With the spread of electric vehicles, the risks and dangers of a cyber attack on charging devices and systems for electric vehicles are also increasing. Jay Johnson, an electrical engineer at Sandia National Laboratories, has been investigating the multiple vulnerabilities of electric vehicle charging infrastructure for the past four years.
Johnson and his team recently published an open-access summary of known vulnerabilities in electric vehicle chargers in the journal energies.
EV communication ecosystem with EVSE components and external entities. The four numbered boxes represent attack vectors for attackers trying to affect EVSE operations. These include (1) EV connectors; (2) user terminals; (3) internet connections; (4) Maintenance terminals from physical access or disassembly. Johnson et al.
EV charging infrastructure has multiple weaknesses, ranging from skimming credit card information — just like at a traditional gas pump or ATM — to using cloud servers to take over an entire EV charging network.
Sandia researchers are collaborating with experts from Argonne, Idaho and the Pacific Northwest National Laboratories; the National Renewable Energy Laboratory; and others as the National Security Laboratory Team.
We are focused on larger impacts on critical infrastructure while electrifying more of the transportation industry. We have investigated possible impacts on the power grid. As law enforcement and other government agencies consider the move to electric vehicles, we thought about how the inability to charge vehicles might impact operations.
The team examined a few entry points, including vehicle-to-charger connections, wireless communications, EV operator interfaces, cloud services and charger service ports. They looked at traditional AC chargers, DC fast chargers, and ultra-fast chargers.
The survey identified multiple vulnerabilities on each interface. For example, communication between the vehicle and the charging station could be intercepted and charging sessions terminated from a distance of more than 50 meters. EV owner interfaces were mainly vulnerable to skimming private information or changing charging prices. Most electric vehicle chargers use firewalls to disconnect from the internet for protection, but researchers at Argonne National Laboratory found that some systems didn’t. Additionally, a team from the Idaho National Laboratory found that some systems were vulnerable to malicious firmware updates.
The multi-lab team found many reports of Wi-Fi, USB, or Ethernet service ports for chargers allowing for system reconfiguration. Local access could allow hackers to jump from one charger to the entire charger network via the cloud, Johnson said.
In the paper, the team proposed several fixes and changes that would make the US electric vehicle charging infrastructure less vulnerable to exploitation.
These proposed fixes include strengthening EV owner authentication and authorization, for example with a plug-and-charge public key infrastructure. They also recommended removing unused charging access ports and services and adding alarms or alerts to notify charger companies when changes are made to the charger, e.g. B. when the charging cabinet is opened.
For the cloud, they recommended adding network-based intrusion detection systems and code-signing firmware updates to prove an update is authentic and unmodified before installing it. Sandia has created a best practices document for the charging industry.
With this review complete, the Sandia team has secured follow-on funding to fill some of these gaps. Researchers are collaborating with national laboratories in Idaho and the Pacific Northwest to develop a system for electric vehicle chargers. This system will use cyber-physical data to prevent hackers from affecting EV charging infrastructure.
The team is conducting another research project that includes evaluating public-key infrastructures for EV charging, providing security recommendations to owners of charging infrastructure networks, developing training programs on cybersecurity in EV charging, and assessing the risk of the various vulnerabilities includes.
The government may say, “Produce secure electric vehicle chargers,” but budget-minded companies don’t always choose the most cyber-secure implementations. Instead, the government can support the industry directly by providing fixes, advice, standards, and best practices. It’s impossible to come up with solutions if you don’t understand the state of the industry. This is where our project comes in; We did research to find out where we stand and which gaps would be the fastest and most effective to fix.
—Brian Wright, a Sandia cybersecurity expert for the project
This work was supported by the Department of Energy Vehicle Technologies Office and the Office of Cybersecurity, Energy Security and Emergency Response.
Johnson, Jay, Timothy Berg, Benjamin Anderson, and Brian Wright (2022) “Review of Cybersecurity Vulnerabilities, Potential Impacts, and Defenses of Electric Vehicle Chargers” energies 15, No. 11: 3931. doi: 10.3390/en15113931