Electric Vehicle Charging Stations Are Here - Will Cyberattacks Follow?

Brought to you by CYRIN

Recently, cyber hackers have been in the news for hitting strategic targets. In May, as described in that month's CYRIN Newsletter, they attacked United Healthcare’s medical claims clearinghouse, Change Healthcare, to disrupt several parts of the healthcare system.

More recently, CDK Global, a company that provides software technology to over 15,000 car dealerships in North America, was hit during the week of June 17th and dealerships faced major disruptions to vehicle sales, financing, insurance and repairs.

Some dealers were out of service for several days and some switched to manual processes, including writing up orders by hand, to serve customers. In fact, the attacks were so severe that MarketWatch (a subsidiary of Dow Jones and Company) attributed a 2% drop in sales of new auto parts and vehicles in June to the attack.

It’s clear that hackers are targeting the “soft” underbelly of the marketplace they are looking to disrupt. Now people from the Department of Energy (DOE) to NIST, along with experts in the private sector, are voicing their concerns about Electric Vehicle (EV) charging stations as the next potential “soft” target for cyber hackers.

How are EV charging stations vulnerable?

There are already more than 5,000,000 electric vehicles on the road with more than 175,000 public EV charging stations in the United States. Their power is also their potential downfall, because “when they are networked, they can become a potential tool for attackers to destabilize the local power grid”. A lone charging station doesn’t present the kind of threat that a network of such stations might; if enough charging systems were compromised, cyberattackers might “destabilize the grid through a sudden increase in charging demands, which can lead to cascading failure and a drop in the system’s frequency.”

According to SpectrumNews1, although there have been no security threats made to electric vehicles (EV), experts believe that EV chargers can pose a risk and are highly unregulated. In March of 2024, more than 122,000 hybrid electric vehicles were sold in the U.S., which was up almost 30% from sales seen in March 2023. The U.S. expects to see more electric vehicles hit the road over the next few years due to various initiatives and legislative actions taken by the current Administration.

However, researchers are concerned about the security of charging stations. They have found several vulnerabilities in popular-brand charging stations. Hackers can infiltrate the devices in the vehicles, which could give them access to user data, interrupt charging, or cause a blackout of all surrounding chargers.

The risks posed to EV charging stations are no different from risks posed to many newer technologies. The National Cybersecurity Alliance said that due to the massive push to get more EV chargers online, companies might not be doing all the necessary testing to ensure their product is safe and secure. These security risks could be hackers tapping into systems remotely or physically. If they are physically tampering with the chargers, the process mirrors that of a credit card skimmer you might find at a gas station.

Government Involvement

The Biden-Harris Administration has set an ambitious goal “to build a national network of 500,000 public electric vehicle (EV) charging stations across the country by 2030 to ensure that all Americans can access a convenient, affordable, and reliable charge for their EVs.” As the number of electric vehicles rises, so does the need for charging stations, and cybersecurity needs to be considered more deeply. These concerns are at the forefront of cybersecurity, especially given the emphasis on getting more EVs on the road. They are also complex, because EV charging stations are integrated with the electrical grid. The trick is to balance the need for a clean energy future with the cybersecurity threat to the infrastructure required to sustain it.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has indicated that between 2022 and 2025, “CESER will have invested over $8 million in several research projects with public and private partners to develop and promote cybersecurity standards for the EV and EV supply equipment (EVSE) ecosystem.”

The research, largely conducted by DOE’s national laboratories, with some public-private partnerships, has focused on several key strategies, including: 1) testing all emergent technologies for cybersecurity vulnerabilities, and increasing resilience by “developing technologies that detect malicious activity in the power source and prevent an attack from occurring;” 2) coordinating risk management with EV stakeholders by addressing risks specific to the EV charging ecosystem; 3) improving secure communications within the EV charging infrastructure; and 4) assessing and coordinating EVSE cybersecurity standards. This effort will be backstopped by the DOE’s Grid Modernization Initiative, funded in 2023 with a $39 million lab call. This will include efforts by researchers at several DOE national labs to identify gaps in cybersecurity and provide a baseline for efforts related to harmonizing cybersecurity standards and voluntary cybersecurity testing across the EV charging ecosystem.

More EVs on the roads, more cybersecurity risks

While the car industry works to make EVs more financially and geographically accessible, David Strom writes in an April 9, 2024 article in Dark Reading, “the increasing popularity of electric vehicles (EVs) isn’t just a favorite for gas-conscious customers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks.” Strom points out that each charging point, no matter its location, uses online software that interacts and interfaces with the electrical grid. In other words, the vulnerabilities of the Internet of Things (IoT) are a “software sinkhole.”

In the same Dark Reading article, researchers from Check Point Software and SaiFlow added that “compromised stations could damage the power grid…or result in stolen customer data.” It may not get better soon. Elias Bou-Harb, a computer scientist at Louisiana State University who has studied charging station security, has found that “almost every charging product has major vulnerabilities.” Bou-Harb also indicated that “the government regulations have come too late,” as “the market is already saturated with various charging products.”

All of this is further complicated by the fact that the average age of power generation equipment in the US is 28 years, and these systems were designed and built before cybersecurity was a concern. Many power plants have systems in desperate need of an upgrade.

Potential Solutions

A coordinated and proactive approach is going to be needed to protect “the entire EV ecosystem,” given these potential points of vulnerability, including physical tampering, network vulnerabilities, malware, and unsecured communication. Because of this massive push to get more EV chargers online, a more robust approach will be needed: monitoring for and detecting anomalies that indicate threats, and doing the basics, such as using secure communications protocols and implementing strong authentication and authorization controls. And of course, the charger’s software should be updated and patched regularly as vulnerabilities or security issues are discovered. This is a minimum approach, and others are calling for some certification process, like a UL certificate, that each charger would have to have before it’s installed and activated. It’s obvious that more needs to be done and the time to start is now.


How Can CYRIN Help

At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and experiential training in particular, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!
