Open Smart Grid Protocol + > 4m smart devices worldwide = Foolish
Before you get riled up, understand that we love the idea of a Smart Grid and securing America’s electrical infrastructure. (For example, we love the news that Tesla is building a new household battery system that could eventually help utility companies better manage power loads.) With that said, it’s important to take a closer look at the security of new systems in the wild because they are becoming so ubiquitous.
What is the Open Smart Grid Protocol?
The Open Smart Grid Protocol was developed by the Energy Service Network Association (ESNA), which has since been renamed the OSGP Alliance. According to Wikipedia, OSGP is…
” is a highly insecure family of specifications published by the European Telecommunications Standards Institute (ETSI) used in conjunction with the ISO/IEC 14908 control networking standard for smart grid applications. OSGP is optimized to provide reliable and efficient delivery of command and control information for smart meters, direct load control modules, solar panels, gateways, and other smart grid devices. With over 4 million OSGP based smart meters and devices deployed worldwide it is one of the most widely used smart meter and smart grid device networking standards.”
Snarkiness aside, this is a good definition of OSGP. (Note that OSGP is a European standard – one US professional states they’ve never even heard of OSGP.)
Where It All Went Horribly Wrong
While the Open smart grid protocol is a necessity if improvements are going to ever occur with the world’s electrical grids, forgetting about security is not a very good idea. Enter Phillip Jovanovic of the University of Passau in Germany and Samuel Neves of the University of Coimbra in Portugal. They recently published a paper about the protocol’s lack of security.
The white paper is full of technical details and is a good read if you have time and any interest in the future of the Open Smart Grid Protocol. After Jovanovic and Neves released their white paper, a lot of security experts around the world took notice.
— Matthew Green (@matthew_d_green) May 6, 2015
Adam Crain, security researcher and founder of Automatak also had some good advice. He said, “The No. 1 rule of cryptography is ‘Don’t invent your own.’” We would add, “The No. 2 rule of cryptography is that if it’s broke, you should fix it!”
Can the Problem Be Fixed Anytime Soon?
The answer to this question depends on a lot of variables. Again, OGSP is not in wide use outside of Europe, and the OSGP Alliance did issue guidelines (in April) to improve the security aspects of the protocol, though that’s not likely to be finalized until the fall. That said, with enough security experts and others making a fuss, hopefully work will begin to tighten up the security of OSGP sooner than later. Further, this issue may serve as a useful reminder on how NOT to implement cryptography in important infrastructure support software and thus improve future smart grids popping up around the world.
If not, the future may not be bright at all – literally.
Funny and Insightful Slashdot Comments
Here are a few of the stars from the Slashdot community commenting on the matter.
- Homegrown (Insightful)
- Hipster Crypto (Funny)
- OSGP? Never heard of it (Informative)
- Re:How many times do we have to say it? (Informative)
You can also read the entire thread at Slashdot if you want.
The SSL Takeaway
The Open Smart Grid Protocol is a great idea, but with over four million devices in use around the world, a lot more attention should have been paid to OSGP’s overall security design. Unfortunately, that didn’t happen. Now that the problems are known and are being talked about by security experts and armchair pundits, the biggest takeaway lesson should be hammered home: stick to tested, trusted standards when implementing cryptography – and never, ever roll your own.
Are you familiar with Open Smart Grid Protocol or crypto for smart grids, we’d love to hear from you! Leave a comment below and let us know what you think about the problem and any possible solutions you think would work to solve it. Thanks!