI PMA and referred to any governance groups as appropriate.

Have you informed the DCC Service Desk? If so, please provide the Incident (ticket) number

Description of Issue

How was the issue detected

What is the suspected or known cause

Is the Security Vulnerability or Security Incident being addressed (if so, what action is being taken?)

Has the Security Vulnerability or Security Incident been resolved? If so, please provide the root cause analysis (if unknown, please state 'unknown')

Systems that have been, or might be, affected

Part 2

Report of a SMKI Recovery Event (Method 1)

Brief description of the background to the Security Incident that may require SMKI Recovery

Please explain whether this is a known loss or Compromise to Private Key Material or if it is a suspected Compromise (please provide details)

Estimated number of Compromised (or suspected of being Compromised) Devices

Estimated breakdown between Gas (GSME) and Electricity (ESME)

Estimated GSME (Credit)

Estimated ESME (Credit)

Estimated GSME (PPM)

Estimated ESME (PPM)

Part 3

To be completed if using Methods 2 or 3

Have you identified any impact for any other SEC Party? (if so, please explain)

How many individual consumers are affected?

What is the estimated cost to the User organisation of running SMKI Recovery?

What is the estimated cost to the User of not running SMKI Recovery?

What is the estimated cost to the User organisation of replacing meters? (include costs per gas / electricity meter)

What is the estimated timescale to replace the meters? (explain how many meters in store and how many installers available)

Are there any Health and Safety issues involved? (if so, please explain the details how they have been assessed and resolved including details of the impact)

Are there any threats to the continuation of energy supply? (if so, please explain)

Has there been any loss of confidential data? (if so, please explain)

Is there any future risk of compromise to confidential data because of this incident? (if so, explain)

Has there been any confusing or ambiguous communication to the consumer that a) might need a follow-up communication or b) that may not have been completely clear at the time and needs a follow-up?

Are there any other adverse consequences to be addressed by other means? (please explain). If so, are there any associated costs

Upload your support files

Use the uploader to submit additional files.

Drop files here
or

Attachment Security Check Failed

500 - Internal Server Error

Which form are you filling in?

Confidentiality Provisions

Confidentiality Provisions

Type

Part 1: Report of a Security Vulnerability or Security Incident

Nature of Impact

Part 2

Part 3

Upload your support files