Apparently, every good computer-based technology has a bad guy waiting to hack it. The infrastructure hacks of a few years ago, where ransomware was used to cripple Colonial Pipeline and JBS Foods, are samples of what can come. There are vulnerabilities in most IoT installations, commercial and consumer oriented, that are waiting for someone to find them. Worse, many government and commercial installations are dependent on “old tech” such as ICS (industrial control systems) that were developed two or three technology generations ago.
Take EVs (electric vehicles) for example. In 2008, Tesla released its first models, targeting sales of 100 units per month. Today, Tesla leads the global market for EVs, selling nearly 1 million units per year. The technology behind electric vehicles has improved and now batteries provide longer range per charge, a major stumbling block to success in the early days.
While EV owners frequently charge their vehicles at home, widespread availability of charging stations would allow people with EVs to travel even greater distances more easily. The Bipartisan Infrastructure Law enacted in 2021 invests $7.5 billion in a national network of electric vehicle charging stations, with a goal of building 500,000 chargers by 2030. During the past decade, the number of EV chargers in the U.S. has increased from less than 500 to more than 115,000. California alone is home to 41,225 electric vehicle chargers, approximately one-third of the nation’s total.
As EVs become more common, the risk for cyberattacks through vehicle charging stations increases. These attacks threaten not only the electric grid and transportation systems, but also personal privacy. Researchers have found these stations are the targets for cyberattack and, in some cases, they lack appropriate security measures. EV charger vulnerabilities have been found in user and payment interfaces, maintenance ports, internet and cloud connections, and EV-to-charger communications.
Sandia National Laboratories, in partnership with several other national laboratories and government agencies, is working to address the cyber security of EVSE (electric vehicle supply equipment). Together, Sandia and its partners are creating a cyber security threat model and performing risk assessments of EVSE.
Electric vehicle charging infrastructure has several vulnerabilities ranging from skimming credit card information — just like at conventional gas pumps or ATMs — to using cloud servers to hijack an entire electric vehicle charger network. To find the areas for concern, the Sandia team looked at conventional AC chargers, DC fast chargers, and extreme fast chargers and entry points, including vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services, and charger maintenance ports.
The survey noted several vulnerabilities on each interface. For example, vehicle-to-charger communications could be intercepted and charging sessions terminated from more than 50 yards away. Electric vehicle owner interfaces were chiefly vulnerable to skimming of private information or changing charger pricing. Most electric vehicle chargers use firewalls to keep separate from the internet for protection, but Argonne National Laboratory researchers found some systems did not. Additionally, an Idaho National Laboratory team found some systems were vulnerable to malicious firmware updates.
The multi-lab team found many reports of charger WiFi, USB, or Ethernet maintenance ports allowing reconfiguration of the system. Local access could allow hackers to jump from one charger to the whole charger network through the cloud.
The team proposed several fixes and changes that would make the U.S. electric vehicle charging infrastructure less vulnerable to exploitation. These proposed fixes include strengthening electric vehicle owner authentication and authorization such as with a Plug-and-Charge public key infrastructure. They also recommended removing unused charger access ports and services and adding alarms or alerts to notify charger companies when changes are made to the charger, like if the charger cabinet is opened.
For the cloud, they recommended adding network-based intrusion detection systems and code signing firmware updates to prove that an update is authentic and unmodified before being installed. Sandia has produced a best-practices document for the charging industry.
Now that this review has been completed, the Sandia team has received follow-on funding to tackle some of these gaps. They are working with Idaho and Pacific Northwest national laboratories to develop a system for electric vehicle chargers. This system will use cyber-physical data to prevent bad guys from impacting the electric vehicle charging infrastructure.
The team has another research project that involves evaluating public key infrastructures for electric vehicle charging, providing hardening recommendations for charging infrastructure network owners, developing electric vehicle charging cybersecurity training programs and assessing the risk of the various vulnerabilities. Risk analysis looks at both the likelihood of something bad happening and the severity of that bad thing to determine which changes would be the most impactful.
While the government can say “Produce secure electric vehicle chargers,” budget-oriented companies don’t always choose the most cybersecure implementations. Instead, the government can directly support the industry by providing fixes, advisories, standards, and best practices. However, it’s impossible to create solutions if you don’t understand the state of the industry.
Want to tweet about this article? Use hashtags #construction #sustainability #infrastructure #IoT #5G #cloud #edge