Increased commitment to regulation of emissions and vast improvements in battery and charging technology mean that the growth of electric vehicles (EVs) is expected to continue on an upward trajectory. Despite a global slump in overall car sales during the pandemic, electric vehicle sales topped three million units in 2020. Deloitte projects that a 30% annual growth rate in sales should continue for the next decade. At that point, global EV sales will be over 30 million units or around 1/4 of all cars sold.
One of the biggest difficulties facing the EV industry is the rollout and security of charging stations. EV success hinges on consumer confidence that charging electric vehicles will be as easy as pumping gas. However, the challenge is not just in providing the physical infrastructure to charge EVs, but also in protecting all devices involved from the threat of cyberattack.
Electric vehicles and cybersecurity
The interface of widespread charging infrastructure is already attracting considerable attention from hackers and cybercriminals, making it a core priority for all involved in the industry. Every IoT device and piece of equipment connected to a network increases the attack surface of the connected system.
Moving forward, a flexible security model needs to be adopted that can easily and securely be scaled to meet the charging needs of EV users. It also needs to take into account the evolving requirements and infrastructure of the larger electrical grid that it connects to. There are several existing and proposed charging models, but the one that shows the most promise in terms of convenience and adaptability is termed plug and charge.
What is plug and charge?
Plug and charge is a charging infrastructure that automatically identifies an electric vehicle once it’s plugged into a charging station. Once authenticated, the vehicle is authorized to perform a transaction with the charger and recharge its battery. There’s no need for the driver to use credit cards or enter passwords; all they have to do is drive up to the charging station, plug in, and the technology does the rest. The system arises from ISO 15118, an international standard which delineates a vehicle-to-grid (V2G) communication interface.
This communication interface standard supports elements critical to integrating connected cars with an overall smart grid infrastructure. Examples include smart charging, which matches grid capacity with EV charging demand, and bidirectional energy transfer, which allows EV users to sell excess energy that they’re not using back to the grid.
However, the ease with which drivers can tap into a plug and charge network belies the very significant security risks that distributed charging networks face. To address these risks, protect consumer data, and improve revenue security for manufacturers and service providers, plug and charge technology needs to deploy robust digital security solutions.
Plug and charge security risks
There are a number of threats posed by charging stations and their interaction with EVs that plug and charge security needs to address. These include threats to:
- Charging stations: Infiltration of physical charging stations could allow attackers to access data, business logic, and the equipment’s underlying backend infrastructure. Hackers could conceivably use a charging station infected with malware to harvest data or add monetary charges to each passing user. With potentially thousands of such stations, hackers could replicate successful attacks on an international scale.
- Vehicles: Attacks designed to specifically infect vehicles that interface with the charging station could seek to make their way to the car’s ECU and program it for different attacks. These could range from overcharge attacks on the vehicle’s battery to stealing the processing power of EVs to perform DDoS attacks.
- Data exchange: The exchange of data between the user’s EV, the charging station, and its home network creates rich sources of data for attackers to steal. In a hacking test, researchers were able to spoof signals between the charger and an EV through man-in-the-middle attacks.
- Energy theft: If authorization protocols are circumvented, it would be possible for attackers to steal energy from the grid, either for their own cars or to charge up batteries to sell to others.
- Energy grid: Security researchers have considerable concerns that EV charging infrastructure could be used as a conduit to attack the national energy grid itself through attacks such as fake overloading or DDoS.
Overcoming these plug and charge security challenges is essential if the technology is to be adopted broadly. The underlying security protocols of plug and charge limit these threats by using asymmetric cryptography within a public key infrastructure (PKI). Let’s take a closer look at how it works.
Securing plug and charge with PKI
As outlined in ISO 15118, the protocols that underpin plug and charge security are designed to address the major threats affecting the interface between EV users and the charging station. They focus on:
- Data security: Confidentiality is critical—for user confidence, for service providers to adhere to data security regulations, and to prevent extraction of information like session keys that could be used in attacks. Under ISO 15118, data sent and received by the IoT equipment needs to undergo encryption and decryption using public key infrastructure.
- Secure authentication: As part of the PKI, secure digital certificates ensure that the parties involved are who they say they are before any data is exchanged. This is very important for utilities to ensure that all users of the energy infrastructure are valid.
- Data integrity: Security protocols must ensure that all messages and data sent between the communicating actors haven’t been tampered with in transit.
How PKI for plug and charge works
The essential mechanisms for plug and charge security are achieved through a combination of symmetric cryptographic algorithms and asymmetric cryptographic algorithms using a PKI. In a PKI, public and private key pairs are used to encrypt the data exchanged between two parties once they have authenticated each other through a secure handshake. For plug and charge security as per ISO 15118, that process, in simplified terms, looks like this:
Step 1: A TLS handshake authenticates both parties to the session.
Step 2: Using an Elliptic Curve Diffie-Hellman (ECDH) protocol, a common session key is agreed upon and shared.
Step 3: The data and messages exchanged use AES-128 for encryption.
Step 4: User authentication and message integrity are verified using the Elliptic Curve Digital Signature Algorithm (ECDSA).
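Steps 2 to 4 above can be sketched in Go as follows; this is an added example, not code from ISO 15118 or from Intertrust, and it leaves out step 1's certificate-based TLS handshake. The names `Channel`, `Send` and `Receive`, the in-process demo keys, the SHA-256 truncation used as key derivation and the choice of GCM as the AES-128 mode are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func must[T any](v T, err error) T { // setup failures abort this sketch
	if err != nil {
		panic(err)
	}
	return v
}

// Constructed demo keys: key-agreement keys for EV and charger, plus the EV's signing key.
var evKA, csKA = must(ecdh.P256().GenerateKey(rand.Reader)), must(ecdh.P256().GenerateKey(rand.Reader))
var evSign = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))

// Channel does step 2 (ECDH) and keys AES-128-GCM from SHA-256(secret)[:16]; KDF and mode are assumptions.
func Channel(own *ecdh.PrivateKey, peer *ecdh.PublicKey) cipher.AEAD {
	sum := sha256.Sum256(must(own.ECDH(peer)))
	return must(cipher.NewGCM(must(aes.NewCipher(sum[:16]))))
}

// Send signs msg with ECDSA (step 4) and encrypts it under a fresh random nonce (step 3).
func Send(ch cipher.AEAD, signer *ecdsa.PrivateKey, msg []byte) (nonce [12]byte, ct, sig []byte) {
	must(rand.Read(nonce[:]))
	digest := sha256.Sum256(msg)
	return nonce, ch.Seal(nil, nonce[:], msg, nil), must(ecdsa.SignASN1(rand.Reader, signer, digest[:]))
}

// Receive fails closed: an altered ciphertext, a wrong key or a bad signature is rejected.
func Receive(ch cipher.AEAD, pub *ecdsa.PublicKey, nonce [12]byte, ct, sig []byte) (string, error) {
	msg, err := ch.Open(nil, nonce[:], ct, nil)
	if digest := sha256.Sum256(msg); err != nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("message rejected: decryption or signature check failed")
	}
	return string(msg), nil
}

func main() {
	nonce, ct, sig := Send(Channel(evKA, csKA.PublicKey()), evSign, []byte("constructed: 12.5 kWh"))
	fmt.Println(Receive(Channel(csKA, evKA.PublicKey()), &evSign.PublicKey, nonce, ct, sig))
}
```

The public keys in this sketch are not bound to certificates, so on its own it does not rule out a man-in-the-middle; that binding is what step 1 and the PKI provide.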
Certificate authorities (CAs) play a significant role in the function of the plug and charge security PKI. The trust in these certificates is what allows for secure authentication of the parties communicating through the protocol.
While a PKI provides the necessary security for data exchanged between EV users and the utility controlling the charging station, it must also not overly interfere with the user experience. It should also be scalable so it can be rolled out across an entire network without weakening security provision.
A plug and charge security solution
Plug and charge, with its ease of use, data protection and ability to securely interact with a smart grid infrastructure, can become the norm for EV charging stations. This will benefit users, manufacturers, and utilities alike. However, this rollout depends on the deployment of a secure, scalable PKI that goes beyond provisioning of standard X.509 certificates.
As industry leaders in providing secure identities to IoT devices and networks, Intertrust’s Seacert is a certificate authority and managed PKI service with a proven track record in securing distributed device networks. It utilizes rigorous security mechanisms, including highly secure facilities and processes, and provides a rich, agile data structure for fine-grained control and secure updating.
To learn more about how Seacert can secure EV charging networks, get in touch with our team.
About Prateek Panda
Prateek Panda is Director of Marketing at Intertrust Technologies and leads global marketing for Intertrust’s device identity solutions. His expertise in product marketing and product management stems from his experience as the founder of a cybersecurity company with products in the mobile application security space.