Recently, cyber hackers have been in the news for hitting strategic targets. In May, as described in that month's CYRIN Newsletter, they attacked United Healthcare’s medical claims clearinghouse, Change Healthcare, to disrupt several parts of the healthcare system. More recently, CDK Global, a company that provides software technology to over 15,000 car dealerships in North America, was hit during the week of June 17th, and dealerships faced major disruptions to vehicle sales, financing, insurance and repairs. Some dealers were out of service for several days and some switched to manual processes, including writing up orders by hand, to serve customers. In fact, the attack was so severe that MarketWatch (a subsidiary of Dow Jones and Company) attributed a 2% drop in sales of new auto parts and vehicles in June to it.
It’s clear that hackers are targeting the “soft” underbelly of the marketplace they are looking to disrupt. Now people from the Department of Energy (DOE) to NIST, along with experts in the private sector, are voicing their concerns about Electric Vehicle (EV) charging stations as the next potential “soft” target for cyber hackers.
There are already more than 5,000,000 electric vehicles on the road with more than 175,000 public EV charging stations in the United States. Their power is also their potential downfall, because “when they are networked, they can become a potential tool for attackers to destabilize the local power grid”. A lone charging station doesn’t present the kind of threat that a network of such stations might; if enough charging systems were compromised, cyberattackers might “destabilize the grid through a sudden increase in charging demands, which can lead to cascading failure and a drop in the system’s frequency.”
According to SpectrumNews1, although there have been no security threats made to electric vehicles (EVs), experts believe that EV chargers can pose a risk and are largely unregulated. In March of 2024, more than 122,000 hybrid electric vehicles were sold in the U.S., which was up almost 30% from sales seen in March 2023. The U.S. expects to see more electric vehicles hit the road over the next few years due to various initiatives and legislative actions taken by the current Administration.
However, researchers are concerned about the security of charging stations. They have found several vulnerabilities on popular brand charging stations. Hackers can infiltrate the devices in the vehicles, which could give them access to user data, let them interrupt charging, or cause a blackout of all surrounding chargers.
The risks posed to EV charging stations are no different from risks posed to many newer technologies. The National Cybersecurity Alliance said that due to the massive push to get more EV chargers online, companies might not be doing all the necessary testing to ensure their product is safe and secure. These security risks could involve hackers tapping into systems remotely or physically. If they are physically tampering with the chargers, the process mirrors that of a credit card skimmer you might find at a gas station.
The Biden-Harris Administration has set an ambitious goal “to build a national network of 500,000 public electric vehicle (EV) charging stations across the country by 2030 to ensure that all Americans can access a convenient, affordable, and reliable charge for their EVs.” As the number of electric vehicles rises, so does the need for charging stations, and issues of cybersecurity need to be more deeply considered. These issues are at the forefront of cybersecurity concerns, especially given the emphasis on the need to get more EVs on the road. They are also complex, due to the integration of the EV charging stations with the electrical grid. The trick is to balance the need for a clean energy future with the cybersecurity threat to the infrastructure required to sustain it.
The Department of Energy’s Office of Cybersecurity, Energy Security, and Emergency Response (CESER) has indicated that between 2022 and 2025, “CESER will have invested over $8 million in several research projects with public and private partners to develop and promote cybersecurity standards for the EV and EV supply equipment (EVSE) ecosystem.”
The research, largely conducted by DOE’s national laboratories, with some public-private partnerships, has focused on several key strategies, including: 1) testing all emergent technologies for cybersecurity vulnerabilities, and increasing resilience by “developing technologies that detect malicious activity in the power source and prevent an attack from occurring;” 2) coordinating risk management with EV stakeholders by addressing risks specific to the EV charging ecosystem; 3) improving secure communications within the EV charging infrastructure; and 4) assessing and coordinating EVSE cybersecurity standards. This effort will be backstopped by the DOE’s Grid Modernization Initiative, funded in 2023 with a $39 million lab call. This will include efforts by researchers at several DOE national labs to identify gaps in cybersecurity and provide a baseline for efforts related to harmonizing cybersecurity standards and voluntary cybersecurity testing across the EV charging ecosystem.
While the car industry works to make EVs more financially and geographically accessible, David Strom writes in an April 9, 2024 article in Dark Reading, “the increasing popularity of electric vehicles (EVs) isn’t just a favorite for gas-conscious customers, but also for cybercriminals who focus on using EV charging stations to launch far-reaching attacks.” Strom points out that each charging point – no matter its location – utilizes online software that interacts and interfaces with the electrical grid. In other words, the vulnerabilities of the Internet of Things (IoT) are a “software sinkhole.”
In the same Dark Reading article, researchers from Check Point Software and SaiFlow added that, “compromised stations could damage the power grid…or result in stolen customer data.” It may not get better soon. Elias Bou-Harb, a computer scientist at Louisiana State University, who has studied charging station security, has found “almost every charging product has major vulnerabilities.” Bou-Harb also indicated that “the government regulations have come too late,” as “the market is already saturated with various charging products.”
All of this is further complicated by the fact that the average age of power generation equipment in the US is 28 years, and these systems were designed and built before cybersecurity was a concern. Many power plants have systems in desperate need of an upgrade.
A coordinated and proactive approach is going to be needed to protect “the entire EV ecosystem,” given these potential points of vulnerability, including physical tampering, network vulnerabilities, malware, and unsecured communication. Because of this massive push to get more EV chargers online, a more robust approach will be needed: monitoring to detect anomalies that indicate threats, and doing the basics, such as using secure communications protocols and implementing strong authentication and authorization controls. And of course, the charger’s software should be updated and patched regularly as vulnerabilities or security issues are discovered. This is a minimum approach, and others are calling for some certification process, like a UL certificate, that each charger would have to have before it’s installed and activated. It’s obvious that more needs to be done and the time to start is now.
At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training, or the lack of it, will have consequences. Government, education, industry: basically all parties to the situation can become part of the solution.
At CYRIN we believe that all solutions require training as a central element to keeping and maintaining best practices when it comes to cybersecurity. Training or lack of it will have consequences. Government, education, industry, basically all parties to the situation can become part of the solution.
We continue to work with our industry partners to address major challenges including incident response, ransomware, and phishing and set up realistic scenarios that allow them to train their teams and prepare new hires for the threats they will face. Government agencies have been using CYRIN for years, training their front-line specialists on the real threats faced on their ever-expanding risk surface. For educators, we consistently work with colleges and universities both large and small to create realistic training to meet the environment students will encounter when they graduate and enter the workforce.
In an increasingly digitized world, training, and experiential training in particular, is critical. Unless you get the “hands-on” feel for the tools and attacks and train on incident response in real-world scenarios, you just won’t be prepared for when the inevitable happens. A full-blown cyberattack is not something you can prepare for after it hits. The best time to plan and prepare is before the attack.
Our training platform teaches fundamental solutions and integrates actual cyber tools from CYRIN’s labs, allowing you to practice 24/7, in the cloud, with no special software required. Cyber is a team effort; to see what our team can do for you, take a look at our course catalog, or better yet, contact us for further information and your personalized demonstration of CYRIN. Take a test drive and see for yourself!