Hi all,

As discussed on the call, here's the news I mentioned about NIST IR 7823:

This month, the National Institute of Standards and Technology (NIST) published the final form of a document that Scott Shorter from Electrosoft coauthored with NIST scientist Michaela Iorga: NIST Interagency Report (NISTIR) 7823, entitled “Advanced Metering Infrastructure Smart Meter Upgradeability Test Framework.” NISTIR 7823 provides test methods for determining compliance with the voluntary industry standards on firmware upgradeability published by the National Electrical Manufacturers Association (NEMA). The NEMA standard provides functional and security requirements for smart meters and upgrade management systems to upgrade firmware in a secure manner.

NEMA SG-AMI 1-2009 was published 2009-09-25 to “[define] requirements for smart meter firmware upgradeability in the context of an advanced metering infrastructure system for industry stakeholders such as regulators, utilities and vendors.” It is currently distributed as part of NEMA's Smart Meter Standards Package, which is billed as requirements and guidance on electricity metering within the United States. The test framework we developed is a very comprehensive test method for a fairly weakly specified standard, and in light of updated NIST guidance on protection of BIOS, it is overdue for an update. Scott Shorter will be blogging this month on the topic of firmware upgradeability as a security feature, the ways that security feature can be abused, and recommended security considerations for when the firmware upgradeability standard is revisited, whether as an update by NEMA or if adopted as an ANSI C.12 standard.

-
Scott


--
==============================================================
Scott Shorter, Principal Security Engineer
Electrosoft  Fueling Customer Success Through Outstanding Value and Trust!
Woman-Owned, Minority-Owned Small Business | ISO 9001 | CMMI Level 2 
1893 Metro Center Drive; Ste 228; Reston, VA 20190
(703) 437-9451 x21 (office);   (240) 994-7793 (cell)
sshorter@electrosoft-inc.com (Email);   http://www.electrosoft-inc.com (Web)
==============================================================