In the member project (MP) Procuring Secure Equipment, started in 2019, ENCS is updating the security requirements developed between 2015 and 2018, such as the requirements for procuring distribution automation RTUs, electric vehicle charging stations and smart meters, and is covering new domains of the grid, such as sensors and IoT devices. This member project has two main goals:

  1. The harmonization of procurement requirements for secure components. These have to adequately reflect the security risks faced by grid operators, their implementation must not disrupt normal operations, and the integration of new features has to be feasible for vendors. The development and validation of the proposed requirements are based on a comprehensive risk assessment for each component and on market surveys involving key vendors and devices currently available on the market. The harmonized security requirements can then be used as a basis for product certification and testing. Within this update, the existing requirements are also aligned with the ISO 27000 and/or IEC 62443 standards. Both are currently “front-runners” for a new Europe-wide certification scheme, which may become mandatory for critical infrastructure operators.
  2. The formalization of a requirements-based testing method. In the past, ENCS has often tested the same device for different grid operators, creating unnecessarily high costs for members. That is why ENCS aims to set up a more efficient and cost-effective testing approach, possibly extending the processes so that components can be tested directly for vendors.

The final deliverables provide members with a comprehensive set of procurement requirements that can be directly attached to tenders. This ensures that only equipment fulfilling minimum security standards is chosen. The alignment of the requirements with ISO 27001 ensures that the measures directly contribute to certification. The risk assessment and security architecture provide the context for the procurement requirements, helping members understand how an attacker might look at their systems and why security measures are needed in the first place.