Given climate change, the cost-of-living crisis and the conflict in Ukraine, it appears that a day does not now pass without energy supply hitting the front pages.
From fracking to buying a new kettle, commentators have been filling news feeds and the airwaves with their views on all things energy related. Just when you thought the subject had been covered exhaustively, another eye-catching story pops up, such as the revelation of the cyber risk to electric vehicle (EV) chargers.
Check Point Software researchers have revealed that the threat posed to EV chargers by hackers could potentially harm the global adoption of electric vehicles – a key objective for many countries seeking to combat climate change.
The EU plans to phase out sales of petrol- and diesel-powered vehicles in 2035. The US Department of Transportation recently announced a $5 billion plan to create a new network of EV charging stations, with US President Joe Biden seeking 500,000 stations by 2030. Nearly a quarter of all cars newly registered in China are now electric or plug-in hybrid vehicles, following a decade of Chinese Government subsidies. Against this backdrop companies are making huge investments in their own EV strategies. In the UK, BP Pulse announced plans to invest up to £1 billion into the country’s EV charging infrastructure, with a global target of 100,000 charge points by 2030. And recently Amazon announced it is to create an electric fleet across the UK over the next five years.
But despite this investment, companies such as Check Point are claiming that little thought appears to have been given to cybersecurity. After all, an EV charging point is simply an IoT device and is therefore vulnerable to attack.
The main concerns centre on three things: the compromise and subsequent hijacking of the entire EV charging network; access to vehicle owners’ engine management systems, which poses potential safety concerns; and charging operators suffering financial loss or reputational damage through ransomware deployed in network control systems.
The question is: how likely is this to happen? The answer is very.
As with any IoT device, if it’s connected to the internet, it’s fair game for cyber criminals. The billions of dollars being spent in this sector and the ability to hold entire companies, networks and EV chargers to ransom make it a very attractive target.
One month after the invasion of Ukraine, reports surfaced that EV charging stations in Russia were hacked to show messages stating “Putin is a d**khead” and “Glory to Ukraine”, with Russian energy company Rosseti claiming that a Ukrainian company that helped build the chargers used a backdoor to hack them.
Around the same time, a UK council was also left red-faced when explicit material was displayed on its public car park chargers. Three Isle of Wight Council car parks were affected by the breach, where screens were hacked and the council’s website replaced with a pornographic one.
A council spokesperson said: “The council would like to apologise to anyone who may have found the inappropriate web content and for any inconvenience from charge points out of action.”
Security company Pen Test Partners (PTP) spent a couple of years investigating the security of smart electric vehicle chargers by ‘road testing’ 6 major models, with its findings published in July 2021.
The results were frankly scary, with major issues found with each model. PTP concluded: “There has clearly been a distinct lack of security assurance in the smart EV charger space. There’s something of an EV ‘gold rush’ going on as homes equip themselves with chargers and the public charging infrastructure offers more and more powerful charging.
“Basic API security has been missing, as has some basic secure hardware choice. Manufacturers have exposed users to fraud and/or prevented their cars from charging. They’ve also unintentionally created a method for others to destabilise our power grid.”
One of the vendors tested had 2.9 million devices on it, all of which could be remotely exploited through a lack of strong authentication and request authorisation.
Complicating this issue is the current lack of standards and security certification for charging stations. Fortunately, when presented with the overall test results, the manufacturers acted to address the issues prevalent within their brand of EV charger, with one vendor fixing their issue within 24 hours.
The main takeaway from this investigation is that PTP should not have uncovered the issues it did. Cyber security must be one of the integral design features of any internet-connected product or service before it leaves the drawing board. This fundamental point is stressed by vXtream to any client before embarking on any IT project – from a simple website build to a complex hybrid cloud ecommerce platform.
The bottom line is simple. If EV vendors don’t provide a secure charging infrastructure, customers will vote with their feet and will not commit to electric vehicles.
The cost of which might ultimately be paid for by the planet.