EVs rev up cybersecurity challenges
Without a meaningful way to secure and insure the electric-vehicle infrastructure, EV owners, charging stations and fleet managers are vulnerable to hackers.
Even as the Biden administration recently reaffirmed its commitment to electric vehicles (EVs), questions linger about the ability of charging infrastructure and the vehicles themselves to cope with a cyberattack.
If charging stations are deemed critical infrastructure, that could make the challenge even greater, especially as states add them to public property.
Many state and local agencies carry cybersecurity insurance to insulate themselves from some of the financial costs of an attack on their IT systems, but insurance to cover EVs and charging stations is relatively unexplored territory.
A recent report from the IBM Institute for Business Value touched on these new cybersecurity risks and the implications for insurance. The report said that “software-heavy” EVs and their charging stations are in constant communication with other vehicles and the world around them, and while software updates can be delivered quickly to patch security gaps, the large attack surface “lights up the radar of cyber criminals.”
The report also noted that the “effects trickle into the insurance industry as well, as they struggle to assess an unfamiliar set of risks and losses.” An IBM spokesperson did not respond to requests for further comment. Mike Hamilton, chief information security officer at cybersecurity-as-a-service company Critical Insight, agreed that the lack of precedent is troubling for the future of insurance.
“The bigger issue is … how are we going to figure out how to price this insurance based on risk, when we do not have the benefit of 200-year-old actuarial tables the way we do for everything else?” he asked. “That's what they need to figure out.”
Dan Leja, a vice president at risk advisory and insurance firm Horton Group, who has already written extensively on the cybersecurity insurance issues associated with EVs, also noted the stakes for local governments that manage and insure their own fleets.
If local governments remain intent on electrifying those vehicle fleets, ensuring they have appropriate insurance against a possible cyberattack must be “top of mind,” Leja said, especially if they rely on self-insurance for vehicles operated by employees, as some do.
“If [governments] are pushing out an incentive or a government initiative to go electric, are you taking into consideration the cyber exposures related to this, and are there enough case studies that [governments] have reviewed where [the EV fleet] could potentially cause more of a threat than a benefit?” Leja asked.
It might be necessary for the federal government to step in and insure against major cyber incidents through legislation, as Congress did after the Sept. 11, 2001, terrorist attacks. The resulting Terrorism Risk Insurance Act created a program that provides for shared public and private compensation for certain insured losses after a terrorist attack and has since been reauthorized several times.
Leja said expanding that scheme, offered by every insurance provider for an additional premium but optional for the insured parties, could help protect EV companies and charging station providers from massive losses in the event of a debilitating attack.
“If you want to be proactive and cover your organization in the event something like this happens, you purchase it. If you want to decline, you decline it,” he said. “But if something happens, you're at risk where the government's not going to step in and help you out,” unless you’re covered, Leja added.
That is especially pertinent given the lack of profitability in the auto insurance marketplace. Meanwhile, cyber insurance premiums have also been rising, leaving around half of municipal governments with inadequate coverage. That could produce a perfect opportunity for greater federal intervention, Leja said, especially given the amount of customer data at risk.
In a bid to get the issue under control, insurance companies and EV manufacturers could standardize best practices as a way to assess their cyber risk, said Loney Crist, senior vice president of cybersecurity software development at technology company IPKeys Cyber Partners.
That includes making sure that cars are fully current on their necessary software patches and updates, something that could be tracked in the same way that insurance companies use telematic devices to make sure a policyholder is a safe driver.
“At some point, I think insurance companies will be able to look and see if you're doing best practices to maintain that technology because it's very vulnerable,” Crist said. “There's going to be some way of going through and making sure that you're not allowing things to be plugged into [the EV ecosystem] and affecting it.”
Just as insurance companies will need to keep track of cars’ software to ensure they are secure, the charging stations will also be subject to continuous monitoring so that insurance companies can “really understand the risk,” Hamilton said. Any self-assessment that charging providers fill out to document risks “ain’t gonna do it,” he said.
Despite the concerns over the cybersecurity of EVs and their charging infrastructure, observers said it will likely take a major cyberattack or other incident to truly focus leaders’ attention on ensuring the technology’s safety. Hamilton drew a parallel with investments in pipeline cybersecurity, which greatly increased after the Colonial Pipeline attack, describing the thinking as “management by landmine.” Crist agreed and also noted the parallels with pipeline cybersecurity.
“If [an attack] can take the grid down because of the way that [hackers] are attacking the charging stations, or if they could create a massive pileup because they took advantage of a car and caused it to kill a bunch of people,” Crist said, that would make it a bigger issue for elected officials and force them to act. “That's when things kick in,” he added.