Electric Vehicle Charging Stations Are Here - Will Cyberattacks Follow?

Brought to you by CYRIN

Recently, cyber hackers have been in the news for hitting strategic targets. In May, as described in that month's CYRIN Newsletter, they attacked United Healthcare’s medical claims clearinghouse, Change Healthcare, to disrupt several parts of the healthcare system.

More recently, CDK Global, a company that provides software technology to over 15,000 car dealerships in North America, was hit during the week of June 17th and dealerships faced major disruptions to vehicle sales, financing, insurance and repairs.

Some dealers were out of service for several days and some switched to manual processes, including writing up orders by hand, to serve customers. In fact, the attacks were so severe that MarketWatch (a subsidiary of Dow Jones and Company) attributed a 2% drop in sales of new auto parts and vehicles in June to the attack.

It’s clear that hackers are targeting the “soft” underbelly of the marketplace they are looking to disrupt. Now people from the Department of Energy (DoE) to NIST along with experts in the private sector are voicing their concerns about Electric Vehicle (EV) charging stations as the next potential “soft” target for cyber hackers.

How are EV charging stations vulnerable?

There are already more than 5,000,000 electric vehicles on the road with more than 175,000 public EV charging stations in the United States. Their power is also their potential downfall, because “when they are networked, they can become a potential tool for attackers to destabilize the local power grid”. A lone charging station doesn’t present the kind of threat that a network of such stations might; if enough charging systems were compromised, cyberattackers might “destabilize the grid through a sudden increase in charging demands, which can lead to cascading failure and a drop in the system’s frequency.”

According to SpectrumNews1, although there have been no security threats made to electric vehicles (EV), experts believe that EV chargers can pose a risk and are highly unregulated. In March of 2024, more than 122,000 hybrid electric vehicles were sold in the U.S., which was up almost 30% from sales seen in March 2023. The U.S. expects to see more electric vehicles hit the road over the next few years due to various initiatives and legislative actions taken by the current Administration.

However, researchers are concerned about the security of charging stations. They have found several vulnerabilities on popular brand charging stations. Hackers can infiltrate the devices in the vehicles which could give them access to user data, interrupt charging, or cause a blackout of all surrounding chargers.

The risks posed to EV charging stations are no different from risks posed to many newer technologies. The National Cybersecurity Alliance said that due to the massive push to get more EV chargers online, companies might not be doing all the necessary testing to ensure their product is safe and secure. These security risks could be hackers tapping into systems remotely or physically. If they are physically tampering with the chargers, the process mirrors that of a credit card skimmer you might find at a gas station.

Government Involvement

The Biden-Harris Administration has set an ambitious goal “to build a national network of 500,000 public electric vehicle (EV) charging stations across the country by 2030 to ensure that all Americans can access a convenient, affordable, and reliable charge for their EVs.” As the number of electric vehicles rise, so does the need for charging stations, and issues of cybersecurity need to be more deeply considered. These issues are at the forefront of cybersecurity issues, especially given the emphasis on the need to get more EVs on the road. These cybersecurity issues are complex, due to the integration of the EV charging stations with the electrical grid. The trick is to balance the need for a clean energy future with the cybersecurity threat to the infrastructure required to sustain it.

The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has indicated that between 2022 and 2025, “CESER will have invested over $8 million in several research projects with public and private partners to develop and promote cybersecurity standards for the EV and EV supply equipment (EVSE) ecosystem.”

The research, largely conducted by DOE’s national laboratories, with some public-private partnerships, has focused on some key strategy including: 1) testing all emergent technologies for cybersecurity vulnerabilities, and increasing resilience by “developing technologies that detect malicious activity in the power source and prevent an attack from occurring;” 2) coordinating risk management with EV stakeholders by addressing risks specific to the EV charging ecosystem; 3) improving secure communications within the EV charging infrastructure; and 4) assessment and coordination of EVSE cybersecurity standards. This effort will be backstopped by the DOE’s Grid Modernization Initiative funded in 2023 with a $39 million lab call. This will include efforts by researchers at several DOE national labs to identify gaps in cybersecurity and provide a baseline for efforts related to harmonizing cybersecurity standards and voluntary cybersecurity testing across the EV charging ecosystem.

More EVs on the roads, more cybersecurity risks

While the car industry works to make EVs more financially and geographically accessible, David Strom writes in an April 9, 2024 article in Dark Reading “the increasing popularity of electric vehicles (EVs) isn’t just a favorite for gas-conscious customers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks.” Strom points out that each charging point – no matter its location – utilizes online software that interacts and interfaces with the electrical grid. In other words, the vulnerabilities of Internet of Things (IoT) are a “software sinkhole.”

In the same Dark Reading article, researchers from Checkpoint Software and SaiFlow added that, “compromised stations could damage the power grid…or result in stolen customer data.” It may not get better soon. Elias Bou-Harb, a computer scientist at Louisiana State University, who has studied charging station security, has found “almost every charging product has major vulnerabilities.” Bou-Harb also indicated that “the government regulations have come too late,” as “the market is already saturated with various charging products.”

All of this is further complicated by the fact that the average age of power generation equipment in the US is 28 years old, and these systems were designed and built before cybersecurity was a concern. Many power plants have systems in desperate need of an upgrade.

Potential Solutions

A coordinated and proactive approach is going to be needed to protect “the entire EV ecosystem,” given these potential points of vulnerability, including physical tampering, network vulnerabilities, malware, and unsecured communication. Because of this massive push to get more EV chargers online, a more robust approach will be needed to monitor and detect anomalies that indicate threats and doing the basics such as using secure communications protocols, while implementing strong authentication and authorization controls. And of course, standard patching protocols should be done regularly to update and patch the charger’s software as any vulnerabilities or security issues are discovered. This is a minimum approach, and others are calling for some certification process, like a UL certificate, that each charger would have to have before it’s installed and activated. It’s obvious that more needs to be done and the time to start is now.


How Can CYRIN Help

At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.

We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.

In an increasingly digitized world, training, and experiential training is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.

Our training platform teaches fundamental solutions that integrate actual cyber tools from CYRIN’s labs that allow you to practice 24/7, in the cloud, no special software required. Cyber is a team effort; to see what our team can do for you take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!

Image: UniqueMotionGraphics



You Might Also Read: 

Hackers Target Healthcare:


If you like this website and use the comprehensive7,000-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.

  • Individual £5 per month or £50 per year. Sign Up
  • Multi-User, Corporate & Library Accounts Available on Request

Cyber Security Intelligence: Captured Organised & Accessible


« DDoS Attack Knocks Azure Offline
AI At The Paris 2024 Olympics »

Infosecurity Europe
CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 7,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

NSFOCUS Information Technology

NSFOCUS Information Technology

NSFOCUS is a global service provider and enterprise DDoS mitigation solution provider.

DKCERT

DKCERT

DKCERT (Danish Computer Security Incident Response Team) handles security incidents on forskningsnettet, the National Research and Education Network (NREN) in Denmark.

Axis Capital

Axis Capital

AXIS Insurance’s Professional Lines Division is a leading underwriter of technology/cyber coverage and other specialty products around the globe.

Secure Code Warrior

Secure Code Warrior

Secure your code from the start with gamified, scalable online secure coding training for software developers.

RHEA Group

RHEA Group

RHEA Group offers aerospace and security engineering services and solutions, system development, and technologies including cyber security.

THEC-Incubator

THEC-Incubator

THEC-Incubator program is designed for international and ambitious tech startups in the Netherlands. Areas of focus include Blockchain and Cyber Security.

JupiterOne

JupiterOne

JupiterOne is the security product that is changing how organizations manage and secure their software defined assets.

Prancer

Prancer

Prancer is the industry's first cloud-native, self-service SAAS platform for automated security validation and penetration testing in the cloud.

iManage

iManage

iManage's intelligent, cloud-enabled, secure knowledge work platform enables organizations to uncover and activate the knowledge that exists inside their business.

AccountabilIT

AccountabilIT

AccountabilIT is a full spectrum information technology services firm for enterprises with complex information technology needs seeking relief from those challenges.

Secure Halo

Secure Halo

Secure Halo has been protecting the intellectual assets and sensitive information of the federal government and private sector for 20+ years, through our proactive approach to risk and cybersecurity.

Somos

Somos

From voice to messaging to fraud prevention and beyond, Somos are committed to developing innovative solutions that ensure that our ability to maintain trustworthy connections never stops.

Saidot

Saidot

Saidot is a Finnish AI governance and alignment company committed to helping businesses safely and transparently integrate AI into their operations.

Fusion5

Fusion5

Fusion5 is a leading ANZ Business Services and IT Solutions provider. Our customers trust us to make their potential reality by providing advisory, IT project deployment, and managed services.

CRYPTIQ

CRYPTIQ

CRYPTIQ empowers businesses to navigate the ever-evolving cybersecurity landscape with confidence and clarity.

Vivid Computing Solutions

Vivid Computing Solutions

At Vivid Computing Solutions we provide comprehensive solutions that keep your business running efficiently and securely.