Why Stopping Cyberattacks Against EV Charging Networks Is Critical
Electrification of vehicles requires a massive infrastructure, and many are racing to deploy it.
The electric vehicle supply equipment (EVSE) industry finds itself in the midst of an explosive growth phase, with new EV charging stations popping up in parking lots and shopping areas across planet Earth. With each new installation, the options for EV drivers increase. So does the risk of cyberattacks at scale — targeting these vast charging networks, the cars that plug into them, and the power grids they link to.
There is particular risk because a race to market often means cyber preparedness — both in the vehicle and in the charging infrastructure — can become an afterthought. That's a potentially frightening scenario, as these electric chargers are connected to the grid, they're connected to the cloud, and they're connected to the vehicle — it is a new convergence point we must secure.
The National Institute of Standards and Technology (NIST) pointed out the scale of this growing cyber risk related to electric charging stations:
“EVSE is supported by electronics, both for charging the vehicle and facilitating communications, so EVSE is susceptible to cybersecurity vulnerabilities and attacks. EVSE also ties together two critical sectors — transportation and energy (specifically, the electric grid) — that have never been connected electronically before. This creates the potential for attacks that could have significant impacts in terms of money, business disruptions, and human safety.”
Now is the time to answer critical questions: What are the risks and how will we respond to them?
Warning Signs: EV Charging Stations and Cybersecurity Risks
Governments in multiple countries are pouring billions into developing electric vehicle charging networks. The United States alone is spending $5 billion in five years to create a nationwide network of EV charging stations along 75,000 miles of interstate. EV charging stations are quite literally rolling out by the truckload.
A truck hauls new EV charging stations near Phoenix, Arizona, May 2023.
But akin to the LED display on each charging station, a metaphorical warning sign is flashing a message regarding cybersecurity.
EV Charging Stations and the Internet of Things
Each charging station, and each vehicle that connects to it, is part of the Internet of Things (IoT). So are the mobile devices that control much of the charging activity and billing. And in the future, the majority of payments may be processed from digital wallets embedded in the vehicles. We’ve never had so much juice, or electrical load, controlled in this way. And each one of these things — the vehicles, the charging stations, the mobile devices, the apps, and the API (application programming interface) between them — has potential cybersecurity vulnerabilities.
This is highly concerning because increasing inter-system connectivity and its growing complexity expand the attack surface, providing threat actors with a great number of attack vectors. In the case of EVs and their charging stations, this opens up the possibility of devastating scenarios resulting from large-scale and long-term attacks.
Perhaps these attacks could cause sudden power fluctuations and power outages by suddenly shifting the demands of a charging network. Or what if a cyberattack disables an EV charging infrastructure, stranding drivers? This is akin to cutting off the fuel supply, similar to what happened in the Colonial Pipeline cyberattack. Another possibility might involve a compromised network of charging stations that fill up an EV's battery while silently installing engine-stopping malware onto vehicles, in preparation for a future attack.
These are just a few of the ugly scenarios, and cybersecurity and EVSE researchers have published many more. Some researchers are already finding vulnerabilities that could let hackers remotely shut down EV chargers or steal electricity.
Again, these are warning signs that we must address this type of cyber risk.
What Should We Do About EV Cybersecurity Risk?
The good news is that we have a long list of best practices that we can look to as we attempt to bring order to the Wild West of our growing EV charging infrastructure. Here are a few worth noting.
- Hardware and network segmentation — The industry must use trusted components and create a partitioned architecture, so that a compromise in one sector doesn't necessarily become a lateral danger to an adjacent sector.
- Software best practices — Organizations involved in the EVSE ecosystem must make sure they’re using secure software, built to boot securely, and that hasn’t been tampered with. This includes a design principle of “least privilege,” so the software runs at the lowest possible permission level. This means it is not given authority to do anything it doesn’t need to do.
- Implement UN Reg. 155 — The UNECE World Forum for Harmonization of Vehicle Regulations (WP.29 group) has created an international automotive cybersecurity regulation, UN Reg. 155, to help pave the way for mitigating the cybersecurity risks posed to connected passenger vehicles. The regulation establishes performance and audit requirements for cybersecurity and securing software update management in new types of passenger vehicles sold in the European Union and in other countries. UN Reg. 155 includes a number of best practices the EVSE industry should consider.
- Continuous monitoring and incident response planning — We believe the EVSE industry should be monitoring for malicious threat actor activity, and expecting attacks to occur. This could involve subscribing to a managed detection and response (MDR) service and should include developing an incident response plan. Having forethought as to what you will do when you're under attack is critical — because that’s the worst time to formulate a response. Also, plan how you will communicate and send notifications in the event of an attack, especially if your normal communications channels are down or compromised.
- Build security in, instead of bolting it on — Those in the EVSE ecosystem should build security into every step of software, hardware deployment, and operations. Cyber risk extends beyond the IT infrastructure; how we operate it also matters. Do we have a reliable protocol for doing software updates? Is maintenance being done by technicians that have been properly trained and authorized? If we can answer “yes” to questions like these, we are reducing risk.
Industry can accomplish much of this on its own, but in some cases, regulation may be needed to ensure consistency across this new landscape.
Developing Ongoing Cybersecurity for the IoT
“Cybersecurity is a journey, not a destination.” That’s a well-known saying in the industry. And part of the journey to secure the connected IoT frontier will involve reimagining the advances cybersecurity has made in the enterprise.
For example, applying the concepts of endpoint detection and response (EDR) functionality to this new class of endpoints — including EVs — represents an important step forward. Another useful perspective — and a best practice — that you get from the enterprise security side is monitoring nodes that should function similarly, and investigating whenever you detect that one such node is behaving differently from the others.
Today’s IoT security has been largely built up from within the IoT discipline, where systems are frequently more restricted, and networks are often different and tend to be a bit more proprietary. However, IoT and OT (operational technology) are quickly converging toward a compute infrastructure comparable to that of enterprise IT networks. It's not just a matter of running the IoT technology in this new environment. It requires rethinking the security framework, and applying lessons learned in the IT world to the emerging — and converging — IoT, OT, and embedded systems space.
If you squint a little bit, they are all quite similar. Each has high-speed networking, and significant compute power. Each has open-source software, and requires regular software maintenance (hopefully) — if it doesn't, then that's one of the most important best practices to apply because software upgradeability is key for ongoing security protection.
Flexing with the Times
Automotive software is undergoing a revolution and becoming increasingly complex, with more than 100 million lines of code in many cars. And we at BlackBerry have learned how to secure it. In fact, we are a worldwide leader in safety-certified and secure operating systems (OSs) for this embedded technology.
This also leads me to believe we can work together to secure the electric vehicle charging infrastructure, despite its complexity. While there is immediate cause for concern, there is also great cause for optimism on the electric-powered future ahead.
For similar articles and news delivered straight to your inbox, subscribe to the BlackBerry Blog.
About Charles Eagan
Appointed in June 2018, Charles Eagan is the Chief Technology Officer for BlackBerry. In this role, Charles is responsible for the advancement of new technologies, driving innovation within emerging markets and advancing security capabilities that leverage AI and Machine Learning. He is also responsible for technology partnerships and overseeing the standardization and integration of all company products with an emphasis on helping drive BlackBerry’s Internet of Things platform.