The commercial charging station market has recently seen an increase in reports of possible cybersecurity incidents and particular challenges that can be addressed at the hardware level. Key security vulnerabilities in chargers include weak encryption of communication protocols, insecure software, and the possibility of physical tampering with components.
Reports of vulnerabilities in electric vehicle charging station (EVCS) systems that use popular communication protocols, such as Power Line Communication (PLC), are based primarily on extensive testing and analysis of hardware and software. Actual security incidents remain relatively rare, but they do occur in small numbers. [1]
For example, Girdhar et al. [2] introduced a model with components such as EV chargers, cloud systems, battery storage, and grid elements like transformers and circuit breakers. At the same time, another approach [2] includes communication standards (such as IEEE 2030.5, SAE J1772, ISO 15118, ISO 61851-24, ISO 61850, and IEC 62196-1/2/3), which are the leading PLC standards in the market. In this way, the security of the EVCS ecosystem is closely tied to the security of each individual subsystem, as any compromised interaction can potentially disrupt the entire station's environment.
Cybersecurity threats may stem from various internal or external conditions, leading to hazardous outcomes affecting interconnected elements. For example, attackers might exploit vulnerabilities to gradually manipulate the charging process, posing risks to the power grid’s stability, especially during peak demand times. This emphasizes the need for comprehensive security measures that cover both the physical and cyber aspects of the system.
For instance, in January 2023, a hacker exploited vulnerabilities in a commonly used screen-sharing program to gain access to the operating system (OS) of a new 350-kW charger produced by a U.S.-based electric vehicle (EV) charging company. Once inside the system, the hacker could manipulate the OS menu, open a web browser, and even navigate to a competitor's website, all while the charging application continued to run in the background. This breach exposed significant security risks within the EV charging infrastructure, highlighting how such an internal breach could potentially lead to severe consequences, like overloading the power grid if hackers manipulated charging schedules and energy flow during peak demand periods. This incident underscores the interdependency of elements within the EV charging ecosystem and the risks posed by cyberattacks, which could even impact the stability of the power grid.
These examples highlight the critical need for comprehensive cybersecurity measures to safeguard not only individual chargers but also the broader grid infrastructure they are connected to. [2, 1]
Key Incidents and Enhancing Hardware Security
Many EV charging stations use Power Line Communication (PLC) technology to transmit data between the charger and the vehicle. Research has shown that some older versions of this technology lack adequate encryption, allowing attackers to intercept communications and access sensitive information, such as network keys. Katherine Kozan, an engineer from the Southwest Research Institute, reports that penetration tests have revealed a common issue in older devices where the absence of proper security measures poses a significant vulnerability. [4]
Firmware vulnerabilities
Some chargers in their basic versions allow attackers to interact with and analyze the firmware, potentially exposing security vulnerabilities. In certain cases, this could enable remote attacks in which the charger’s functions are disrupted, or the device is used as an entry point into a larger network. In June 2023, security researchers uncovered a significant vulnerability involving an internal database hosted on a widely used public cloud platform. The database, which lacked password protection, stored nearly a terabyte of log data belonging to a global EV charging service provider with a network encompassing hundreds of thousands of stations worldwide. The exposed data included sensitive customer information such as names, email addresses, phone numbers of fleet customers, details about fleet operators, vehicle identification numbers (VINs), and the locations of public and residential charging points. This breach highlighted the risks of inadequate cloud security in handling sensitive information within large-scale EV charging networks. [1]
A notable case involved vulnerabilities in the Open Charge Point Protocol (OCPP), where weaknesses in the communication management systems were exploited by attackers to hijack electric vehicle (EV) chargers. These flaws allowed for the potential launch of distributed denial-of-service (DDoS) attacks, which could lead to widespread disruptions across EV charging networks. Additionally, the compromised systems posed risks to sensitive driver information, including the theft of payment data and personal details. Such incidents highlight the critical need for securing communication protocols and reinforcing cybersecurity measures across EV infrastructure to protect both users and service providers. [9]
Encrypting the network membership key is crucial for securing the V2G (Vehicle-to-Grid) charging process. FJ Olugbodi from SwRI notes that inadequate security for direct access keys can lead to memory tampering in PLC devices, potentially resulting in destructive firmware attacks. However, implementing encryption in embedded systems presents challenges, such as potential functionality disruptions. SwRI has developed a zero-trust architecture that integrates embedded systems under a unified cybersecurity protocol, minimizing attack risks, with further testing planned. [4]
The ability to remotely manipulate software without security controls enables DDoS attacks, ransomware, or interference with an EV’s battery management system. According to the IEA’s Global Electric Vehicle Outlook 2021 report, despite the pandemic, a record 3 million new EVs were registered in 2020—a 41% increase over 2019—while the global automotive market shrank by 16%. This trend accelerated in 2021, with EV sales in the first quarter nearly 2.5 times higher than the same period the previous year. By 2024, the global EV fleet surpassed 20 million, driven by advancements in charging infrastructure, technology, and stricter emissions regulations. [4, 5]
Hardware-level protection
Hardware-level protection for EV charging stations includes hardware security features such as HSMs (hardware security modules), which store cryptographic keys and perform cryptographic operations in an isolated environment. It is also important to implement physical anti-tampering safeguards that detect attempts at unauthorized access or opening of devices (ID&P). Such measures can include detecting tampering with sensors, controllers, and communication modules to ensure the integrity of the charging system.
The report “Cyber-Attack Event Analysis for EV Charging Stations” also mentions that hardware protection includes regular hardware penetration testing, as well as safeguards against physical attacks and attempts to reprogram devices, to protect charging stations from hardware tampering and cyber-attacks. [8]
Attackers can gain access to critical information, such as Wi-Fi or user data, through physical manipulation of the hardware, especially in chargers that feature popular chips like Raspberry Pi modules. While these attacks require physical access, they could potentially allow unauthorized control of the charger and, consequently, even expose a backdoor entry into the vehicle user's home IoT network. [6]
Ensuring that encryption protocols are consistently standardized for communication between vehicles and charging stations would greatly reduce the risk of unauthorized access. Many current protocols, such as those specified in ISO 15118, require stronger encryption methods to secure transmitted data. [8]
Secure firmware updates
To enhance the security of firmware updates, manufacturers should require mandatory signatures and verification for updates to prevent the installation of malicious software. This is particularly effective against remote manipulation of software. To further protect updates, mechanisms should be in place to prevent downgrade attacks, where attackers install older, vulnerable versions of software. For Over-the-Air (OTA) updates, ensuring the integrity of the update process, including servers and data transmission, is essential. Security measures should also address man-in-the-middle risks and protocol vulnerabilities to guard against various threats. [2, 3]
Author:
Bartosz Wojenka, AV / ADAS Engineer
References:
[1] Upstream, “Global Automotive Cybersecurity Report. The automotive cybersecurity inflection point: From experimental hacking to large-scale automotive attacks---the focus shifts to impact”, 2024. Available: https://upstream.auto/reports/global-automotive-cybersecurity-report/. [Accessed Oct. 28, 2024].
[2] M. Girdhar, J. Hong, Y. You, T.J. Song, and M. Govindarasu, “Cyber-Attack Event Analysis for EV Charging Stations,” 2023 IEEE Power & Energy Society General Meeting (PESGM), pp. 1-5, July, 2023. Available: https://arxiv.org/pdf/2211.08530. [Accessed Oct. 12, 2024].
[3] U.S. Department of Transportation, National Highway Traffic Safety Administration, “Cybersecurity Best Practices for the Safety of Modern Vehicles” (pre-final), 2022. Available: https://www.nhtsa.gov/sites/nhtsa.gov/files/2022-09/cybersecurity-best-practices-safety-modern-vehicles-2022-pre-final-tag_0_0.pdf. [Accessed Oct. 18, 2024].
[4] Southwest Research Institute, “SwRI evaluates cybersecurity risks associated with EV fast-charging equipment”, July 16, 2024. Available: https://www.swri.org/press-release/swri-evaluates-cybersecurity-risks-associated-ev-fast-charging-equipment. [Accessed Oct. 18, 2024].
[5] S. Hamdare, O. Kaiwartya, M. Aljaidi, M. Jugran, Y. Cao, S. Kumar, ... and J. Lloret, “Cybersecurity risk analysis of electric vehicles charging stations,” Sensors, 23(15), 6716, 2023. Available: https://doi.org/10.3390/s23156716. [Accessed Oct. 22, 2024].
[6] V. Stykas, “Smart car chargers. Plug-n-play for hackers?”, PenTestPartners, 2021. Available: https://www.pentestpartners.com/security-blog/smart-car-chargers-plug-n-play-for-hackers/. [Accessed Oct. 18, 2024].
[7] Southwest Research Institute, “SwRI hacks electric vehicle charging to demonstrate cybersecurity vulnerabilities”, November 9, 2020. Available: https://www.swri.org/press-release/electric-vehicle-charging-cybersecurity-vulnerabilities. [Accessed Oct. 12, 2024].
[8] IEA, “Global EV Outlook 2021: Accelerating ambitions despite the pandemic”, OECD Publishing, Paris, 01. Available: https://doi.org/10.1787/3a394362-en. [Accessed Oct. 12, 2024].
[9] E. Kovacs, “EV Charging Management System Vulnerabilities Allow Disruption, Energy Theft”, SecurityWeek, February 2, 2023. Available: https://www.securityweek.com/ev-charging-management-system-vulnerabilities-allow-disruption-energy-theft/. [Accessed Oct. 18, 2024].