The U.S. market expects to see at least 100 electric vehicle (EV) models by the end of 2022, up from the roughly 62 models currently available. This momentum was witnessed in all of the EV-related commercials during this year’s Super Bowl. About half of polled U.S. adults say they are likely to consider purchasing an EV in the next decade. Two key enablers for their EV adoption are availability and reliability of the charging infrastructure.
Availability of the charging infrastructure is being addressed by the new infrastructure bill; tax credits for EV charger hardware and EV charger installation costs; the White House’s $5 billion funding plan to states for EV chargers; and many environmental, social and governance (ESG) efforts undertaken by corporations. Once there are enough EVs on the road, many businesses could start seeing the value in installing chargers. For example, a hotel may want to attract guests who’d want to charge their EVs overnight. Similar business cases can be envisioned for other retail businesses.
The reliability aspect of the charging station infrastructure, however, requires attention to cybersecurity-related risks. These risks are highlighted in much academic literature and in U.S. Department of Energy (DOE) lab reports. Sandia National Laboratories recently shared in a report: “As the U.S. transitions to transportation electrification, cyberattacks on vehicle charging could impact nearly all U.S. critical infrastructure.” The articles below further highlight the cybersecurity risk:
- Hackers could “power-jack” EV chargers to cause blackouts and steal data, study finds.
- A national EV charging network is coming. So are cybersecurity threats.
The U.S. Department of Defense (DOD) and Public Building Service (PBS) are both responding to these risks by requiring robust cybersecurity for EV charging stations in recent requests for proposals (RFPs).
But what about the private sector? Charging station network operators, also known as charge point operators, would say they have cybersecurity covered by being payment card industry (PCI) compliant. Although PCI compliance is necessary, it is not sufficient because cybersecurity risk is not limited to potential personal and financial information loss. As you’ll see in the following image, the risk also involves potential damage to EV batteries, compromised EV life safety systems, charger malfunction, compromised building energy management network, bulk system (grid) frequency increase, etc. The risk only increases with bidirectional charging (i.e., power moving to/from EV to/from grid).
The cybersecurity risk involving a charging station and associated connectivity is too great to ignore. The impact could be better understood from the estimates highlighted in the following table:
While PCI compliance could be sufficient for charge point operators — as they lack full control over physical and logical management of a charging station over its life cycle, the connected building energy management infrastructure and charging station system design — it clearly is not adequate to manage risks for all stakeholders. At the same time, electrical contractors who commission and maintain charging stations often lack necessary expertise in cybersecurity.
So how should cybersecurity of the EV charging infrastructure be addressed? Adopting EVs without robust cybersecurity could bring considerable risk in terms of availability of assets and infrastructure, safety of people and confidentiality. The risk related to safety is not hypothetical. A German teenager recently found a vulnerability in a third-party app installed in a few Teslas, which allowed him to unlock doors, flash headlights and blast music. While this doesn’t sound too bad, it is essentially a doorway to disaster. External systems and applications connecting to a vehicle also bring significant risk.