By Prof. Thomas R. Köhler, Member of the Board of Juice Technology AG
The International Energy Agency estimates that the global number of electric cars, buses, vans and heavy trucks on the road will reach 145 million by 2030. In the U.S., estimates are that 28 million EVs will be sold within that timeframe, in concert with the administration’s goal that 50% of new car sales be electric by 2030. This will create a significant demand for more public charging stations and for flexible options like portable chargers that operate at home or on the road. Within each charging operation lie millions of lines of code and a wealth of personal and network data. The global cybercriminal community, always looking for new ransomware possibilities, will find this highly valuable data ripe for attack. One U.K.-based security research company, Pen Test Partners, has already found that, with several of the charging devices it tested, a cybercriminal could remotely gain control of the device, enabling the criminal to read user data or even hack into the owner’s home network via a wallbox. Researchers found vulnerabilities in both home devices and charging networks.
Unfortunately, the EV industry – car manufacturers, charging station suppliers, networking solutions and service providers – has not made cybersecurity a top-of-mind priority. Businesses in other sectors have made strides in better protecting their data and networks; many vending machines, for example, are better protected than charging stations.
The specific risks caused by vulnerable charging stations and unprotected components are plentiful. Insufficient data protection can lead to user data leaks, manipulation of billing systems, ransomware demands on infrastructure operators to prevent denial-of-service attacks, and illegal access to businesses’ internal networks.
A lack of advanced cybersecurity measures can also have a devastating impact on charging station operations, causing distress to operators and consumers. Cybercriminals can steal charging current, bring down the network with a denial-of-service attack, and even put at risk the stability of the local or area-wide electricity network through repeated, simultaneous switching on and off of the charging current. Such attacks can also damage the vehicle battery being charged.
All of these risk factors make a good case for the EV industry to implement cybersecurity practices that will protect EV customer data, as well as prevent network hacking and the potentially costly loss of operation. In this era of concerns about compliance and data privacy, the EV industry, notably charging station networks and suppliers, also cannot afford data breaches that will damage customer confidence and corporate image.
ISO/IEC 27001 Certification
First and foremost, ISO cybersecurity certification should be required for any business charging station supplier – whether they be portable chargers or networking applications that drive the charging operation, or any component that is tied to a network and thus vulnerable to a cyber threat. Compliance with ISO/IEC 27001 is considered the most important cybersecurity certification worldwide. It demonstrates that measures for ensuring information security and data protection have been implemented and are regularly monitored and reviewed. This proof is essential to developing a secure charging infrastructure and to protecting data generated by EV users, industry business partners, other supplier partners and investors.
A Software-First Strategy
Bringing the charging industry into advanced 21st-century cyber defense practices will be challenging. Many suppliers are “old world” thinkers, the “plugs and cables” hardware companies. On the other side are startups that treat software security as an add-on and have never focused that closely on software. They tend to underestimate the diverse range of cyber threats that deficient software security can pose.
Both types need to change their mindset to “software-first.” After all, charging stations have long since been highly complex, software-controlled systems that are equivalent to IoT nodes. They must cope with huge volumes of data streams, whether in communication with the vehicle to be charged, in communication with the electricity network, or in communication with user authentication and usage billing services.
These are data streams that offer numerous points of attack for malicious parties, not to mention the physical access to the actual devices. U.K. researchers found that, in one case, a simple screwdriver was all that was needed to access the inner workings of the devices. The issue of vulnerability applies to popular charging stations and portable chargers with IoT connectivity. What is also notable is that security research in this area is lagging in spite of the growing adoption of EVs and increase in private and public charging stations.
Going forward, EV dealers, charging infrastructure suppliers and partners should look for products that are built with a software-first approach, products that are designed from the start with data and networking security in mind. In this manner, charging stations can offer consumers a safe, secure method of charging their EVs.
Lastly, making charging cyber-safe will take a holistic approach that frankly doesn’t exist yet in the EV industry. When suppliers do consider security, they usually only think about their own domains. For example, the car manufacturer only thinks about its vehicle, the charging network operator about its stations, the energy providers about their network, and the billing service providers about their payment transactions.
Given that the EV industry is still in its early days in the U.S., it has a great opportunity to share cybersecurity research, share ideas on common data security problems and, working in concert, present consumers with a growing choice of secure charging options.
If a major data breach were to hit a charging network, it would no doubt create a lack of consumer confidence. However, if the EV industry gets ahead of the game in cybersecurity, everybody – consumers, suppliers, and network operators – can win.
About the Author
Thomas R. Koehler is CEO of German technology consultancy CE21 and a board member of Swiss charging specialist JUICE TECHNOLOGY. Thomas has a degree in business informatics from Wuerzburg University and was appointed research professor from the Center of International Innovation at Hankou University (CN). He has founded multiple companies (web development, software) and has a background in strategy consulting. He is the author of more than a dozen books on technology topics, including the English-language books “Reorganizing Data and Voice Networks” (Artech House), “Understanding Cyber Risk” (Routledge Publishers / Taylor & Francis) and “The Digital Transformation of the Automobile” (Mediamanufaktur).