Several years ago, as part of the Smart Meter Implementation Project, we embarked on a joint initiative with the Department of Energy & Climate Change (now Business Energy & Industrial Strategy).
Our goal was to provide a level of security for GB Smart Meter equipment – using proportionate, practical security controls – such that no single compromise could significantly impact the system.
The scale of this challenge was huge. Normally, when assuring commercial products, we’re dealing with a well-established set of security expectations, and a deployment model where customers are likely to replace devices regularly. With Smart Meters, the story is very different. These products are destined to be in every house in Great Britain for many years. How do you go about assuring something with this kind of lifespan?
Before I go on – don’t worry, this post isn’t about Smart Meters. It’s about our approach to assuring them. If you want more detail on the technology and relevant security issues, read Dr Levy’s recently published article.
A new approach to Commercial Product Assurance (CPA)
Mid 2016 was a key turning point for those of us who cared about a smooth (but still robust) CPA evaluation process for Smart Meter products. Evaluation work was underway on the first few products with everyone involved being mindful of the very tight deadlines, and the severe penalties that our industry partners could face if they failed to meet their contractual obligations.
Then we began a strategic review of our assurance schemes. As part of this we ran several open workshops at which we met representatives from the Smart Meter test labs, and top brass from the DECC Smart Meter project.
Faster, faster, faster!
For me, these workshops were really interesting – not just because of their main aim, but due to the number of people who cornered me (and other CPA colleagues) to tell us exactly how they thought the CPA process might affect Smart Meter timelines. In short, it was felt we needed a more streamlined process in order to progress through the expect workload.
For Smart Meter evaluations to succeed we needed to come up with a new approach – overnight. Less emails, less paperwork, less confusion, less pedantry. Closer working, more agile, and faster, faster, faster! We accepted the challenge.
Thanks to the labs
It was a bit of a leap of faith for us – and the test labs. But, thankfully, the labs stuck with us. Even when we told them that instead of doing months of email exchanges, they’d need to come and spend a day or two debriefing us face to face. It was this change which made the biggest difference to our timeline.
While ensuring a consistent level of security challenge in the evaluations, we also worked with the labs to place more trust in the work they do. We had a ‘tough and timely’ ethos, meaning that we wanted to spend time discussing the new and tough technical issues, not going over the same old tests that had been done hundreds of times before.
To date we have three Smart Meter Communications Hubs that have been assured through this new improved CPA process. These are from Toshiba, EDMI, and WNC. And we’re currently working with our partners on a number of Gas and Electricity Smart Energy Meter evaluations.
Roll out the best bits
The new process worked well. So well in fact, that the best bits of this pilot are being rolled out to other CPA evaluations (and beyond), setting a new standard in how the NCSC works with assurance partners.
It cut an estimated four months off each evaluation, bringing it down from an original six months to just two. It also helped us, and the labs, focus on ensuring the products themselves have an acceptable level of security, by design.
This is all feeding into new initiatives and the wider strategic scheme review. But, importantly, it was external input that started us on this journey so we are keen to maintain the conversation with our partners. Things aren’t perfect yet, but this process seems to be moving us in the right direction.
Andy B
Technical Lead for Commercial Assurance
Source: National Cyber Security Centre
