March 23, 2009

FOR IMMEDIATE RELEASE Contact:

Jennifer Steffens
202.409.7707
jsteffens@ioactive.com
www.ioactive.com

IOACTIVE VERIFIES CRITICAL FLAWS IN NEXT GENERATION ENERGY

INFRASTRUCTURE

Company Cautions Against Wider Adoption of Smart Grid Technology Until Security
Risks are Mitigated and Industry Adopts a Security Development Lifecycle

Seattle, WA—March 23, 2009—IOActive, a leading provider of application and smart

grid security services, today announced that the company has verified significant
security issues within multiple Smart Grid platforms, which are being positioned to
support the nation’s next-generation power infrastructure. Smart Grid technology is
already deployed by numerous utilities around the country and the vulnerabilities
identified by IOActive could further expose the country to attacks on our critical power
infrastructure.

Research conducted throughout the industry has independently concluded these

technologies are susceptible to common security vulnerabilities such as protocol
tampering, buffer overflows, persistent, and non-persistent rootkits and code
propagation. These vulnerabilities could result in attacks to the Smart Grid platform,
causing utilities to lose momentary system control of their Advanced Metering
Infrastructure (AMI) Smart Meter devices to unauthorized third parties. This would
expose utility companies to possible fraud, extortion attempts, lawsuits or widespread
system interruption. If security is not addressed in the design and implementation of
these emerging technologies, it may prove cost prohibitive to address them once the
devices are fully deployed.

In a presentation to the Committee of Homeland Security and DHS on March 16, 2009,
Joshua Pennell, President and CEO of IOActive stated: “The Smart Grid infrastructure
promises to deliver significant benefits for many generations, but first we need to
address its inherent security flaws. Based on our research and the ability to easily
introduce serious threats, IOActive believes that the relative security immaturity of the
Smart Grid and AMI markets warrants the adoption of proven industry best practices
including the requirement of independent third-party security assessments of all Smart
Grid technologies that are being proposed for deployment in the Nation’s critical
infrastructure. We are also recommending that the Smart Grid industry follow a proven
formal Security Development Lifecycle, as exemplified by Microsoft’s Trustworthy
Computing initiative of 2001, to guide and govern the future development of Smart Grid
technologies.”
The Smart Grid is the automated, widely distributed energy delivery network that is
characterized by a two-way flow of electricity and information and will be capable of
monitoring everything from power plants to customer preferences to individual
appliances. The grid incorporates the benefits of distributed computing and fault-tolerant
communications to deliver real-time information and enable the near-instantaneous
balance of supply and demand at the device level. Over 2 million Smart Meters are
used in the United States today. It is estimated that the more than 73 participating
utilities have ordered 17 million additional Smart Meter devices.

About IOActive
IOActive is an industry leader that offers comprehensive security services including
software assurance, smart grid security, infrastructure audits, training, incident
response, and Governance Risk Compliance. Established in 1998 and headquartered in
Seattle, IOActive has attracted many well-known security experts including Dan
Kaminsky, Jason Larsen, Steve Wozniak, Wes Brown, Tiller Beauchamp, and Ilja van
Sprundel. For additional information please visit: www.ioactive.com.