As electric vehicle (EV) charging infrastructure rushes to keep pace with the dramatic rise in sales of electric vehicles in the United States, cyberattackers and security researchers alike have already started focusing on security weaknesses in the infrastructure.
In February, researchers with energy-network cybersecurity firm Saiflow discovered two vulnerabilities in the Open Charge Point Protocol (OCPP) that could be used in a distributed denial-of-service (DDoS) attack and to steal sensitive information. And the Idaho National Laboratory recently found that every charger it examined — more formally known as Electric Vehicle Supply Equipment (EVSE) — was running outdated versions of Linux, had unnecessary services, and allowed many services to run as root, according to a survey of EV charging vulnerability research in the journal Energies. Other potential attacks include adversary-in-the-middle (AitM) and services exposed to the public Internet, according to the paper.
The risks are not just theoretical: A year ago, after Russia invaded Ukraine, hacktivists compromised charging stations near Moscow to disable them and display their support for Ukraine and their contempt for Russian President Vladamir Putin.
The cybersecurity concerns come as electric vehicle sales have taken off in the United States, accounting for 5.8% of all vehicles sold 2022, up from 3.2% the previous year, according to JD Power. Currently, less than 51,000 Level 2 and DC Fast charging stations are available in the US, representing the capability to charge 130,000 vehicles simultaneously, according to the US Department of Energy. With more than 1.5 million electric vehicles registered as of June 2022, that means there are 11 vehicles for every public charging port.
To keep up with demand, the major players in the EV charging sector all have significant expansion plans, and the Biden administration aims to increase the number of vehicle chargers to 500,000 by 2030.
While cybersecurity experts worry that the rush to create a comprehensive charging infrastructure could come at the expense of cybersecurity, the question of its cybersecurity preparedness is especially piquant given the connectedness of the infrastructure and the ability to potentially cause damage using access to the high voltage available, says Phil Tonkin, senior director of strategy at Dragos, a provider of industrial cybersecurity.
“Most EV chargers can be considered an Internet of Things (IoT) technology, but they are one of the first that has control over such a significant amount of electrical load,” he says. He adds, “The aggregated risk of so many devices, often connected to a small number of single systems, means that devices of this type need to be implemented with care.”
EV Chargers: IoT, OT & Critical Infrastructure
In many ways, EV charging infrastructure represents a perfect storm of technologies. The devices are connected via mobile applications and carry the same risks as other IoT devices, but they’re also set to become a critical part of transportation network in the United States, like other operational technology (OT). And because EV charging stations must be connected to public networks, ensuring that their communications are encrypted will be critical to maintaining the security of the devices, says Dragos’ Tonkin.
“Hacktivists will always be looking for poorly secured devices on public networks, it’s important that the owners of EV put in place controls to ensure they are not easy targets,” he says. “The crown jewels of the operators of EV chargers have to be their central platforms, the chargers themselves intrinsically trust the instructions pushed down from the center.”
Consumer devices are also a problem. About 80% of charging takes place in the home, according to ChargePoint session data. But unfortunately, those devices may be easier to disrupt because consumers are not focused, nor should they need to be focused, on cybersecurity, Tonkin says.
“It’s not practical for the average domestic customer to have to put in place the right security, therefore making sure the device itself and the methods it uses to communicate with cloud-based services should always be on the vendor,” he says.
Government’s Role in EV Cybersecurity
The US government should make standards and best practices available to companies to prevent cybersecurity weaknesses, some say. Sandia National Laboratories, for instance, has recommended a number of initiatives to strengthen cybersecurity, including improving EV owner authentication and authorization, adding more security to the cloud component of the charging infrastructure, and hardening the actual charging units against physical tampering.
“The government can say ‘produce secure electric vehicle chargers,’ but budget-oriented companies don’t always choose the most cyber-secure implementations,” Brian Wright, a Sandia cybersecurity expert working on the vulnerability project, said in a statement. “Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices.”