Thursday, August 31, 2023

Why EV Charging Cybersecurity Demands an Ecosystem Approach

Share this article:

EPRI leads a consortium identifying vulnerabilities and recommending solutions to protect consumers and the grid

They are the type of stories that cause electric vehicle advocates to lose sleep. On the Isle of Wight in the United Kingdom, hackers gained access to EV chargers and displayed pornography on the equipment’s screens. In the United States, hosts of a YouTube channel tweeted a video showing how to take control of the operating system of an Electrify America EV charger. A recent story in The Wall Street Journal highlighted the numerous cyber vulnerabilities that EV drivers could face when they fuel their cars and trucks.

Any successful cyberattack that leads to a driver’s personal or financial information falling into the hands of a hacker is worthy of concern. However, the impact of these sorts of attacks on the grid’s reliability remains small. That is largely due to the simple fact that EVs constitute a relatively small proportion of vehicles. But that is changing quickly. Indeed, according to the International Energy Agency, EVs’ share of the overall global car market rose from approximately 4 percent in 2020 to 14 percent in 2022 and is expected to hit 18 percent in 2023. And by 2030, U.S. auto executives expect that 50 percent of domestic new car sales will be electric.

That means cyber vulnerabilities, especially related to EVs at fast public chargers, can be expected to grow as the total number of EVs increases. “Today, the electric vehicle market is maybe five to ten percent in the U.S., depending on which part of the country you’re talking about,” said Sunil Chhaya, a senior technical executive at EPRI focused on clean transportation and low-carbon energy system integration. “But as EVs and the public charging infrastructure needed to fuel them scale, the cybersecurity problems will also scale if they haven’t been designed into the charging system. And at some point, you may have to shut charging down and start over because some of these problems can’t be fixed with patching. There are big risks and costs for not addressing this now.”

EV charging station location mark on gps navigation map

The Need for a Holistic Approach to EV Charging Cybersecurity

That’s not to say that the many stakeholders who have a stake in robust public, EV fast-charging cybersecurity—from EV and charging manufacturers to charging network operators to electric utilities—are unaware of the potentially grave consequences of not ensuring security. The challenge is that EV charging security requires the commitment and cooperation of everyone involved.

“The fast-charging ecosystem is complex as it involves a variety of different technologies, including chargers, EVs, grid management systems, payment systems, as well as the participants developing or deploying these technologies, including aggregators, car manufacturers, charge network providers, utilities, and customers,” said Xavier Francia, an EPRI principal technical leader for distributed energy resources (DER) cybersecurity. “Each of these components and entities has a unique set of security responsibilities they must fulfill. While it may be tempting for these entities only to want to focus on their own domain of technologies and the set of risks that directly impact their business, there are ecosystem-wide risks of concern that can impact everyone.”

For example, Francia points to the growing number of vehicle-to-grid (V2G) use cases—including the delivery of backup power during an outage and providing electricity during peak demand—to illustrate worrying ecosystem-level risks. “While several attack vectors and risk scenarios are possible, the root of the problem is ensuring harmonization of security across all players and technologies such that no weak links, often the target of focus by adversaries, are present in the system,” Francia said.

A Collective Approach to Charging Cybersecurity

To begin addressing ecosystem-level EV cybersecurity risks in a proactive and standardized manner, EPRI spearheaded research supported by the U.S. Department of Energy (DOE) Office of Energy Efficiency and Renewable Energy. The research findings were recently published in the Cybersecurity Platform and Certification Framework Development for Extreme Fast Charging (XFC)-Integrated Charging Ecosystem report.

The work intentionally embraced a collaborative approach, enlisting the input and involvement of utilities, national research laboratories, EV manufacturers, charging network operators, cloud computing providers, and others involved with operating extreme fast charging equipment, defined as 200 kilowatts and above. “This process was completely open,” Chhaya said. “Everyone with a stake in charging could see how we were thinking about things, what we were doing, and give feedback and the benefit of their experiences.”

The group’s approach was to first determine the main cybersecurity risks present throughout the EV charging ecosystem. After identifying risks, the group developed best practice recommendations about how to prevent and mitigate the risks. The recommendations developed have the potential to become requirements that purchasers of the equipment and networks involved with EV charging could demand suppliers meet during procurement.

“Establishing a minimum protection profile and standards for electric vehicle supply equipment (EVSE) and V2G services will enable a more uniform risk assessment of providers and services against those profiles and standards and differentiate those that offer even greater security options,” said Victor Calderon, a senior advisor for cybersecurity at Southern California Edison (SCE). “Those systems should rise to the top of utility-approved or validated lists.”

SCE recently worked with EPRI to prepare a proposed work plan, Cybersecurity Gap Analysis of Electric Vehicle Charging Equipment Products Used in Transportation Electrification Programs. The California Public Utilities Commission (CPUC) approved the plan, and work will begin this year identifying cybersecurity gaps in existing protocols and equipment and developing recommendations about closing the gaps.

Besides its collaborative and systemic approach, the EPRI-led research was also unique because it went beyond identifying specific vulnerabilities and prescribing ways to address them.

Indeed, the recommendations developed were tested in laboratories run by EPRI, the National Renewable Energy Laboratory (NREL), and the Argonne National Laboratory (ANL).

To make the group’s research findings practical and usable to those involved in EV charging, researchers also developed an open-source Secure Network Interface Card (SNIC) that demonstrates the ways EV chargers can be protected. “We gave the practitioners something to work with by developing a credit card-sized network adapter that has all the cybersecurity features built in that can be integrated into the charging station itself,” Chhaya said. “That way, if there is any hacker activity, it knows how to protect itself and protect the data or disallow the intrusion.”

In addition, an online Electric Vehicle Charging Cybersecurity Management (EVC2M) tool to guide a holistic cybersecurity assessment is being developed and will be released to the public. The tool provides those responsible for EV charging cybersecurity with guidance about how to think about the security problems they face, as well as checklists about how to develop effective protection solutions.

A Broad Ecosystem with Many Vulnerabilities

Much focus on the vulnerabilities of the public EV charging network centers on the fast chargers themselves. The truth is, however, that the cyber vulnerabilities extend well beyond the charger to include three interconnected systems.

“One is the payment system people use because they must pay to charge their EVs. Then there is the data and communication network, which leaves people vulnerable to having data of all kinds stolen,” Chhaya said. “And the third is the power network. Although the most vulnerable place may be the charging station itself, an intrusion can happen anywhere. A malicious actor can get in from any part of the network and do bad things at the charging station.”

In its research, the EPRI-led EV cybersecurity stakeholder group categorized the types of risks faced by the EV charging ecosystem and the equipment that makes up the ecosystem. For example, the four categories of risk are:

  • Reliability risk: This includes any risk that impacts the reliability of a system or sub-system in the charging ecosystem. Generally, these risks are associated with the failure or malfunctioning of a component. These risks are faced primarily by EVs, chargers, and cloud computing providers. An example of how an attack could impact reliability is if a thief tampers with or jams a cellular modem and renders payment services inoperable.
  • Privacy risk: The theft of customer data is a major concern because it violates the privacy of EV owners. The risk is most pronounced for the software systems, cloud storage providers, and systems on board EVs that store personally identifiable information (PII). Those utilizing EV chargers to fuel their vehicles are most vulnerable to this risk. One example of an attack related to privacy is when a criminal targets WiFi, Ethernet, RF, or other communication systems to steal customer information.
  • Financial risk: Both EV drivers and the operators of charging networks face the risk of fraudulent financial charges. The negative consequences can be significant, including lost revenue for consumers and charging network operators. An example is when a criminal uses a skimmer or hacks into the communication system to steal payment information.
  • Safety risk: Physical injuries and infrastructure damage are possible if the charging ecosystem is compromised. This can happen due to minor changes to software that cascade all the way to a charger or EV and result in damage to equipment and a potential accident.

To perform thorough and holistic assessments of the vulnerability of different pieces of the EV charging ecosystem, the researchers also identified the specific subsystems that are in the ecosystem. They are:

  • The Electric Vehicle Supply Equipment (EVSE) subsystem, which are the chargers
  • The electric vehicle subsystem
  • The network operator or charging station operator subsystem
  • The EVSE building/utility interface subsystem
Vulnerability Analysis Informs Recommendations to Mitigate Cybersecurity Risk

A clear categorization of the risks, their interdependencies, and the specific systems of assets that constitute the EV charging ecosystem helped researchers conduct the vulnerability analyses needed to develop best practices for mitigating cybersecurity risks. In this project, researchers conducted vulnerability assessments on each of the four EV ecosystem subsystems and developed potential mitigation suggestions.

For example, one vulnerability at charging stations is using magnetic card readers to process payments. This is standard at chargers, gas stations, and other retailers. The vulnerability arises when criminals install a skimmer that can capture payment information when a credit or debit card is inserted into the station’s card reader. When payment information is stolen, thieves can use the card until a financial institution or customer detects fraud and blocks future use of the card. Mitigating the threat requires effective and continuous monitoring of the charger to detect the installation of a skimmer or the implementation of new technology that doesn’t require the transmittal of payment information at the charger.

EV charging management software

Based on its work identifying risks, threats, and vulnerabilities to the EV charging ecosystem, EPRI and its research partners then developed various recommendations for protecting EV charging infrastructure. For example, one recommendation is to ensure that extreme fast chargers have two-way communication. The reason is that two-way communication provides the monitoring and control needed for charging service providers to receive alerts and alarms about cyberattacks and quickly address them. The recommendations developed were then tested by EPRI, ANL, and NREL.

“We really put our recommendations to the test to see if they were valid at identifying the risks and vulnerabilities correctly,” Chhaya said. “We tried to break into the equipment to see whether the mitigation efforts worked.”

More Work to be Done

The findings from the EPRI-led consortium are being applied in follow-on research led by the National Institute for Standards and Technologies (NIST) National Cybersecurity Center of Excellence. NIST is working to incorporate the findings into an EV Infrastructure Cybersecurity Framework, which can be used to implement the recommendations into certifications that verify EV charging equipment is secure. The research will also deepen utility industry-specific cybersecurity knowledge, specifically around Vehicle-Grid Integration cybersecurity.

Ultimately, all this work aims to ensure a consistent approach to EV charging cybersecurity. “The immediate need is a cybersecurity framework that all entities in this ecosystem can utilize to understand their security responsibilities and the cybersecurity capabilities that they must enable in their respective technologies and organizations,” Francia said. “EPRI’s work with the Department of Energy has made great strides in making this reality, and we look forward to working with NIST, our utility members, and other industry stakeholders as they utilize our research to socialize and operationalize the Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure. One way of approaching this is to create an implementation guide for the NIST requirements. We also look forward to supporting SCE as they work with the CPUC to identify cybersecurity gaps in EVSE technologies and communication protocols expected to be utilized in their grid interconnected with EV.”

Over the longer term, EPRI will continue collaborating with its members and other stakeholders to develop even more robust cybersecurity approaches, including zero-trust architecture that requires all users and devices to be verified.

For SCE, the evolution of cybersecurity approaches and tools is critical to achieving its decarbonization objectives, known as Pathway 2045. “Cybersecurity risks arise with SCE’s externally facing connections that are necessary to operate our systems and enable our Pathway 2045 future. These are taken very seriously by SCE, and our Cyber team is inherently engaged in architectural design and operation of our networks,” according to Jordan Smith, a consulting engineer within the grid technology innovation team at Southern California Edison. “As EV penetration increases, SCE will continue to follow industry best practices and leverage a defense in depth strategy to better mitigate cybersecurity risks as they are identified.”

EPRI Technical Experts:

Sunil Chhaya, Xavier Francia
For more information, contact