The Weakest Link.

Featured Image: Eneas De Troya via Flickr CC BY 2.0

In the swing of the electric revolution, little attention was paid to the digital security of the EV charging stations. It is time to set things right.

 

HACK THE CHARGER, HACK THE GRID

The vulnerability of electric vehicle (EV) charging stations was brought to the public attention before. Namely in 2013, at the Hack in the Box Security Conference in Amsterdam, Israeli security expert Ofer Shezaf dwelled on some of the security issues of the EV chargers. The list included physical accessibility, unprotected communication channels, and poorly encrypted RFID cards. He explained how hackers can conduct identity and financial theft, as well as ‘denial of charging service’. Shezaf’s talk brought home the realization that an EV charger is nothing more than a computer behind a panel, located on a street corner—an exceptionally vulnerable device.

Given the rapid digitalization taking place in the utilities sector, it is time we paid attention to another security threat associated with the EV chargers—the threat to the power grid itself.

One of the experts advocating this notion is Dr. Klaus Kursawe, Chief Scientist at the European Network for Cyber Security (ENCS), the independent, non-profit member organization that brings together critical infrastructure stake owners and security experts. The ultimate goal of ENCS is to make European energy grids and infrastructure secure. Together with its partners Enexis and ElaadNL, ENCS has begun studying security protocols of EV charging points as a part of their integration into the Smart Grid.

Until 2003, Kursawe has been working for IBM on various issues around Trusted Computing. He then became the Senior Researcher at the Philips Laboratories in Eindhoven, where he headed the “Trusted Systems and Services Cluster”.  Several years ago, he was one of the few researchers arguing against the onset of the smart grid, warning that the society and the industry simply “were not ready” for it. “I was standing on stage and telling people to stop the smart grid. It made me well-known, but not very popular. I have since then seen the light,” he laughs.

At ENCS, Dr. Kursawe is participating in a project that involves testing the vulnerability of the EV chargers. The research is being done together with the Dutch power network operator Enexis and the innovation center in the field of charging infrastructure ElaadNL. Thanks to them, ENCS’s laboratory was fitted with a fully operational charging point. Kursawe’s team is exploring the possible scenarios of cyberattacks and suggests security measures to prevent them.

 

It is while leading this research that he realized the full range of security issues faced by the EV industry. Most of all, he is worried about the attacks that can compromise grid stability.

Here is how he explains it: “If one Tesla goes on supercharging, it would feel to the grid as if 120 households have come online for half an hour* [ed. see explanation below]. Imagine a street where five Teslas are charging simultaneously—this can be physically damaging to the grid, the fuses might blow.” Hypothetically, one can devise an attack that would involve manipulating the load, damaging the grid, and cutting the area of power. Because the charger is communicating with the electricity grid, in the future it can potentially serve as an entry point into it. In case an EV charger is not properly protected, the utilities could face yet another security loophole.

“Everybody talks about security, but not everybody does it,” says Dr. Kursawe. According to him, the energy sector has suffered its share of security incidents, primarily related to smart meters, but the problem does not stop there. “The smart grid is still developing, and it will be attackable within five years. Snowden bought us two years by distracting the hacking community with the NSA, but their attention is turning back to the industrial control systems. It’s just a matter of time before it happens to the energy sector.” The increasing use of IoT applications by the utilities does not make the situation easier. Dr. Kursawe: “We already have an insanely complex system, yet we are making it even more complex. I do see the opportunities of the IoT, but we are moving at a really high speed, and we keep connecting things, often without understanding how the whole interconnection works.”

It creates a situation where we do not need an attack for the incident to happen—with the system being so complex, it becomes hard to predict when and why things will go wrong.

“We already have an insanely complex system, yet we are making it even more complex. We keep connecting things, often without understanding how the whole interconnection works.”

Dr. Kursawe

 

THE UNUSUAL SUSPECTS

A few assumptions can be made regarding the parties potentially interested in hacking the EV infrastructure.  

Anyone’s first guess would be an acclaim-seeking hacker, and rightfully so. Dr. Kursawe: “It could be a teenage hacker because if things go the way he wants them to go, it makes him famous.” Next in line are competing operators of the EV charging spots. “We have seen it happening in other fields when competing companies are either hacking each other or paying the hackers to do the attacks.” As the rivalry on EV charging market intensifies, this notion does not seem unlikely. Finally, one could also imagine that the countries dependent on oil export have the capacity to conduct cyber-attacks on the electric car infrastructure, motivated to sabotage the electric car market.

According to Dr. Kursawe, no major attacks took place just yet. This can be explained by the fact that the full-scale EV charging infrastructure has not arrived. “We know that the people have previously hacked cars; we know that hacking has been used to harm industrial competitors; we know that states are using hacking to defend national interests. Yes, so far the link to the EV charging stations is hypothetical, but there is also no charging infrastructure big enough to be worth attacking.”

While the smart grid is in the growth phase, we have an opportunity to properly test out things in small pilot projects, and get to grips with security before the chargers are installed en masse and the EV infrastructure finally shapes itself.

This can be expected in ten years from now, according to Kursawe. He says: “Once it’s there, you cannot go and say—sorry, I did it all wrong, let’s replace those hundreds of thousands of chargers. Nobody will be able to afford that. This is why we have to think about the future threats and set things right from the start, so we do not run into trouble when the electric vehicles really kick off.”

Larger forces are at play when it comes to making the EV infrastructure secure. “There are a lot of market players, and everything is very unregulated. The charging spots are controlled by the companies different from the power grid operators, and they have different things to worry about. The whole market setting doesn’t encourage anyone to invest in security. We’ve seen some devices that are extremely lacking in protection.”

Particularly the operators of the charging stations have little incentive to ensure that their infrastructure is digitally secure, and no one can force them to do otherwise. “If I start a charging company and put almost no security in the chargers, no one can stop me. By law, I have to be allowed to the grid,” says Dr. Kursawe. As a result, the grid operators are putting up with poorly protected charging facilities that compromise the stability and health of the electricity grid.

“We know that the people have previously hacked cars; we know that hacking has been used to harm industrial competitors; we know that states are using hacking to defend national interests. Yes, so far the link to the EV charging stations is hypothetical, but there is also no charging infrastructure big enough to be worth attacking.”

Dr. Kursawe

 

THE LOW-HANGING FRUITS

With enough effort, any system can be broken into—this is a well-known truth among the security experts. This does not mean that we cannot implement security measures. First of all, we have to cover up the existing security holes gaping at the face of the hacker community.  Dr. Kursawe calls these loopholes “the low-hanging fruits,” because they are relatively easy to lay hands on even for semi-professional hackers. “Here, a car owner cannot do much. It is the job of the EV charging spot operators,” he says.

Because we mostly cannot move the chargers away from the streets, the operators have to look into other options of safeguarding them, and one way to go around this is getting the system architecture right. A standalone charger should not be used as a gateway to the rest of the EV infrastructure, and, hence, the grid. Dr. Kursawe comments: “Preferably, the charging spot should not be connected to the Internet and not contain any critical information. So, if I physically attack a device, I have just that one device, and that’s it. I cannot corrupt the rest of the network. It is important that the stations can only talk to a protected system, and not to each other.”

Security issues need to be raised in a vendor-buyer dialog. “You have to be aware that many vendors do not have security systems in place,” explains the expert, “It is your responsibility to inform the vendor what you want—doing this will prevent you from buying something without any integrated security measures.”

Finally, Dr. Kursawe takes the security discussion even further: “One of the biggest missing things in cyber security is personal liability. When a CEO of any company that handles large amounts of personal data knows that he will get fired or go to jail in case a system gets hacked, he will make sure security measures are in place. I do not say that we should put more CEOs in jails, but there is certainly a necessity to impose liability on people who make end-decisions and set the budgets—they should feel responsible for the digital security too, and not just the Chief Information Officer who eventually gets fired.”

This idea seems to be shared in Brussels. Earlier this summer the European Parliament and the Council of the European Union agreed on the main provisions of the Network and Information Security Directive. The Directive articulates that, when it comes to critical infrastructure, the companies operating in this field should become responsible for ensuring the digital security of their systems, and failing to do so will result in sanctions. Should this Directive be implemented, cybersecurity will stop being an ephemeral threat, and rather become a direct responsibility of specific managers.

Dr. Kursawe sums it up: “Keep monitoring or build a strategy to begin monitoring, and get the tools in place. If something happens, you need to find out as soon as possible.”

 

*Ed. Estimation made on the basis of comparing the energy rate of an average Californian household to that of the Tesla supercharger. Dr. Kursawe is referring to the article “Supercharging More Electric Cars Risks Crashing the Grid—Here’s What Might Help, by Sabine Bergmann, posted in California Magazine on November 4, 2014.

 

*This article first appeared in the printed copy of NRG Magazine, in September 2015.

 

Share

The Weakest Link.