ENCS has completed the member project on procuring secure equipment that started in 2019. ENCS has been supporting its members to procure secure equipment for many years. It has developed security requirements for different equipment and a testing approach based on the requirements. These enable members to procure secure equipment in tenders.
The member project strengthened this effort by harmonising the requirements and formalising the requirements-based testing. Because the requirements are harmonised between ENCS members, vendors can more easily comply with them. They only need to meet one set of requirements to qualify for all members using the requirements. Formalising the testing allows the test results to be more easily shared, creating greater testing efficiency.
Harmonising the security requirements
In the member project, ENCS harmonised four requirements sets, developed over the previous years:
- DA-301-2019: Security requirements for procuring DA RTUs
- SM-301-2020: Security requirements for procuring smart meters
- SM-302-2020: Security requirements for procuring data concentrators
- EV-301-2019: Security requirements for procuring EV charging stations
The requirements were put into the same format, aligned with international standards such as ISO/IEC 27000, IEC 62443, IEC 62351, and OCPP.
ENCS performed a risk assessment for each of the above areas. It then defined a security architecture and derived procurement requirements. The feasibility of the requirements was checked in a market survey among vendors.
With harmonised requirements used by European grid operators, vendors no longer need to implement different requirements sets. They can pre-qualify, based on the published requirements, before tendering processes.
Formalising requirements-based testing
The member project on procuring secure equipment also formalised the requirements-based testing. Formalisation allows test results to be shared and enables testing for equipment vendors instead of grid operators. Until now, ENCS was testing the same component for different members. It would be a big efficiency gain to test the component once and share the testing results. Not only would this lower the testing cost, it would also make better use of limited testing capabilities and reduce the time needed for testing.
To allow the test results to be shared, standardised test plans were developed:
- DA-401-2019: Security test plan for distribution automation RTUs
- SM-401-2020: Security test plan for smart meters
- SM-402-2020: Security test plan for data concentrators
- EV-401-2019: Security test plan for EV charging stations
ENCS’s strategic goal is to perform security tests directly for equipment vendors. Then grid operators know at the start of each procurement process which devices meet the security requirements. This should make it much easier to procure secure equipment.