GO-201-2020: ENCS security program plans for 2020

This document describes the plan for the ENCS security programs for 2020. ENCS is running three long term programs on policy, architecture and operations. The programs gather, develop and share knowledge on common security problems that ENCS members face. They aim to address the needs of different groups of security experts working at grid operators.


EV-401-2019: Security test plan for EV charging stations

Plan to test an EV charging station against the ElaadNL and ENCS security requirements.

ElaadNL and ENCS have developed a set of security requirements for procuring electric vehicle (EV) charging stations . The requirements are based on a risk assessment and a security architecture for the whole EV charging infrastructure. The security requirements can be used directly in the procurement process.

This document provides a standardized test plan to evaluate the charging stations against the security requirements. By standardizing the test plan, the test results can be shared between charge point operators. The vendor of the charging station can order a security test according to the test plan. If the charging station passes the tests, the vendor can use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give charge point operators assurance in advance that there are charging stations meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design and OCPP security conformance testing by an external lab;
  3. A penetration test by an external lab.

DA-401-2019: Security test plan for distribution automation RTUs

Plan to test an distribution automation RTU against the ENCS security requirements.

ENCS has developed a set of security requirement for procuring distribution automation (DA) remote terminal units (RTUs). When the requirements are used, the need arises to evaluate the RTU against the requirements. This document provides a standardized test plan to do this.

By standardizing the test plan, the test results can be more easily shared between grid operators. The vendor of the RTU can perform security tests according to the test plan and then use the test report to show compliance in all tenders that use the security requirements. This reduces the cost of testing and can give grid operators assurance in advance that there are RTUs meeting the requirements.

The test plan consists of three phases:

  1. Functional tests and a vulnerability assessment by the vendor, usually performed during development;
  2. A review of development processes and security design by the grid operator, usually performed during selection;
  3. A penetration test by an external lab, usually performed after the RTU has been selected.

EV-301-2019: Security requirements for procuring EV charging stations

This document specifies security requirements that charge point operators can use when procuring charging stations. The requirements can be used directly in tender documents. They cover the technical security features that the charging station should have, and the measures vendors should take to ensure the correct implementation of these features.

The document is an update of the EV Charging Systems Security Requirements from 2016. ENCS has created this document together with ElaadNL.


EV-201-2019: Security architecture for EV charging infrastructure

This document describes a security architecture for electric vehicle charging infrastructure specifying the technical security measures charge poin operators can implement. The architecture can act as a blueprint for system integrators and the departments maintaining the system. The architecture is intended to be used together with an information security management system (ISMS) based on ISO 27001:2013 or similar.

ENCS is creating this document in collaboration with ElaadNL.


DA-301-2019: Security requirements for procuring DA RTUs

This document gives requirements for procuring secure RTUs for use in distribution automation systems, including:

  • medium to low voltage transformer substations;
  • medium voltage transport substations;
  • automatic circuit recloser controllers applied to overhead distribution lines.

The requirements concern the interfaces to the distribution automation system and the users on these interfaces. The measures are aligned with ISO/IEC 27001:2013. They are designed to fit as much as possible into the processes and procedures already in place in the organizations, and to find the needed balance between the assured security level, feasibility by vendors and the operational impact.

This harmonized set of requirements allows grid operators to get secure automation equipment more cost-effectively, saving their time and effort in developing requirements, as they are already freely available. It has been ensured that the requirements are feasible, as they have been tested in a market survey as well as in previous tenders by other operators. Lastly, these requirements save on implementation costs, as vendors get a common baseline to aim at, and only need to implement the security requirements once and then implement updates in their product roadmap.

The requirements are meant for procuring new RTUs, not for legacy systems, although grid operators may analyze which systems can be upgraded, updated or patched, once more, without disrupting the processes and procedures already in place.


SM-301-2019: Security requirements for procuring smart meters and data concentrators

This document contains security requirements for procuring Smart Meters and Data Concentrators. They are intended as a common baseline that in line with more strict requirements or more detailed specifications used in different European countries.
The requirements are formulated in a technology-independent manner. They describe the security measures that need to be taken functionally, and do not make assumptions on communication protocols or technologies. The requirements cover both technical security measures, and process measures that Vendors should take to ensure secure development, production, and delivery of the devices.
The requirements have been written with an eye towards testing. For each requirement, recommendations are given for evaluating if it has been fulfilled. These recommendations are based on experience with testing many meters from different countries.