Hackers that target electric vehicle infrastructure can lock drivers out of their vehicles, steal payment information and even compromise electrical grids.
Electrifying the nation’s vehicles and transportation infrastructure exposes drivers and cities to new risks. If cybercriminals hack into electric vehicles, they could not only penetrate the vehicle itself, but also compromise the entire connected infrastructure -- including charging stations, electrical grids, back office utilities and the cloud, according to experts at NextGov’s May 6 Cyber Defenders event.
Hackers that get into charging systems can even lock drivers out of their vehicles through a denial of service attack, said Sunil Chhaya, senior technical executive at the Electric Power Research Institute (EPRI). Threat actors could damage an EV by overcharging its battery or steal payment information through a charging station, Southwest Research Institute Computer Scientist Austin Dodson said. Hackers can also skim credit card information and users’ PIN codes from charging stations. “If they’re able to get that information … that's obviously very attractive for an attacker,” he said.
When heavy duty vehicles start charging at multi-megawatt plazas, they can strain cities’ power systems. If these systems are not managed or secured properly, attackers can shut down electrical grids and cause blackouts for entire city blocks, Chhaya said.
Fleets of publicly owned vehicles like electric buses, trucks and emergency response vehicles are also at risk. Officials should ensure the vehicles and infrastructure are secure, as disruptions would have a major impact on city and emergency services, the panelists said.
“The issue here is that you are combining transportation, which is one critical infrastructure, with the grid, which is another critical infrastructure,” Chhaya said. EV infrastructure just expands the problem geographically, he said. “Now, you're going to have to make sure that both of them are protected simultaneously…. This is why we emphasize design as a system.”
“Every component [of EV infrastructure] is designed with very limited knowledge of how it interacts with the rest of the system,” Chhaya said. Cars have a few, specific interfaces with EV infrastructure, but they have not been designed to account for upstream actions, he said.
Prevention and mitigation of threats to EV infrastructure begin with good enterprise cybersecurity standards, the experts explained. Intrusion detection software running on the entire network will show “when attacks are happening, whether somebody has gotten onto your network and what they're trying to attack,” Chhaya said. Standard cybersecurity hygiene or best practices, such as good user security and password protection, are still applicable in this space, he said.
To ensure security on all fronts, EV infrastructure designers must ensure “that every aspect of the system – from the customer, to the endpoints, vehicles, back office utilities and cloud providers – is operating on one set of requirements,” Chayya said. “There has not been any activity that has looked at the entire system end to end.”
The ultimate solution, Chhaya said, is the adoption of a systemwide set of cybersecurity standards developed in conjunction with the National Institute of Standards and Technology. He cited the EPRI’s OpenDSS electrical power system simulation as a potential training tool.
“Even if you are a small cog in a giant machine, you still need to know how that machine operates,” he said. “So that you know exactly what the implications of a flaw in the other parts of the machine may be to you, and vice versa.”