Is the world ready for millions of charging stations?
As Congress earmarks $7.5 billion toward the installation of 500,000 stations by 2030, Ford and GM’s choice to rely on Tesla’s charging network to power their future vehicles makes a strong statement.
However, Tesla is far from the only player out there. Given Tesla’s own trouble with cybersecurity, we have to ask whether any EV charging network is cyber-resilient enough for EVs to replace ICE vehicles going forward.
As critical infrastructure relies more and more on digitally driven electrification, Electric Vehicle (EV) charging stations have become an inescapable part of the automotive ecosystem and its connected devices, which means those stations are susceptible to automotive cybersecurity attacks. Once a breach occurs on one vehicle, there is a threat that it can be passed to others that are connected through vehicle-to-vehicle (V2V), vehicle-to-grid (V2G), and overall vehicle-to-everything (V2X) communications.
Whose responsibility is it to ensure EV owners are protected from bad actors? Tier-1s and Tier-2s, whose products are connected to untrustworthy charging stations, already take cyber product security measures. But the question remains: is it enough?
A new way to hack into cars, OEMs, and beyond
Taking advantage of EV security vulnerabilities is inevitable. In fact, white hat hackers already did so in 2022. The symphony of complex computing continuously monitors commands to and from electronic control units (ECUs), often connected to a single hub, the CAN bus. It only takes one exploitable vulnerability to allow malware to spread like wildfire from one infected charging station to a vehicle, to other vehicles, and even to the electric grid.
Yet the focus on charging stations has taken a back seat to properly securing vehicles, despite charging stations acting as an extension of the vehicle. Few OEMs own or operate EV charging stations. Even if they did, it’s unrealistic to expect car owners to keep driving until they find a charging station from the same OEM. The Ford-Tesla partnership signals that Ford wants to provide its customers with a fast and dependable charging experience and take EVs one step closer to mass adoption. Yet the growing need for charging stations may cause the opposite to happen. Smaller players with little to no cybersecurity knowledge can take advantage of the financial opportunity to meet demand, not to mention the opportunity for bad actors to take action. With so little thought given to securing sensitive two-way data transfer points, EVs and manufacturers are exposed to a massive reputation hit.
The type of risk OEMs face with unprotected EV charging stations
The consequences of a breach through a charging station go far beyond the charging car. An insecure EV charger is the gateway for malware that can extend into every other car from the same OEM, the power grid, and other mission-critical infrastructure. While it can take only one breach of a car to cause the public to panic and lose trust in the OEM, that’s not the worst-case scenario. It may even slow EV adoption.
The data flow from a vulnerable charging station is connected to other sensitive and mission-critical systems, where a compromise could potentially cause a lot more damage, including:
- Illegal access to fleet vehicles via V2V communication
- A pathway for unauthorized entry into OEM internal systems
- Exposure of vehicle operators’ personal information
- Disruption of one or more vehicle functions
- Impact on broader infrastructure, such as the power grid
Automotive, water, medical, and other critical systems rely on continuous electricity to function. If the grid is compromised, entire cities are under threat. It’s a massive risk that impacts municipal operations, first responders, and the life of every citizen.
The risk of disrupting our daily lives by breaching critical devices is looming. But who is responsible for identifying and managing vulnerabilities that could affect OEMs and other players in the EV automotive industry?
Why OEMs should care about insecure EV charging stations
EV charging stations are a ticking cyber time bomb. EV station manufacturers still lack a comprehensive understanding of the software components and dependencies used in their systems.
This enables bad actors to take advantage of vulnerabilities to fry a battery, manipulate battery data, drain the battery, or even make it explode. Since there’s no sector-wide solution, it’s on the manufacturers to protect the car, whether it’s on the lot or in a customer’s home garage.
One hacked car can be a massive blow to the brand’s reputation and can cause billions in lost revenue. Plus, it is likely that OEMs will pay a higher price than the charging stations, at the very least in terms of reputation. With hackers always ahead and regulation moving slowly, it comes down to the automotive industry to take even more action and fix the biggest cyber threat to the EV ecosystem. The solution is pretty simple.
How can OEMs protect their products and customers
It’s the Wild West out there, and if no one takes charge of keeping EV stations safe, the first to pay the price will be the OEMs. OEMs should be aware of the risk a customer’s action can pose to their product. Both OEM and EV manufacturers must act to mitigate this risk. With software bills of materials (SBOMs) becoming a routine requirement to ensure comprehensive quality standards of connected devices, the next obvious step should be for charging stations to have them too.
To facilitate effective and continuous monitoring of risk, EV chargers should adopt security best practices like SBOMs. SBOMs are already a requirement in other industries, and regulation for automotive is coming soon. It’s easy to see why. SBOMs help you understand the security posture of the connected device, in this case the charging station or EV.
OEMs can mitigate risks by choosing to only partner with EV charging stations that provide transparency in the form of SBOMs as they help quickly edit, validate, approve, and manage SBOMs for thousands of components. This requirement could cause charging station manufacturers and operators to start implementing security requirements early in the development stage as part of a better business and mindful risk management strategy.
The writing is on the wall. Protecting EV charging stations is necessary to answer the call of fleets and consumers who demand more ‘green’ options. Not just for the devices but for all the players in the EV ecosystem.