July 28, 2009
FOR IMMEDIATE RELEASE
Contact:
Jennifer Steffens
202.409.7707
marketing@ioactive.com
www.ioactive.com

IOACTIVE'S MIKE DAVIS TO UNVEIL SMART GRID RESEARCH AT BLACK HAT USA

IOActive Senior Security Consultant discusses security vulnerabilities and simulates a worm attack in smart meter platforms.

Seattle, Wash—July 28, 2009. IOActive, a leading provider of software assurance, compliance, and Smart Grid security services, today announced that Mike Davis, a Senior Security Consultant, will present Smart Grid Device Security at this week's Black Hat briefings in Las Vegas. This highly anticipated talk highlights the critical research Davis has spearheaded at IOActive over the last year, resulting in an increased industry focus on securing the Smart Grid.

The vision of the "Smart Grid" promises to combine the power of distributed computing with highly fault-tolerant data communications to deliver real-time distribution of power. Within this infrastructure, smart meters represent an important piece of the end-point distribution segment of the Smart Grid. With the stimulus package pushing for complete adoption of smart meters by utilities across the US, the promise of the Smart Grid is quickly becoming a reality.

While the benefits of the Smart Grid are undisputed, it is critical to consider the security of the infrastructure as well. In their research efforts to identify potential risks and threat vectors, Davis and a team of IOActive researchers developed proof-of-concept malicious code that self-propagated in a peer-to-peer fashion from one meter to the next. In his talk, Davis will present a simulation of this attack, showing how quickly the malicious code can propagate throughout a neighborhood, ultimately causing power disconnections and calibration modifications rendering the meters inoperable.

Davis' research revealed that common attack techniques, including buffer overflows and persistent and non-persistent rootkits, could be assembled into self-propagating malicious software used to attack smart meters. These vulnerabilities could result in attacks against the Smart Grid, causing utilities to briefly lose system control of their AMI meters and exposing them to fraud, extortion attempts, or widespread system interruption.

Despite the severity of his findings, Davis will discuss his optimism for the future of the Smart Grid and suggestions for developing more secure meters.

"Many of the security vulnerabilities we found are pretty frightening and most smart meters don't even use encryption or ask for authentication before carrying out sensitive functions like running software updates and severing customers from the power grid," Davis reported. "We hope that by informing people that these serious vulnerabilities exist, it will prompt vendors to mitigate existing vulnerabilities and increase security in future products."

Davis' presentation is scheduled for Thursday, July 30 from 4:45-6:00pm in the Milano Ballroom. In addition, IOActive's team will discuss their research at booth #63.

About IOActive

IOActive is an industry leader that offers comprehensive security services including software assurance, smart grid security, infrastructure audits, training, incident response, PCI compliance, and risk management. IOActive has attracted many well-known security experts including Dan Kaminsky, Jason Larsen, Steve Wozniak, Mike Davis, and Ilja van Sprundel. More information is available at www.ioactive.com.

About Mike Davis

Mike Davis is a Senior Security Consultant at IOActive, experienced in enterprise-level application assessment and consultation. At IOActive he performs penetration testing, identifies system vulnerabilities, and designs custom security solutions for clients in software development, telecommunications, financial services, and professional services. He and fellow IOActive researchers recently discovered significant security vulnerabilities in meters being deployed in the Smart Grid, and he helped disclose this information to White House officials. Davis is also responsible for driving IOActive's efforts to perform cutting-edge security assessments on retailer point of sale terminals, advanced computing chipsets, and gas station management infrastructure.

-###-