Modern cars, especially electric vehicles (EVs), are computers on wheels. EVs, hybrids and gas-powered vehicles all use sophisticated software running on processors distributed throughout the vehicle, and they communicate with other computer systems over cellular and Wi-Fi networks. Where EVs take this to another level though, is in the charging systems.

EVs “talk” to their chargers, exchanging data as needed, and these chargers are connected to networks of computers. This growing level of connectivity creates significant cybersecurity risks, something the EV and electric vehicle supply equipment (EVSE) technicians who work on these systems should appreciate more fully.

Why are Modern Vehicles Connected?

Currently, the reasons vehicles connect to external networks are:

• To support telematics functions: Sharing information on vehicle condition, maintenance requirements, and faults.
• To receive firmware updates: Manufacturers are increasingly able to send Over The Air (OTA) updates to on-vehicle systems.
• For efficient charging and billing: This applies to EVs and plug-in hybrids only. Gas pumps don’t require this kind of connectivity.

In the near future, a fourth reason will join this list: V2X.

V2X stands for vehicle-to-everything. The concept is that every vehicle will continuously exchange data with vehicles and infrastructure in its vicinity. This is expected to dramatically improve safety, and at the same time, reduce congestion. However, what is potentially an exponential increase in connectivity poses a host of cybersecurity challenges.

The Automotive Cybersecurity Challenge

The multiple software-controlled functions in modern vehicles pose a tempting target for many “bad actors”, and high levels of connectivity offer many potential vectors of attack.

Installing malware on a vehicle could let a hacker take control of critical systems, if not of the entire vehicle. There’s also the opportunity to access personal data and even read texts and emails. However, while this might be annoying, or even dangerous for a single vehicle user, attacks on EV charging systems could be significantly more serious.

Cybersecurity Threats: Electric Vehicles

Introducing malware into the many systems in the modern vehicle could let a hacker take control of functions like acceleration, braking and steering. Advanced Driver Assistance Systems (ADAS) could also be a target, with the hacker changing the functionality of adaptive cruise control or pedestrian detection.

In an EV an attack could extend into manipulating the battery and charging system. This could lead to thermal runaway, where the battery overheats and catches fire.

Less seriously, but still unwelcome, a hacker could access personal information such as the driver’s home address. It may also be possible to track the vehicle’s location.

Furthermore, many drivers connect their cellphone to the vehicle’s systems. This presents a hacker with an opportunity to access cellphone data.

Cybersecurity Threats: Charging Stations

The EVSE infrastructure comprises public and private charging stations, plus electrical supply and billing systems. From a cybersecurity perspective, it’s the public stations that pose the most attractive target, although private chargers using Wi-Fi can also be vulnerable.

Reasons bad actors might choose to attack public charging stations include:

• To obtain free charging (stealing electricity)
• To obtain customer billing information (particularly credit card details)
• To destabilize the electricity grid

Public chargers also provide a means of attacking individual EVs. When an EV is connected, it and the ESVE exchange data. (This can be to identify the vehicle for billing and/or to determine the charging speeds and voltages to use.)

This data flow presents an opportunity to move malware placed on the EVSE across to the vehicle. Such an approach could potentially infect large numbers of EVs, and, when they are later plugged-in to private equipment, home and office networks too.

Mitigation Strategies

As EVSE becomes increasingly sophisticated, the number of potential attack vectors grows. Keeping equipment secure depends on addressing both physical and network access.

Private EVSE can be placed in locked garages or secured in similar ways, but the same is not true of public equipment. This means hackers have the option of attacking in-person or remotely.

Owners and operators of EVSE must ensure the built-in security tools and protocols are fully utilized. This means implementing appropriate passwords and encryption, as made available on the EVSE and associated routers by the manufacturers. In addition, passwords should be changed regularly, and whenever equipment is accessed by an EV technician.

For EVSE manufacturers, cybersecurity considerations must be an integral part of the design process. Furthermore, they must adhere to all prevailing standards, (such as ISO/SAE 21434, UL 2900, and IEC 62443), and ideally should participate in development of new standards.

Security Will Drive Confidence in EV Charging

Regrettably, the risk of cyberattacks on EVs and the associated electricity supply infrastructure is very real. Accordingly, manufacturers, operators, and users of both electric vehicles and their charging systems must remain vigilant at all times. In parallel, manufacturers, installers, and operators of EVSE must constantly seek out and respond to new and emerging attack vectors.

Inevitably, attention will also fall on the electric vehicle technician who needs access to the systems in both the cars and the charging equipment. Their role in ensuring security tools and systems are fully operational will only grow, because no countermeasures can be effective if not implemented correctly, as discussed here.