IOActive's Mike Davis to Unveil Smart Grid Research at Black Hat USA

IOActive Senior Security Consultant Discusses Security Vulnerabilities and Simulates a Worm Attack in Smart Meter Platforms

SEATTLE, WA--(Marketwire - July 28, 2009) - IOActive, a leading provider of software assurance, compliance, and Smart Grid security services, today announced that Mike Davis, a Senior Security Consultant, will present Smart Grid Device Security at this week's Black Hat briefings in Las Vegas. This highly anticipated talk highlights the critical research Davis has spearheaded at IOActive over the last year, resulting in an increased industry focus on securing the Smart Grid.

The vision of the "Smart Grid" promises to combine the power of distributed computing with highly fault-tolerant data communications to deliver real-time distribution of power. Within this infrastructure, smart meters represent an important piece of the end-point distribution segment of the Smart Grid. With the stimulus package pushing for complete adoption of smart meters by utilities across the US, the promise of the Smart Grid is quickly becoming a reality.

While the benefits of the Smart Grid are undisputed, it is critical to consider the security of the infrastructure as well. In their research efforts to identify potential risks and threat vectors, Davis and a team of IOActive researchers developed proof-of-concept malicious code that self-propagated in a peer-to-peer fashion from one meter to the next. In his talk, Davis will present a simulation of this attack, showing how quickly the malicious code can propagate throughout a neighborhood, ultimately causing power disconnections and calibration modifications rendering the meters inoperable.

Davis' research uncovered that common attack techniques, including buffer overflows and persistent and non-persistent rootkits, could be assembled into self-propagating malicious software used to attack Smart Meters. These vulnerabilities could result in attacks against the Smart Grid, causing utilities to briefly lose system control of their AMI Smart Meters and exposing them to fraud, extortion attempts or widespread system interruption.

Despite the severity of his findings, Davis will discuss his optimism for the future of the Smart Grid and suggestions for developing more secure meters.

"Many of the security vulnerabilities we found are pretty frightening and most smart meters don't even use encryption or ask for authentication before carrying out sensitive functions like running software updates and severing customers from the power grid," according to Davis. "We hope that by informing people that these serious vulnerabilities exist, it will prompt vendors to mitigate existing vulnerabilities and increase security in future products."

Davis' presentation is scheduled for Thursday, July 30 from 4:45-6:00pm in the Milano Ballroom. In addition, IOActive's team will discuss their research at booth #63.

