By Ling Cheng (Senior Product Marketing Manager)
The Taiwan Ministry of Economic Affairs recently announced that cybersecurity has been included as a voluntary product certification (VPC) item for electric vehicle (EV) charging systems. The purpose is to ensure that the public can avoid potential cybersecurity risks when using internet-connected EV charging systems. Therefore, the certification standard aims to ensure that electric vehicle supply equipment (EVSE) has five essential cybersecurity protection capabilities: physical security, system security, firmware updates, communication security, and identity authentication and authorization mechanism security. The new requirements became effective on June 29, 2023, with a one-year transitional period ending on July 1, 2024.
But Taiwan is not the first to have such a standard in place. In 2020, the European Telecommunications Standards Institute (ETSI) released ETSI EN 303 645, a security and privacy protection standard for the consumer internet of things (IoT), aimed at ensuring that consumer IoT devices are protected against the most common cybersecurity threats. In the same vein as ETSI EN 303 645, the UK’s Electric Vehicles (Smart Charge Points) Regulations, which took effect on June 30, 2022, establish a security baseline to ensure that charge points meet certain device-level requirements, enabling a minimum level of access, security, and information for consumers.
Unplugged and interrupted: the shocking reality of cyberattacks
Why is so much attention apparently directed toward the cybersecurity protection capabilities of EV charging systems? Let’s take a look at several occurrences:
- In 2022, charging stations in a council’s car parks in the Isle of Wight were hacked to display an embarrassing porn website on their screens. Imagine customers arriving to charge at these stations and encountering such content. It’s unlikely that they’ll trust the equipment after that.
- In 2022, charging stations in Russia were targeted in an attack, causing disruptions for EV owners who couldn’t charge their vehicles. This incident had an impact on EV owners in the country, as a number of EV charging stations outside Moscow were hacked and disabled.
- The Log4Shell vulnerability, which gained widespread attention in late 2021, was also discovered in commonly used OCPP (Open Charge Point Protocol) servers/clients within EV charging systems and charging station management systems (CSMSs). Successful exploitation of this vulnerability could result in data theft, denial-of-service (DoS) attacks, or even physical damage to the chargers. Imagine the potential risks posed by such vulnerable EV charging systems being deployed worldwide and the extensive impact they could have on business.
- In 2023, researchers presented at VehicleSec a new cyberattack approach called the Charging Pile Ransom Attack, exploiting EV charging stations to remotely detain vehicles. Essentially, after charging, a user might be unable to leave unless they pay the attacker a ransom.
As evidenced by the above examples, cyberattacks are not just about data breaches; they can have a profound impact on business. Beyond reputational damage, these attacks can disrupt services and affect revenue. Moreover, the consequences are not limited to the EV charging systems themselves. Compromised EV charging systems can be used by attackers as a stepping stone to further impact the service cloud (the organization), the EVs (the customers), and even the power grid (critical national infrastructure). Surely, stakeholders wouldn’t want their charging stations to become vulnerable entry points in the power network.
Figure 1. Possible attack vectors in an EV charging system network
Guarding the charge: resilient cybersecurity for EV charging systems
The growing concern over the cybersecurity of EV charging systems in various countries and regions is driven by the potentially significant impact they can have. From the aforementioned examples, two common attack methods can be observed:
- Exploitation of open-source vulnerabilities in EV charging systems
- Attacks on CSMSs, EVs, and power grids directed toward charging stations
This is in line with the Taiwan Ministry of Economic Affairs’ announcement of the EV charging system VPC project, where in section 6.2.3, on operating systems and network services, the two points mentioned above are explicitly listed as inspection items:
- According to 22.214.171.124, the operating systems and network services of EV charging systems should not contain common vulnerabilities and exposures (CVEs) publicly listed in the National Vulnerability Database (NVD) that have a Common Vulnerability Scoring System (CVSS) score of 7 or higher. If vulnerabilities with CVE numbers are found, and their CVSS scores are 7 or higher (or classified as High or Critical severity), this requirement is not met. Therefore, it is recommended to consider using a vulnerability management platform with NVD data that can continuously monitor vulnerabilities and provide virtual patches to quickly mitigate vulnerabilities while making as little change to the system as possible.
- According to 126.96.36.199, EV charging systems should be capable of resisting DoS attacks, preventing prolonged periods of unavailability due to resource exhaustion or receiving erroneous messages. Vendors should provide data to demonstrate the ability to withstand DoS attacks, and the services provided by the tested equipment should function normally during an attack. Therefore, it is recommended to ensure that EV charging systems have the capability of integrating intrusion detection and prevention systems (IDPSs), allowing immediate detection and blocking of attacks.
These requirements are similar to those outlined in ETSI EN 303 645 and the UK’s EV smart charge points regulations. Adhering to them can also assist in meeting the demands of the European market.
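The CVSS criterion in the first inspection item can be checked mechanically against a firmware component inventory. The following is an added example, not code from VicOne or from the VPC standard: it assumes vulnerability records shaped like NVD CVE API 2.0 objects, and every component name, CVE ID and score in it is constructed. Routing CVEs that have no CVSS data yet to manual review is a choice made for this example.

```python
# Added example: all component names, CVE IDs and scores below are constructed.
THRESHOLD = 7.0
FAILING_SEVERITIES = {"HIGH", "CRITICAL"}

def best_metric(cve):
    """(score, severity) from the newest CVSS version present, Primary source first."""
    metrics = cve.get("metrics", {})
    for key in ("cvssMetricV31", "cvssMetricV30", "cvssMetricV2"):
        # False sorts before True, so "Primary" entries come first
        for m in sorted(metrics.get(key, []), key=lambda m: m.get("type") != "Primary"):
            data = m.get("cvssData", {})
            # v3.x stores baseSeverity inside cvssData; v2 stores it on the metric
            severity = data.get("baseSeverity") or m.get("baseSeverity") or ""
            return data.get("baseScore"), severity.upper()
    return None, ""

def audit(cves_by_component):
    """Return (failing, unscored): CVE IDs per component that break the
    requirement, and IDs with no CVSS data yet, which need manual review."""
    failing, unscored = {}, {}
    for component, cves in cves_by_component.items():
        for cve in cves:
            score, severity = best_metric(cve)
            if (score is not None and score >= THRESHOLD) or severity in FAILING_SEVERITIES:
                failing.setdefault(component, []).append(cve["id"])
            elif score is None and not severity:
                unscored.setdefault(component, []).append(cve["id"])
    return failing, unscored

# Constructed inventory of an EVSE controller image, keyed by component.
SAMPLE = {
    "logging-lib 2.14": [{"id": "CVE-0000-0001", "metrics": {"cvssMetricV31": [
        {"type": "Secondary", "cvssData": {"baseScore": 6.5, "baseSeverity": "MEDIUM"}},
        {"type": "Primary", "cvssData": {"baseScore": 10.0, "baseSeverity": "CRITICAL"}}]}}],
    "tls-lib 1.1": [
        {"id": "CVE-0000-0002", "metrics": {"cvssMetricV2": [
            {"type": "Primary", "baseSeverity": "HIGH", "cvssData": {"baseScore": 7.5}}]}},
        {"id": "CVE-0000-0003", "metrics": {"cvssMetricV31": [
            {"type": "Primary", "cvssData": {"baseScore": 5.3, "baseSeverity": "MEDIUM"}}]}}],
    "ocpp-client 0.9": [{"id": "CVE-0000-0004", "metrics": {}}],
}

if __name__ == "__main__":
    failing, unscored = audit(SAMPLE)
    print("requirement met:", not failing)
    print("failing:", failing)
    print("needs manual review:", unscored)
```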
How VicOne can help
With regard to security, the standard that is commonly used is “secure by design.” But as Max Cheng, VicOne’s CEO, points out, “this level of security is not enough.” He adds: “It’s a must to implement robust monitoring systems and intrusion detection mechanisms to enable early detection of potential cyberthreats. Real-time monitoring and analysis of system logs can help identify anomalies and respond promptly.”
“At VicOne, our cybersecurity products give you that added layer and protect you and your data,” he continues. “We work closely with and complement what many of the top manufacturers and operators have in place.”
Figure 2. Multilayered protection for securing communication protocols used with charging stations, back-end systems, and vehicles
Summarizing the requirements of the items from Taiwan’s EV charging system VPC project discussed above, EVSE or EV charger manufacturers and charge point operators (CPOs) need three capabilities: a vulnerability management platform, virtual patches, and an IDPS. VicOne enables manufacturers and operators to have all three capabilities at once.
VicOne’s Security Agent, which is integrated into chargers or EVSE controllers, can provide superior detection and protection for charging piles or EVSE controllers. VicOne’s vulnerability management platform, xZETA, can help implement virtual patching by working with Security Agent to intercept exploits on the network paths to and from a vulnerability. Additionally, to keep attacks on charging stations from affecting EVs, one more layer of protection can be applied: VicOne’s xCarbon, an IDS/IPS for electronic control units (ECUs), can provide superior detection and protection in vehicles, enabling vehicle security operations centers (VSOCs) to quickly understand the nature of a potential attack.
Figure 3. VicOne’s complete solution for protecting the EV charging system network
Watch this webinar, “From Band-Aids to Immunity: Rethinking Virtual Patches for Connected Vehicles” by Gregor Knappik, Cybersecurity Solutions Architect at VicOne, to find out how our patent-pending virtual patch works.
Read this press release to know how we partner with Delta Electronics, a global leader of power and energy management solutions, to secure EV charging infrastructure.