Image via Freepik
As does any leading-edge technology, the field of EV charging is up against more than a few challenges. EV charging infrastructure cybersecurity has surfaced as one of the most pressing concerns the industry must face.
What are the cybersecurity threats that EV charging infrastructure companies might face? What is the industry doing about these threats? And, most importantly, how can EV charging station owners protect themselves from cyberattacks?
The scientists at Sandia National Laboratories concluded a comprehensive study of the EV charging industry’s cybersecurity challenges, releasing their report late in 2022. The study identified the most critical challenges and recommended solutions to help the industry gain a secure foothold in the nation’s transportation sector.
Currently, petroleum fuels supply 90% of the energy for the United States transportation industry. Here are some cybersecurity challenges the EV charging infrastructure industry must overcome to emerge as the dominant player in the transportation energy supply sector.
1. A Lack of Industry-Wide Cybersecurity Standards and Best Practices
The Sandia study pointed out that the EV infrastructure industry has not yet adopted a “comprehensive…cybersecurity approach and…best practices.” Since EV charging stations connect to the nation’s electrical grid, lacking such an approach could give rise to grid failure — a massive catastrophe.
However, the EV charging infrastructure industry has taken several steps to standardize approaches to security and other issues. The rise of industry-wide EV charging infrastructure seminars and events allows cybersecurity industry experts to make their case for a standardized approach to EV cybersecurity worldwide.
2. A Need for Organizational Change Among EV Charging Companies
In Dark Reading, a leading cybersecurity publication, Drivz’s head of information security, Shachar Inbar, singles out the need for better organization within an EV charging company’s corporate structure.
He recommends that EV charging infrastructure companies appoint a chief information security officer to nail down the security parameters for the company’s digital assets. This C-suite executive, he says, should coordinate their approach with the company’s chief technology officer to harden both IT and EV charging infrastructure security.
3. Securing the Nation’s EV Charging Equipment
The explosive growth of the EV charging industry has sparked an interest in adding EV charging stations to existing gas stations and convenience stores. However, although the stations’ owners and managers might have expertise in retail management, they often lack knowledge of the finer points of cybersecurity as it applies to EV charging technology.
Enter DEKRA. This cybersecurity company now offers three levels of certification that can give station operators the confidence that their equipment is up to speed with the growing industry’s increased cybersecurity needs.
- Level 1 certification assures a station that its equipment meets basic cybersecurity requirements.
- Level 2 certification includes an SPLDC (a software program line design choice) assessment and requires the station’s equipment to meet advanced security requirements.
- Level 3 certification provides stations with penetration testing for station owners’ ultimate peace of mind.
4. Protecting the Grid From Massive Cyberattacks From EV Charging Entry Points
Image via Freepik
One of the most startling facts to emerge from the Sandia study is the grid’s vulnerability to cyberattacks from entry points within the EV charging infrastructure industry.
Researchers found widespread vulnerabilities in chargers themselves. They discovered that the equipment’s Ethernet, USB, and Wi-Fi maintenance ports presented opportunities for hackers to affect an entire charger network through a single charger.
Brian Wright, a researcher who participated in the study, said, “Can the grid be affected by electric vehicle charging equipment? Absolutely. Would that be a challenging attack to pull off? Yes. It is within the realm of what bad guys could and would do in the next 10 to 15 years. That’s why we need to get ahead of the curve in solving these issues.”
Solution A: Use Plug-and-Charge Public Key Infrastructure
Fortifying EV owners’ authentication and authorization with “plug-and-charge” public key infrastructure would go a long way toward preventing hackers from accessing the grid through EV charging infrastructure entry points. The study also recommended that charging companies install an alert system to notify owners when someone changes the charging equipment.
Solution B: Consider Code-Signing Firmware Updates and Intrusion Detection Systems
Image via Freepik
In addition, EV charging infrastructure providers must prevent hackers from intruding through cloud updates. Adding code-signing firmware updates and intrusion detection systems, the researchers said, would ensure the authenticity of any updates before installing them on the system.
5. A Need for Governmental Oversight on EV Charging Cybersecurity Issues
Image via Freepik
The EV charging industry has one vulnerability many businesses lack — a direct connection to the nation’s electrical grid. The data exchange necessary to conduct vehicle-to-grid (V2G) energy transfers that serve as backups during power outages presents an opportunity for bad actors to do significant harm to the grid.
Since the electrical grid impacts national security, many cybersecurity experts contend that the nation should create a sensible regulatory structure to protect the grid from a hacker-induced disaster.
Some preliminary steps are already underway as the US government strives to get a handle on this rapidly growing industry. For instance, companies who apply for National Electric Vehicle Infrastructure (NEVI) funding must meet minimum cybersecurity standards to qualify for federal assistance, as GCN’s Chris Teale notes.
That’s a great start. However, Congress should consider putting a comprehensive regulatory framework into law to provide the protection our EV charging networks need to stay safe from cyberattacks.
Solution A: Prohibit Sales of EV Charging Infrastructure That Don’t Adhere to Strict Standards
Teale suggests that US lawmakers adopt a version of Singapore’s standards for IoT devices to govern EV infrastructure. Singapore law requires IoT vendors to adhere to strict cybersecurity guidelines to sell their products legally throughout the country. Indeed, the US legislature could create such standards for EV charging stations and supporting infrastructure.
Solution B: Partner With Other Advanced Nations in Creating Common Standards
Partnering with other advanced nations, the US government could lead the way in creating common standards for building EV infrastructure. “If there were a common infrastructure or software for EV charging,” Teale points out, “technologists could quickly assess the damage, regardless of the manufacturer.”
In the Dark Reading piece cited earlier, Shachar Inbar also offers some suggestions for US lawmakers to consider.
Solution C: Adopt the Open Charge Point Protocol
The Open Charge Alliance (OCA) developed what it calls the “Open Charge Point Protocol” (OCPP), a set of standards that govern setting up secure connections, logging security events, and firmware updates between a central management system and charging stations. Adopting this protocol nationwide could go a long way toward finding a solution to the United States EV charging infrastructure security vulnerabilities.
Solution D: Use ISO Standards to Create Nationwide EV Cybersecurity Law
Congress need not reinvent the wheel in creating a regulatory framework for the US EV charging infrastructure industry. The International Organization for Standardization (ISO) has already produced two standards that the US legislature could easily adapt to create law: ISO 27001 and ISO 15118.20.
- ISO 27001: This comprehensive framework covers a broad range of “legal, physical, and technical” aspects of the EV charging industry. When an EV charging infrastructure company complies with all ISO 27001, its leadership can rest assured that its technology has leading-edge protection from cybersecurity threats that could affect the nation’s grid.
- ISO 15118.20: This standard tightens security requirements for communication between EVs and charging stations. It uses security certificates to identify each EV that uses its services, authenticating the owner’s payment. Most importantly, it provides strict requirements for exchanging data in V2G transactions that otherwise would put the entire grid at risk.
Arm Yourself With the Latest EV Charging Cybersecurity Information
In addition to reading EV charging industry journals, academic papers, blog posts, and reports, you can augment your cybersecurity research with conversations with some of the most prominent names in the EV charging industry at one of our EV Charging Summit Events. Register to attend our soon-upcoming event today!
