Academics Slam Insecure Smart Meter Comms

The Open Smart Grid Protocol is a communications specification published by the European Telecommunications Standards Institute (ETSI) for use with smart meters and other smart grid devices. There are over 4 million smart meters that use OSGP, making it one of the most common network standards for smart grids. However, Philipp Jovanovic of the University of Passau, Germany, and Samuel Neves of the University of Coimbra, Portugal, have published a paper which sharply criticizes the cryptography used in OSGP. Their paper is entitled: “Dumb Crypto in Smart Grids”.

As the researchers point out, the aim is to ensure the privacy of the data transmitted whilst also guaranteeing integrity and authenticity. They conclude that they designed practical attacks that would break both the confidentiality and authenticity of OSGP.

We have presented a thorough analysis of the OMA digest specified in OSGP. This function has been shown to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever. We described multiple attacks having different levels of applicability in the context of OSGP…

In summary, the work at hand is another entry in the long list of examples of flawed authenticated encryption schemes, and shows once more how easily a determined attacker can break the security of protocols based on weak cryptography.

Meanwhile, the OSGP Alliance, promoters of the OSGP standard, have recently announced an upgrade to OSGP that will add additional security features.

We should thank Jovanovic and Neves for their hard work. Researchers like them help to keep businessmen honest, by highlighting the dangers of taking shortcuts with security. You can download Jovanovic and Neves’ paper on OSGP security from here.

Eric Priezkalns
Eric Priezkalns
Eric is a recognized expert on communications risk and assurance. He was Director of Risk Management for Qatar Telecom and has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and others.

Eric was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He was a member of Qatar's National Committee for Internet Safety and the first leader of the TM Forum's Enterprise Risk Management team. Eric currently sits on the committee of the Risk & Assurance Group. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.

Commsrisk is edited by Eric. Look here for more about Eric's history as editor.