
3/23/2009
02:02 PM
Dark Reading
Products and Releases

IOActive Identifies Critical Flaws In Next-Gen 'Smart Grid' Energy Infrastructure

Vulnerabilities could further expose the country to attacks on our critical power infrastructure, company says

Seattle, WA—March 23, 2009—IOActive, a leading provider of application and smart grid security services, today announced that the company has verified significant security issues within multiple Smart Grid platforms, which are being positioned to support the nation's next-generation power infrastructure. Smart Grid technology is already deployed by numerous utilities around the country and the vulnerabilities identified by IOActive could further expose the country to attacks on our critical power infrastructure.

Research conducted throughout the industry has independently concluded these technologies are susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation. These vulnerabilities could result in attacks on the Smart Grid platform, causing utilities to lose momentary system control of their Advanced Metering Infrastructure (AMI) Smart Meter devices to unauthorized third parties. This would expose utility companies to possible fraud, extortion attempts, lawsuits, or widespread system interruption. If security is not addressed in the design and implementation of these emerging technologies, it may prove cost-prohibitive to address once the devices are fully deployed in the field.

In a presentation to the Committee of Homeland Security and DHS on March 16, 2009, Joshua Pennell, President and CEO of IOActive, stated: "The Smart Grid infrastructure promises to deliver significant benefits for many generations, but first we need to address its inherent security flaws. Based on our research and the ability to easily introduce serious threats, IOActive believes that the relative security immaturity of the Smart Grid and AMI markets warrants the adoption of proven industry best practices including the requirement of independent third-party security assessments of all Smart Grid technologies that are being proposed for deployment in the Nation's critical infrastructure. We are also recommending that the Smart Grid industry follow a proven formal Security Development Lifecycle, as exemplified by Microsoft's Trustworthy Computing initiative of 2001, to guide and govern the future development of Smart Grid technologies."

The Smart Grid is the automated, widely distributed energy delivery network, characterized by a two-way flow of electricity and information, that will be capable of monitoring everything from power plants to customer preferences to individual appliances. The grid incorporates the benefits of distributed computing and fault-tolerant communications to deliver real-time information and enable the near-instantaneous balance of supply and demand at the device level. Over 2 million Smart Meters are used in the United States today. It is estimated that the more than 73 participating utilities have ordered 17 million additional Smart Meter devices.

About IOActive

IOActive is an industry leader that offers comprehensive security services including software assurance, smart grid security, infrastructure audits, training, incident response, and Governance Risk Compliance. Established in 1998 and headquartered in Seattle, IOActive has attracted many well-known security experts including Dan Kaminsky, Jason Larsen, Steve Wozniak, Wes Brown, Tiller Beauchamp, and Ilja van Sprundel. For additional information please visit: www.ioactive.com.
