The member project on procuring secure equipment, which started in 2019, aimed to:
- Harmonize security requirements for procuring different types of components;
- Formalize the requirements-based testing method that ENCS has developed.
Since its founding, ENCS has supported its members in procuring secure equipment. ENCS has developed security requirements for different domains, and a requirements-based testing method. Combined, these have helped members to get more secure equipment in tenders. By setting a clear and achievable standard for manufacturers, the requirements and testing method can help to raise the overall security level in the market.
The project covered four areas:
- Distribution automation
- Smart metering
- Electric vehicle charging
- IoT sensors for the grid
For each of these areas, the project delivered:
- a risk assessment
- a market survey
- a set of procurement requirements
- a test plan to verify the requirements
Harmonising the security requirements
In the member project, ENCS harmonised four requirements sets, developed over the previous years:
- DA-301-2019: Security requirements for procuring DA RTUs
- SM-301-2020: Security requirements for procuring smart meters
- SM-302-2020: Security requirements for procuring data concentrators
- EV-301-2019: Security requirements for procuring EV charging stations
The requirements were put into a common format, aligned with international standards such as ISO/IEC 27000, IEC 62443, IEC 62351, and OCPP.
ENCS performed a risk assessment for each of the above areas. It then defined a security architecture and derived procurement requirements. The feasibility of the requirements was checked in a market survey among vendors.
With harmonized requirements used by European grid operators, vendors no longer need to implement different requirements sets. They can pre-qualify based on the published requirements before tendering processes start.
Formalising requirements-based testing
The member project on procuring secure equipment also formalized the requirements-based testing. Formalisation allows test results to be shared and enables testing for equipment vendors instead of grid operators. Until now, ENCS has been testing the same component for different members. It would be a big efficiency gain to test the component once and share the testing results. Not only would this lower the testing cost, it would also make better use of limited testing capabilities and reduce the time needed for testing.
To allow the test results to be shared, standardised test plans were developed:
- DA-401-2019: Security test plan for distribution automation RTUs
- SM-401-2020: Security test plan for smart meters
- SM-402-2020: Security test plan for data concentrators
- EV-401-2019: Security test plan for EV charging stations
ENCS’s strategic goal is to perform security tests directly for equipment vendors. Then grid operators know at the start of each procurement process which devices meet the security requirements. This should make it much easier to procure secure equipment.