Sandia Labs Research Reveals EV Charging Cyber Threat Vulnerabilities

Cybersecurity researchers at Sandia National Laboratories in Albuquerque, N.M., have released a detailed analysis aimed at helping the U.S. get ahead of potential threats to the nation’s fast-growing electric vehicle charging infrastructure.

The research revealed vulnerabilities ranging from skimming credit card information — which has happened at some gas stations and ATMs — to using cloud servers to potentially hijack an entire electric vehicle charger network.  

Sandia National Laboratories does research and development on a wide range of issues from global security and defense to energy technologies and nuclear deterrence.  

Researchers there have been studying America’s charging infrastructure for the past four years and said successful attacks on Russia’s charging infrastructure have already occurred, displaying anti-Putin and pro-Ukraine messages on some Russian chargers. 

Sandia cybersecurity expert Brian Wright told EV Rider the good news is the basic U.S. structure appears sound.  

“Most of the vulnerabilities we saw were nothing you couldn’t fix with a quick update or quick architecture redesign. It’s nothing critical. It’s just a lot of little things that are overlooked because these companies are trying to roll these chargers out as quickly as possible to keep up with demand.”  

Wright said the review of vulnerabilities primarily focused on Level 3 DC fast charging stations. ChargePoint, which is one of the nation’s largest charging providers, collaborated with Sandia. 

In one example, the review found a vulnerability which could have acted as a first step to cyber attacks that could have impacted some 150,000 chargers connected to the ChargePoint system.  

Another part of the review found that a bad actor might have been able to manipulate ChargePoint’s smartphone app to remotely tamper with a charging session, which in a worst-case scenario could cause a fire by exceeding maximum charging current.  

EV Rider reached out to ChargePoint’s media team via email on two separate occasions to see if the company wanted to elaborate but did not receive a response by the time of this story’s publication. If a response is received, this story will be updated.

Although ChargePoint was mentioned in the report, Wright said that’s because they collaborated with researchers. He stressed it doesn’t mean ChargePoint is less secure than other providers.   

EVs are pictured DC fast charging at the Jacksonville, FL Electrify America station at The Avenues mall.

For example, Wright confirmed that the research team also looked at Electrify America stations but declined to say what, if any, vulnerabilities were found.  

He said documented vulnerabilities were reported to companies with the assumption they would be fixed.  

The team’s work is also meant to serve as a blueprint to help the federal government standardize best practices and mandate minimum security levels.   

Wright advises EV charging customers to use smartphone apps to start a charging session as opposed to using a credit card.

“A fleet service RFID tag, that’s at the bottom of my [recommended] list. That is different than Google Pay or Apple Pay, which I would rank higher than a credit card swipe. But I do advocate for credit cards in the sense that the companies will refund you for fraudulent charges, so you have that assurance,” Wright said.  

Some cars, such as Teslas, the Ford Mustang Mach-E and others, offer a streamlined process that allows customers to plug in to start and pay for a charging session without using a smartphone, smartwatch or credit card, which Wright also recommends using when available.

At many charging stations drivers can also use smartwatches, smartphones or credit cards that have short-range wireless payment technology, commonly referred to as “tap to pay,” which Wright says is also safer than doing a credit card swipe.

For government agencies or private companies considering chargers for fleets, he recommends including the organization’s security team in the vendor vetting process to help make sure the charging company chosen is following best practices when it comes to cybersecurity.

Learn More About EV Cybersecurity Best Practices And Vulnerabilities

Cyber Security info graphics provided by Sandia National Laboratories
Credit card skimmer tips provided by Las Vegas Metropolitan Police Department