Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
In the media

Why EV chargepoint operators need a best practice approach to cyber security

By Andy Bridden, Mark Olliver

E&T Magazine

25 February 2022

Tags

This article first appeared in E&T Magazine

The UK government’s unveiling at the COP26 climate change event in Glasgow last November of a new electric-vehicle (EV) chargepoint design developed by PA and the Royal College of Art brought EVs into sharp focus. A rapid scale-up in adoption of EVs will result in an explosion of new entrants to the chargepoint market to meet demand. But there’s a risk that the rush to meet net-zero timelines could leave cyber security as an afterthought. The infrastructure will likely be targeted by cyber attackers who will look to disrupt services for financial gain or simply impact national transport systems.

PA established a set of cyber-security best practices to ensure that the design it developed with the Royal College of Art meets secure-by-design principles. These best practices draw on standards developed for safety-critical systems such as medical devices and utility networks.

As the UK energy transition continues to gain pace, the number of complex devices upon which we are increasingly reliant upon from day to day grows. Chargepoints join smart meters, medical devices and home hub devices – among others – as devices that we need to be confident will function securely even when under an attack. Manufacturers and operators of chargepoints can look to the rollout of these for key lessons in protecting their piece of critical infrastructure, as well as following three essential cyber-security best practices.

Principle 1: Protect critical functionality

Range anxiety is a key concern for EV drivers. Imagine reaching a chargepoint with five miles left in the electric ‘tank’ and plugging in, only to find the charger doesn’t charge the car. The EV chargepoint should be designed to work even when subject to a cyber attack or loss of communications back to its operator. Medical device manufacturers follow a similar design principle to ensure patients are protected in the event of failures. The essential performance of the device needs to be identified to ensure that functionality is maintained.

Protecting this critical functionality had to form part of the design brief. For this and other projects where critical – cyber-enabled – infrastructure is being rolled out, designers need to use a defence in depth approach. With the chargepoints, this means putting the charging function at the core. When any design is being developed, critical functions – in this case the ability to charge – need to be separated from ancillary and support functions. The chargepoint operator will face challenging commercial decisions through the design process; for example, is it better for our brand to allow consumers to charge their vehicle, even if the charging cannot be billed?

Principle 2: Protect the fleet

A cyber attack on a fleet of chargers can have a significant impact with thousands of EV chargepoints being taken offline, resulting in a widespread inability to charge electric vehicles. As the adoption of EVs grows, this could result in driver behaviours like those seen during the recent fuel crisis.

Protecting the chargepoint operator’s platform and chargepoints from large-scale cyber attacks is critical. Mitigations should include preventing malware spreading as a priority. For chargepoints, this would mean ensuring malware cannot spread from one EV chargepoint to another over the network. This would ensure the central platform cannot be hijacked to control the whole EV chargepoint fleet. Chargepoint or other operators should use private networks to protect the central platform and EV chargepoint networks from internet-based threats.

Principle 3: Update software securely

EV chargepoints will be in the field for many years, and as the cyber-threat landscape evolves, new security vulnerabilities will be discovered. If a vulnerability is found, it is important that the EV chargepoint software can be updated securely, quickly, efficiently and at scale. Chargepoint operators also need to be able to deploy new product features and fix product defects to keep the service running smoothly. 

EV chargepoint designers need to ensure the software comes from a trusted source, is encrypted to protect against reverse engineering and intellectual property theft, and has checks to protect against modification. Without these protective measures a cyber attacker could modify and potentially deploy new software to disrupt the charger’s operation, leak or steal sensitive data, or hold the chargepoint operator to ransom.

The pressing need to accelerate the deployment of EV-charging infrastructure is a key factor driving both consumer adoption and attitudes to electric vehicles. Consumers need a reliable, easy-to-use and widely available charging infrastructure across the entire transport network covering homes, car parks, service stations and side streets.

The sustainability benefits offered by EVs will not be viable in the medium to long term without cyber security being considered. The types of wide-scale disruption seen because of ransomware in the NHS or because of the recent fuel crisis demonstrate how vulnerable critical infrastructure can be to supply chain and security threats.

For EVs to reach their full potential, it will be essential to have a secure, widespread, and highly available charging network. A focus on cyber security will enable the benefits of electric vehicles to be realised as part of a net-zero future.

Explore more

Press release

The PR24 draft determinations have attempted to balance a difficult trilemma

PA's Anthony Legg shares his views on the PR24 draft determinations.
Water crashing over bridge during hurricane
In the media

Rising frustration in Houston after millions lost power in storm

Wei Du, energy expert at PA, comments on Hurricane Beryl and utility resiliency in the New York Times
Water crashing over bridge during hurricane
Solar panels and wind power at dusk
In the media

Potential record-setting hurricane season is forecast and may weaken energy demand, prices

The latest National Oceanic and Atmospheric Administration (NOAA) hurricane season forecast and the potential impact on the US power markets.
Solar panels and wind power at dusk
An aerial view of wind turbines, Holland
Press release

PA Consulting appoints James Turnbull as new Global Head of Energy and Utilities

Read about our new appointment
An aerial view of wind turbines, Holland

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.