EXECUTIVE SUMMARY:
Last year, global sales for electric vehicles (EVs) increased by 60% worldwide and one in every seven passenger cars purchased globally was an EV. In contrast, just five years earlier, only one in every 70 cars bought was an electric vehicle. Consumer demand for EVs is at an all-time high, but the growth of this sector may mean unprecedented security challenges.
The industry is in the midst of a rapid expansion phase. New EV charging stations are popping up in parking lots and on street corners the world over. However, the new installations could prompt cyber attackers to target EV charging networks, the vehicles themselves, and/or the connected power grids.
EV charger risk
For many connected devices, the race-to-market has translated to cyber security measures that were ‘bolted on,’ but not ‘built in’. In other words, cyber security was largely an afterthought. In the case of electric vehicle chargers, that’s a particularly unsettling prospect, as EV chargers are interlinked with other infrastructure.
The National Institute of Standards and Technology (NIST) has commented on the enormity of the cyber safety concern pertaining to electric vehicle charging stations:
“EVSE [Electric Vehicle Supply Equipment] is supported by electronics, both for charging the vehicle and facilitating communications, so EVSE is susceptible to cyber security vulnerabilities and attacks. EVSE also ties together two critical sectors — transportation and energy (specifically, the grid) — that have never been connected electronically before. This creates the potential for attacks that could have significant impacts in terms of money, business disruptions and human safety.”
Real-world examples…
Cyber attacks that exploit EV charging station weaknesses may be able to cause power fluctuations and power outages, as attacks would suddenly alter the demands of EV charging networks. Alternatively, might a cyber attack completely disable EV charging infrastructure, stranding drivers? This would be similar to cutting off the fuel supply, which almost occurred on the East Coast of the U.S, during the Colonial Pipeline attack.
The examples above represent just a handful of the ugly scenarios that cyber security and electric vehicle supply equipment researchers have written about. A few researchers have already come across vulnerabilities that could allow cyber criminals to remotely shut down EV chargers or steal electricity.
As a society and within the cyber security community, we must work together to address this type of cyber risk.
Addressing the risk
While this list might not be comprehensive, it offers strong starting points…
- Network and hardware segmentation. The industry should leverage trusted components and create a partitioned architecture. Thus, a compromise in one sector would not necessarily morph into a lateral danger for an adjacent sector.
- Software security. Enterprises in the electric vehicle ecosystem must use secure software. Implementing the principle of ‘least privilege’ is key, as it ensures that software operates with the lowest possible permission level. This has a variety of implications.
- Monitoring and incident response planning. Electric vehicle equipment producers should continuously monitor systems for malicious cyber activity and should be prepared for cyber threats to emerge. Enterprises may wish to explore MDR/MPR solutions.
- Building security in, rather than bolting it on. Cyber security needs to be built into the software, hardware deployment operations and more. In addition, we need to account for the human factor within the cyber risk conversation. For example, technicians need to be properly trained and authorized ahead of engaging with infrastructure.
Over a million lines of code are embedded into many of today’s cars. Automotive software has never been more complex. Now, the challenge is how to secure all of it.
For more insights into connected cars, please see CyberTalk.org’s past coverage. To receive more cutting-edge cyber security news, best practices and analyses, please subscribe to the CyberTalk.org newsletter.