IOActive Identifies Critical Flaws In Next-Gen 'Smart Grid' Energy Infrastructure

Vulnerabilities could further expose the country to attacks on our critical power infrastructure, company says
Seattle, WA—March 23, 2009—IOActive, a leading provider of application and smart grid security services, today announced that the company has verified significant security issues within multiple Smart Grid platforms, which are being positioned to support the nation's next-generation power infrastructure. Smart Grid technology is already deployed by numerous utilities around the country and the vulnerabilities identified by IOActive could further expose the country to attacks on our critical power infrastructure.

Research conducted throughout the industry has independently concluded these technologies are susceptible to common security vulnerabilities such as protocol tampering, buffer overflows, persistent and non-persistent rootkits, and code propagation. These vulnerabilities could result in attacks on the Smart Grid platform, causing utilities to lose momentary system control of their Advanced Metering Infrastructure (AMI) Smart Meter devices to unauthorized third parties. This would expose utility companies to possible fraud, extortion attempts, lawsuits or widespread system interruption. If security is not addressed in the design and implementation of these emerging technologies, it may prove cost-prohibitive to address once the devices are fully deployed in the field.

In a presentation to the Committee of Homeland Security and DHS on March 16, 2009, Joshua Pennell, President and CEO of IOActive, stated: "The Smart Grid infrastructure promises to deliver significant benefits for many generations, but first we need to address its inherent security flaws. Based on our research and the ability to easily introduce serious threats, IOActive believes that the relative security immaturity of the Smart Grid and AMI markets warrants the adoption of proven industry best practices including the requirement of independent third-party security assessments of all Smart Grid technologies that are being proposed for deployment in the Nation's critical infrastructure. We are also recommending that the Smart Grid industry follow a proven formal Security Development Lifecycle, as exemplified by Microsoft's Trustworthy Computing initiative of 2001, to guide and govern the future development of Smart Grid technologies."

The Smart Grid is the automated, widely distributed energy delivery network, characterized by a two-way flow of electricity and information, and will be capable of monitoring everything from power plants to customer preferences to individual appliances. The grid incorporates the benefits of distributed computing and fault-tolerant communications to deliver real-time information and enable the near-instantaneous balance of supply and demand at the device level. Over 2 million Smart Meters are used in the United States today. It is estimated that the more than 73 participating utilities have ordered 17 million additional Smart Meter devices.

About IOActive

IOActive is an industry leader that offers comprehensive security services including software assurance, smart grid security, infrastructure audits, training, incident response, and Governance Risk Compliance. Established in 1998 and headquartered in Seattle, IOActive has attracted many well-known security experts including Dan Kaminsky, Jason Larsen, Steve Wozniak, Wes Brown, Tiller Beauchamp, and Ilja van Sprundel. For additional information please visit: