Electric Vehicle Charging Stations Are Here - Will Cyberattacks Follow?

Brought to you by CYRIN

Recently, cyber hackers have been in the news for hitting strategic targets. In May, as described in that month's CYRIN Newsletter, they attacked United Healthcare’s medical claims clearinghouse, Change Healthcare, to disrupt several parts of the healthcare system.

More recently, CDK Global, a company that provides software technology to over 15,000 car dealerships in North America, was hit during the week of June 17th and dealerships faced major disruptions to vehicle sales, financing, insurance and repairs.

Some dealers were out of service for several days and some switched to manual processes, including writing up orders by hand, to serve customers. In fact, the attacks were so severe that MarketWatch (a subsidiary of Dow Jones and Company) attributed a 2% drop in sales of new auto parts and vehicles in June to the attack.

It’s clear that hackers are targeting the “soft” underbelly of the marketplace they are looking to disrupt. Now people from the Department of Energy (DOE) to NIST, along with experts in the private sector, are voicing their concerns about Electric Vehicle (EV) charging stations as the next potential “soft” target for cyber hackers.

How are EV charging stations vulnerable?

There are already more than 5,000,000 electric vehicles on the road with more than 175,000 public EV charging stations in the United States. Their power is also their potential downfall, because “when they are networked, they can become a potential tool for attackers to destabilize the local power grid”. A lone charging station doesn’t present the kind of threat that a network of such stations might; if enough charging systems were compromised, cyberattackers might “destabilize the grid through a sudden increase in charging demands, which can lead to cascading failure and a drop in the system’s frequency.”

According to SpectrumNews1, although there have been no security threats made to electric vehicles (EV), experts believe that EV chargers can pose a risk and are highly unregulated. In March of 2024, more than 122,000 hybrid electric vehicles were sold in the U.S., which was up almost 30% from sales seen in March 2023. The U.S. expects to see more electric vehicles hit the road over the next few years due to various initiatives and legislative actions taken by the current Administration.

However, researchers are concerned about the security of charging stations. They have found several vulnerabilities in popular brands of charging stations. Hackers can infiltrate the devices in the vehicles, which could let them access user data, interrupt charging, or cause a blackout of all surrounding chargers.

The risks posed to EV charging stations are no different from risks posed to many newer technologies. The National Cybersecurity Alliance said that due to the massive push to get more EV chargers online, companies might not be doing all the necessary testing to ensure their product is safe and secure. These security risks could be hackers tapping into systems remotely or physically. If they are physically tampering with the chargers, the process mirrors that of a credit card skimmer you might find at a gas station.

Government Involvement

The Biden-Harris Administration has set an ambitious goal “to build a national network of 500,000 public electric vehicle (EV) charging stations across the country by 2030 to ensure that all Americans can access a convenient, affordable, and reliable charge for their EVs.” As the number of electric vehicles rises, so does the need for charging stations, and cybersecurity needs to be considered more deeply. These concerns are at the forefront, especially given the emphasis on getting more EVs on the road. They are complex because EV charging stations are integrated with the electrical grid. The trick is to balance the need for a clean energy future with the cybersecurity threat to the infrastructure required to sustain it.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has indicated that between 2022 and 2025, “CESER will have invested over $8 million in several research projects with public and private partners to develop and promote cybersecurity standards for the EV and EV supply equipment (EVSE) ecosystem.”

The research, largely conducted by DOE’s national laboratories, with some public-private partnerships, has focused on several key strategies, including: 1) testing all emergent technologies for cybersecurity vulnerabilities, and increasing resilience by “developing technologies that detect malicious activity in the power source and prevent an attack from occurring;” 2) coordinating risk management with EV stakeholders by addressing risks specific to the EV charging ecosystem; 3) improving secure communications within the EV charging infrastructure; and 4) assessing and coordinating EVSE cybersecurity standards. This effort will be backstopped by the DOE’s Grid Modernization Initiative, funded in 2023 with a $39 million lab call. This will include efforts by researchers at several DOE national labs to identify gaps in cybersecurity and provide a baseline for efforts related to harmonizing cybersecurity standards and voluntary cybersecurity testing across the EV charging ecosystem.

More EVs on the roads, more cybersecurity risks

While the car industry works to make EVs more financially and geographically accessible, David Strom writes in an April 9, 2024 article in Dark Reading, “the increasing popularity of electric vehicles (EVs) isn’t just a favorite for gas-conscious customers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks.” Strom points out that each charging point, no matter its location, utilizes online software that interacts and interfaces with the electrical grid. In other words, the vulnerabilities of the Internet of Things (IoT) are a “software sinkhole.”

In the same Dark Reading article, researchers from Check Point Software and SaiFlow added that “compromised stations could damage the power grid…or result in stolen customer data.” It may not get better soon. Elias Bou-Harb, a computer scientist at Louisiana State University who has studied charging station security, has found “almost every charging product has major vulnerabilities.” Bou-Harb also indicated that “the government regulations have come too late,” as “the market is already saturated with various charging products.”

All of this is further complicated by the fact that the average age of power generation equipment in the US is 28 years, and these systems were designed and built before cybersecurity was a concern. Many power plants have systems in desperate need of an upgrade.

Potential Solutions

A coordinated and proactive approach is going to be needed to protect “the entire EV ecosystem,” given these potential points of vulnerability, including physical tampering, network vulnerabilities, malware, and unsecured communication. Because of this massive push to get more EV chargers online, a more robust approach will be needed: monitoring to detect anomalies that indicate threats, and doing the basics, such as using secure communications protocols and implementing strong authentication and authorization controls. And of course, the charger’s software should be patched regularly as vulnerabilities or security issues are discovered. This is a minimum approach, and others are calling for some certification process, like a UL certificate, that each charger would have to have before it’s installed and activated. It’s obvious that more needs to be done and the time to start is now.


How Can CYRIN Help

At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, especially experiential training, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: UniqueMotionGraphics


