Over the last decade, technological advances in smart grids have permitted the modernization of legacy electricity networks. As Internet of Things (IoT)-based smart grids are becoming an efficient response to managing changing electric demand, the heterogeneous network of equipment required to make these Cyber-Physical Systems a reality poses some security threats. This paper proposes a novel mutual authentication and key agreement scheme to ensure communications security and protect users’ privacy in smart grid applications. In the proposed scheme (named EPSG), an Elliptic Curve Cryptography (ECC) module and a Physical Unclonable Function (PUF) are used simultaneously to provide acceptable confidentiality and integrity levels. The security analysis demonstrates that EPSG has a robust security posture both against attacks on messages transferred over the communication channel and against physical attacks. In addition, EPSG is resistant to modeling attacks, one of the main vulnerabilities of PUF modules. Furthermore, by implementing EPSG on an Arduino UNO microcontroller, a comparative performance evaluation in terms of computational complexity, communication overhead, and power consumption demonstrates the efficiency of the proposed scheme.