How big is the risk that someone will hack an EV charging network?
The Infrastructure Investment and Jobs Act, as passed by Congress last November, authorizes $7.5 billion to help meet US President Joe Biden’s goal of installing 500,000 stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.
For the past several years, hackers have been busy aiming their attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still, others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) have suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.
Hackers perpetually seek out ways to use any and all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions—physical destruction; electronic jamming; creating a “Denial of Service”—are concerns about weak control systems. From his perch at PlugInAmerica.org, Ron Freund worries that the existing supervisory control and data acquisition hardware is primate.
“It doesn’t handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the Internet, so is inaccessible (for the most part). In fact, it’s scary how primitive some of these systems still are,” Freund told me.
Protect your backend
Situated at the heart of EV infrastructure are stations connected to a central control unit, commonly referred to as “the backend.” This backend communicates over a wireless network using the same technology as a SIM card (in other words, it uses machine-to-machine communications). Stations collect sensitive data such as payment data, location data, and demographic data that might include email addresses and IP numbers. Since a mobile app or an RFID card is used to access the station, sensitive data is also collected on the apps, including location data and online behavior history.
According to Thomas Russell of the National Cybersecurity Center, “this data can be used to find patterns of daily routines and location data as well as private information.” Networked stations have obvious advantages for operators, who can monitor usage and reliability in real time, but being networked means being vulnerable.
According to Joe Marshall at Cisco Talos, “The most vulnerable elements of an electric vehicle charging station will usually be the EV management system (aka the EVCSMS). Vendors who own these stations need to stay connected with them over the Internet to process payments, perform maintenance, and make their services available to EVs.” Consequently, this can expose their stations to attackers who may seek to exploit that EVCSMS.
Marshall is distressed that EVCSMSes are “vulnerable in numerous ways.” Many are developed with poor security practices—from hard-coded (and thus stealable) credentials to poor security code development that lets attackers exploit management interfaces to compromise the system. He thinks that “this is not dissimilar from many modern IoT devices, like web cameras or home routers” that traditionally have poorly designed security. EV management system is incredibly similar to other IoT products and markets, as well.