EV Charging Networks Prepare for Cyberattacks

As Europe and the U.S. push to ramp up development and sales of electric vehicles, researchers are concerned that cybersecurity is being neglected. 

In the worst of cases, hackers could engineer blackouts and do damage to entire electric grids by infiltrating charging stations and networks, officials and security analysts warn.

“If you have hundreds of thousands of chargers, you are a target,” said Harm van den Brink, a cybersecurity specialist at ElaadNL, a research organization in the Netherlands focused on testing EV charging.

In April, the Biden administration proposed tougher car emissions targets to accelerate the transition to EVs and has called for them to make up half of all new vehicle sales by 2030. The European Union has gone further, banning the sale of new gasoline- and diesel-powered cars starting in 2035.

In the rush to EVs, though, cybersecurity can’t be an afterthought, said Tomas Bodeklint, a research and business developer at the Research Institutes of Sweden, a government-run group that works on EV charging and other technologies. 

“When you get rapid deployment, you cut the corners a bit. Then there’s an increased risk if [products] haven’t been thoroughly tested and validated,” he said.

Efforts to address the security of EV charging stations are in early stages. European lawmakers are drafting new cyber rules for electricity grid operators that will likely include additional security requirements for EV charging infrastructure, said Anjos Nijk, managing director of the European Network for Cyber Security, a Netherlands-based organization that shares cyber threat information with critical infrastructure and energy companies.

The U.K. introduced requirements such as encrypting communications sent from stations and using unique passwords on certain equipment. 

“Things are speeding up very quickly now,” Nijk said.

U.S. states were required to address cybersecurity in plans created last year to win federal funding for EV infrastructure. More specifics are needed, said Jay Johnson,

A U.S. infrastructure law passed in 2021 includes $7.5 billion in funding for states to expand EV charging stations. Federal guidance noted applicants must take “appropriate” cybersecurity strategies to protect data and systems, but left it to the states to specify how.

South Dakota, for instance, said it would require companies that build EV infrastructure to encrypt communications and use firewalls. New York’s plan noted that standards for EV security technology are still being developed. “New York state will comply with all federal technical standards, including cybersecurity, once these are finalized,” the plan said. 

“This was a very big missed opportunity to harmonize requirements across the nation,” Johnson said. Nationwide cyber requirements would have been easier for companies working in multiple states to comply with, he said. 

Sandia recently assessed 12 unnamed charging products, and found security flaws such as openly displayed usernames, passwords and credentials to modify or configure some equipment, while others had better protections. “There’s a wide spectrum of cybersecurity capabilities of these products,” Johnson said.

Tesla is poised to dominate EV charging in the U.S., and auto manufacturers including General Motors, Ford, Volvo and Rivian signed on to adopt Tesla’s charging standard this year. Last week, Mercedes-Benz Group said it planned to support the Tesla Supercharger stations starting next year. Tesla didn’t respond to requests for comment. 

ChargePoint, a large provider of stations to company parking lots and towns in North America and Europe, takes several steps to secure its systems, Chief Information Security Officer Teza Mukkavilli said through a spokeswoman. At the end of January, the company was operating about 225,000 charging ports.

Among the cyber measures ChargePoint takes are penetration tests and isolating parts of the network to prevent domino effects to the larger electrical grid if there is a cyberattack, Mukkavilli said. 

ChargePoint uses various tools to address cyber risks in chips and software used in the stations, customer payment transactions and encryption, as well as its technology infrastructure, he said.

Cyber regulations that differ by geography won’t protect against large-scale effects of a major cyberattack, said van den Brink at ElaadNL.

“If you hack 100,000 chargers, it doesn’t matter where they are in Europe. It can have a big impact on the energy grid,” he said.

Last year, the city of Amsterdam for the first time included cybersecurity requirements in a public tender for public EV charging stations. Organizations vying for contracts must prove they comply with security standards and provide cyber assessments of their supply chains, said Jaap de Munnik, a former senior information security officer for the city. This month he joined Dutch seed provider Enza Zaden as an information security officer. 

Amsterdam’s requirements are designed to fend off attacks that could cause power outages or force charging stations to use more power than they should, which could damage transformers and power lines, he said.

Amsterdam has shared its requirements with other Dutch cities, and de Munnik said he hoped they follow suit.

Write to Catherine Stupp at [email protected]