Analysis

Securing electric vehicle supply equipment

Cybersecurity strategies for hyperconnected ecosystems

As electric vehicle (EV) adoption picks up speed, the cybersecurity risks associated with an interconnected EV ecosystem are moving to the forefront. Explore strategies to help service providers secure electric vehicle supply equipment.

EV charging cybersecurity

Electric vehicle adoption is accelerating to new speeds and extending the reach to new audiences and locations. States, such as California, have laid down the gauntlet to commit that 100% of new cars and light trucks sold in California will be zero-emission vehicles by 2035, including plug-in hybrid electric vehicles.¹ This shift is not only driving change in California, but across the United States and globally, and is mainly attributed to environmental awareness, government incentives, technological advancements, and growing demand for cleaner transportation alternatives.

The hyperconnected nature of charging technologies that connect an EV to the electricity grid using a charging device entails the exchange of sensitive data and control commands among various entities in the EV ecosystem. When built into hyperconnected smart city infrastructures, integration across various stakeholders with different roles and security standards is required, increasing the cybersecurity risks associated with electric vehicle supply equipment. High rewards and extreme physical and remote connectivity make electric vehicle supply equipment (EVSE) a lucrative target for cyberattackers.

Business drivers for securing electric vehicle supply equipment

Evolving regulatory landscape

The regulatory landscape for EVSE is rapidly evolving to keep pace with technology advancements in the EV space. The International Organization for Standardization (ISO) 15118 has established a standardized communication protocol between charging stations and EVs. This standard enables a “plug and charge” functionality for an effective and secure charging process by allowing EVs to automatically communicate with the charging stations and exchange the required information without requiring manual interaction from the user.

The standard defines secure authentication and authorization methods for EVs and EVSE to ensure only authorized vehicles can access charging supply equipment. Service providers should utilize ISO 15118 to enable interoperability between EVs and EVSE and future proof their infrastructure.

Consumer trust and privacy

Trust and privacy are now firm requirements from consumers and should be built into the product life cycle from the design phase. EVSE service providers are expected to provide clear and transparent information to consumers about what personal data devices and services are being processed, the organizations that process this data, and the lawful basis on which the processing takes place.

Interconnected ecosystem of EV entities

The EV charging application ecosystem is complex and involves several components and vendors. The specific elements of the EV charging application supply chain include software development companies that design and build EV charging applications, cloud service providers, charging network operators, data aggregators, and payment gateway providers. Failure to properly vet and secure EVSE software supply chain components can lead to vulnerabilities in EVSE applications and infrastructure and further expand the attack surface.

Risk of energy theft and financial fraud

Another exciting development is vehicle-to-grid (V2G), whereby the EV battery is used to inject power back into the power grid. Broad security measures are required to mitigate the risk of financial fraud and energy theft and prevent bad actors from hacking the system and overloading the grid by injecting energy when it isn’t required.

Security by design: EVSE security components

Expand all
Collapse All

Secure over-the-air (OTA) updates

Applications that connect to endpoint charging stations are susceptible to various types of cyberattacks, such as account takeovers, man-in-the-middle, supply chain attacks, and application programming interface abuse. One of the challenges from a security perspective is that applications running on the endpoint charging station machines don’t get updated as often as they should; doing so requires planning and logistics to update the software at these endpoint devices. As a result, many run outdated versions of Linux and JavaScript in which new vulnerabilities haven’t been patched and leave these devices susceptible to attack.

Enabling secure OTA updates for charging station firmware to address potential vulnerabilities is an element of security by design for EV charging stations. OTAs provide EVSE owners with a cost-effective way to introduce feature upgrades, security enhancements, and bug fixes, while eliminating the need for manual updates at each station location.

Network and communication security

Borrowing leading practices from the Internet of Things and industrial control systems, EVSE communications can be secured by implementing cryptographic algorithms and secure communication protocols. To deploy cryptographic systems on a widespread basis across multiple administrative domains, more work is required on governance and operational procedures such as defining a trust framework—for example, a public key infrastructure (PKI), which is widely adopted on the internet to securely exchange confidential messages, verify the integrity of the messages, and authenticate relevant entities.

Protecting electric vehicle supply equipment requires a multilayered security approach; implementing other defensive controls that work by blocking, segmenting, or isolating traffic will only allow the legitimate to get to the accepted destinations inside the EVSE’s network. Network firewalls can monitor traffic to and from networks to enable compliance with security policies, allowing authorized traffic and blocking high-risk traffic.

Authentication of users, vehicles, and charging stations

Implementing a PKI for EV charging stations is a crucial component of securing the communication and data exchange and establishing trust between the users, vehicles, and charging stations. PKI enables mutual authentication, where all entities can verify each other’s identity prior to starting a charging session.

In a hyperconnected charging ecosystem, each charging station will be assigned its unique digital certificate, which contains its public key and other identifying information. This certificate will be used to verify the station’s authenticity during communications. In the event of an EVSE compromise, centralized certificate life cycle management is required to automatically revoke, issue, and update certificates.

Secure payment gateways

When implementing secure payment gateways for EVSE, several secure by design principles should be followed. If handling credit card payments, Payment Card Industry Data Security Standard (PCI DSS) and General Data Protection Regulation (GDPR) requirements should be followed to safeguard consumer payment data and enable transparent data-handling practices.

Data security mechanisms such as tokenization are recommended to reduce the risk of data exposure during the transaction and storage. Implementing multifactor authentication mechanisms adds another layer of security for users to prevent unauthorized access to their accounts. In addition, fraud detection and prevention strategies such as transaction monitoring, geolocation tracking, and user behavior analytics can be used to introduce another layer of security to the EVSE ecosystem. These strategies use machine learning algorithms to detect anomalies and potentially suspicious activities and reduce the risk of fraud and energy theft.

Deloitte automotive cybersecurity offerings

Mobility ecosystem cyberattacks now pose not only cybersecurity but also enterprisewide risks, threatening business continuity and the operations of organizations. Therefore, to mitigate their effects, organizations should consider implementing solutions to enhance cyber resilience and remediate enterprise risk.

Deloitte can help clients design, build, and operate dynamic, business-aligned security programs wherever they may be in their cyber journey. Our services related to automotive cybersecurity include but are not limited to:

Cybersecurity management systems (CSMS);
Secure by design;
Threat analysis and risk assessments (TARA);
Vehicle cybersecurity risk management;
Software update management systems (SUMS);
Supplier cybersecurity management; and
Vehicle cybersecurity monitoring.

We combine industry-leading strategic advisory services with deep technical capabilities to help organizations design, implement, and operate advanced cyber and strategic risk programs. Connect with our team to learn how we can help you build resiliency, deepen trust, and fuel performance.

¹ California Air Resources Board, “California moves to accelerate to 100% new zero-emission vehicle sales by 2035,” press release, August 25, 2022.

Get in touch

Leon Nash

Principal | Deloitte Risk & Financial Advisory

leonnash@deloitte.com

+1 714 436 7879

Leon, a principal at Deloitte & Touche LLP, is the Automotive and Future of Mobility leader of the Cyber Risk Services practice of Deloitte Risk & Financial Advisory. He has over two decades of experi... More

Shima Mousavi

Automotive Cybersecurity Leader

shmousavi@deloitte.com

+1 424 448 9847

Shima is a senior manager in the Cyber and Strategic Risk practice in Deloitte & Touche LLP. Shima has more than 10 years of work experience in leading the development and integration of cybersecurity... More

Viewing offline content