OWASP AppSec DC 2012/AMI Security


The Presentation

Advanced Metering Infrastructure (AMI) is the most exposed part of the Smart Grid. Its public-facing devices include smart meters on the sides of businesses and houses and aggregation points on top of telephone poles. But the risks and vulnerabilities do not stop there. The back-end resources of an AMI implementation are potentially vulnerable to the same threat vectors as everyday web-based business solutions. Cross-site scripting, cross-site request forgery, insufficient network monitoring, and questionable web server and database configurations all increase the risk to the AMI deployment and to the electrical grid itself. This presentation will outline these vulnerabilities and provide recommendations that increase the security of an AMI deployment and the reliability of the electrical infrastructure it supports. It will cover the following topics:

- AMI implementation overview, from smart meters to the back-end resources
- Smart meter hacking techniques and mitigations
- FHSS (frequency-hopping spread spectrum) analysis techniques and mitigations
- Network configuration and monitoring concerns and mitigations
- Web application vulnerabilities and mitigations

The Speakers

John Sawyer

John Sawyer is a Senior Security Analyst with InGuardians specializing in network and web application penetration testing. John's experience in enterprise IT security includes penetration testing, system and network hardening, intrusion analysis, and digital forensics.

John has developed and taught cyber security training for a large university and spoken at events for industry and law enforcement. He has consulted with federal, state, and local law enforcement agencies on malware analysis, hacker attacks, and digital forensics. John is the author of the popular blog, "Evil Bytes", at, and a member of the winning team from DEF CON 14 and 15's Capture the Flag competition.

Don Weber

Don Weber is a jack of all trades and hardware analysis expert at InGuardians. He specializes in physical and information technology penetration testing, web assessments, wireless assessments, architecture review, incident response and digital forensics, product research, hardware research, code review, security tool development, and more. Don currently focuses on hardware research, specifically the technologies in the products that make up the Smart Grid. He has implemented various communication protocols and microprocessor disassemblers and emulators for research, testing, and risk assessment of these technologies.

Gold Sponsors

Aspect Security, Securicon, Mandiant, (ISC)²

Silver Sponsors

Small Business

sideas, BayShore Networks

Codenomicon, WhiteHat, HP, WSI