Cybersecurity is crucial in every product connected to the internet. Society has become so used to relying on internet-connected devices for so many daily routines that it is important to guarantee that every single connected device has cybersecurity measures implemented to ensure security in the whole ecosystem. Charging stations for electric vehicles are no exception. Electric vehicle (EV) charging infrastructure is as vulnerable to cyber threats as any other connected device.
Even if our EV has security protocols and safe algorithms implemented, as well as safety measures, what happens when we plug it in to charge it or use one of its associated applications? Is our security still guaranteed? Sometimes there might be security breaches within the electric vehicle charging station (EVCS) ecosystem that could endanger our privacy, but also our safety and even the entire electric grid infrastructure.
These security weaknesses can affect all the elements that an EVCS is composed of: the charging point (the station itself), the charge point operators (CPO), who provide the charging network infrastructure, and the distribution system operators (DSO), the operating managers of energy distribution networks. Implementing cybersecurity measures in each of them is essential to creating a trusted environment where users can experience flawless and secure charging.
Are there any specific parts of these EVCS elements that are more vulnerable to security breaches? Yes. Security in EVCS should be especially focused on communication, mobile apps, firmware updates and physical access points. The reason is that the charge point and the CPO back-office communicate with each other, and this communication is essential to the proper functioning of EV charging. It is therefore important to implement measures, for example encrypted communication, to ensure that no one can interfere with or alter it.
Security should also be strengthened in the mobile apps used to interact with the charging point and in the software installed in the station, as these can be easily exposed to cyber threats.
Another important aspect of EVCS cybersecurity is support for firmware updates, a process through which many vulnerabilities can be identified and corrected to optimize security. Also, the physical access points of EV charging stations are exposed to physical attacks, for example attempts to modify vulnerable software on internal components such as the microprocessor or memory.
But what would the consequences be if an EVCS is cyber-attacked? Very different and specific scenarios may occur, but the most frequent will be identity theft, data alteration, unauthorized access privileges, malware insertion, theft of private and sensitive information, electricity flow manipulation and changes in operating parameters that may compromise charging stations' safety, among many others.
Furthermore, a lack of security or vulnerabilities in EVCS make it possible to launch large-scale cyber-attacks that also compromise the security of the power grid. Not only would e-mobility be in danger, but also the electricity infrastructure itself.
Therefore, cybersecurity for EVCS is a critical need due to the high risks, complexity and quick evolution of connected devices we are experiencing nowadays. Setting a minimum level of security can prevent an attack from causing the charging point to malfunction and become a security and safety risk to users, CPOs and DSOs.
DEKRA is committed to cybersecurity. For this reason, we offer our customers different evaluation services to help them ensure their EVCS products are safe and secure. These range from Security Verifications of the charge points, where a number of test cases or security controls can be checked on the EVCS to verify its security, to Pen testing evaluations, where vulnerabilities, security breaches and security improvements can be identified, considering the complete EVCS ecosystem.
In addition, DEKRA also offers a CPO certification according to well-known cybersecurity programs such as ioXt Alliance or IEC 62443-4-2, which are a reference of security for connected products and demonstrate to end-users that the product complies with a minimum of security guarantees through approval seals.