Examining Vulnerabilities of Electric Vehicle Charging Infrastructure

The team looked at a few entry points, including vehicle-to-charger connections, wireless communications, electric vehicle operator interfaces, cloud services and charger maintenance ports. They looked at conventional AC chargers, DC fast chargers and extreme fast chargers.

The survey noted several vulnerabilities on each interface. For example, vehicle-to-charger communications could be intercepted and charging sessions terminated from more than 50 yards away. Electric vehicle owner interfaces were chiefly vulnerable to skimming of private information or changing charger pricing. Most electric vehicle chargers use firewalls to keep separate from the internet for protection, but Argonne National Laboratory researchers found some systems did not. Additionally, an Idaho National Laboratory team found some systems were vulnerable to malicious firmware updates.

The multi-lab team found many reports of charger Wi-Fi, USB or Ethernet maintenance ports allowing reconfiguration of the system. Local access could allow hackers to jump from one charger to the whole charger network through the cloud, Johnson said.

Patches and Next Steps
In the paper, the team proposed several fixes and changes that would make the U.S. electric vehicle charging infrastructure less vulnerable to exploitation.

These proposed fixes include strengthening electric vehicle owner authentication and authorization such as with a Plug-and-Charge public key infrastructure, Johnson said. They also recommended removing unused charger access ports and services and adding alarms or alerts to notify charger companies when changes are made to the charger, like if the charger cabinet is opened. For the cloud, they recommended adding network-based intrusion detection systems and code signing firmware updates to prove that an update is authentic and unmodified before being installed. Sandia has produced a best-practices document for the charging industry.

Now that this review has been completed, the Sandia team has received follow-on funding to tackle some of these gaps. They are working with Idaho and Pacific Northwest national laboratories to develop a system for electric vehicle chargers. This system will use cyber-physical data to prevent bad guys from impacting the electric vehicle charging infrastructure.

The team has another research project that involves evaluating public key infrastructures for electric vehicle charging, providing hardening recommendations for charging infrastructure network owners, developing electric vehicle charging cybersecurity training programs and assessing the risk of the various vulnerabilities. Risk analysis looks at both the likelihood of something bad happening and the severity of that bad thing to determine which changes would be the most impactful.

“The government can say ‘produce secure electric vehicle chargers,’ but budget-oriented companies don’t always choose the most cybersecure implementations,” Wright said. “Instead, the government can directly support the industry by providing fixes, advisories, standards and best practices. It’s impossible to create solutions if you don’t understand the state of the industry. That’s where our project comes in; we did the research to find where we are and what gaps would be the quickest and most impactful to fix.”