How big is the threat of hacking public EV chargers?

As regular Charged readers know, most folks in the EV charging field believe chargers should be online, for many reasons—remote diagnostics, user information, participation in V2G applications, etc. However, anything that’s hooked up to the net can potentially be hacked, and EVSE is no exception.

A recent Wired article recounted several recent incidents in which pranksters hacked into public chargers, hijacking their user interfaces to display rude messages. YouTube channel The Kilowatts recently posted a video demonstrating that it was possible to take control of an Electrify America station’s operating system.

So far, EVSE hackers have been content to pull childish pranks (at least as far as we know), but cybersecurity experts warn of the potential for serious mischief.

“This is a major problem,” says Jay Johnson, a cybersecurity researcher at Sandia National Laboratories. “It is potentially a very catastrophic situation for this country if we don’t get this right.”

Several researchers have documented the vulnerabilities. Jay Johnson and colleagues identified several charger security issues in a paper published the journal Energies. Another study, led by Concordia University and published in the journal Computers & Security, highlighted a dozen types of “severe vulnerabilities.” British security research firm Pen Test Partners analyzed 7 popular EV charger models, and found that 5 had critical security flaws.

Theoretically, hackers could access vehicle data or consumers’ credit card information, or even stop or start charging.

“It’s not about your charger, it’s about everyone’s charger at the same time,” Ken Munro, a co-founder of Pen Test Partners, told Wired. If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize an entire electrical grid. “We’ve inadvertently created a weapon that nation-states can use against our power grid,” says Munro.

Munro’s top recommendation: don’t connect your home charger to the internet. That might not be a bad idea—arguably, home users benefit little from being online—but it’s not a good option for public chargers, which need to be online not only to handle payment, but also to help ensure reliability. Therefore, EVSE manufacturers and CPOs are going to have to raise their security games significantly.

“It’s the responsibility of the companies offering these services to make sure they are secure,” Jacob Hoffman-Andrews of the Electronic Frontier Foundation told Wired.

Pen Test Partners has found that most charging firms have been responsive to fixing the vulnerabilities it identified—ChargePoint and others plugged gaps in less than 24 hours.

“Everybody knows this is an issue and lots of people are trying to figure out how to best solve it,” says Johnson, adding that many public charging stations have upgraded to more secure methods of transmitting data. But more coordination is needed. “There’s not much regulation out there.”

The 2021 Bipartisan Infrastructure Law includes cybersecurity measures, but these fall short of what experts say is needed. The Federal Highway Administration has finalized a rule requiring states to implement “appropriate” cybersecurity strategies, but this only applies to chargers funded under the BIL, and as Johnson told Wired, it’s vague about what’s actually required. “If you drill down into the state plans, you’ll find that they are actually extremely light on cyber requirements. The vast majority that I saw just say they will follow ‘best practices.’”

The National Institute of Standards and Technology is developing a framework for fast charging that’s intended to guide future regulation. Johnson says the 2022 Protecting and Transforming Cyber Health Care Act could serve as a model for an EVSE cybersecurity regime. “Regulation is a way to drive the entire industry to improve their baseline security standards.”

Regulators and standards bodies are notoriously slow, and the EV charging industry offers lots of opportunities for fast-moving companies. Unfortunately, there are plenty of opportunities for hackers too, so let’s hope the guys and gals in white hats can stay ahead of them.

Source: Wired