Most people may not yet consider the dangers of having their EVs (Electric Vehicles) hacked and worry even less so about potential security breaches through EV charging points. Afterall, the average person does not tend to worry about a hack or security breach through their plug socket when they connect their other appliances to charge.
However, by 2025, the automotive cybersecurity market is expected to be worth over $4 billion. This is because, by the same year, the EV and CAV (Connected and Autonomous Vehicles) global market growth is estimated to result in 470 million vehicles connected to computerised databases. These vehicles, in addition to the tens of millions of charging points (both private and public) that must accompany them, could create an abundance of targets for cybercriminals.
It is not just the protection and cyber security of physical cars we must consider, but also the charging stations they require, their connection to the grid, and the data these systems carry (from personal information to billing accounts).
Not Just Another Plug: Gaining Access to EV and CAV systems
Electric vehicle systems aim to provide charging points for EVs, linking these into a cloud network which, through grid operators and cloud services, link back to owners. Such vast networks containing a large variety of elements result in increased vulnerabilities as with every access point comes an opportunity for these to be exploited.
Most EV hacking used to come from “white-hat” hackers – These are professionals who use their hacking skills to test cyber security systems legally and then report the weaknesses they find back to the EV companies so that they can be fixed. However, instances of illegal “black-hat” hacks outweighed “white-hat” hacks for the first time in 2021. These are the kind of attacks we more conventionally view as hacking, where the perpetrator is doing so to exploit.
Typical methods of hacking that have already emerged include access via non-robust apps linking to vehicles, either from manufacturers themselves or third parties, where personal data can then be stolen or even vehicle control gained. Firmware updates for both vehicles and chargers can also be intercepted, with hacked public charging points creating an evolved version of a ticket machine cybercrime, potentially siphoning a few pennies off the top of every recharging fee. Also, an arguably lax attitude to systems control and access mean that many chargers currently allow direct access via USB or similar connections.
This is in addition to potential energy system access via V2G (Vehicle-to-grid) systems, where these systems are designed to supply energy back to the grid when needed and transfer information in a bidirectional way. However, while energy providers are working hard to prevent access from their side, and it is hoped they are also considering access the other way with people wanting to take electricity without paying for it or having others pay for it.
The Consequences of EV Hacking
The potential consequences of cyber-attacks on EVs or their charging stations range from inconvenient to destructive. In April of this year, hackers remotely breached the security of English EV charging stations and displayed pornography on the screens. Whist this was likely just a prank, sometimes a hacker might be looking for a free recharge on their own vehicle. However, other times, attackers have hacked electric vehicles and charging stations in ways that affect their abilities to operate correctly.
For example, in January of this year, a 19-year-old, white-hat hacker from Germany gained access to 25 privately-owned Tesla vehicles across 13 countries via a third-party app the drivers used to connect with their cars. This allowed him to unlock doors, open windows, turn on their radios, flash their headlights, disable the anti-theft system, see if a driver is inside and even start their engines to begin “keyless driving”, although this hack did not allow access to remotely controlled steering, acceleration, or braking. However, with an increasing CAV market, we may see the emergence of similar hacks which allow perpetrators to send autonomous vehicles (and even their passengers) to specific locations.
The OCPP (Open Charging Point Protocol), which is a protocol to set up and manage charging stations including payment transactions for charging, has also been found to be vulnerable to hacks when dependent on HTTP. This includes the “Brokenwire Hack” where hackers were able to look at data passed back and forth over the CCS (Combined Charging System) interface and use electromagnetic interference to interrupt the communication between vehicle and charger, causing the session to stop; all using just 1W of power and from over 150 feet away using relatively simple transmitter and ariel set up. The ability to halt vehicle charging could become an even larger concern for fleet vehicles than individual, private drivers if it leads to entire charging stations being held for ransom.
Other instances to be aware of are billing frauds where RFID (Radio Frequency Identity) Cards, that allow you to initiate charge by tapping it against a card reader at a chargepoint, are cloned to falsify billing. In a world of increasingly monetised data, the hacking of home chargers and vehicles too can lead to the theft of personal data as well as data relevant to OEMs (Original Equipment Manufacturers).
Not all hackers are looking to profit financially, though, with some politically-charged attacks aimed to sway public opinion. In February, Russian EV charging stations were forcefully accessed and their screens made to protest the war displaying pro-Ukrainian slogans.
Standards for Protection
There are currently two main standards that look to protect the owners of EVs internationally:
- ISO 15118 is an international standard defining a vehicle to grid (V2G) communication interface for bi-directional charging/discharging of electric vehicles. The standard provides multiple use cases like secure communication, smart charging and the Plug & Charge feature used by some electric vehicle networks.
- ISO 21434 is a technical standard of cybersecurity measures for the development lifecycle of road vehicles that will comply with EU and UNECE regulations for a certification of a "Cyber Security Management System". Due to the increasing risks of cyber attacks on vehicles and because the infrastructure for online updates of vehicles (OTA (Over The Air)), fleet management, communication between vehicles (Car2x/V2X) and other requirements offer vehicles new attack surfaces, this standard is intended to propose measures for development.
The question that is asked in the interest of complete and continued cybersecurity is, do these standards work together and create a secure environment for the whole of the network and whole time they operate?
Measures of Protection
To ensure active cyber protection, there will need to be active monitoring of EVs and their systems. For example, ISO 21434 works adequately for vehicles coming off the production line but what it doesn’t allow for is frequent testing afterwards and necessitating secure and regular firmware updates. This should be rigorously implemented on not just new vehicles but older EVs too, both private and commercial.
CPOs (Charge Point Operators) are looking more at the use of software and apps. So, it will be best to learn from the experience of others and utilise data such as that collected by the UK’s National Cyber Security Centre who have extensive capability resource material that could help understand how we build secure and defensible systems from commencement and not just as an afterthought.
Whilst for the average driver there isn’t as much to do to prevent hacks as there is for manufacturers, the best thing for drivers is keep all vehicle and EV charger software up to date as well as take greater caution with storing of sensitive information. It was the insecure security of a third-party app that allowed access to the sensitive information that lead to the incident cited above where 25 Teslas across 13 countries were hacked.
According to Jin Ye, University of Georgia Professor researching cybersecurity solutions for CAEVs, the main areas of focus for manufacturers should be a secure on-board diagnostics port, secure software updates, better firewall, penetration testing, reliable hardware, and code reviews.
To ensure the protection needed for a safe EV market to thrive, we must recognise that cyber security is not solely an IT issue but a business issue with far reaching impacts across organisations as a whole. Thus, we should remove any silo thinking and instead treat this as a systems engineering problem, which few corporations currently do (although admittedly a move in this direction is most notably adopted by Tesla). EVs are an inevitable and arguably necessary future for transportation in a world where business and infrastructure are increasingly governed by environmental drivers. But, as they are already here today, protection needs to be in place now, and ready for the wider rollout of electric vehicles and EV charging.