Sandia publishes study on EV charging infrastructure vulnerabilities
Potential vulnerabilities in EV charging infrastructure range from the skimming of credit card information to the use of cloud servers to hijack an entire charger network.
In “Review of Electric Vehicle Charger Cybersecurity Vulnerabilities, Potential Impacts, and Defenses,”published in the scientific journal Energies, Jay Johnson, an electrical engineer at Sandia National Laboratories, reveals the results of four years of studying EVSE vulnerabilities.
The team considered entry points such as vehicle-to-charger connections, wireless communications, EV operator interfaces, cloud services and charger maintenance ports. They looked at conventional AC chargers, DC fast chargers and extreme fast chargers.
The survey noted several vulnerabilities on each interface. The team found many instances of charger WiFi, USB or Ethernet maintenance ports that allow reconfiguration of the system. Local access could allow hackers to jump from one charger to the whole charger network through the cloud, Johnson writes.
Based on this research, Sandia has produced a best-practices document for the charging industry. Proposed fixes include strengthening EV owner authentication and authorization, such as with a Plug and Charge public key infrastructure. The team also recommends removing unused charger access ports and services and adding alarms or alerts to notify charger companies when changes are made to a charger. For the cloud, they recommend adding network-based intrusion detection systems and code-signing firmware updates to prove that an update is authentic and unmodified before being installed.
The Sandia team has received follow-up funding to deal with some of the issues.
“The government can say ‘Produce secure electric vehicle chargers,’ but budget-oriented companies don’t always choose the most cybersecure implementations,” said Brian Wright, a Sandia cybersecurity expert on the project. “Instead, the government can directly support the industry by providing fixes, advisories, standards and best practices.”