In a complex ecosystem, with as many moving parts as the smart metering implementation programme (SMIP), it can be easy for seemingly small but crucial activities to get lost in the noise. The importance of cyber security and the protection of customers’ privacy is clearly at the heart of the smart energy code and the SMIP assurance regime. However, the multi-party nature of the SMIP can make it difficult for participants to identify what they have to do and where they are on the critical path. Commercial product assurance (CPA) requirements are fundamental to help ensure smart metering devices are secured before deployment, adequately planning this workstream is therefore paramount to the SMIP.
The SMIP is a large, complex programme, with a structure that is almost unique in smart metering projects globally. Specific features of the Great Britain programme include the creation of new entities such as the Data Communications Company (DCC), the central body responsible for the management of implementing the data and communications infrastructure smart meters will use, and new regulation governing smart energy in the form of the smart energy code. All of this requires complex interworking between many industry stakeholders, working toward the same objective – to have a smart metering system in every home and small business in Great Britain by 2020.
The testing and assurance regime associated with the SMIP is a critical component of the programme. Many phases need to be completed and milestones reached to ensure that all stakeholders are ready to start mass rollout. The recent delays to the start of the mass rollout (it will now begin in 2016) mean that more and more tasks are being compressed into a shorter delivery period. It is more important than ever to de-risk delivery and to remove every potential roadblock to clear the way to success. That includes manufacturers, communications providers, and energy suppliers completing certification and assurance steps as early as possible. In some instances, in parallel.
Testing and assurance includes many different phases and obligations on different stakeholders. For example, the DCC is responsible for systems integration testing across its supply chain, while energy suppliers are responsible for ensuring that the smart meters they select are compliant with approved smart meter specifications. It is a complex set of interrelated commitments and can be confusing to navigate even for those close to the programme.
The need to ensure that the smart meter infrastructure is secure, and that consumers’ energy usage data measured by the smart meters is private, have both, rightly, long been concerns of the SMIP. As such, CESG (the information security arm of GCHQ, and the national technical authority for information assurance within the UK) was involved in defining the security aspects of the SMIP assurance regime. The involvement of CESG and the requirements its standards put on the programme will ensure that the valuable assets being created are protected, and most critically provide assurance that consumers’ data privacy is secured.
CPA certification is one component of security assurance and is a certification process for devices established and approved by CESG. SMIP participants (with a particular emphasis on meter and communications hub manufacturers and energy suppliers) should be aware that CPA is a separate requirement, independent from other areas of the smart energy code. The smart metering device assurance initiative supported by many device manufacturers and administered by BEAMA, for example, will provide confirmation that the components of smart metering systems are compliant but does not address or provide CPA certification. Participants will either have to seek this certification separately or it may be an exit criteria and so successful completion of the smart meter device assurance process becomes contingent on achieving CPA.
All parts of the smart metering system (both the gas and electricity meters, and the associated communications hub) need to be CPA approved. Energy suppliers are responsible for ensuring that their selected components are compliant, and device manufacturers will be asked to confirm they have certification in place.
There are only a small number of CPA certified test laboratories in the UK, and the process itself is defined and overseen by CESG to a stringent set of criteria and timescales, which everyone has to adhere to in the same way to achieve certification.
The commercial product assurance of SMETS2-compliant devices is a relatively small part of ensuring readiness of the smart metering system but is critical to it staying on track. The specification of SMETS2 is complete, and the CPA process is well-defined, so CPA certification is a step that can be started now. If not, the programme runs the risk of encountering bottlenecks in the supply of test resources, or that commercial product assurance becomes another step to be completed within short timescales as the testing and assurance reaches its later and more complex phases.
KPMG is one of the largest of the UK’s CPA-approved laboratories with 300 small and medium-sized enterprises ready to support device manufacturers through this process.
Amy Marshall is power & utilities director at KPMG; Alejandro Rivas-Vasquez is principal advisor in the KPMG’s cyber security practice