Michael Mimoso discusses a paper deconstructing and analyzing the cryptography in use with the Open Smart Grid Protocol and how homebrewed Smart Grid cryptography will likely be a disastrous choice:
The paper, “Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol” explains how the authenticated encryption scheme used in the OSGP is open to numerous attacks—the paper posits a handful—that can be pulled off with minimal computational effort. Specifically under fire is a homegrown message authentication code called OMA Digest.
“This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever,” the researchers wrote.
Most security researchers even anecdotally knowledgable in cryptography understand homegrown crypto is a terrible design decision. It’s use in the Open Smart Grid Protocol is anything but smart.
Adam Crain, security researcher and founder of Automatak who has published research on the DNP3 protocol used in industrial control system communication, said the use of a homegrown digest function is a “big red flag.”
“Protocol designers should stick to known good algorithms or even the ‘NIST-approved’ short list,” Crain said. “In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials.”
Scary design choices in what is generally considered the next major security frontier. This is where we need the brightest minds applying sound security principles, not security through obscurity.