Unsecured EV charging infrastructure an invitation for hackers

Oct. 10, 2023
The rush to cash in on EV charging may feel like the Wild West, but there’s no need for cities to ride alone.

As government agencies large and small work to meet the White House’s call to modernize our cybersecurity infrastructure, others are creating the infrastructure needed for our move toward clean energy. The nexus of these efforts is cybersecurity for electric vehicle (EV) charging stations.

Hackers rarely target only the point where they gain access to a system. A hospital ransomware attack, for example, may begin with a single compromised terminal at a nurse’s station, but the end goal is to hold the entire network hostage. In the same vein, an attack on a vulnerable EV charging station may not hold much attraction for a hacker. Accessing someone’s private data via their EV’s system, however, might be more interesting. Getting into the whole electric grid would be quite the coup for most hackers - could that really happen?

In the recent Colonial Pipeline attack, a single stolen password allowed cybercriminals to shut down fuel supplies to the entire southeastern U.S. Our electric grid is similarly vulnerable because of our aging infrastructure - more than 70% of the grid is 30 years old. This kind of security simply wasn’t thought about when these systems were built.

New and Unusual Attack Surface

Now we’re adding new components - EV charging stations - to this aging network and thinking of it all as the electric grid, which doesn’t seem that vulnerable to cyber-attacks. The vulnerabilities lie in the technology at the heart of electric vehicles. The connections between vehicle, charger, processor, and grid are all electronic and, therefore, hackable.

In cybersecurity, we talk about attack surfaces, or the points of entry that a hacker might exploit in the same way that a burglar might see the windows and doors of your home. Adding EV charging stations to the grid increases the attack surface, and each car that connects widens the attack surface more.

The most up-to-date approach to limit the attack surface of software and hardware in general is the concept of security by design, where security isn’t the responsibility of one entity at the end of the production process but built into all aspects of a product, from conception to delivery. This is what’s needed for the EV charging infrastructure.

That means state and local governments must think about security from the beginning. They must require vendors to show that they use sophisticated security measures to protect their product from attackers. It may seem like a tall task as states and municipalities rush to meet the federal government’s requirements for clean energy and claim a portion of available charging station funding administered through the Federal Highway Administration’s National Electric Vehicle Infrastructure (NEVI) program, but the administration has shown a strong commitment to cybersecurity - states that receive NEVI funds must “protect consumer data and protect against the risk of harm to, or disruption of, charging infrastructure and the grid.”

Government Partners

Local governments don’t have to go it alone though. There are partners available to help. Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) is one example. The agency offers free tools - technical assistance, assessments, training, and more - to help organizations reduce cyber and infrastructure risk. Collaboration is part of their mandate, so they stand ready to assist.

The Department of Energy (DOE) is another example. The agency’s Alternative Fuels Data Center has already created a framework for developing EV charging infrastructure. In addition to comprehensive information specifically for local and regional leaders, guides to setting up charging stations, and a dozen real-world case studies, DOE’s Vehicle Technologies Office offers project assistance to public and private stakeholders. Local businesses, trade or technical schools, and other government entities may also be available to help municipalities practice security by design as they develop EV charging infrastructure.

Aside from the federal government’s mandate, providing the strongest possible cybersecurity of charging assets just makes sense. If you knew that a gas pump was likely to leak your credit card information to thieves, would you use that pump? If consumers doubt the security of EV charging infrastructure, purchases of EVs could stall, harming the environment and putting government and company commitments to electric vehicles in jeopardy.

Final Thoughts

From a rural and small-town standpoint, it makes a lot of business sense to offer travelers a safe, secure option for charging vehicles on long trips. Charging an EV takes longer than filling a gas tank, which gives charging station operators an opportunity to provide additional products and services to consumers with time on their hands.

That glistening future of happy patrons pumping money into the local economy as their EVs fuel up is only possible through trust. Local businesses, and therefore governments, prosper when consumers choose their location to charge up because they know charging stations are secure. Think about the popularity of clean, secure roadside gas stations with an interesting local flavor. Protecting the EV charging infrastructure from attack isn’t only for EV drivers. We all benefit when our personal data and the entire electric grid are protected from cyber criminals.

About the author: Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University.

Dr. Brian Gant is an Assistant Professor of Cybersecurity at Maryville University and an executive professional with over 18 years of corporate and federal government experience in analytics, threat intelligence, critical infrastructures and executive protection.