Academics Slam Insecure Smart Meter Comms

The Open Smart Grid Protocol is a communications specification published by the European Telecommunications Standards Institute (ETSI) for use with smart meters and other smart grid devices. There are over 4 million smart meters that use OSGP, making it one of the most common network standards for smart grids. However, Philipp Jovanovic of the University of Passau, Germany, and Samuel Neves of the University of Coimbra, Portugal, have published a paper which sharply criticizes the cryptography used in OSGP. Their paper is entitled: “Dumb Crypto in Smart Grids”.

As the researchers point out, the aim is to ensure the privacy of the data transmitted whilst also guaranteeing integrity and authenticity. They conclude that they designed practical attacks that would break both the confidentiality and authenticity of OSGP.

We have presented a thorough analysis of the OMA digest specified in OSGP. This function has been shown to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever. We described multiple attacks having different levels of applicability in the context of OSGP…

In summary, the work at hand is another entry in the long list of examples of flawed authenticated encryption schemes, and shows once more how easily a determined attacker can break the security of protocols based on weak cryptography.

Meanwhile, the OSGP Alliance, promoters of the OSGP standard, have recently announced an upgrade to OSGP that will add additional security features.

We should thank Jovanovic and Neves for their hard work. Researchers like them help to keep businessmen honest, by highlighting the dangers of taking shortcuts with security. You can download Jovanovic and Neves’ paper on OSGP security from here.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.