By Ling Cheng (Senior Product Marketing Manager)
Electric vehicle (EV) charging stations are crucial for the growth of the EV industry, akin to gas stations for traditional vehicles. Countries around the world are setting ambitious targets for their deployment to ensure widespread availability. For example, countries in the EU are collectively aiming for 3 million public charging points by 2030, and the US is targeting at least 500,000 public chargers by the same year.
Our research indicates that charging-related incidents accounted for 8% of automotive security incidents from the second half of 2022 to the first half of 2023. As connected devices, charging systems link not only to service clouds but also to critical infrastructure such as power grids, EVs, and third-party service providers. Any breach could result in significant economic losses, service disruptions, or data breaches. Moreover, malicious attacks could infiltrate power grids, leading to potential blackouts. In response to safety concerns, the UK government recently restricted the sale of charging equipment from a manufacturer for noncompliance with EV smart charging regulations.
Several countries have established cybersecurity standards and regulations for EV charging systems, or electric vehicle supply equipment (EVSE), including EV smart charging regulations in the UK, ETSI EN 303 645, NIST IR 8259, and ISA/IEC 62443. These standards and regulations primarily focus on ensuring the security of connected EV charging points in the context of the internet of things (IoT) or information and communication technology (ICT).
However, in the US National Institute of Standards and Technology (NIST) internal report (IR) 8473, finalized in October 2023, we observe a shift in scope from individual chargers to the entire charging infrastructure. This expanded scope — conveyed in the report’s title, “Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure” — suggests that EVSE manufacturers and charge point operators (CPOs) need to consider cybersecurity from an industry-level risk-based approach rather than focusing solely on individual IoT devices.
Figure 1. EV extreme fast charging (XFC) ecosystem domains and profile scope
Image adapted from NIST IR 8473
What is NIST IR 8473?
NIST IR 8473, aka “Cybersecurity Framework Profile for Electric Vehicle Extreme Fast Charging Infrastructure,” is “designed to be part of an enterprise risk management program to aid organizations in managing threats to systems, networks, and assets” within the EV extreme fast charging (EV/XFC) ecosystem. It also “provides ecosystem-relevant parties with a means to assess and communicate their cybersecurity posture” in a way that aligns with the framework.
According to NIST, organizations can use the profile to:
- Identify key assets and interfaces in each of the ecosystem domains.
- Address cybersecurity risk in the management and use of EV/XFC services.
- Identify the threats, vulnerabilities, and associated risks to EV/XFC services, equipment, and data.
- Apply protection mechanisms to reduce risk to manageable levels.
- Detect disruptions and manipulation of EV/XFC services.
- Respond to and recover from EV/XFC service anomalies in a timely, effective, and resilient manner.
NIST IR 8473 also recommends referencing IT, operational technology (OT), and automotive standards and regulations, such as NIST SP 800-20, ISO/SAE 21434, and ISA/IEC 62443.
Recommendations from NIST IR 8473
NIST IR 8473 is based on the NIST Cybersecurity Framework v1.1. The framework consists of five functions that “provide a high-level, strategic view for managing cybersecurity risk” in the EV/XFC ecosystem.
Function | Description | Categories |
---|---|---|
Identify | The activities in the Identify function are the foundation for effective use of the framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus on and prioritize its efforts, consistent with its risk management strategy and business needs. | Asset management; Business environment; Governance; Risk assessment; Risk management strategy; Supply chain risk management |
Protect | The Protect function supports the ability to limit or contain the impact of a potential cybersecurity event. | Identity management, authentication, and access control; Awareness and training; Data security; Information protection processes and procedures; Maintenance; Protective technology |
Detect | The Detect function enables timely discovery of cybersecurity events. | Anomalies and events; Security continuous monitoring; Detection processes |
Respond | The Respond function supports the ability to contain the impact of a potential cybersecurity event. | Analysis; Communications; Improvements; Mitigation; Response planning |
Recover | The Recover function supports timely recovery to normal operations to reduce the impact from a cybersecurity event. | Communications; Improvements; Recovery planning |
Table 1. The five functions in the NIST Cybersecurity Framework v1.1, which forms the basis of NIST IR 8473
How VicOne can help
VicOne provides EVSE manufacturers and CPOs with multilayered cybersecurity protection solutions to safeguard their EVSE or charging systems from potential attacks. These solutions can:
- Continuously identify vulnerabilities and malicious objects in the binaries and firmware of EV chargers.
- Ensure charging stations are protected from potential attacks such as denial of service (DoS) with intrusion detection or prevention system (IDS/IPS) technology.
- Empower charger manufacturers to harness VicOne’s innovative virtual patching technology for effective mitigation, providing an average of 102 days of protection before vendor patch release without code change.
Thus, our solutions cover the functions of identification, protection, detection, and response, as recommended in NIST IR 8473.
Figure 2. VicOne’s complete solutions for protecting the EV charging infrastructure
It is worth reiterating that NIST IR 8473’s specifications not only cover the EV/XFC ecosystem but also include automotive-related standards or regulations such as ISO/SAE 21434. Consequently, EVSE manufacturers and CPOs need a partner that is well-versed in both the automotive industry and the realm of cybersecurity. This is where VicOne can provide valuable support. VicOne has extensive experience with ISO/SAE 21434 and other relevant standards and regulations. And VicOne’s award-winning EV charging system solutions have notably been deployed by Delta Electronics, a global leader in power and energy management solutions, to ensure the protection of its EV charging infrastructure against potential threats.