Not so - from Threat Post:
Weak Homegrown Crypto Dooms Open Smart Grid Protocol
In the three years since its inception, the Open Smart Grid Protocol has found its way into more than four million smart meters and similar devices worldwide.
And like its SCADA, industrial control system, and embedded system brethren, it’s rife with security issues.
A bit more - stupid mistake:
The paper, “Dumb Crypto in Smart Grids: Practical Cryptanalysis of the Open Smart Grid Protocol” explains how the authenticated encryption scheme used in the OSGP is open to numerous attacks—the paper posits a handful—that can be pulled off with minimal computational effort. Specifically under fire is a homegrown message authentication code called OMA Digest.
“This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever,” the researchers wrote.
And more:
Adam Crain, security researcher and founder of Automatak, who has published research on the DNP3 protocol used in industrial control system communication, said the use of a homegrown digest function is a “big red flag.”
“Protocol designers should stick to known good algorithms or even the ‘NIST-approved’ short list,” Crain said. “In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials.”
By comparison, Crain said he implements DNP3 Secure Authentication, which is an IEEE standard.
“By contrast, they use the NIST-approved digest functions known as HMAC-SHA256 and AES-GMAC, which are currently considered ‘strong authentication,’” Crain said. “The No. 1 rule of cryptography is ‘Don’t invent your own.’”
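What following Crain's advice looks like in practice, as an added illustration (not code from the paper, Threat Post, or any OSGP implementation): a meter frame authenticated with a standard HMAC-SHA256 tag instead of a homegrown digest, verified in constant time, with a per-meter sequence counter so a captured frame cannot simply be replayed. The frame layout, the meter key and the 16-byte tag truncation are assumptions for the example.

```python
import hmac
import hashlib
import struct

# Constructed per-meter 256-bit key; in a real deployment it comes from
# provisioning or a key-derivation step, never from a constant in code.
METER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
HEADER = ">IIH"          # meter id, sequence counter, payload length
HEADER_LEN = struct.calcsize(HEADER)
TAG_LEN = 16             # HMAC-SHA256 output truncated to 128 bits

def build_frame(meter_id: int, seq: int, payload: bytes) -> bytes:
    """Header followed by payload; the tag covers all of it."""
    return struct.pack(HEADER, meter_id, seq, len(payload)) + payload

def tag(key: bytes, frame: bytes) -> bytes:
    """Standard MAC (HMAC-SHA256) over header + payload, as Crain recommends."""
    return hmac.new(key, frame, hashlib.sha256).digest()[:TAG_LEN]

def protect(key: bytes, meter_id: int, seq: int, payload: bytes) -> bytes:
    """Sender side: frame || tag."""
    frame = build_frame(meter_id, seq, payload)
    return frame + tag(key, frame)

class Verifier:
    """Receiver side: checks the tag first, then rejects stale/replayed counters."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}   # meter id -> highest accepted sequence number

    def accept(self, msg: bytes):
        """Return (meter_id, seq, payload) for a genuine fresh frame, else None."""
        if len(msg) < HEADER_LEN + TAG_LEN:
            return None
        frame, received_tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        meter_id, seq, length = struct.unpack(HEADER, frame[:HEADER_LEN])
        if length != len(frame) - HEADER_LEN:
            return None
        # Verify before trusting any field; compare_digest avoids timing leaks.
        if not hmac.compare_digest(received_tag, tag(self.key, frame)):
            return None
        if seq <= self.last_seq.get(meter_id, -1):
            return None      # replayed or out-of-order stale frame
        self.last_seq[meter_id] = seq
        return meter_id, seq, frame[HEADER_LEN:]
```

Tampering with any byte of the header or payload, or re-sending an already accepted frame, makes `accept` return None.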
Wikipedia has a decent writeup on smart grid technology - the idea is that the flow of power can be directed to manage peak loads (substation and distribution automation) as well as measurement and metering. Someone could bring this to a screeching halt with a few keystrokes, and all because some idiot programmer thought it would be cool to write their own encryption routine. Talk about hubris - I hope that person gets fired ASAP - this is an unconscionable lapse in judgment.