ENCS has completed the member project on procuring secure equipment that started in 2019. ENCS has been supporting its members to procure secure equipment for many years. It has developed security requirements for different equipment and a testing approach based on the requirements. These enable members to procure secure equipment in tenders.

The member project strengthened this effort by harmonising the requirements and formalising the requirements-based testing. By harmonising the requirements between ENCS members, vendors can more easily comply with them. They only need to meet one set of requirements to qualify for all members using the requirements. Formalising the testing allows the test results to be more easily shared, creating greater testing efficiency.

Harmonising the security requirements

In the member project, ENCS harmonised four requirements sets, developed over the previous years:

The requirements were put into the same format, aligned with international standards such as ISO/IEC 27000, IEC 62443, IEC 62351, and OCPP.

ENCS performed a risk assessment for each of the above areas. It then defined a security architecture and derived procurement requirements. The feasibility of the requirements was checked in a market survey among vendors.

With harmonised requirements used by European grid operators, vendors no longer need to implement different requirements sets. They can pre-qualify before tendering processes, based on the published requirements.

Formalising requirements-based testing

The member project on procuring secure equipment also formalised the requirements-based testing. Formalisation allows test results to be shared and enables testing for equipment vendors instead of grid operators. Until now, ENCS has been testing the same component for different members. It would be a big efficiency gain to test the component once and share the testing results. Not only would this lower the testing cost, it would also make better use of limited testing capabilities and reduce the time needed for testing.

To allow the test results to be shared, standardised test plans were developed:

ENCS’s strategic goal is to perform security tests directly for equipment vendors. Then grid operators know at the start of each procurement process which devices meet the security requirements. This should make it much easier to procure secure equipment.