March 23, 2009FOR IMMEDIATE RELEASE Contact:Jennifer Steffens202.409.7707 jsteffens@ioactive.comwww.ioactive.com
IOACTIVE VERIFIES CRITICAL FLAWS IN NEXT GENERATION ENERGYINFRASTRUCTURE
Company Cautions Against Wider Adoption of Smart Grid Technology Until Security Risks are Mitigated and Industry Adopts a Security Development Lifecycle
Seattle, WA—March 23, 2009—IOActive, a leading provider of application and smartgrid security services, today announced that the company has verified significantsecurity issues within multiple Smart Grid platforms, which are being positioned tosupport the nation’s next-generation power infrastructure. Smart Grid technology isalready deployed by numerous utilities around the country and the vulnerabilitiesidentified by IOActive could further expose the country to attacks on our critical powerinfrastructure.Research conducted throughout the industry has independently concluded thesetechnologies are susceptible to common security vulnerabilities such as protocoltampering, buffer overflows, persistent, and non-persistent rootkits and codepropagation. These vulnerabilities could result in attacks to the Smart Grid platform,causing utilities to lose momentary system control of their Advanced MeteringInfrastructure (AMI) Smart Meter devices to unauthorized third parties. This wouldexpose utility companies to possible fraud, extortion attempts, lawsuits or widespreadsystem interruption. If security is not addressed in the design and implementation ofthese emerging technologies, it may prove cost prohibitive to address them once thedevices are fully deployed.In a presentation to the Committee of Homeland Security and DHS on March 16, 2009,Joshua Pennell, President and CEO of IOActive stated: “The Smart Grid infrastructurepromises to deliver significant benefits for many generations, but first we need toaddress its inherent security flaws. Based on our research and the ability to easilyintroduce serious threats, IOActive believes that the relative security immaturity of theSmart Grid and AMI markets warrants the adoption of proven industry best practicesincluding the requirement of independent third-party security assessments of all SmartGrid technologies that are being proposed for deployment in the Nation’s criticalinfrastructure. We are also recommending that the Smart Grid industry follow a provenformal Security Development Lifecycle, as exemplified by Microsoft’s TrustworthyComputing initiative of 2001, to guide and govern the future development of Smart Gridtechnologies.”
Leave a Comment