# Security and the Electric Vehicle Charging Infrastructure
Source URL:
https://www.darkreading.com/attacks-breaches/security-and-the-electric-vehicle-charging-infrastructure
Date: 20230124T1500
With more countries reaching the [tipping point][1] for electric vehicle
(EV) adoption, it's more urgent than ever for the public and private
sectors to invest in [EV charging infrastructure][2]. A robust and
highly secure EV charging ecosystem is essential for ensuring network
availability and stability, providing a seamless charging experience to
drivers, and achieving zero-emission transportation.
The good news is that EV charging infrastructure build-out is gaining
momentum. The downside is that cybersecurity risks are growing along
with the charging infrastructure, and cybercriminals are starting to
take notice.
Today, EV chargers themselves are the primary target, with hacks ranging
from planting ransomware to hijacking charger [message screens][3] with
politically motivated or objectionable content. In a major wake-up call
to manufacturers, a [white-hat security specialist][4] demonstrated EV
charger hardware and software vulnerabilities. Recent hacks have also
shown that EVs, too, are at risk.
## The Vulnerabilities Are Broader Than Chargers and EVs
The communications networks that connect chargers with their management
system, the personal data that travels across those networks, the
charge-point operators collecting payments, and the grid itself are
increasingly vulnerable as the EV ecosystem grows and the attack surface
expands. The risks include (but are not limited to):
* Disruption of operations for public charger networks, rendering large numbers of chargers unusable and interfering with transportation
* Takeover of charger networks to use the chargers as bots in massive distributed denial-of-service (DDoS) attacks
* Theft of customers’ personally identifiable information (PII), including payment card information
* Fraudulent payments for electricity used in EV charging
* Disruption to the power grid, leading to blackouts and equipment damage
* Damage to the EV charging provider's reputation
As IT security experts know, whenever you have digital communications
between two points, you have a potential vulnerability. When an EV plugs
in to a networked charger, a cascade of bidirectional communications
between multiple computers ensues — between the vehicle and the charger,
the charger and the driver's mobile app, the charger and the grid, the
charger and the back-end management system, the management system and a
payment gateway, and the management system and the charge-point
operator. That's a broad attack surface.
It takes coordination and commitment across the EV charging ecosystem to
achieve the end-to-end security needed for protecting EV charging
networks, personal and payment data, and the grid.
## Standards and Protocols Offer a Way Forward
EV charging and energy management solution providers must commit to
industry protocols and standards — developed by global consortiums such
as the Open Charge Alliance (OCA) and the International Organization for
Standardization (ISO) — and the protections they provide. So must other
industry players, such as EV charger manufacturers and their
sub-suppliers, automotive manufacturers, and utilities.
Key to network security is Open Charge Point Protocol (OCPP). It governs
communications between charging stations and a central management
system. The latest version incorporates standards for secure connection
setup, security events and logging, and secure firmware updates.
Another essential measure is ISO 27001, a comprehensive framework that
covers legal, physical, and technical controls involved in a company's
information security and risk management processes. Compliance ensures
all relevant processes, procedures, and tools are implemented and
monitored to protect the EV charging platform.
ISO 15118-20 is an international standard that was updated in 2022 to
tighten security requirements for bidirectional communications between a
charging station and an EV. The standard provides for plug-and-charge
capability, which uses security certificates to automatically identify
the EV to the charger and authenticate a payment method. It also governs
the exchange of data required for vehicle-to-grid (V2G), which sends
energy stored in the EV battery back to the power grid.
## IT Security Best Practices Provide Multilayered Protection
The first IT security best practice that EV charging ecosystem companies
should consider is organizational: Hire a chief information security
officer (CISO). With a broad attack surface to defend and the need to
protect data from internal and external attacks, the CISO should work
closely with the chief technology officer (CTO) to coordinate IT
security and EV charging infrastructure security.
The communications and data exchange between management software in the
cloud, EV chargers, EVs, and the grid can be protected by IT security
best practices such as X.509 public key infrastructure (PKI), transport
layer security (TLS), secure "tunneling" across the Internet, and data
encryption.
EV charging infrastructure providers must also be concerned with data
privacy regulations specific to PII. Any organization transporting,
handling, or storing PII should comply with the General Data Protection
Regulation (GDPR) in the EU, the Act on the Protection of Personal
Information (APPI) in Japan, the California Consumer Privacy Act (CCPA),
and the new California Privacy Rights Act (CPRA).
[Compliance with Payment Card Industry Data Security Standards][5] (PCI DSS) and SOC 1 security standards provides the security controls and measures to protect credit and debit card transactions during transmission and storage. Controls include using tokens rather than readable data and storing only the final four digits of a credit card. Intelligent safeguards for billing management systems should recognize and prevent fraudulent payment.
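The token and last-four controls described above can be sketched as follows. This is an added example, not code from the article or from any charging platform; `TokenVault`, `billing_record`, and the record fields are hypothetical names, the in-memory dictionary stands in for an isolated tokenization service, and the card number is a constructed test value.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """In-memory stand-in for an isolated tokenization service (assumption).

    Only this component ever holds the full card number; a real vault would
    encrypt it at rest and run in its own network segment.
    """

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> dict:
        pan = pan.replace(" ", "").replace("-", "")
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        # The token is random, so it cannot be reversed into the card number.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        # Reserved for the payment-gateway integration.
        return self._pan_by_token[token]


def billing_record(vault: TokenVault, session_id: str, pan: str, kwh: float) -> dict:
    """Build the charging-session record the billing system may store and log."""
    return {"session": session_id, "kwh": kwh, **vault.tokenize(pan)}


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed test card number, not a real account.
    print(billing_record(vault, "sess-001", "4111 1111 1111 1111", 23.4))
```

The billing record carries only the token and the final four digits, so a leak of the billing database or its logs does not expose usable card numbers.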
Endpoint detection and response (EDR) systems continuously monitor
devices connected to the EV charging management platform, identify
intrusions, and enable rapid response so cybercriminals cannot penetrate
the network and pivot to other components, whether that is the
management software, the car, or the grid.
And conducting annual infrastructure and application penetration tests
is essential to discovering potential vulnerabilities and building a
solid plan to resolve them.
## The Final Takeaway
Protecting the EV charging infrastructure from cybercriminals is a job
for every participant in the ecosystem. Whether you're considering
hosting EV chargers at your place of business or you're an active
participant in the ecosystem, security must remain top of mind. A key
takeaway from the IT security industry is the recognition that this will
be a perpetual battle. The larger the EV charging ecosystem grows, the
more monetary value it offers to cybercriminals. The challenge of
staying ahead of bad actors, and responding quickly when unknown threats
become known, never ends.
[1]:
https://www.bloomberg.com/news/articles/2022-07-09/us-electric-car-sales-reach-key-milestone
[2]:
https://www.darkreading.com/attacks-breaches/how-to-keep-evs-from-taking-down-the-electrical-grid
[3]:
https://electrek.co/2022/02/28/hacked-electric-car-charging-stations-russia-displays-putin-dckhead-glory-to-ukraine/
[4]:
https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/
[5]:
https://www.darkreading.com/edge-articles/what-s-new-in-pci-dss-4-0-for-authentication-requirements-