Spotlight on the SEC Seminar, 23rd October 2015, 10:00 to 15:00

Welcome: Jill Ashby, Head of Code (10:00 to 10:10). Gemserv

Housekeeping

Speakers today: Jill Ashby, Alys Garrett, David Barber, George McGregor, Alistair Grange (User CIO), Darren Calam

Agenda:
- SEC Governance and Sub-Committee Update
- Overview of the Modifications Pathways
- Coffee and tea break
- Security and Privacy Controls Frameworks
- Security and Privacy Assessment Processes
- Lunch
- Recent Changes to the SEC
- Key Infrastructure Overview
- Coffee and tea break
- User Entry Qualifications
- Q and A session
SEC Governance and Sub-Committee Update: Alys Garrett (10:10 to 10:40)

The Smart Energy Code
A multi-party agreement that:
- is a DCC licence obligation;
- defines the rights and obligations between the DCC and the Users of the DCC Services; and
- specifies other provisions that govern the end-to-end management of Smart Metering in GB.
The Code comprises the Smart Energy Code itself, its Schedules, its Appendices and the SEC Subsidiary Documents.

SEC Document Architecture
The SEC sits under the Secretary of State and the Authority. It currently runs to 865 pages: 16 Sections, 7 Schedules and 9 SEC Subsidiary Documents. The SEC Subsidiary Documents (including the SMKI Document Set, the Technical Specifications and the Security Characteristics) and the other SEC documents are part of the SEC and are therefore subject to the SEC Modification Process.

SEC Governance Structure
SECCo Board; SEC Panel; Change Board; SMKI Policy Management Authority; Security Sub-Committee; Technical Sub-Committee; other Panelled Sub-Committees; Modification Working Groups; Expert Groups; Testing Advisory Group. (The structure diagram also marks some bodies as dormant or under establishment.)
SEC Panel composition (diagram legend): Ch = Chair; LS = Large Supplier; SS = Small Supplier; EN = Energy Networks; GN = Gas Networks; Ot = Other; DCC = DCC; CM = Consumer; Add = Additional Chair Appointee.
SEC Panel and SECCo Board
Panel:
- Pursues the Panel Objectives and Panel Duties using the powers set out in the SEC (SEC Section C2)
- Establishes budgets, Sub-Committee constitution and expert infrastructure
- Develops capabilities to take on responsibilities emerging from future SEC content
Board:
- Acts as the corporate vehicle to support Panel business
- Is the Board of Directors of SECCo
- Looks after the corporate governance of the Code, e.g. as contract holder with SECAS, the Independent Chairs, the PKI Expert, lawyers and the SECCo Auditor

SMKI Policy Management Authority (PMA)
Function: governs the SMKI Document Set and gains assurance over the DCC's operation of the SMKI services.
Membership: 2 Large and 1 Small Suppliers, 1 Network, 1 SSC and 1 TSC representative, a PKI Specialist, DCC, Ofgem, SoS and an independent Chair.
Activities to date: approved the Assurance Scheme and Service Provider; contributing to design activities; approved the SMKI documentation; producing Recovery Key guidance; PMA monitoring of SRT reports.

Security Sub-Committee (SSC)
Function: develops and maintains the security documents under the end-to-end security architecture; monitoring and advice; document development and maintenance; security assurance.
Membership: 8 Suppliers (6 Large and 2 Small), 2 Networks, 1 Other, DCC, SoS and an independent Chair.

Technical (and Business) Sub-Committee (TSC)
Function: provides support and advice on the Technical Specifications and the end-to-end Technical Architecture.
Membership: 8 Suppliers (6 Large and 2 Small), 2 Networks (1 Gas and 1 Electricity), 2 Others, DCC, an independent Chair, SoS and an Authority representative.

Change Board
Function: reviews the Modification Report Consultation responses and votes on whether to accept, reject or defer a Modification Proposal.
Membership: Large Suppliers from the Voting Group of that category, 3 Small Suppliers, 3 Other, 3 Networks, Consumer, DCC, Ofgem, SoS and the SECAS Chair.
Annual member nominations commence in November. Switch-on of Modifications is expected in early 2016, and the Change Board's dormancy has been removed.

Testing Advisory Group
A Sub-Committee established by the Panel, with duties and remit determined by the Panel.
Duties: supporting the Panel with its obligations throughout the testing stages; reviewing testing documentation; providing views on testing reports.

SEC Panel Role in DCC Live
The Panel has a number of duties leading up to DCC Live: approving testing documentation; receiving testing reports; approving exit criteria.
Transition Governance: Work Groups to SEC Sub-Committees
SMIP Transition Work Groups: TPMAG, TSEG, TBDG, IMF, FSG, SMSG, SMDG, BMRG, RG, TDEG
SEC Sub-Committees: SMKI PMA, SSC, TSC, Change Board, TAG

Keeping Parties Updated
- All non-confidential meeting documentation is provided on the SEC website
- Meeting headlines are provided 1 Working Day after each meeting
- A Transition Governance update is provided to the Panel each month
- Newsletter

Questions?
Overview of the Modifications Pathways: David Barber (10:40 to 11:10)

Introduction
The SEC and the SEC Subsidiary Documents can be modified in accordance with the process set out in SEC Section D. SEC Parties and a number of interested bodies are entitled to raise Modification Proposals, which follow one of four Modification Paths. However, currently only Urgent and Fast-Track Modification Proposals may be raised.

Overview of the SEC Modification Paths
- Authority Led (Path 1; Urgent and Non-Urgent): Modifications arising from Significant Code Reviews (SCR) or submitted by the Authority, or by the Data and Communications Company (DCC) at the direction of the Authority. SEC Section D2.4 to D2.5.
- Authority Determination (Path 2; Urgent and Non-Urgent): Modifications which have a material effect on consumers, competition, data, security, privacy or governance, or which discriminate between parties. SEC Section D2.6.
- Self Governance (Path 3; Urgent and Non-Urgent): Modifications which are neither of the above. SEC Section D2.7.
- Fast-Track (Urgent and Non-Urgent): Modifications to correct typographical and minor inconsistencies and errors in the SEC. SEC Section D2.8.

Modification Process Roles
Proposer: the person that can raise Modification Proposals (Section D1.3), and who owns that Modification.
SEC Panel: oversees the progression of Modifications through the Modifications Process and the implementation of approved Modification Proposals; decides on the resolution of Fast-Track Proposals (Section C2.3(d)).
SEC Sub-Committees: provide support and advice on Modification Proposals which provide for variations to the technical and/or security specifications in the SEC and/or the SEC Subsidiary Documents; can raise certain Modification Proposals within the remit of the Sub-Committee, as set out in its Terms of Reference.

Enduring Governance Arrangement Roles
Working Groups: established by the SEC Panel to support the refinement of Modification Proposals.
SEC Change Board: includes representation from all SEC Party Categories as well as a Consumer Member and a DCC (non-voting) representative. Reviews the responses to the industry consultation (Modification Report Consultation, Section D7.8). Votes by majority on the resolution of Path 3 Modification Proposals and, for Path 1 and Path 2 Proposals, votes on a recommendation to the Authority.
The Authority: makes the final determination on whether a Modification should be approved and implemented (for Path 1 and Path 2 Modification Proposals).

Modification Reports
Modification Reports are produced for Urgent Modifications and, in the enduring phase, for all other Modifications apart from Fast-Track. The stages are:
- Modification Proposal: Modification Proposal Form completed by the raising Party
- Initial Modification Report (IMR): the Lead Analyst(s) compile a high-level summary of the Modification for the Panel
- Draft Modification Report (DMR): SECAS compiles the DMR, including the Consultation Summary from the Working Group Assessment (if the Refinement Process was followed), before issuing it for industry consultation
- Final Modification Report (FMR): SECAS collates all consultation responses into the FMR before issuing it to the Change Board for a vote

High-Level Key Steps
- Initial Validation: the Modification Proposal Form is validated by the Code Administrator
- Initial Consideration by the SEC Panel: the IMR is prepared and issued to the SEC Panel, which determines the Modification Path, the Urgency Status, whether the Proposal requires refinement, and the Modification Timetable
- Refinement Process (conditional): where the SEC Panel determines that further analysis is necessary, a Working Group is established (within the Authority-set timescales for Urgent Proposals)
- Modification Report Phase: where refinement is followed, the Working Group Assessment is submitted to the SEC Panel in the DMR to determine whether the Modification is to be issued for consultation with the industry
- Change Board: reviews the consultation responses, votes on the outcome and states whether the Modification better facilitates the SEC Objectives; makes a recommendation to the Authority or the SEC Panel
- Authority Approval: the Authority has the overall decision on whether to approve or reject the Modification Report

Urgent and Fast-Track Proposals
Urgent (SEC D4.6): a Modification Proposal expressed by the Proposer and/or the SEC Panel as Urgent, where the SEC Panel is directed by the Authority to treat the Proposal as an Urgent Modification. Urgent Proposals are assessed in accordance with Ofgem's published Code Modification Urgency Criteria.
Fast-Track (SEC D2.8): an SEC Panel-led Modification Proposal raised to correct typographical or other minor errors or inconsistencies.

Fast-Track Modification Path
Fast-Track Proposals are raised by the Panel and do not require Modification Reports, due to their non-material nature.
- SECAS receives the Modification Proposal and validates it for completeness
- Panel consideration takes place no earlier than 15 Working Days after the Modification Proposal is raised
- Panel Determination: the Lead Analyst presents the Modification Proposal to the Panel, which decides the resolution (approve or withdraw)
- Disagreement with the resolution: if a Party disagrees with the Panel's decision, this can be raised with the Panel and also appealed to the Authority

Proposals in the July 2015 Consultation
The July consultation proposed activating the Modification Paths as follows:
- Non-Urgent Path 2 and Path 3 Modifications to be activated in early 2016, subject to certain variations under which the Secretary of State will perform the following functions: approval of Modification Proposals; direction of any additional steps necessary; hearing of appeals on Path 3 Modification decisions; and direction of a new implementation timetable.
- Non-Urgent Path 1 Modifications to be activated at a later date following DCC Live, yet to be notified by the Secretary of State.
The outcomes of the July 2015 consultation are likely to be issued in late October or early November.

Where to find more information
Guidance on the Modification Process is available on the SEC website, including process guidance and indicative progression timelines.

Questions?

Coffee & Tea Break 11:10 to 11:30
Security and Privacy Controls Frameworks: Alistair Grange (User CIO) (11:30 to 12:15)

Agenda
1. Overview of the controls frameworks
2. Types of assessment
3. Using the controls frameworks
4. Summary

CONTROLS FRAMEWORKS: OVERVIEW

What are the SCF and PCF?
The Security Controls Framework (SCF) and Privacy Controls Framework (PCF) are documents developed by the User CIO with the support of the Security Working Group (User CIO, DECC, SECAS) and the SSC (through review). The controls frameworks serve a number of functions:
- Describing the type of evidence the CIO would seek to receive to demonstrate compliance with the SEC
- Describing the assessment protocols, i.e. how the assessments will work
- Creating a consistent approach to the way in which Users are assessed for compliance

Assessment logistics
The SCF and PCF set out (amongst other topics):
- When and how to engage the CIO
- What to expect during the assessment, and the requirements on the User
- Indicative timescales, and how to manage changes to these
- Who the CIO would expect to meet with
- How to achieve an efficient review
- Minimising disagreements
- The approach taken to ensuring data confidentiality
- Assessment variations

Control descriptions
The controls frameworks describe:
- The different types of User Assessment, including the applicable assessment criteria and the frequency of assessment
- The activities and requirements of each stage of the assessment lifecycle: prior to an assessment, during an assessment and post-assessment
- Key information and logistical requirements around how a User should engage with the User CIO, as well as indicative timetables and example schedules for the assessments
- The questions the User CIO might ask, and the evidence it might expect to see from a User to support the assessment
The controls frameworks will not be:
- Overly prescriptive
- A replacement for the regulation
- Exhaustive in their description of the questions and evidence that the CIO may seek to support its work

TYPES OF ASSESSMENT

Types of security assessment
- Full User Security Assessment: carried out by the User CIO to check compliance with the System, Organisational and Information Security obligations
- Verification User Security Assessment: carried out by the User CIO to check for any material increase in security risk since the last Full User Security Assessment
- User Security Self-Assessment: carried out by a User and reviewed by the User CIO
- Follow-Up Security Assessment: carried out by the User CIO following an assessment to verify implementation of the actions detailed within the User Security Assessment Response

Security assessment frequency
Supplier Parties (by number of Smart Metering Systems):
- More than 250,000: Entry/Year One: Full Assessment; Year Two: Full Assessment; Year Three: Full Assessment
- Less than 250,000: Entry/Year One: Full Assessment; Year Two: Verification Assessment; Year Three: Self-Assessment
Network Parties (by number of Smart Metering Systems):
- More than 250,000: Entry/Year One: Full Assessment; Year Two: Verification Assessment; Year Three: Verification Assessment
- Less than 250,000: Entry/Year One: Full Assessment; Year Two: Verification Assessment; Year Three: Self-Assessment
Other Users:
- Entry/Year One: Full Assessment; Year Two: Self-Assessment; Year Three: Self-Assessment

Types of privacy assessment
- Full User Privacy Assessment: the User CIO checks compliance with I1.2 to I1.5 and reviews the systems and processes in place for ensuring compliance
- User Privacy Self-Assessment: carried out by a User and reviewed by the CIO to identify any material change in the systems in place to comply and in the quantity of data being obtained
- Random Sample Privacy Assessment: the User CIO checks compliance in relation to a limited (sample) number of Energy Consumers (I1.2 to I1.5); carried out on instruction from the Panel
Three-year privacy assessment cycle for Other Users:
- Entry/Year One: Full User Privacy Assessment; Year Two: User Privacy Self-Assessment; Year Three: User Privacy Self-Assessment
Prior to an assessment: engaging with the CIO
- Engagement with the User CIO shall be managed via SECAS
- Users should seek to engage with the User CIO at least [x] weeks prior to their desired review date. Early engagement to schedule an assessment is strongly recommended
- It is the responsibility of the User to engage the User CIO in accordance with the review cycle
- Users should seek to engage with the User CIO when they have system stability and are confident that significant change will not occur
- Users wishing to change the dates of an assessment must inform the User CIO at least [x] weeks prior to the original assessment start date. Failure to comply with this period may see the User incur a cancellation charge
- Cancellation charges [TBC]

Prior to an assessment: information required by the User CIO
The User CIO will engage with the User to determine the scope of the assessment as well as the scale, length, and involvement of User Personnel. The User is asked to provide:
- A User System scope document, including key definitions
- The locations within the scope of the User Systems and therefore of the assessment
- A nominated point of contact for the administration and planning of the assessment
Information to be provided by the User CIO:
- Where applicable, a preliminary schedule and assessment timetable
- A list of key User Personnel, by role, who the User CIO may need to meet with during the assessment. This may include third-party suppliers
- A document request list, to be returned complete [X] weeks prior to the start of the assessment
- A proposed assessment team with a User CIO key point of contact

During a Full User Security Assessment
A Full User Security Assessment is an assessment carried out by the User CIO to assess compliance against the obligations specified in SEC Sections G3 to G6 in each of the User's User Roles. It is performed onsite and should take between 3 and 10 days on site, depending on the size, scale and nature of the User and the scope of its User Systems. A Full User Security Assessment may be broken down into two phases. We are exploring whether the User can have the flexibility to complete these phases to differing timescales if required.
- Phase 1 will likely consist of a document review covering the ISMS governance documentation and Information Security Policy, the Risk Management methodology and the documented scope of the User's User System.
- Phase 2 will involve an onsite assessment consisting of document reviews, interviews with key stakeholders, and the evidencing and testing of identified controls. The onsite assessment will take up to 10 working days onsite.
The User CIO will require access to key documentation, physical locations and key stakeholders, as agreed with the User prior to the assessment as part of the pre-assessment communication.

During a Verification User Security Assessment
A Verification User Security Assessment is an assessment carried out by the User CIO to identify any material increase in security risk since the last Full User Security Assessment. The scope of this assessment focuses on those areas exposed to any material increase in security risk, as indicated by the User's obligation to identify and manage risk (in accordance with G5.14).
- It is likely to be completed in a single phase of review work
- It is likely to require an onsite assessment by the User CIO of between 3 and 10 working days
- The User CIO will require access to key documentation as well as key stakeholders, as agreed with the User prior to the assessment as part of the pre-assessment communication
- The User CIO will require physical access to the User's facilities (potentially including data centres), as arranged prior to the assessment as part of the pre-assessment communication

During a User Security Self-Assessment
A User Security Self-Assessment is an assessment carried out by the User to identify any material increase in security risk since the last occasion on which either a Full User Security Assessment or a Verification User Security Assessment was carried out. The scope of this assessment focuses on those areas exposed to any material increase in security risk, as indicated by the User's obligation to identify and manage risk (in accordance with G5.14). The User is required to produce a report for review and corroboration by the User CIO prior to presentation to the SEC Panel.

During a Follow-Up Security Assessment
A Follow-Up Security Assessment is an assessment carried out by the User CIO at the request of the Security Sub-Committee (SSC). The scope of the Follow-Up Security Assessment is determined by the SSC, and the time required for the review will depend on the agreed scope. At the request of the SSC, the User CIO will conduct a Follow-Up Security Assessment of a User to: (a) identify the extent to which the User has taken the steps that have been accepted or agreed (as the case may be) within the timetable that has been accepted or agreed (as the case may be); and (b) assess any other matters related to the User Security Assessment Response that are specified by the Security Sub-Committee.

After the assessment
Following the completion of an assessment, or on receipt of a Self-Assessment report, the User CIO, with support from the User, will produce a written report. The User CIO will submit a draft copy of the report to the User for review; the User shall have [X] days to request changes for consideration, and the full report shall be published [X] days thereafter. The User CIO will submit a copy of each User Security Assessment Report to the SSC and to the User. The User will then be expected to produce a User Security Assessment Response addressing the findings of the User Security Assessment Report and to submit this to the SSC and the User CIO by a date determined by the SSC.
USING THE CONTROLS FRAMEWORKS

Organisation
The SCF and PCF are ordered in alignment with the SEC obligations, with guidance supplementing each obligation. Each entry has the form:
- SEC Obligation #: the SEC text
- What the CIO may take into consideration: description
- What evidence the CIO might expect to see: description

Security Controls Framework: SEC Obligation G3.5
"Each User shall, on the occurrence of a Major Security Incident in relation to its User Systems, promptly notify the Panel and the Security Sub-Committee."
What the CIO may take into consideration:
- How have you interpreted the definition of a Major Security Incident? How do you classify Security Incidents to determine which are Major Security Incidents?
- Upon the occurrence of a Major Security Incident, what process do you follow for notifying the SEC Panel and the Security Sub-Committee, and within what timeframe do you aim to provide this notification?
- What level of detail do you provide as part of that notification (e.g. does it include the incident type, the number of affected users within your organisation, etc.)?
What evidence the CIO might expect to see:
- Security Incident Management policy and procedures, including documented incident triage and classification criteria
- Evidence of testing of the security incident management procedure, technical solution and reporting mechanism
- Detailed roles and responsibilities, including who is responsible for notifying the Panel and the Security Sub-Committee in the event of a Major Security Incident

Security Controls Framework: SEC Obligation G3.16
"Each Supplier Party shall: (a) use its reasonable endeavours to ensure that its User Systems detect all Anomalous Events; and (b) ensure that, on the detection by its User Systems of any Anomalous Event, it takes all of the steps required by its User Information Security Management System."
What the CIO may take into consideration:
- What steps does your User ISMS specify you follow upon the detection of an Anomalous Event?
- How do you ensure these steps are followed and enforced?
- How does this relate to your incident management processes?
What evidence the CIO might expect to see:
- The inclusion of Anomalous Event management within the User ISMS
- Evidence of testing of the Anomalous Event detection capability
- Evidence of the live operation of the Anomalous Event detection capability, including the completion of the steps set out in the User ISMS

Privacy Controls Framework: SEC Obligation I1.2 (reproduced partially)
"Each User undertakes that it will not request, in respect of a Smart Metering System, a Communication Service or Local Command Service that will result in it obtaining Consumption Data, unless: (a) the User has the Appropriate Permission in respect of that Smart Metering System; and (b) the User has [ ] notified the Energy Consumer in writing of: (i) the time periods [ ]; (ii) the purposes for which that Consumption Data is, or may be, used by the User; and (iii) the Energy Consumer's right to object or withdraw consent [ ]."
What the CIO may take into consideration:
- What procedures and controls are in place to capture consent and opt-out preferences from Energy Consumers?
- Do these apply across all mediums used to initiate collection of energy consumption data?
- Is consent gathered prior to accessing, or issuing each request to access, energy consumption data?
What evidence the CIO might expect to see:
- Documented procedures to obtain a clear indication of Energy Consumers' explicit consent to the collection and processing of energy consumption data
- Ability to provide evidence that consent has been gathered prior to, or at the point of, collection of energy consumption data from Energy Consumers

Privacy Controls Framework: SEC Obligation I1.5
"Each User shall put in place and maintain arrangements designed in accordance with Good Industry Practice to ensure that each person from whom it has obtained consent pursuant to Section I1.2 to I1.4 is the Energy Consumer."
What the CIO may take into consideration:
- What do you consider to be good practice, and how have you made this assessment?
- Are procedures in place to verify that the individual who has provided consent is the energy consumer? If so, how is this achieved?
- Do these procedures apply across all mediums through which consent is collected from Energy Consumers?
- How do you keep this approach under review?
What evidence the CIO might expect to see:
- Documented procedures to confirm the identity of the person from whom consent has been obtained for the processing of energy consumption data
- Implementation of these procedures and consent verification mechanisms across all mediums used to initiate collection of smart metering data from consumers, for instance online, telephone and mobile applications
- Documented procedures for the event of a change of energy consumer at a premises at which consumption data is collected

Self-assessment report
To support the User Security Self-Assessment, the User CIO has developed a Self-Assessment Report within the SCF consisting of three key questions, supplemented within the document by sub-bullets:
1. How has the scope or method of operation of your User System changed, if at all, since your last Full Assessment?
   i. Has your technical solution changed?
   ii. Have you entered into any new relationships with third-party suppliers?
   iii. Have your business processes changed in a way that could impact upon the security of your system?
2. How do you consider the risks have changed, if at all, since your last Full Assessment?
   i. How, if at all, has your customer base changed?
   ii. Has the scope of your User System changed?
3. How has your approach to risk mitigation changed, if at all, since your last Full Assessment?
   i. Have you modified the security controls used to mitigate risk?
   ii. Has there been a shift in your organisation's risk appetite?

SUMMARY

Summary
- Users will be subject to security assessments upon User Entry (and each year thereafter) which are proportionate to the risk they introduce into the system.
- Other Users will also be subject to privacy assessments, to verify their compliance with the relevant SEC obligations.
- Early engagement with the User CIO will benefit Users in securing their desired assessment date.
- The SCF and PCF have been produced to guide the assessments: they clarify the protocols applying to the assessment process, give examples of the types of evidence the CIO may wish to see, and set out the questions likely to be asked of the User.

Questions?
Security and Privacy Assessment Processes: George McGregor (12:15 to 12:45)

Introduction
The SEC includes a range of security and privacy requirements and makes provision for a Competent Independent Organisation (CIO) to assess Parties' compliance. Parties' security and privacy requirements, including their assessment requirements, vary by DCC User type.

Topics Covered
- Who needs what?
- Assessment processes
- Handling of information
- Assessment outcomes
- Scheduling and booking
- Supporting materials

Initial Assessments: Who Needs What?
Assessments form a key part of the User Entry Process.
- Security: all Users
- Privacy: all Parties acting in the capacity of an Other User

Types of Security Assurance Assessment
- Full User Security Assessment: checks compliance with System, Organisational and Information Security obligations
- Verification User Security Assessment: checks for any material increase in security risk since the last Full User Security Assessment
- User Security Self-Assessment: carried out by a User and reviewed by the CIO
- Follow-Up Security Assessment: carried out by the CIO following an assessment to verify the actions detailed within the User Security Assessment Response
Security Assessment Frequency and Privacy Assessment: the frequency tables and privacy assessment types repeat those shown in the Security and Privacy Controls Frameworks session above.
Business Process Diagrams SECAS have broken the process down into the following 3 stages: Pre-Assessment Areas that the CIO may be looking for during the security assessment to aid user preparation During Assessment Guidance on the type of questions, the CIO maybe asking during the security assessment Post Assessment Guidance on timelines, reporting and next steps for the user Gemserv 71
Required Processes Before Pre-Assessment Scheduling Cancellation Shared Resources Random Sampling During Communicated by CIO After Invoicing Remediation Reporting Confidentiality Gemserv 72
Pre-Assessment Gemserv 73
CIO Invoicing and Payments Gemserv 74
Handling of Information Given the sensitive nature of information exchanged during an assessment, a secure means of storing information is required. SECAS have identified the requirements for the platform and will propose the solution to the Security Sub-Committee for their review and approval Gemserv 75
Handling of Information Platform Principles Data in Transit Protection Asset Protection and Resilience Separation Between Clients Governance Framework Operational Security Auditing Capabilities Secure Use Non-Repudiation Dissemination Gemserv 76
Assessment Outcomes The SEC Panel will review the outcomes of Assessments and assign one of four statuses to a Party: Approved Approved, subject to: Provisionally approved, subject to: Deferred, subject to: The Party s Security and/or Privacy requirements are fulfilled The Party taking some agreed steps to achieve compliance A Follow-up Security Assessment is required but is not a pre-requisite to being granted access The Party taking some agreed steps to achieve compliance A Follow-up Security Assessment by the User CIO to ensure that the proposed actions have been met The Party amending the steps they are proposing to take to achieve compliance The Panel then reassigns the Party with one of the other 3 statuses Gemserv 77
Booking & Scheduling
o Bookings will be handled by the SECAS Helpdesk
o SECAS have issued an RFI to assist with the scheduling arrangements for Security Assessments
o SEC Parties will be informed once booking is made available
Contact Us: For all enquiries or further advice, please contact SECAS at: W: smartenergycodecompany.co.uk T: 020 7090 7755 E: secas@gemserv.com
User Guidance
o SECAS produce guidance materials to aid Parties
o Guides for Sections I and G are already available on our website
o SECAS will produce User Assessment guidance and host it on the SEC website
Next Steps
o All supporting materials in place by end of the year
o SECAS will inform SEC Parties once booking is made available
o Check the SEC Website for guidance and information releases
Questions?
Lunch Break 12:45 13:30
Recent Changes to the SEC David Barber & Alys Garrett 13:30 13:50
What this section covers
o Recent Designated changes
o SEC Subsidiary Document update
o Consultations and Consultation Conclusions
o Other SEC Documents update
o Guidance update
Which version of the SEC are we up to?
o SEC 1: Initial provisions for the establishment of SEC Governance and Charging Methodology
o SEC 2: SEC 2.0 - Communications Hubs Financing Provisions; SEC 2.1 - Provisions on Parse and Correlate and Intimate Communications Hub Interface Specifications (ICHIS); SEC 2.2 - Fast-Track Modification (SECMP 0001)
o SEC 3: Smart Metering Key Infrastructure (SMKI) and the Policy Management Authority (PMA), plus SMKI Certificate and Compliance Policies; Provisions for Testing during Transition; Provisions for the Technical Sub-Committee
o SEC 4.0: Provision/Charging of Communications Hubs; Provisions for the Security Sub-Committee; Security assurance arrangements and privacy audits; SMETS1 Meters definition of DCC Services
o SEC 4.1 - 4.2: SEC 4.1 - DCC Gateway Connection Code of Connection; SEC 4.2 - User/Party IDs, Test Certificates and Compliance Policy Independence Requirements
o SEC 4.3: Communications Hubs Procurement; DCC Services (Section H1-H10); Specimen Enabling Services Agreement (Schedule 7)
o SEC 4.4 - 4.5: SEC 4.4 - Communications Hubs Handover Support Materials (Appendix H); SEC 4.5 - Enduring Testing Approach Document (Appendix J)
o SEC 4.6: SMKI and Repository Test Scenarios Document (Appendix K)
o Still to Come: Remote Testing Services; Smart Meter Inventory and Enrolment Services; SMKI/DCC Key Infrastructure (DCCKI)/Infrastructure Key Infrastructure (IKI) changes; Non-Domestic Opt Out; Enrolment of Advanced Domestic Meters (ADM); Migration of Registration to DCC; 868MHz and Alternate HAN
More recent changes to the SEC
o SEC 4.4 (14th September 2015): Appendix H - CH Handover Support Materials
o SEC 4.5 (28th September 2015): Appendix J - Enduring Testing Approach Document
o SEC 4.6 (21st October 2015): New Appendix K - SMKI and Repository Test Scenarios Document; Activation of Section L7 SMKI and Repository Entry Process Tests
Status of Subsidiary Documents
o 3 Designated in September/October
o Majority of the others have been baselined by transitional governance
o The SEC Subsidiary Document and SEC Document tracker is maintained with up to date information, including baselined dates and links to baselined versions (where possible)
Conclusions
o Outcomes of the July consultation still to be issued
o Items in the July consultation were: DCC Enrolment Mandate; DCC Enrolment and Communication Services; SEC amendments to support Smart Metering Testing; Public Key Infrastructure changes; Security Independence Requirements; Communications Hubs Incident Management; Switch on of Modifications
Status of SEC Documents
o Panel Release Management Policy: completed industry consultation; responses and revised Panel Release Management Policy to November Panel
o ID Allocation Procedure: complete - approved and published on the SEC Website
o Panel Information Policy: undergoing legal review and Information Commissioner review; final version targeted for final Panel approval in December
Guidance
o SECAS continue to develop an expanding suite of Guidance and support information
o Specific, more focused guides will continue to be developed
o Developing SEC expanding to include SoS variation info (as green footnotes)
Questions?
Key Infrastructure Overview Darren Calam 13:50 14:20
Topics Covered
o Quick overview of SMKI, IKI and DCCKI
o Latest view of SMKI
o Latest view of IKI
o Latest view of DCCKI
o Obtaining SMKI, IKI and DCCKI Certificates
Quick recap of SMKI
What does SMKI do?
o SMKI issues certificates to Organisations and Devices and is used for securing end-to-end communications between Remote Parties and Devices
o SMKI is the trusted authority for all of these communications
o Therefore: all users who wish to communicate with a Smart Metering Device will require a certificate issued under SMKI; and all Devices that wish to communicate with Remote Parties will require a certificate issued under SMKI
o SMKI supports the cryptographic standards as defined in the GBCS
SMKI Certificates
o SMKI Certificate requests are made by Authorised Responsible Officers using a variety of SMKI interfaces made available by the DCC.
o The processes for subscribing for SMKI Certificates are laid out in the SMKI Registration Authority Policy and Procedures SEC document.
Quick recap of IKI
What does IKI do?
o IKI issues certificates to Organisations used for securing communications with the following SMKI interfaces: SMKI Portal access over DCC Gateway Connection; SMKI Portal Web Service over DCC Gateway Connection; SMKI Portal Batched CSR Web Service over DCC Gateway Connection; SMKI Portal over the Internet (SPOTI)
o IKI also issues certificates used for the purposes of file signing
o IKI is a part of SMKI
Quick recap of DCCKI
What is DCCKI?
o DCCKI stands for DCC Key Infrastructure
o DCCKI is used in GB Smart Metering to secure communications from SEC Parties and RDPs to DCC interfaces/services such as: Self Service Interface (SSI); Registration Interface (REGIS); and DCC User Interface (DUIS).
What does DCCKI do?
o DCCKI issues Infrastructure certificates used to establish secure communication channels to DCC.
o DCCKI issues User Personnel certificates used to authenticate SEC Party personnel to the Self Service Interface.
o The DCCKI RAPP lays out the procedures for request and issuance of DCCKI Certificates.
SMKI Delivery Plan (DCC Controlled)
Other SMKI Related Items
o Minor SEC amendments in the July 2015 DECC consultation; DECC will publish responses in due course.
o A number of SEC Subsidiary documents baselined: IKI Certificate Policy - TPMAG approved base-lining 08/09/15; SMKI RAPP - TPMAG approved base-lining 08/09/15 and re-base-lined 13/10/15; SMKI 4 Documents - TPMAG approved base-lining 08/09/15 and re-base-lined SMKI Repository IDS 13/10/15; SMKI & Repository Test Scenarios - to be designated 21/10/15; Enduring Test Approach Document (Initial version) - designated 28/09/15; and SMKI Recovery Procedures - likely to be base-lined 10/11/15 and may be designated 16/12/15.
Questions?
User Entry Qualifications Jill Ashby 14:30 15:00
Introduction
o The SEC establishes pre-conditions to be eligible to become a DCC User (the User Entry Process), which comprise specific testing, assurance and other prerequisites
o The SEC includes a range of testing requirements and makes provision for testing services to support these, both during Transition and Enduring
Pre-conditions in a nutshell
o User Entry Process Tests (UEPT): in accordance with the Common Test Scenarios (CTS)
o User ID: obtained from Panel via SECAS; EUI-64 compliant; notified to DCC
o User Security Assessment: carried out by the User Independent Security Assurance Service Provider (the CIO), procured by the Panel; Section G3-6 requirements
o SMKI & Repository Entry Process Tests (SREPT): in accordance with the SR Test Scenarios
o Credit Cover: if applicable, lodged with DCC
o Privacy Audit: carried out by the Independent Privacy Auditor (the CIO), procured by the Panel; Section I2 requirements
Who does what?
Requirement: achieved by; from whom
o User ID / RDP ID: User Role eligibility through Users notifying DCC of their EUI-64 identifier and DCC accepting it. From: Panel (Section B2); SECAS issue these.
o User Entry Process Test (UEPT): User successfully completing UEPT for each User Role you will operate, in line with the Common Test Scenarios Document (CTSD). Note: RDPs are not a DCC User Role. From: DCC (Section H14); the Party demonstrates to DCC's satisfaction that they meet the criteria to enter and exit.
o SMKI & Repository Entry Process Test (SREPT): User successfully completing SREPT for being an Authorised Subscriber for Organisation and/or Device Certificates. From: DCC (Section L7) sets out that DCC confirms completion.
o Security Assurance: User completes their CIO Assessment under the Security Controls Framework. From: Panel (Section G8) via SSC consideration of the CIO report.
o Other User* Privacy Audit: Other Users complete their CIO Assessment under the Privacy Controls Framework. From: Panel (Section I2).
o Credit Cover: provide credit support to DCC for User Role. From: DCC (Section J3).
*Note: Licensees have privacy conditions in their licences. However, if you also operate in the role of Other User, the SEC privacy audit arrangements apply.
Where are we
o EUI-64 User IDs issued and Party Signifiers
o Credit Cover lodged
o User CIO Security Assessments and Privacy Audits: scheduling in development
o User Testing: the SEC contains provisions for testing during Transition and Enduring
Testing: UEPT, Enduring, SIT/SRT, SEC, E2E, IT, SREPT
SIT and SRT arrangements under the SEC
The predominantly DCC phases of SIT and SRT
o SIT tests that the DCC System and Communications Hubs interoperate with each other, in accordance with the SIT Approach Document approved by the Panel; Region by Region; DCC reports to Panel on achievement of exit criteria, including by reference to an audit; RDPs are involved; Devices are used
o SRT tests the SMKI Service and Repository, in accordance with the SRT Approach Document approved by the Panel (with advice from SMKI PMA); DCC only test phase, but two Large Suppliers must pass SREPT as part of demonstrating that SRT has been met
IT arrangements under the SEC
Interface Testing with Users and DCC for the purposes of transition
o IT demonstrates DCC can interoperate with Users, in accordance with the IT Approach Document approved by Panel (advised by TAG)
o Exit Criteria specified in IT Approach to be met, including two Large Suppliers and an electricity Network completing in each Region (Section T3.8(j))
o Section T3: advance notice of IT commencement date; Large Suppliers ready to commence UEPT; Networks may be directed to be ready
User Entry Process Testing (Section H14)
o UEPT tests the capability of a User to interoperate with the DCC: for each User Role and in accordance with the Common Test Scenarios; using Devices selected by the DCC; communications to and from the User and DCC
o Test scripts and sequences developed by Party, approved by DCC
o Completed when DCC considers the Party has met the requirements of its UEPT
o Outcome: can establish a DCC Gateway Connection; can use the DCC User Interface; can use the Self-Service Interface
SMKI & Repository Entry Process Testing (Section H14 and L7)
o SREPT: become an Authorised Subscriber and interoperate with the Repository, in accordance with the SMKI & Repository Test Scenarios
o Is an Authorised Subscriber and a Subscriber under the Organisation and/or Device Certificate Policies
o Is eligible to access the Repository as set out in the SMKI RAPP
o Completed when DCC considers the Party has met the requirements of its SREPT
o Outcome: can fulfil the requirements to be an Authorised Subscriber; can access the SMKI Repository
Further Testing arrangements under the SEC
o UEPT and SREPT are pre-conditions to becoming a User
o UEPT can take place during Interface Testing
o Shared Systems: if the Party can evidence equivalence
o The SEC also makes provision for DCC Testing Services for: Device and User System Testing, including for non-SEC Parties; E2E and Enduring Testing; SEC Modification Implementation tests
E2E Enduring testing
o E2E testing = UEPT + Device & User System Testing
o Device & User System testing contemplates Users testing their devices and systems (e.g. back-office and business systems) with the DCC systems for: interoperability of devices; interoperability of systems; interoperability of devices and systems
o Devices: Section F4 - Suppliers are to ensure that their Devices have been tested as interoperable and retain evidence of that testing.
o Organisations who wish to test devices with the DCC system, e.g. manufacturers or test services, need to be SEC Parties to be able to use the DCC Test Services.
Enduring Testing
o How and in what circumstances UEPT and E2E will be provided into enduring Testing Services, covering: provision of any Testing Services remotely; connection to the WAN for Device and User System Tests; Test Certificates; and obligations on DCC and Testing Participants in respect of Testing Services (including security).
o Modifications and DCC internal change testing: the SEC provisions and supporting procedures for testing in either of these circumstances will be developed in the future
Logical View of Testing Stages (Sept)
o Pre-Integration Testing
o Systems Integration Testing; SMKI & Repository Testing: SIT Approach (SITA); SRT Approach (SRTA)
o Interface Testing; User Entry Process Testing; SMKI & Repository Entry Process Testing: IT Approach (ITA); Common Test Scenarios (CTSD); SMKI & Repository Test Scenarios (SRTSD)
o End-to-End Testing: E2E Test Approach (E2EA)
o Enduring: Enduring Test Approach (ETA)
Testing on a page
o SIT & SRT + Interface Testing: SIT and SRT are DCC phases, results reported to Panel/SMKI PMA; set out in SIT and SRT Approach Documents; Interface Testing readiness by all Large Suppliers, with completion by 2 Large Suppliers; Networks also participate; Test Issue Management
o User Entry Process Testing: all Users for their Role(s); must cover the Common Test Scenarios; Users prepare scripts and data; entry readiness assessed by DCC by reference to criteria in CTS; Test Issue Management
o Device & User System Testing: Party and non-party testing participants; participant scripts; entry criteria set by DCC; Test Issue Management
o SMKI & Repository Entry Process Testing: all prospective SMKI Users must complete using Test certificates; must cover the SMKI & Repository Test Scenarios; 2 Large Suppliers must complete as part of SRT exit criteria
Timing of testing considerations
o Large Suppliers* are already required to be ready to participate from Interface Testing
o RDPs ready for SIT
o DECC conclusions introduce other considerations on timing to complete testing: early rollout obligation for Large Suppliers: the lower of 1,500 SMETS2 meter installations or 0.025% of their total meter points, enrolled within 6 months of DCC live
o User Mandate for other participants: all Suppliers who do not fall under the early rollout, within 12 months of DCC Live
o Networks: electricity DNOs should be ready to support the rollout of SMETS2 meters from DCC Live; electricity IDNOs to be DCC Users from DCC Live + 12 months; GTs and IGTs before 2020
o Non-domestic: DECC reviewing opt out policy, response due in Autumn
*Large = supply electricity and/or gas to 250,000 or more domestic premises as at 15th Feb 2015
SEC User Entry Process Next Steps
o We will develop a matrix of who needs to complete what pre-conditions as further SEC conclusions are published
o Timescales for undertaking CIO assessments/audits will be issued
o We are compiling guidance on the SEC User Entry Process arrangements
o SEC Guides and other useful materials are currently available on our website
Questions?
End of the Spotlight on the SEC Seminar 15:00
Q&A Session 15:00 16:00
Contact Us: For all enquiries or further advice, please contact SECAS at: W: smartenergycodecompany.co.uk T: 020 7090 7755 E: secas@gemserv.com
Appendix 1: Glossary
The following table lists the acronyms used within the Spotlight on the SEC Seminar Slide Pack.
ADM: Advanced Domestic Meters
BMRG: Benefits Monitoring Review Group
CH: Communications Hub
CIO: Competent Independent Organisation
CSR: Certificate Signing Requests
CTS: Common Testing Scenarios
CTSD: Common Testing Scenarios Document
DCC: Data and Communications Company
DCCKI: DCC Key Infrastructure
DCCKI RAPP: DCC Key Infrastructure Registration Authority Policies and Procedures
DECC: Department of Energy and Climate Change
DMR: Draft Modification Report
DNO: Distribution Network Operator
DUIS: DCC User Interface Specification (formerly DCC User Gateway Interface Specification (DUGIS))
E2E: End-to-End Testing
E2EA: E2E Test Approach
ESME: Electricity Smart Metering Equipment
ETA: Enduring Test Approach
FMR: Final Modification Report
FSG: Foundation Strategy Group
GBCS: Great Britain Companion Specification
GT: Gas Transporter
HAN: Home Area Network
ICHIS: Intimate Communications Hub Interface Specification
IDNO: Independent Distribution Network Operators
IGT: Independent Gas Transporter
IKI: Infrastructure Key Infrastructure
IMF: Implementation Managers Forum
IMR: Initial Modification Report
ISMS: Information Security Management System
IT: Interface Testing
ITA: IT Approach
PCF: Privacy Controls Framework
PKI: Public Key Infrastructure
PMA: Policy Management Authority
RAPP: Registration Authority Policies and Procedures
RDP: Registration Data Provider
REGIS: Registration Data Interface Specification
RFI: Request For Information
RG: Regulation Group
SCF: Security Controls Framework
SEC: Smart Energy Code
SECAS: Smart Energy Code Administrator and Secretariat
SECCo: Smart Energy Code Company
SECMP: SEC Modification Proposal
SIT: Systems Integration Testing
SITA: SIT Approach
SMETS: Smart Metering Equipment Technical Specification
SMIP: Smart Metering Implementation Programme
SMSG: Smart Meter Steering Group
SMKI: Smart Metering Key Infrastructure
SMKI PMA: Smart Metering Key Infrastructure Policy Management Authority
SoS: Secretary of State
SPOTI: SMKI Portal over the Internet
SREPT: SMKI & Repository Entry Process Tests
SRT: SMKI and Repository Testing
SRTA: SRT Approach
SRTSD: SMKI & Repository Test Scenarios
SSC: Security Sub-Committee
SSI: Self Service Interface
TAG: Testing Advisory Group
TBDG: Technical and Business Design Group
TDEG: Testing and Design Execution Group
TPMAG: Transitional Policy Management Authority Group
TSC: Technical Sub-Committee
TSEG: Transitional Security Expert Group
UEPT: User Entry Process Testing
WAN: Wide Area Network
Spotlight on the SEC Seminar: Appendix 1 - Glossary