Controlling your charger, your car, and even your entire grid!
Jasjeet Singh
Senior Principal Consultant [Sustainable Transport | Infrastructure Electrification | Cyber Resilience]
Can a rant be an article? Let me know!
Speaking about Electric Vehicles Charging Equipment...
The ultra-fast pace of the electrification industry was always going to leave gaps in design, management and operational safety. It should not be a surprise, then, that the safety and security world seems to be worried about exactly that – safety and security.
Why? Ever-increasing demand, confusing and contradictory regulations in an international market, and budgetary pressures mean that OEMs don't always approach safety and security the way the traditional industry is used to (or is made to...).
Let’s take one aspect in particular – cybersecurity.
The Internet of Things (IoT) can become the Internet of Threats in no time if not taken care of.
I remember being told this in one webinar... “Passwords are like underwear: don’t let people see it, change it very often, and you shouldn’t share it with strangers.”
After some research, some experience and a lot of hours on the internet, I have come to the conclusion that, unfortunately, the EV charging industry appears to have treated cybersecurity the same way as the Internet of Things did – as an afterthought.
Thankfully, the UK legislators included cybersecurity in The Electric Vehicles (Smart Charge Points) Regulations 2021, which cannot be said about several other countries. But they are sure to follow.
Some OEMs are conscious of this shortcoming and are improving their security, in many cases by bringing in OT cyber expertise. However, in the short term, they have found themselves at a disadvantage, competing against those flooding the market with products. Careful and proportional regulation levels the playing field, and its absence can result in chaos.
What may happen?
Cyberattacks can disable an EVSE device, and even EVSE fleets, or all vendor-owned devices. As the transportation sector is electrified, widespread disruptions to EVSE run the risk of severely impacting a range of critical national infrastructure, emergency services, supply chains, defence, etc.
The use of bank cards and personally identifiable information on EVSE devices and networks implies that personal or corporate financial loss is likely.
The impact on functionality, financial stability and safety is all foreseeable. This is backed up by research and data. The most concerning study I read was on power infrastructure – on how EVSEs can act as gateways to disable or severely damage the entire power grid. The example was the effect of dynamic load modulation on power system stability.
Communications between chargers and cloud services have issues – big issues. Take the lack of authentication methods, dirty input fields and open gateways to supply chain attacks due to OEMs maintaining remote access. Hardware vulnerabilities include outdated Linux kernels running superfluous services – many of which are accessible via USB ports, making the upload of malicious code easy for those ‘in-the-know’. Have you seen a charger running off a Raspberry Pi without a secure bootloader? There are plenty!
What about hard-coded credentials, passwords hashed without a salt, and cryptographic “please don't do” things?
What to do?
The areas of OT cybersecurity protection, detection, and response are extensively studied for cloud systems, SCADAs, smart grids and power systems. Attention must be paid to EVSE device and network hardening.
The EU Architecture for Multi-criticality Agile Dependable Evolutionary Open System-of-Systems (AMADEOS) project is an example of ongoing work.
It will be beneficial for the stakeholders in EVSEs to understand and acknowledge security gaps as a first step. A requirement driven by the market and the regulators will help drive OEM standards and research into this area. There is extensive knowledge available in the form of standards and experience; it needs to be implemented into EVSE infrastructure.
And it should be more than automatically tweeting “Trees saved Per Mile”!
Head of Digital Energy at DNV
2 years ago: Good article Jasjeet Singh!