OSGP update doesn't use RC4 encryption that researchers say vulnerable to attack

While the Open Smart Grid Protocol (OSGP) last July released a new security suite that doesn't incorporate the vulnerable RC4 encryption method, known weaknesses of RC4, used in earlier generation OSGP devices that have not updated to the new standard, could "be exploited to successfully to attack the OSGP implementation as well," researchers Linus Feiten and Matthias Sauer wrote in May.

A year ago, after advising that better security would be implemented, the OSGP Alliance made good on that promise and released its OSGP-AES-128-PSK specification 128-bit encryption, then waited for utilities to adopt it. "New devices include the update and even OSGP smart meters installed more than 10-years ago have been remotely updated to support this," the OSGP Alliance wrote in a letter to SCMagazine.com. 

Feiten and Sauer claim to have the ability to extract the secret key used in the OSGP's RC4 stream cipher. “Our new method comprises the modification of a known attack exploiting biases in the RC4 cipher stream output to effectively calculate the secret encryption key. Once this secret key is obtained, it can be used to decrypt all intercepted data sent in an OSCP smart grid,” Sauer and Feiten explained in their research.

Decrypting the secret key can expose the energy consumption of an individual customer. An attacker out to do harm could then create messages reporting incorrect information to the grid operator.

CORRECTION: An earlier version of this story said that RC4 was hacked again and that grid operators had to wait for vendor support to switch to the new security suite. The OSGP Alliance emphasized that "the new security suite for OSGP (OSGP-AES-128-PSK) has been implemented and does not use RC4." The update has been available for utilities (grid operators) to adopt.