In late 2021, a vulnerability in an electric vehicle (EV) charging app revealed the full names, addresses, and charge histories of more than 140,000 UK users. Last year, Shell patched a weakness in one database that could have led to a similar fate, potentially exposing millions of charging logs across its EV charging network. Fortunately, the energy company caught the vulnerability in time. But not all charging providers will be as lucky unless security measures become standardized and impenetrable.
Several researchers from different organizations have purposely compromised EV-related subsystems or infrastructure over the last few years to expose vulnerabilities in the technology. The conclusion: millions of smart EV charger units are susceptible to account hijacking.
“I think cybersecurity is extremely important and has not been discussed enough in the EV and charging industries,” shares Joachim Lohse, CEO of Ampcontrol, an AI-powered charging management software and payment platform. “Everyone wants to talk about the next great feature, and security is simply a far less ‘exciting’ topic.”
But it’s a critical one if we’re to advance EV adoption. Although the market for electric vehicles is expanding, it’s at a slower pace than many predicted, and experts agree that establishing reliable public charging infrastructure is the key to mass adoption. In this case, reliability must cover charger availability, as well as data protection.
Where to begin
EV charging stations are complex from a security standpoint due to their network connectivity, interfaces, and integration with various systems, including vehicles, power grids, and payment processors. They’re also easily accessible to the public, putting them at risk for various security attacks.
“From my perspective, there are two main aspects to cybersecurity at EV charging sites: protection against attacks that aim to bring a charging network down and protection of drivers’ personal information,” says Lohse. “Charging station hardware always communicates with the Internet, which means it needs protection similar to websites, business software systems, and other electronic devices.”
The good news is that the risk to drivers’ payment data, such as their credit card information, tends to be lower, because payment terminals and mobile apps distributed through stores such as the Apple App Store are typically subject to stricter encryption requirements and audits.
The bigger concern, according to Lohse, is the poor protection of charging station data, which can make it easy for outsiders to interrupt entire charging networks.
“Unfortunately, we see ignorance. Companies are alerted to a security threat, but ignore it since no one will audit their system,” he says. “Companies must follow basic due diligence when connecting EV charging stations.”
Charging systems have several components, including the EV charger hardware, communication devices (such as routers), and software that typically runs in the Cloud. One might think the fastest way to hijack data is through the Cloud, but, again, it tends to be much better protected than the other components.
“Where we see companies cutting corners is when the chargers connect to the software. Charging stations use WebSocket to exchange data between the charger and the cloud software. Similar to web applications, this communication goes through the Internet,” Lohse explains.
Some of the core protections used in common applications (such as apps, websites, etc.) across the IT industry include:
1. Encryption (TLS 1.3)
2. Authentication (Password protection, secrets, or highest security profile)
3. Security protocols (HTTPS, WSS)
“Essentially, if companies exchange data between their EV chargers and software without these basic protections, they risk hackers accessing or interacting with the applications,” says Lohse. “For example, they can start connecting a large number of virtual charger bots to the network and overload the servers.”
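As an added illustration of the three protections listed above (example code written for this discussion, not Ampcontrol’s or the Open Charge Alliance’s own), here is a small Python audit of one charger-to-cloud WebSocket link: it checks for WSS, a TLS 1.3 floor, and per-charger credentials on the handshake. It assumes, as OCPP-J does, that the charger identity is the last URL path segment and doubles as the Basic-auth username; the 16-character minimum key length is this example’s own threshold, not a protocol constant.

```python
"""Audit a charger-to-cloud WebSocket link for the three basic protections:
encryption (TLS 1.3), authentication (per-charger credentials), secure protocol (WSS)."""
import base64
import ssl
from urllib.parse import urlparse

# Assumed convention (as in OCPP-J): the charger identity is the last URL path
# segment, and the same identity is the Basic-auth username on the handshake.
MIN_KEY_LEN = 16  # threshold chosen for this example, not a protocol constant


def make_tls13_context(ca_file=None):
    """Client-side TLS context for the charger: verifies the cloud certificate
    and hostname, and refuses anything older than TLS 1.3."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def basic_header(user, key):
    """Build the Basic Authorization header a charger would send on the handshake."""
    token = base64.b64encode(("%s:%s" % (user, key)).encode()).decode()
    return {"Authorization": "Basic " + token}


def audit_charger_link(url, headers, tls_min_version=ssl.TLSVersion.TLSv1_3):
    """Return a list of findings for one charger-to-cloud WebSocket link.
    An empty list means all three basic protections are in place."""
    findings = []
    parts = urlparse(url)
    charger_id = parts.path.rstrip("/").rsplit("/", 1)[-1]

    if parts.scheme != "wss":
        findings.append("protocol: %s:// is not WSS; handshake and messages travel in the clear" % parts.scheme)
    elif tls_min_version < ssl.TLSVersion.TLSv1_3:
        findings.append("encryption: minimum TLS version is below 1.3")

    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        findings.append("authentication: no credentials on the WebSocket handshake")
        return findings
    try:
        user, _, key = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        findings.append("authentication: malformed Basic credential")
        return findings
    if user != charger_id:
        findings.append("authentication: username %r does not match charger id %r" % (user, charger_id))
    if len(key) < MIN_KEY_LEN:
        findings.append("authentication: key shorter than %d characters" % MIN_KEY_LEN)
    return findings
```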
This already paints a dark picture, but there is more: as charging stations scale and potentially become one of the biggest energy consumers on the grid, they also become a risk for utilities.
“Just imagine a scenario where thousands of EVs are charging in a region, and a hacker can suddenly and simultaneously interrupt the charging stations… this would drop power quickly and unexpectedly. And the utility would need to react extremely fast to avoid wider outages.”
At the same time, adds Lohse, charging stations will become more connected to the utility communication and grid management system.
“Although we’re still far from a true smart grid, utilities can only realistically realize such a grid when charging networks are more secure than today,” he says. “While utilities have several layers of protection and many more certifications that will protect them, a security risk on the EV charger side could also mean a risk to overall grid stability.”
Setting standards
The Open Charge Alliance is one of the most prominent organizations that has developed a communication protocol, the Open Charge Point Protocol (OCPP), to standardize the language between hardware and software. The standard includes various security aspects that cover the three protections mentioned above.
The problem is that OCPP is not an industry standard in the sense of those published by the International Organization for Standardization (ISO), which develops independent, non-governmental, international standards. So, while some countries and states oblige EV charging networks to follow OCPP, it is not globally enforced, nor does it come with a large number of certifications or audits.
“Some companies follow these protocols and have very good protection, while others don’t implement everything. It’s essential to understand that using OCPP does not necessarily mean a company’s chargers are protected. It depends on how it was implemented with the OEMs and the software company.”
According to Lohse, all sides of the industry, from the OEMs to the software providers, must follow these security standards, invest in continuous improvements, and make customers aware of potential security risks. This means all parts of the industry must commit to exchanging data to ensure cybersecurity protections. So, for example, if a software company finds that an EV charger is running with outdated encryption, it shares this with the provider and the OEM to help them improve security.
“The first step is really quite simple. Companies must follow basic cybersecurity principles — such as authentication, encryption, and secure protocols. They could use VPNs or more advanced role-based access control for their applications.”
A VPN is a virtual private network that encrypts Internet traffic, protecting online data. Note that these are not EV-industry inventions; rather, they are commonly implemented protections in nearly every tech or digital industry.
“In addition to the technical steps, we recommend investing in security at the company level. This means getting SOC 2 Type 2 certified and training staff to protect information, hardware, and more.”
SOC 2 Type 2 certification is a rigorous auditing process that evaluates and verifies a service provider’s ability to securely manage customer data, based on five trust principles: security, availability, processing integrity, confidentiality, and privacy. It involves a thorough examination by an independent auditor, demonstrating that a company consistently meets these standards, ensuring reliable data protection and management practices.
For now, Lohse is noticing increasingly stringent requirements in the proposal process when selecting vendors, asking for certifications and details on protecting data and their future infrastructure.
“I think this is the right step,” he says. “Companies must review encryption, authentication, and other methods potential vendors use. And I expect we will see more third-party audits and certifications as the industry and networks grow. They’re expensive and take time, which is why we don’t see them too often yet. Everyone is trying to move fast, and the market is still new.”
Eventually, artificial intelligence (AI) will play a more significant role in EV charging security by detecting anomalies in charging patterns and user behaviors, potentially identifying cyber threats in real time. The AI algorithms will also optimize charging schedules and load balancing, ensuring grid stability and preventing unauthorized access to charging networks.
“In the future, AI can also help to identify possible attacks, security gaps, and such,” agrees Lohse. “For instance, we’ve already invested in R&D resources to develop tools and alerts to identify security threats better and resolve issues automatically.”
Fortunately, most hackers look for an easy hit, an unsecured system that requires little effort to breach.
“Hackers typically don’t take the complicated route,” he says. “So, the concern right now is that the EV charging industry is sometimes looking away or not making its best effort to ensure safe and secure infrastructure. But this can be corrected with the right intent and enforced standards that ensure a secure and reliable EV ecosystem. It’s an essential fix and a necessary one for greater EV adoption.”