A team at Sandia National Laboratories completed four years of work on and published a summary of various vulnerabilities in electric vehicle charging infrastructure this week in the journal Energies, drawing attention to the risks of evolution.
While all growth comes with its share of risks, it’s access to digital exploitation in this case. According to the team led by Jay Johnson, an electrical engineer at Sandia, while charging infrastructure still faces old-school problems like the skimming of credit card information, it also faces issues as grand in scope as the utilization of cloud servers to hijack entire charging networks.
“By conducting this survey of electric vehicle charger vulnerabilities, we can prioritize recommendations to policymakers and notify them of what security improvements are needed by the industry,” Johnson said. “The Bipartisan Infrastructure Law allocates $7.5 billion to electric vehicle charging infrastructure. As a part of this funding, the federal government is requiring states to implement physical and cybersecurity strategies. We hope our review will help prioritize hardening requirements established by the states. Our work will also help the federal government standardize best practices and mandate minimum security levels for electric vehicle chargers in the future.”
Larger impacts on critical infrastructure and the power grid were the focus here. The team investigated entry points for AC chargers, DC chargers, and extreme fast chargers, such as vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services, and charger maintenance ports. Each had its troubles.
Vehicle-to-charger communications, for example, could be intercepted and terminated from more than 50 yards away. EV owners were most vulnerable to skimming their private information or changing charger pricing, as some vehicle chargers use firewalls, but others do not. Some systems were even vulnerable to malicious firmware updates already. Charger Wi-Fi, USB, or Ethernet maintenance ports could also allow reconfiguration of a system, while local access could allow hackers to breach the whole network from a single charger.
“We don’t want bad things to happen to the grid, and we want to keep electric vehicle drivers safe and protect people working on the equipment,” Brian Wright, a Sandia cybersecurity expert on the project, said. “Can the grid be affected by electric vehicle charging equipment? Absolutely. Would that be a challenging attack to pull off? Yes. It is within the realm of what bad guys could and would do in the next 10 to 15 years. That’s why we need to get ahead of curve in solving these issues.”
With follow-on funding provided, the Sandia team has transitioned to addressing some of these gaps. It has already proposed fixes and changes to reduce vulnerabilities, such as strengthening EV owner authentication and authorization, removing unused charger access ports and services, and adding alarms to notify charger companies when changes are made.