This blog was originally posted on Comverge.com. Itron acquired Comverge on June 1, 2017, and  all future demand response blogs will be posted here. 

As I outlined in my first blog post, Comverge’s cybersecurity approach is based on a Defense in Depth strategy that includes a security-aware systems IntelliDEFENSEBlogdevelopment life cycle (SDLC) that promotes threat reduction through vulnerability research.

As part of Comverge’s ongoing commitment to ensure the security and integrity of our DirectLink load control switches and smart thermostats and all related sensitive information, Comverge engaged Optiv, the largest comprehensive pure-play cyber security solutions provider in North America, to perform a research assessment of the DirectLink Server. Optiv has served more than 12,000 clients of various sizes across multiple industries, offers an extensive geographic footprint, and has premium partnerships with more than 300 of the leading security product manufacturers.

Optiv researchers worked with Comverge to construct a detailed threat model that enumerated the system’s various components, realistic attack vectors, as well as the “threat actors” who may wish to misuse this technology. Optiv researchers and Comverge developers collaborated to derive a testing methodology tailored to DirectLink and the needs of Comverge’s customers.

Optiv performed a review of the relevant hardware platforms. These efforts included disassembly and analysis of Comverge’s devices as they pertain to the established threat model. Researchers performed a hardware teardown of the devices, analyzed their components.

Optiv researchers also reviewed the source code using automated tools and manual analysis looking for security related vulnerabilities or more general best practice violations. Optiv researchers used debugging hardware and software to analyze a DirectLink system while it was operational. These efforts allowed researchers to search for vulnerabilities that might arise during the product’s day-to-day operation. This dynamic analysis is similar to the actions taken by active reverse engineering efforts used in sophisticated attacks against infrastructure.

At the conclusion of the assessment Optiv expressed the opinion that Comverge partners can be assured that we performed proper due diligence by engaging an experienced and trusted third party to independently evaluate our products from an information security standpoint. Finally, our clients can be assured that Comverge is following a best practices approach to continually improve our organizations maturity and meet or exceed industry standards for information security.

Fernando Alvarez