Justin Godfrey-Cass
Head of Transport Solutions
The electric vehicle (EV) market is growing as consumers and governments make choices and policies for more sustainable transport. The UK is expected to have 300,000 electric vehicle charge points by 2030* – charge points that are essentially IoT devices exchanging operational and performance, even payment, data. Those EV connections must be cyber secure to protect against incidents that could disrupt transport and cause financial and reputational damage to operators.
The installation of charge points at private residences, commercial sites and public locations must ramp up to sustain a higher number of electric vehicles. In turn, those charge points must be connected so that operators can monitor performance, usage and maintenance, and process payments from public locations, all the while being cyber secure.
Cellular IoT connectivity is flexible, scalable and can support rapid implementations, making it ideal to connect charge points. However, charge point operators (CPOs) and original equipment manufacturers (OEMs) must ensure cybersecurity is built-in to their designs and operations because failing to do so would carry enormous risk.
Do electric vehicle charge points collect and exchange data?
A lot of information can be generated and collected by EV charge points. This can include driver details, such as subscription credentials if they have an account with a CPO and/or payment information. It could also extend to driver behavioural data such as how often they charge. Certainly, usage information will be gathered because CPOs must understand how many vehicles charge within a given time frame, how long they spend and how much energy this uses.
Performance data will almost certainly be collected too so that CPOs can assess and monitor how charge points are performing and whether maintenance is required. This is important to keep equipment in good working order so that when drivers arrive, they can be confident charge points will be operational and able to provide a full service.
Then there is data important to the management of the electricity grid. Information on energy levels from charge points can be used to load-balance the grid, manage energy fluctuations and avert the risk of power outages and surges.
What could a cyberattack on electric vehicle charge points do?
The depth and breadth of EV charge point data in play makes for a significant cyberattack surface for cybercriminals. What’s more, the data is of high value, it could be captured and held to ransom, used to sabotage operations, even to inform phishing attacks.
Other acts of sabotage could alter the information that is displayed on charge point screens. This happened in the Isle of Wight when charge points began displaying a pornographic website and in Russia when screens displayed messages in support of Ukraine.
Cybercriminals probe for weaknesses. If they find any, they will use whichever method works to generate the mayhem they hope will get them a result. Any point within the attack surface could be the weak one and, as the EV charging network expands, so the cybersecurity implications get bigger too.
How can electric vehicle charge point operators secure connections?
EV charge points communicate with servers. They must do so securely. They present credentials for identification, and these must be protected. They run applications, which must be implemented in such a way that they are secure. Charge points must communicate only with the right destinations and must be defended against malware, ransomware, man-in-the-middle (MiTM) attacks and everything else. That defence must be capable of evolving because cyberattacks do, all the time.
Mechanisms for securing two-way communication include secure private access point names (APNs), encrypted virtual private networks and fixed private IPs. CPOs and OEMs should ask themselves how secure their devices are, but also their people and processes because security must operate end to end.
How can Wireless Logic help?
Wireless Logic’s Security Framework includes a range of technology capabilities, standards and best practices to help CPOs and OEMs strengthen identity and authentication policies and defend, detect and react to cyber threats.
Defending means managing the cyberattack surface to prevent unauthorised access of devices, cloud infrastructure and data. Practically, this encompasses IoT SAFE (a SIM standard to authenticate and authorise IoT devices to mobile networks), cloud authentication, software updates, encrypted communications and secure APNs.
Detecting means monitoring devices and networks to spot any anomalies or abnormal behaviour. This requires usage-based insights and detailed analysis to detect, for example, changes in target URLs or data usage.
Finally, reacting means taking swift and targeted action should anything happen. Automated countermeasures can isolate a security threat, such as that posed a device, and initiate remedial action by, for example, forcing a software update or taking a device out of service altogether.
Security must be a priority concern for EV CPOs and OEMs. As charge point networks expand, they need secure connectivity built in.
To find out how Wireless Logic can help, get in touch.
