The electric mobility charging infrastructure sector (‘EVI’) is growing exponentially with hundreds of thousands of new EV chargers connecting to critical energy infrastructure globally. In parallel, new heat pumps, renewables, batteries, and more distributed energy resources (DER) are added.
EVI is a very particular new energy asset. Why?
- located at various different places (residential, commercial, public);
- different types of low-power and high-power chargers (DC fast chargers, extreme fast chargers, and megawatt charging systems);
- creates a significant amount of new demand for load (can be x-times more than pre-EVI for a single location);
- volatile demand profiles;
- increased predictability and pattern recognition (over time);
- can support the grid via storage and vehicle-to-grid (V2G) options.
Because of these particularities, EVI provides several interesting functionalities and capabilities to the electric power system, e.g. grid management, load balancing (EV infrastructure communicates with the grid and helps to prevent congestion), support of renewables (use green electrons in time of overproduction), virtual power plants, storage, and more.
With the rise of EVI, increased interoperability with the energy infrastructure (e.g. the distribution grid control room) is a must (especially for high-power charging) and an increasing dependency on digital technologies is obvious. This will increase the vulnerability and open new pathways for malicious actors to attack critical energy and transportation infrastructure.
Some of the vulnerabilities of EVI to digital attacks are caused by the complexity of the different hardware and software components that make up the EVI ecosystem: EVs and their batteries, charging & car apps, EV chargers, metering equipment, communication equipment, charging control systems, switches, controllers, clouds, grid connections and integration, network management systems, and more.
EVI security therefore is a significant challenge. Most of these components are exposed to an ever-evolving list of attacks such as malware/ransomware, insider threats, spoofing, tampering, supply chain vulnerabilities, and more. This can have severe negative consequences for businesses, customers, and infrastructure: service disruptions, financial loss, data and privacy breaches, safety risks, grid instability, damaged hardware and more.
Latest research suggests that there is an incomplete industry understanding of threat vectors, the attack surface, connections, and unsecured interfaces in EVI. Also, significant knowledge gaps concerning these risks are observed. The research even identified weaknesses and security concerns appearing in the communication-focused ISO 15118 EV-to-charger interface standard and the underlying public key cryptography and public key infrastructure (PKI) components. It also identifies that data security is not extensive. To make things even worse: the cryptography deployed today is not quantum safe and cannot be replaced easily (limited crypto-agility).[1]
In addition to the known security concepts such as encryption, access control, and additional IoT-oriented concepts, zero-trust based secure system approaches following the NIST guidelines should also be evaluated.[2] These are based on device-oriented approaches, adding additional layers of security for these devices and the data they generate. Data needs full protection when ‘at rest’ as well as when being processed. This is where the current approaches for EVI fail.
[1] Cybersecurity for Electric Vehicle Charging Infrastructure, for Department of Energy, July 2022 (https://www.osti.gov/servlets/purl/1877784)
[2] Zero Trust Architecture: The Unapologetic Approach To Cybersecurity In A Digital Jungle, September 2023 (https://www.forbes.com/sites/forbestechcouncil/2023/09/14/zero-trust-architecture-the-unapologetic-approach-to-cybersecurity-in-a-digital-jungle/?sh=52ee6852682a)