A new study raises questions over the security of the smart grid network, and argues that stronger encryption architecture is needed.
Philipp Jovanovic of the University of Passau, Germany, and Samuel Neves of Portugal’s University of Coimbra analysed the cryptography used in the Open Smart Grid Protocol (OSGP). This is a group of specifications published by the European Telecommunications Standards Institute and used in conjunction with the ISO/IEC 14908 control networking standard for smart grid applications.
More than 4 million OSGP-based smart meters and devices are thought to have been deployed worldwide, making OSGP one of the most widely used network protocols for smart grid applications.
But in tests of several devices, hackers could easily break into most of them.
The researchers said that the authenticated encryption scheme deployed by OSGP is a non-standard composition of RC4 and a home-brewed MAC (message authentication code), known as the ‘OMA digest’.
This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever, the authors concluded.
Improvements are in the pipeline, however.
An April newsletter from the OSGP Alliance stated that the group was preparing an update to the specifications to add further security features to the existing security architecture.
It said: The OSGP Alliance undertakes this security update because the alliance understands that the systems built with the OSGP specifications are an important, vital asset for a utility, and also often an essential element for national security.
The planned security update was motivated by the latest recommended international cybersecurity practices. The group said it would enhance both the primitives used for encryption and authentication as well as the key length, usage, and update rules and mechanisms.
It is important to note that there have not been any reported security breaches of any deployed smart metering or smart grid system built with the current OSGP specifications, and that systems built with these specifications include a comprehensive multi-layer security system that has always been mandatory, the organisation added.
Time will tell whether this update is enough to convince critics that the smart grid network is completely secure.