Nathalie Forrestill, a cybersecurity consultant with Atkins, looks at the recent news and issues surrounding the security of electric vehicle charging infrastructure and asks how the industry should be planning to prevent attacks in the future.
If you charged your electric car on the Isle of Wight in April 2022 you might have been shocked by what you saw. A handful of council owned electric vehicle (EV) charge points on the island were programmed to display inappropriate content, causing a stir in the national press and leaving the council red-faced.
This incident may not seem particularly life-threatening, but it does raise the question: how secure is EV charging infrastructure? While charging technology is still in its early adoption phase, as it scales and becomes part of our Critical National Infrastructure (CNI), its reliability and safety will need to be assured. Cyber-attacks on CNI is on the rise, and we don’t want to see similar cyber-attacks targeting EV infrastructure as those which shut-down the Colonial Pipeline in the USA, and caused the black-out of Ukraine’s Power Grid.
The electrification of transport, especially for road and air, and of its supporting infrastructure is integral to the UK meeting net zero targets. The number of public charging devices in the UK has increased tenfold since 2015, with 28,000 public charge points across the UK in 2022. To achieve this target of 300,000 charge points by 2030, over 30,000 chargers will need to be installed in the UK each year. Enabling this delivery is likely to require huge changes in how EVs interact with both each other and the power grid, including concepts like vehicle to grid electricity return, further widening the potential attack landscape.
The EV charging eco-system is an immature but fast-growing sector, with multiple players entering the market. It’s not a profitable industry yet but, according to Deloitte, it will be once EVs make up 5% of the vehicles in circulation, which is expected to happen in the short to medium term. Currently, a strong contingent of start-ups make up this market, backed by large venture capital funds or large Original Equipment Manufacturers (OEMs) who are looking for the next disrupter.
These EV infrastructure start-ups are in the ideal position to ensure that their solutions are designed with cyber security and resilience in mind. However, as cyber security is a non-functional requirement, it isn’t always considered in high-pressured, time-critical environments when delivering a product to market. One study reviewed six different companies that produce EV chargers, all of whom were accredited for UK government grant funding, and found security vulnerabilities in their products. A hacker could potentially use these vulnerabilities to access the user’s home network and infiltrate other connected devices. Conversely, if a hacker were able to gain access to multiple devices, they could create major disruption or even bring down the grid network. This may seem unlikely, but one of the companies in the survey has 2.9 million devices in circulation which, theoretically, could be compromised. If all these devices were turned on simultaneously this could overload the electricity network.
Vehicles are not the only means of transportation using EV chargers, the electrification of aircraft is likely to also utilise this technology.In the future, there is the prospect of short-range, electric air transport for the public to use that will be hosted at small vertiports – essentially small airports for electrical vertical take-off and landing (eVTOL) aircraft.
The UK government recently awarded a consortium – led by Atkins and including partners Virgin Atlantic, Vertical Aerospace, Skyports, NATS, Connected Places Catapult, Cranfield University and WMG, University of Warwick – a £9.5 million grant as part of its Future Flight Challenge to develop a first-of-a-kind, viable advanced air mobility ecosystem that could progress into commercial operations. The project will see eVTOL test flights between Bristol Airport and an airfield in southwest England, and between London Heathrow Airport and the Living Lab vertiport – a testing facility that Skyports will build and operate. Cyber security will be an important consideration: the prospect of a hacker gaining access to a car to disrupt charging is concerning, but the threat of infiltrating an aircraft and its connected infrastructure is even more so.
And the future of driving extends still further beyond EV technology, with prospective autonomous vehicles to consider. While still in its infancy, this is an area in which multiple global organisations are heavily investing, and governments are already trying to unpick what this could mean to the motoring industry. For autonomous vehicles, security and safety are of paramount importance, and it is essential that any risk of a breach is mitigated against, including any backdoor risks from other interconnected vehicle elements, such as EV charging stations.
So, what next? The EV industry is evolving and may become the backbone for how we travel on a local scale in the future. As it evolves, EV chargers will become increasingly interconnected, and may also potentially be used for additional and multiple functions, for example, running vehicle diagnostic tests, or feeding in data about air quality. The security of EV charging infrastructure is not a single industry problem, it will require input from multiple stakeholders including the Department for Transport, the Office for Zero Emission Vehicles (OZEV), OEMs, Local Authorities and software developers. All these stakeholders will have differing perspectives and responsibilities, but together they will need to take a systems-thinking approach to ensure security is intrinsic to the delivery of EV technology.