Electric Vehicle Charging Stations Are Here - Will Cyberattacks Follow?

Brought to you by CYRIN

Recently, cyber hackers have been in the news for hitting strategic targets. In May, as described in that month's CYRIN Newsletter, they attacked United Healthcare’s medical claims clearinghouse, Change Healthcare, to disrupt several parts of the healthcare system.

More recently, CDK Global, a company that provides software technology to over 15,000 car dealerships in North America, was hit during the week of June 17th and dealerships faced major disruptions to vehicle sales, financing, insurance and repairs.

Some dealers were out of service for several days and some switched to manual processes, including writing up orders by hand, to serve customers. In fact, the attacks were so severe that MarketWatch (a subsidiary of Dow Jones and Company) attributed a 2% drop in sales of new auto parts and vehicles in June to the attack.

It’s clear that hackers are targeting the “soft” underbelly of the marketplace they are looking to disrupt. Now people from the Department of Energy (DoE) to NIST along with experts in the private sector are voicing their concerns about Electric Vehicle (EV) charging stations as the next potential “soft” target for cyber hackers.

How are EV charging stations vulnerable?

There are already more than 5,000,000 electric vehicles on the road with more than 175,000 public EV charging stations in the United States. Their power is also their potential downfall, because “when they are networked, they can become a potential tool for attackers to destabilize the local power grid”. A lone charging station doesn’t present the kind of threat that a network of such stations might; if enough charging systems were compromised, cyberattackers might “destabilize the grid through a sudden increase in charging demands, which can lead to cascading failure and a drop in the system’s frequency.”

According to SpectrumNews1, although there have been no security threats made to electric vehicles (EV), experts believe that EV chargers can pose a risk and are highly unregulated. In March of 2024, more than 122,000 hybrid electric vehicles were sold in the U.S., which was up almost 30% from sales seen in March 2023. The U.S. expects to see more electric vehicles hit the road over the next few years due to various initiatives and legislative actions taken by the current Administration.

However, researchers are concerned about the security of charging stations. They have found several vulnerabilities on popular brand charging stations. Hackers can infiltrate the devices in the vehicles which could give them access to user data, interrupt charging, or cause a blackout of all surrounding chargers.

The risks posed to EV charging stations are no different from risks posed to many newer technologies. The National Cybersecurity Alliance said that due to the massive push to get more EV chargers online, companies might not be doing all the necessary testing to ensure their product is safe and secure. These security risks could be hackers tapping into systems remotely or physically. If they are physically tampering with the chargers, the process mirrors that of a credit card skimmer you might find at a gas station.

Government Involvement

The Biden-Harris Administration has set an ambitious goal “to build a national network of 500,000 public electric vehicle (EV) charging stations across the country by 2030 to ensure that all Americans can access a convenient, affordable, and reliable charge for their EVs.” As the number of electric vehicles rise, so does the need for charging stations, and issues of cybersecurity need to be more deeply considered. These issues are at the forefront of cybersecurity issues, especially given the emphasis on the need to get more EVs on the road. These cybersecurity issues are complex, due to the integration of the EV charging stations with the electrical grid. The trick is to balance the need for a clean energy future with the cybersecurity threat to the infrastructure required to sustain it.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has indicated that between 2022 and 2025, “CESER will have invested over $8 million in several research projects with public and private partners to develop and promote cybersecurity standards for the EV and EV supply equipment (EVSE) ecosystem.”

The research, largely conducted by DOE’s national laboratories, with some public-private partnerships, has focused on some key strategy including: 1) testing all emergent technologies for cybersecurity vulnerabilities, and increasing resilience by “developing technologies that detect malicious activity in the power source and prevent an attack from occurring;” 2) coordinating risk management with EV stakeholders by addressing risks specific to the EV charging ecosystem; 3) improving secure communications within the EV charging infrastructure; and 4) assessment and coordination of EVSE cybersecurity standards. This effort will be backstopped by the DOE’s Grid Modernization Initiative funded in 2023 with a $39 million lab call. This will include efforts by researchers at several DOE national labs to identify gaps in cybersecurity and provide a baseline for efforts related to harmonizing cybersecurity standards and voluntary cybersecurity testing across the EV charging ecosystem.

More EVs on the roads, more cybersecurity risks

While the car industry works to make EVs more financially and geographically accessible, David Strom writes in an April 9, 2024 article in Dark Reading “the increasing popularity of electric vehicles (EVs) isn’t just a favorite for gas-conscious customers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks.” Strom points out that each charging point – no matter its location – utilizes online software that interacts and interfaces with the electrical grid. In other words, the vulnerabilities of Internet of Things (IoT) are a “software sinkhole.”

In the same Dark Reading article, researchers from Checkpoint Software and SaiFlow added that, “compromised stations could damage the power grid…or result in stolen customer data.” It may not get better soon. Elias Bou-Harb, a computer scientist at Louisiana State University, who has studied charging station security, has found “almost every charging product has major vulnerabilities.” Bou-Harb also indicated that “the government regulations have come too late,” as “the market is already saturated with various charging products.”

All of this is further complicated by the fact that the average age of power generation equipment in the US is 28 years old, and these systems were designed and built before cybersecurity was a concern. Many power plants have systems in desperate need of an upgrade.

Potential Solutions

A coordinated and proactive approach is going to be needed to protect “the entire EV ecosystem,” given these potential points of vulnerability, including physical tampering, network vulnerabilities, malware, and unsecured communication. Because of this massive push to get more EV chargers online, a more robust approach will be needed to monitor and detect anomalies that indicate threats and doing the basics such as using secure communications protocols, while implementing strong authentication and authorization controls. And of course, standard patching protocols should be done regularly to update and patch the charger’s software as any vulnerabilities or security issues are discovered. This is a minimum approach, and others are calling for some certification process, like a UL certificate, that each charger would have to have before it’s installed and activated. It’s obvious that more needs to be done and the time to start is now.


How Can CYRIN Help

At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and experiential training is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: UniqueMotionGraphics



You Might Also Read: 

Hackers Target Healthcare:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


« DDoS Attack Knocks Azure Offline
AI At The Paris 2024 Olympics »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Perimeter 81 / How to Select the Right ZTNA Solution

Perimeter 81 / How to Select the Right ZTNA Solution

Gartner insights into How to Select the Right ZTNA offering. Download this FREE report for a limited time only.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

SealPath

SealPath

SealPath enables companies to protect and control their documents wherever they are: In their PC, in their corporate network, on a partner’s network, in the cloud.

Magnet Forensics

Magnet Forensics

Magnet Forensics' family of digital forensics products are used globally by thousands of law enforcement, military, government and corporate customers.

Forter

Forter

Forter provides new generation fraud prevention to meet the challenges faced by modern enterprise e-commerce.

Netlawgic Legal Services

Netlawgic Legal Services

Netlawgic is exclusively focused on delivering cyber law solutions to the industry. We provide our clients with specialized attention and problem solving in all aspects of cyber law.

GCHQ Apprenticeships

GCHQ Apprenticeships

GCHQ, the UK intelligence and security organisation, offers a unique three-year Cyber Security Degree Apprenticeship with employment on successful completion.

GBT Technologies

GBT Technologies

GBT Technologies is a technology company focused on chip design and software to enable IoT, global mesh networks, and for applications relating to artificial intelligence.

SAFECode

SAFECode

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights on creating, improving, and promoting effective software security programs.

Protected Media

Protected Media

Protected Media’s advanced cybersecurity ad fraud solution guards you against current and emerging threats across Connected TV, Display and Video advertising.

HunCERT

HunCERT

HunCERT's mission is to assist Hungarian Internet Service Providers in applying appropriate procedures to address the risks of computer network incidents and to respond to such incidents.

Comcast Business

Comcast Business

Comcast Business keeps businesses ready for what’s next with powerful connectivity, advanced cybersecurity solutions, and the right people at your side.

ImmuniWeb

ImmuniWeb

We Simplify, Accelerate and Reduce Costs of Security Testing, Protection and Compliance.

Traceable

Traceable

Traceable was founded to protect applications from next-generation attacks.

Cyber-Security Council Germany

Cyber-Security Council Germany

The German Cyber Security Council's objective is to consult businesses, government agencies and political decision-makers and to support them against cybercrime.

CyberUp

CyberUp

CyberUp is a nonprofit organization created to strengthen the cybersecurity workforce. We help employers reimagine how they grow and scale their cybersecurity workforce.

Framework Security

Framework Security

With Framework Security, you get more than a consultancy; you get a partner dedicated to simplifying cybersecurity and protecting your business in the most efficient way possible.

Xcelerate Solutions

Xcelerate Solutions

Xcelerate Solutions is a leading defense and national security company, providing integrated solutions in three service areas – Enterprise Security, Digital Transformation, and Strategic Consulting.