The spread of electric vehicles is melding parts of the U.S. power and transportation sectors — and posing a unique problem for grid cybersecurity, experts warn.
The two industries are connected by powerful chargers, known as electric vehicle supply equipment (EVSE), that could offer ways for hackers to disrupt the grid.
"You do reach a tipping point where you’ve got so much load on the grid provided by these chargers, that if you could control it and manipulate them in aggregate, you would start to see power system problems," said Jay Johnson, principal member of technical staff at Sandia National Laboratories.
Johnson and his team at Sandia are exploring ways to prevent such a grid attack, which would take a difficult and coordinated effort to pull off. Hacking enough chargers could theoretically cause blackouts, though experts say there isn’t enough EVSE installed right now for a feasible attack on the power grid (Energywire, Aug. 19, 2019).
But as electric vehicles gain ground nationwide, some cybersecurity researchers and industry groups are eyeing weak points in charging networks that could be exploited to harm other sectors.
"EV charging is right there at the intersection of two U.S. critical infrastructures, the transportation sector and the energy sector. But we need to understand that it also intersects with a lot of other critical infrastructure in the United States," Johnson said.
This is particularly true for medium- and heavy-duty EVs, whose high-voltage chargers could do more damage if hacked, according to the National Motor Freight Traffic Association. Ripple effects from a cyberattack on extreme fast charging (XFC) infrastructure could "cause widespread systemic and societal issues," NMFTA said in a 2018 cybersecurity review.
Charging stations "for light passenger vehicles and heavy-duty electric trucks present major vulnerability points also to the grid that supplies power to the XFC systems," the industry group warned.
There are still non-cyber barriers to widespread XFC deployment, including safety and cooling concerns, market challenges and steep costs for building power-hungry stations.
Still, heavy-duty EV trucks are in the middle of a "great technological shift," NMFTA said, and targeting their chargers could give an attacker "unique opportunities to cause widespread harm." A hack of enough truck chargers could be used to cause "extreme power fluctuations through load cycling" — essentially switching the chargers off and on quickly — ultimately causing power outages.
"To highlight a few examples: gas stations wouldn’t be able to provide gas; grocery stores wouldn’t be able to provide goods; clean water would become unavailable in large cities if the water treatment chemicals upon which they rely stop flowing," NMFTA said.
Such a dire scenario may sound farfetched, but experts are gauging new cyber risks as EVs surge in popularity. The novel coronavirus pandemic has hindered the rise of EVs, but gas-powered vehicles have been hit worse, according to BloombergNEF. Analysts there project EVs will account for over half of all passenger vehicles sold by 2040 (Energywire, May 19).
Large commercial vehicles are spearheading a shift to bigger EV chargers. Heavy-duty electric semis, while not yet in mass production, will rely on XFC infrastructure to charge on a time crunch.
"With power levels of 200 [kilowatts] or higher, the malfunction of an individual or a fleet has the potential to impact the local distribution system, especially when multiple EVs are charging simultaneously," said Rish Ghatikar, senior program manager for information and communication technologies at the Electric Power Research Institute. "As XFC adoption grows, so does the importance of associated cybersecurity."
Even for smaller passenger vehicles, demand for faster, higher-powered chargers is growing. EVSE is often placed in public spaces, from shopping malls to office buildings. For charging points, public availability is key, unlike electric substations that are protected by fences. That could provide more opportunities for a hacker to find vulnerabilities in the devices, experts say.
No rules
The convergence of energy and transportation is not without growing pains. In a symposium on EV cybersecurity hosted by the National Institute of Standards and Technology last September, participants noted that the two sectors lacked coordination and had "very little understanding of each other’s concerns and approaches to cybersecurity," according to NIST.
The fragmented process for designing EV supply equipment could lead to unintended risks, several researchers warned at the conference. Since "neither sector is developing or implementing EVSE in the majority of cases," the cybersecurity concerns of each sector may not be addressed, NIST said in its official summary of the symposium.
Another concern is the lack of comprehensive cybersecurity guidelines for EVSE. Both the electricity and transportation sectors are heavily regulated, but for the latter industry, rules cover "safety, anti-pollution, and energy consumption," NIST pointed out, while the energy sector focuses on "safety and reliability."
The two different regulatory frameworks were "not developed with each other’s operations in mind," which could lead to "confusion and conflict over cybersecurity," NIST said.
Currently, there are no cybersecurity standards for XFC systems for medium- and heavy-duty vehicles, according to Urban Jonson, chief technology officer for NMFTA.
"Unfortunately, there have been competing interests that have hindered development," Jonson said.
Despite the lack of progress toward XFC standards, Jonson said that NMFTA and the Department of Transportation’s Volpe National Transportation Systems Center have created a set of best practices for securing superfast chargers. Jonson said the national labs are currently assessing the groups’ guidelines, while NIST and the Department of Homeland Security are developing more "formal" recommendations.
"What remains is to further educate and make the purchasers of these technologies aware of the resources available," Jonson said.
‘Fresh attack surface’
There is still disagreement over what EV cybersecurity standards should cover and whether they should be voluntary.
Mandatory cybersecurity rules for the bulk power system, developed by the North American Electric Reliability Corp., don’t apply to "grid-edge" technologies like chargers but could be used as a reference as EV cybersecurity standards developed at DOT or other agencies, said Ghatikar.
"There are ongoing efforts related to EV charging infrastructure focusing on understanding risks and threats, and developing recommended cybersecurity controls unique to the electric transportation sector," Ghatikar said.
Both industries are aware of the gap and have been working to update legacy systems that are often insecure against modern cyberattacks, said Matthew Carpenter, senior principal security researcher at the cybersecurity and engineering consultancy GRIMM.
"That cooperation doesn’t mean there aren’t learning curves and struggles to achieving functionality, stability and security, but the parties involved seem to be paddling in the same direction, albeit from different yachts," said Carpenter.
"EVs represent an interesting and fresh attack surface," he added.
Once a vulnerability in a charger is found, it can be exploited to compromise the grid, other EVSE or even the vehicles themselves, Carpenter said.
"New attacks for EVs are still being discovered: Batteries can be damaged and possibly explode. Electric motors can be individually driven in whatever direction and torque the programming tells them to," Carpenter said.
Smartphone apps to monitor and control charging present another possible avenue for hackers.
EVSE is still a new technology, and while there is a lot of research on the potential cyberthreats, the next steps are turning to practical defenses.
"There’s a lot that exists out there in academia, it’s just the application of those technologies to this particular research space. That’s where we are now, and we need to start doing this at an accelerated rate," Sandia’s Johnson said.
