With more countries reaching the tipping point for electric vehicle (EV) adoption, it's more urgent than ever for the public and private sectors to invest in EV charging infrastructure. A robust and highly secure EV charging ecosystem is essential for ensuring network availability and stability, providing a seamless charging experience to drivers, and achieving zero-emission transportation.
The good news is that EV charging infrastructure build-out is gaining momentum. The downside is that cybersecurity risks are growing along with the charging infrastructure, and cybercriminals are starting to take notice.
Today, EV chargers themselves are the primary target, with hacks ranging from planting ransomware to hijacking charger message screens with politically motivated or objectionable content. In a major wakeup call to manufacturers, a white-hat security specialist demonstrated EV charger hardware and software vulnerabilities. Recent hacks have also shown that EVs, too, are at risk.
The Vulnerabilities Are Broader Than Chargers and EVs
The communications networks that connect chargers with their management system, the personal data that travels across those networks, the charge-point operators collecting payments, and the grid itself are increasingly vulnerable as the EV ecosystem grows and the attack surface expands. The risks include (but are not limited to):
- Disruption of operations for public charger networks, rendering large numbers of chargers unusable and interfering with transportation
- Takeover of charger networks to use the chargers as bots in massive distributed denial-of-service (DDoS) attacks
- Theft of customers’ personal identifiable information (PII), including payment card information
- Fraudulent payments for electricity used in EV charging
- Disruption to the power grid, leading to blackouts and equipment damage
- Damage to the EV charging provider's reputation
As IT security experts know, whenever you have digital communications between two points, you have a potential vulnerability. When an EV plugs in to a networked charger, a cascade of bidirectional communications between multiple computers ensues — between the vehicle and the charger, the charger and the driver's mobile app, the charger and the grid, the charger and the back-end management system, the management system and a payment gateway, and the management system and the charge-point operator. That's a broad attack surface.
It takes coordination and commitment across the EV charging ecosystem to achieve the end-to-end security needed for protecting EV charging networks, personal and payment data, and the grid.
Standards and Protocols Offer a Way Forward
EV charging and energy management solution providers must commit to industry protocols and standards — developed by global consortiums such as the Open Charge Alliance (OCA) and the International Organization for Standardization (ISO) — and the protections they provide. So do other industry players, such as EV charger manufacturers and their sub-suppliers, automotive manufacturers, and utilities.
Key to network security is Open Charge Point Protocol (OCPP). It governs communications between charging stations and a central management system. The latest version incorporates standards for secure connection setup, security events and logging, and secure firmware updates.
Another essential measure is ISO 27001, a comprehensive framework that covers legal, physical, and technical controls involved in a company's information security and risk management processes Compliance ensures all relevant processes, procedures, and tools are implemented and monitored to protect the EV charging platform.
ISO 15118.20 is an international standard that was updated in 2022 to tighten security requirements for bidirectional communications between a charging station and an EV. The standard provides for plug-and-charge capability, which uses security certificates to automatically identify the EV to the charger and authenticate a payment method. It also governs the exchange of data required for vehicle-to-grid (V2G), which sends energy stored in the EV battery back to the power grid.
IT Security Best Practices Provide Multilayered Protection
The first IT security best practice that EV charging ecosystem companies should consider is organizational: Hire a chief information security officer (CISO). With a broad attack surface to defend and the need to protect data from internal and external attacks, the CISO should work closely with the chief technology officer (CTO) to coordinate IT security and EV charging infrastructure security.
The communications and data exchange between management software in the cloud, EV chargers, EVs, and the grid can be protected by IT security best practices such as X.509 public key infrastructure (PKI), transport layer security (TLS), secure "tunneling" across the Internet, and data encryption.
EV charging infrastructure providers must also be concerned with data privacy regulations specific to PII. Any organization transporting, handling, or storing PII should comply with the General Data Protection Regulation (GDPR) in the EU, the Act on the Protection of Personal Information (APPI) in Japan, the California Consumer Privacy Act (CCPA), and the new California Privacy Rights Act (CPRA).
Compliance with Payment Card Industry Data Security Standards (PCI DSS) and SOC 1 security standards provides the security controls and measures to protect credit and debit card transactions during transmission and storage. Controls include using tokens rather than readable data and storing only the final four digits of a credit card. Intelligent safeguards for billing management systems should recognize and prevent fraudulent payment.
Endpoint detection and response (EDR) systems continuously monitor devices connected to the EVcharging management platform, identify intrusions, and enable rapid response so cybercriminals cannot penetrate the network and pivot to other components, whether that is the management software, the car, or the grid.
And conducting annual infrastructure and application penetration tests is essential to discovering potential vulnerabilities and building a solid plan to resolve them.
The Final Takeaway
Protecting the EV charging infrastructure from cybercriminals is a job for every participant in the ecosystem. Whether you're considering hosting EV chargers at your place of business or you're an active participant in the ecosystem, security must remain top of mind. A key takeaway from the IT security industry is the recognition that this will be a perpetual battle. The larger the EV charging ecosystem grows, the more monetary value it offers to cybercriminals. The challenge of staying ahead of bad actors, and responding quickly when unknown threats become known, never ends.