The Infrastructure Investment and Jobs Act, as passed by the US Congress in November 2021, authorizes $7.5 billion to help meet US President Joe Biden's goal of installing 500,000 electric vehicle charging stations by 2030. Biden aims to have EVs represent half of all new vehicles being sold in the US by 2030. But as the number of stations increases, the number of vulnerabilities does as well.
For the past several years, hackers have been busy targeting their cyber-attacks at electrical system vulnerabilities. In the case of charging stations, some of these soft spots are located inside the stations; some are located inside the equipment that controls connections between the grid and the station; and still, others are inside assets that sit on the grid side of the relationship, and these are mostly owned by utilities. Europe-based wind power companies (Deutsche Windtechnik AG, Enercon GmbH, and Nordex SE) suffered attacks focused on stopping the flow of electrons, identity theft attacks, and stolen payments. In most cases, the results can be service disruptions affecting customers and revenue reductions for the providers of electrons and/or asset owners.
Hackers constantly look for ways to use all system vulnerabilities to their maximum advantage. This is a problem for the consumer, just as it is for commercial enterprises. Added to the stresses created by several types of hacker disruptions —physical destruction; electronic jamming; creating a "Denial of Service" — are concerns about weak control systems. PlugInAmerica.org worries that the existing supervisory control and data acquisition hardware is primative. "It [EV charging] doesn't handle the simple faults gracefully, and is not reliable, much less scalable. But it also is not yet on the Internet, so is inaccessible (for the most part). In fact, it's scary how primitive some of these systems still are," they said.
Caution - Protect your backend. Situated at the heart of EV infrastructure are stations connected to a central control unit, commonly referred to as "the backend.” This backend communicates over a wireless network using the same technology as a SIM card (in other words, it uses machine-to-machine communications). Stations collect sensitive data such as payment data, location data, and demographic data that might include email addresses and IP numbers. Since a mobile app or an RFID card is used to access the station, sensitive data is also collected on the apps, including location data and online behavior history.
According to the National Cybersecurity Center, "this data can be used to find patterns of daily routines and location data as well as private information." Networked stations have obvious advantages for operators, who can monitor usage and reliability in real time, but being networked means being vulnerable.
Additionally, Cisco Talos reported, "The most vulnerable elements of an electric vehicle charging station will usually be the EV management system (aka: the EVCSMS). Vendors who own these stations need to stay connected with them over the Internet to process payments, perform maintenance, and make their services available to EVs." Consequently, this can expose their stations to attackers who may seek to exploit those EVCSMS. Talos is distressed that EVCSMSs are "vulnerable in numerous ways." Many are developed with poor security practices, from hard-coded (and thus stealable) credentials to poor security code development that lets attackers exploit management interfaces to compromise the system. Talso thinks that "this is not dissimilar from many modern IoT devices, like web cameras or home routers" that traditionally have poorly designed security. EV management system is incredibly similar to other IoT products and markets, as well.
This is our second warning report against the EV charging stations: https://redskyalliance.org/xindustry/hackers-are-waiting As EVs are more and more promoted and produced, this issue will become and ever present danger.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings