Which form are you filling in?

The NCSC has provided CPA Evaluation Facility Guidance to clarify the obligations for compliance with the CPA Build Standard Requirement 2 as follows:

"CPA Evaluation Facilities assessing manufacturers of Smart Metering products (at time of writing covering ESME, GSME, Comms Hub and HCALCS devices) against CPA Build Standard Requirement 2 must take the following interpretations into account.

  • The terms "customers" and "supported customers" must also include the Smart Energy Code (SEC) Panel’s Security Sub-Committee (SSC). By interpreting the SSC as a manufacturer's customer, the SSC can ensure that regardless of which energy supplier a CPA'd device churns to during its operational life, security flaws relating to that device are always disclosed promptly to the responsible supplier.

  • The terms "security flaw" and "flaw" must include satisfying the manufacturer's duty to notify material security vulnerabilities as set out in the SEC Section G3.20 "arrangements designed to ensure that the User will be notified where any such manufacturer or developer (as the case may be) becomes aware of any material security vulnerability in, or likely cause of a material adverse effect on the security of, such hardware, software, firmware or Device."

For these purposes the following definition of "Material Security Vulnerability" applies:

"Material Security Vulnerability" means a weakness or exposure in (or in connection with) a Relevant Metering System which:

  1. renders the Metering System (and/or the data stored thereon) materially vulnerable to unauthorised access or operation, or unauthorised interference causing theft or corruption of data; and/or

  2. is likely to have a material adverse effect on the security of any hardware, software or firmware which forms part of the Metering System.

Confidentiality Provisions

The SSC (and SECAS acting on its behalf) adheres to the SEC Panel Information Policy which ensures the safeguarding of the confidentiality, privacy and security of information handled by the SSC. The SSC uses Egress (approved by NCSC) as a secure, encrypted format to handle, store and retain confidential information and access is restricted to ‘those who have a need to know’.

SSC Members have signed ‘Non-Disclosure Agreements’ and use information about material security vulnerabilities and security incidents to undertake risk assessments as required by the Smart Energy Code (SEC) and to monitor risk mitigations. The SSC will ensure that parties affected by a vulnerability are made aware as required by the CPA Build Standard.

The information you provide within this form will be made available to the SSC who will notify SEC User Parties that are currently operating one or more of the affected Devices. This is to ensure that obligations under G3.17 – G3.21 are met.

Please note that * denotes a mandatory field that the manufacturer must fill in.

The Smart Energy Code (SEC) places obligations on DCC Users (SEC Parties who have completed the User Entry Process) to notify the Security Sub-Committee (SSC) of any Vulnerabilities or Incidents that occur in, or cause a material adverse effect on the security of, hardware, software, firmware or a Device. These obligations are G2.11, G2.15, G2.30, G3.5 and G3.18.

In addition, DCC Users make use of the Smart Metering Key Infrastructure (SMKI). SMKI provides a secure and effective means of ensuring that messages to and from Smart Metering Equipment are properly authenticated, provide integrity and, where applicable, provide non-repudiation. SMKI can become Compromised (or suspected of being Compromised) and may adversely affect the security of a DCC User. DCC Users should inform the SSC and the SMKI Policy Management Authority (SMKI PMA) of a Compromise (or suspected Compromise) of their Cryptographic Material.

This form has been created for DCC Users to notify the SSC and/or the SMKI PMA of any Security Vulnerabilities or Security Incidents, or Compromises (or suspected Compromises) of Cryptographic Material. Egress is a secure and effective mechanism using encryption for sharing sensitive information and has been selected as the secure web-based platform to share confidential smart metering related information.

The information you provide within this form will be made available to the SSC and/or SMKI PMA via SECAS – who are the Smart Energy Code Secretariat and Administrator.

Please note that * denotes a mandatory field that the DCC or DCC User must fill in.

Type

Complete Part 1 for:
Complete Part 2 for:
Complete Part 3 for:

Part 1: Report of a Security Vulnerability or Security Incident

This report will be reviewed by the SSC and SMKI PMA and referred to any governance groups as appropriate.

Nature of Impact

Has it affected confidentiality of personal data or consumption data?
Has it affected the integrity of the system e.g. is trust in the SMKI Private Key Material Compromised?
Has it affected system availability and the operation of smart services?
Are you reporting the Security Vulnerability or Security Incident as required by the SEC or are you requesting that the SSC convenes urgently to assist as per SEC G7.21?

Part 2

Report of a SMKI Recovery Event (Method 1)

Part 3

To be completed if using Methods 2 or 3

Upload your support files

Use the uploader to submit additional files.
