Why EV chargepoint operators need a best practice approach to cyber security
The UK government’s unveiling at the COP26 climate change event in Glasgow last November of a new electric-vehicle (EV) chargepoint design developed by PA and the Royal College of Art brought EVs into sharp focus. A rapid scale-up in adoption of EVs will result in an explosion of new entrants to the chargepoint market to meet demand. But there’s a risk that the rush to meet net-zero timelines could leave cyber security as an afterthought. The infrastructure will likely be targeted by cyber attackers who will look to disrupt services for financial gain or simply impact national transport systems.
PA established a set of cyber-security best practices to ensure that the design it developed with the Royal College of Art meets secure-by-design principles. These best practices draw on standards developed for safety-critical systems such as medical devices and utility networks.
As the UK energy transition continues to gain pace, the number of complex devices on which we increasingly rely from day to day grows. Chargepoints join smart meters, medical devices and home hub devices – among others – as devices that we need to be confident will function securely even when under attack. Manufacturers and operators of chargepoints can look to the rollout of these for key lessons in protecting their piece of critical infrastructure, as well as following three essential cyber-security best practices.
Principle 1: Protect critical functionality
Range anxiety is a key concern for EV drivers. Imagine reaching a chargepoint with five miles left in the electric ‘tank’ and plugging in, only to find the charger doesn’t charge the car. The EV chargepoint should be designed to work even when subject to a cyber attack or loss of communications back to its operator. Medical device manufacturers follow a similar design principle to ensure patients are protected in the event of failures. The essential performance of the device needs to be identified to ensure that functionality is maintained.
Protecting this critical functionality had to form part of the design brief. For this and other projects where critical – cyber-enabled – infrastructure is being rolled out, designers need to use a defence-in-depth approach. With the chargepoints, this means putting the charging function at the core. When any design is being developed, critical functions – in this case the ability to charge – need to be separated from ancillary and support functions. The chargepoint operator will face challenging commercial decisions through the design process; for example, is it better for our brand to allow consumers to charge their vehicle, even if the charging cannot be billed?
Principle 2: Protect the fleet
A cyber attack on a fleet of chargers can have a significant impact, with thousands of EV chargepoints being taken offline and a widespread inability to charge electric vehicles as a result. As the adoption of EVs grows, this could result in driver behaviours like those seen during the recent fuel crisis.
Protecting the chargepoint operator’s platform and chargepoints from large-scale cyber attacks is critical. Mitigations should include preventing malware spreading as a priority. For chargepoints, this would mean ensuring malware cannot spread from one EV chargepoint to another over the network. This would ensure the central platform cannot be hijacked to control the whole EV chargepoint fleet. Chargepoint or other operators should use private networks to protect the central platform and EV chargepoint networks from internet-based threats.
Principle 3: Update software securely
EV chargepoints will be in the field for many years, and as the cyber-threat landscape evolves, new security vulnerabilities will be discovered. If a vulnerability is found, it is important that the EV chargepoint software can be updated securely, quickly, efficiently and at scale. Chargepoint operators also need to be able to deploy new product features and fix product defects to keep the service running smoothly.
EV chargepoint designers need to ensure the software comes from a trusted source, is encrypted to protect against reverse engineering and intellectual property theft, and has checks to protect against modification. Without these protective measures a cyber attacker could modify and potentially deploy new software to disrupt the charger’s operation, leak or steal sensitive data, or hold the chargepoint operator to ransom.
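The three properties named above (trusted source, encryption, protection against modification) can be shown in one update-package check. This is an added Go example, not code from PA or any chargepoint vendor; the `Package` layout, the function names and the demo key are assumptions, and Ed25519 with AES-256-GCM is one common choice of primitives that the article itself does not name.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Package is a hypothetical update layout; Signature covers Nonce||Ciphertext.
type Package struct{ Nonce, Ciphertext, Signature []byte }

var ErrUntrusted = errors.New("update rejected: signature check failed")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func signedBytes(p Package) []byte {
	return append(append([]byte{}, p.Nonce...), p.Ciphertext...)
}

// Build (operator side) encrypts the image, then signs the encrypted package.
func Build(image []byte, aead cipher.AEAD, signKey ed25519.PrivateKey) (Package, error) {
	p := Package{Nonce: make([]byte, aead.NonceSize())}
	if _, err := rand.Read(p.Nonce); err != nil {
		return Package{}, err
	}
	p.Ciphertext = aead.Seal(nil, p.Nonce, image, nil)
	p.Signature = ed25519.Sign(signKey, signedBytes(p))
	return p, nil
}

// Install (chargepoint side) verifies the source before decrypting anything.
func Install(p Package, aead cipher.AEAD, trusted ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(trusted, signedBytes(p), p.Signature) {
		return nil, ErrUntrusted
	}
	return aead.Open(nil, p.Nonce, p.Ciphertext, nil)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	aead, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key, never for real use
	p, _ := Build([]byte("constructed firmware image"), aead, priv)
	p.Ciphertext[0] ^= 1 // simulate modification in transit
	fmt.Println(Install(p, aead, pub))
}
```

Only the public key needs to live on the chargepoint, so a compromised unit cannot sign updates for the rest of the fleet.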
The pressing need to accelerate the deployment of EV-charging infrastructure is a key factor driving both consumer adoption and attitudes to electric vehicles. Consumers need a reliable, easy-to-use and widely available charging infrastructure across the entire transport network covering homes, car parks, service stations and side streets.
The sustainability benefits offered by EVs will not be viable in the medium to long term without cyber security being considered. The types of wide-scale disruption seen because of ransomware in the NHS or because of the recent fuel crisis demonstrate how vulnerable critical infrastructure can be to supply chain and security threats.
For EVs to reach their full potential, it will be essential to have a secure, widespread, and highly available charging network. A focus on cyber security will enable the benefits of electric vehicles to be realised as part of a net-zero future.