Powering ahead securely: Why EV charging stations need better protection

Jeff Hutchins, president and chief technology officer at EOS Linx, writes on the electric vehicle (EV) landscape and how its booming growth necessitates, now more than ever, a renewed focus on cybersecurity measures.

Electric vehicles are the future. As governments, companies and drivers accelerate the transition away from gas-powered cars, EVs are realizing exponential growth. The International Energy Agency (IEA) reports global sales exceeded 10 million vehicles last year and is set to grow by another 35% this year.

Charging stations are popping up at hotels, in parking garages, and alongside retailers. The IEA says more than 900,000 stations were installed worldwide in 2022, and the progress continues. According to the Department of Energy, more than 5,000 charging stations popped up in the US during the first quarter of 2023.

This momentum is excellent news for reducing emissions and dependence on fossil fuels, but realizing EVs’ full potential depends on building an infrastructure drivers can rely on. With millions more EVs expected on roads in coming years, it is imperative that charging stations are reliable and secured against cyber threats that could leave drivers stranded and compromise their data.

That puts a burden not just on charging station manufacturers, but also on utility companies.

Cybersecurity concerns range from potential payment data breaches to denial-of-service (DoS) attacks, and researchers have found some of these vulnerabilities in the wild. Addressing these concerns ahead of time can ensure the continued growth of EV adoption, uphold public trust and maintain the stability of the grid.

With proper foresight by installers and grid operators, and the right standards and compliance in place, the industry can ensure the cybersecurity of charging stations to power EV growth for the long haul.

Have you read?
Landis+Gyr acquires New Zealand’s Thundergrid
New study aims to test benefits of bidirectional EV charging

Why EV chargers are unique targets

Core infrastructure like power plants and water facilities are well guarded. Charging stations, on the other hand, are distributed infrastructure. They’re not monitored by utility workers who are always on-premise.

As unattended assets in public locations, EV chargers are more susceptible to physical tampering by malicious actors who could install skimmers or other devices to steal payment information from drivers. Similarly, false instructions could manipulate unwitting users. That’s a low-tech hack, but a potentially effective one — most EV drivers are still relatively unfamiliar with how charging stations work and may not notice if something is amiss.

This lack of knowledge makes drivers prime targets for phishing scams aimed at gaining credentials or payment information. Inconsistent standards within the industry further compound confusion and risk. Various models and networks operate differently, from connecting to a station to paying for a charge.

Unlike a gas-powered car, for which you could pay for a fill-up in cash, there’s a digital trail of breadcrumbs with EVs. The nature of the technology in the vehicles makes powering up more of an IT infrastructure dynamic. Add in that Mozilla says, “modern cars are a privacy nightmare,” and represent the worst product category ever reviewed, and there are plenty of reasons to be proactive about EV charger security.

Unsecured WiFi connections also pose a significant threat. Many stations rely on default credentials and private networks during installation. Although they are supposed to be transferred to 5G or other cellular networks after deployment, some novice installers don’t take this critical step. While back-end systems generally comply with standards like PCI, the charging stations remain exposed, particularly to remote access, if they’re left on an unprotected WiFi network.

Also of interest:
Gaps in EV codes tied to cybersecurity and grid interface issues

Where the grid comes into play

Utilities can learn lessons from the early days of residential solar, when a new draw on the grid changed power consumption trends and made financial models unpredictable. To relieve those liabilities, utilities have to create interconnectivity. Unfortunately, interconnectivity can lead to security vulnerabilities.

Data and intelligence can give utilities visibility into what to expect and when to expect it. For example, a DC fast charger could require inputs up to 1,000 volts and 500 amps — if a new EV network comes online, a utility would want to understand the implications of that. Timing is a critical component, especially considering the variations in peak and off-peak energy costs.

Utilities can get deeper visibility via several technologies like smart meters that allow the EV network to have two-way communication with the grid. This would create SCADA and other integration, machine integration, and the ability to implement a protocol to implement emergency load curtailment.

While metering integration is the path to reducing liability, it also opens the door to security risk, so utilities need to adhere to energy system compliance when connecting the EV charging networks to the grid. Beyond that, the chargers themselves need protection.

How to secure stations

Physical defences, like security cameras and locked connections between the charger and grid, can deter bad actors from physically accessing stations. Regular audits of stations should also be conducted to identify any potential tampering.

Intelligent back-end monitoring can provide insights into session mechanics, like whether a user tried multiple times to charge their vehicle or if they were misdirected. Any sudden spikes in failed authorization attempts or other suspicious activity can trigger alerts.

Clear instructions and education for drivers are equally important. Well-designed signage, quick on-screen tutorials, and customer service will reduce confusion and susceptibility to phishing or rigged stations. Using an app to authorize payment for vehicle charging can also reduce the risk of a system hack.

Beyond the standard suite of security solutions usually applied to the IT landscape, providers should develop procedures for onboarding and offboarding clients and employees, auditing system use and access, and strong credential policies. They should also work with vendors that are ISO 27001 certified, although that certification is not considered law.

Thanks to groups like the National Rural Electric Cooperative Association (NRECA), the EV industry is driving toward a compliance standard. As best practices like ISO 27001 emerge, EV charging networks must participate so collective security matures with the industry.

Building a secure foundation

Everybody looks at an EV charger differently, and those disparate perspectives are why chargers aren’t comprehensively secured. Some people think it’s just a plug like any appliance would have; others see it as a gas pump connected to a larger infrastructure. Sometimes, location hosts only have a charger because they’re compelled to by a local government agency.

Understanding an EV charger’s true capabilities, vulnerabilities and benefits could go a long way toward securing them properly. While guidelines do exist, their awareness and adoption remain limited so far. The industry is still prioritising deployment over proactive security, and that makes both EV networks and electrical grids vulnerable.

Standards specific to EV charging could encourage that mentality shift and improve reliability and delivery. Implementing requirements modeled after sectors that prioritise security, like finance and IT, would also be pragmatic. In the US, the National Institute of Standards and Technology (NIST) is reviewing public comments from its cybersecurity framework profile specific to EV chargers.

While governments may eventually regulate security, EV charging providers and utility companies have the opportunity to exceed these baseline requirements through thoughtful design. Prioritising cybersecurity before the scales tip will pay dividends as the EV future unfolds.

ABOUT THE AUTHOR:

As the president and chief technology officer at EOS Linx, where he founded and deployed the EOS network, Jeff Hutchins is responsible for maintaining the overall growth, health and maintenance of the network and its partners.