Electric vehicle charging infrastructure offers several vulnerabilities that range from skimming credit card information — just like at conventional gas pumps or ATMs — to using cloud servers to hijack an entire electric vehicle charger network.
A team of researchers from Argonne, Idaho, Pacific Northwest, and Sandia national laboratories; the National Renewable Energy Laboratory; and others compiled a list of potential impacts to the power grid. Their work appeared in the journal Energies.
Brian Wright, a Sandia cybersecurity expert said, “Can the grid be affected by electric vehicle charging equipment? Absolutely. Would that be a challenging attack to pull off? Yes.” But, he said such a disruption is “within the realm of what bad guys could and would do” in the next 10 to 15 years.
The team looked at a few entry points, including vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services and charger maintenance ports, as well as conventional AC chargers, DC fast chargers and extreme fast chargers.
The survey noted several vulnerabilities on each interface. For example, vehicle-to-charger communications could be intercepted and charging sessions terminated from more than 50 yards away.
Electric vehicle owner interfaces were chiefly vulnerable to skimming private information or changing charger pricing. Most electric vehicle chargers use firewalls to keep separate from the internet for protection, but Argonne National Laboratory researchers found some systems did not. Additionally, an Idaho National Laboratory team found some systems were vulnerable to malicious firmware updates.
The multi-lab team found many reports of charger Wi-Fi, USB or Ethernet maintenance ports allowing reconfiguration of the system. Local access could allow hackers to jump from one charger to the whole charger network through the cloud.
The team proposed several fixes that would make the U.S. electric vehicle charging infrastructure less vulnerable to exploitation.
The proposed fixes include strengthening electric vehicle owner authentication and authorization such as with a Plug-and-Charge public key infrastructure.
They also recommended removing unused charger access ports and services and adding alarms or alerts to notify charger companies when changes are made to the charger, like if the charger cabinet is opened.
For the cloud, they recommended adding network-based intrusion detection systems and code signing firmware updates to prove that an update is authentic and unmodified before being installed.
Follow-on funding will have researchers from Sandia, Idaho and Pacific Northwest national laboratories develop a system for electric vehicle chargers that uses cyber-physical data to prevent bad guys from impacting the electric vehicle charging infrastructure.
A second research project involves evaluating public key infrastructures for electric vehicle charging, providing hardening recommendations for charging infrastructure network owners, developing electric vehicle charging cybersecurity training programs and assessing the risk of the various vulnerabilities. Risk analysis looks at both the likelihood of something bad happening and the severity of that bad thing to determine which changes would be the most impactful.
This work was supported by the Department of Energy Vehicle Technologies Office and the Office of Cybersecurity, Energy Security and Emergency Response.
