What you should know about cybersecurity and EV charging infrastructure
Michelle Froese • Editor
In late 2021, a vulnerability in an electric vehicle (EV) charging app revealed the full names, addresses, and charge histories of more than 140,000 UK users. Last year, Shell patched a weakness in one database that could have led to a similar fate, exposing millions of charging logs across its EV charging network. Fortunately, the energy company caught the vulnerability in time. But not all charging providers will be as lucky unless security measures become standardized and impenetrable.
Several researchers from different organizations have purposely compromised EV-related subsystems or infrastructure over the last few years to expose vulnerabilities in the technology. The conclusion: millions of smart EV charger units are susceptible to account hijacking.
“I think cybersecurity is extremely important and has not been discussed enough in the EV and charging industries,” shares Joachim Lohse, CEO of Ampcontrol, an AI-powered charging management software and payment platform. “Everyone wants to talk about the next great feature, and security is simply a far less ‘exciting’ topic.”
But it’s a critical one if we’re to advance EV adoption. Although the market for electric vehicles is expanding, it’s at a slower pace than many predicted, and experts agree that establishing reliable public charging infrastructure is the key to mass adoption. In this case, reliability must cover charger availability, as well as data protection.
Where to begin
EV charging stations are complex from a security standpoint due to their network connectivity, interfaces, and integration with various systems, including vehicles, power grids, and payment processors. They’re also easily accessible to the public, putting them at risk for various security attacks.
“From my perspective, there are two main aspects to cybersecurity at EV charging sites: protection against attacks that aim to bring a charging network down and protection of drivers' personal information,” says Lohse. “Charging station hardware always communicates with the Internet, which means it needs protection similar to websites, business software systems, and other electronic devices.”
The good news is the risk to drivers’ data, such as their credit card information, tends to be lower because these terminals or mobile apps (such as the Apple App Store) are typically subjected to greater encryption and audits.
Figure 1. EV charging management software can reduce energy costs, increase charger uptime, and track vehicles. This dashboard displays live site activity, site load, as well as the charger and connector status.
The bigger concern, according to Lohse, is the poor protection of charging station data, which can make it easy for outsiders to interrupt entire charging networks.
“Unfortunately, we see ignorance. Companies are alerted to a security threat but ignore it since no one will audit their system,” he says.
“Companies must follow basic due diligence when connecting EV charging stations.”
Charging systems have several components, including the EV charger
4-WAY
hardware, communication devices (such as routers), and software that typically runs on the Cloud (Figure 1). One might think the fastest way to hijack data is through the Cloud but, again, it tends to be much better protected than the other components.
“Where we see companies cutting corners is when the chargers connect to the software. Charging stations use WebSocket to exchange data between the charger and the cloud software. Similar to web applications, this communication goes through the Internet,” Lohse explains.
ADVANCED THERMAL MANAGEMENT CONTROLS
for E-Mobility Applications
We partner with OEMs and system suppliers to design and produce custom solenoids, valves, and valve systems for current and emerging mobility architectures.
+ Multiple in/multiple out
+ Coolant control/switching
+ Proportional control
+ Diaphragm, spool, & pilotoperated
+ Valve systems and manifolds
Some of the core protections used in common applications (such as apps, websites, etc.) across the IT industry include:
1. Encryption (TLS 1.3)
Authentication (password protection, secrets, or highest security profile) Security protocols (HTTPS, WSS)
“Essentially, if companies exchange data between their EV chargers and software without these basic protections, they risk hackers accessing or interacting with the applications,” says Lohse. For example, they can start connecting a large number of virtual charger bots to the network and overload the servers.”
This may paint a dark picture, but as charging stations scale and potentially become one of the biggest energy consumers in the grid, they also become a risk for utilities.
CONTACT US WITH YOUR CHALLENGE.
+ Magnetics for axial flux motors
+ Customized sensor integration & feedback
“Just imagine a scenario where thousands of EVs are charging in a region, and a hacker can suddenly and simultaneously interrupt the charging stations... this would drop power quickly and unexpectedly. And the utility would need to react extremely fast to avoid wider outages.”
At the same time, adds Lohse, charging stations will become more connected to the utility communication and grid management system.
“Although we’re still far from a true smart grid, utilities can only realistically realize such a grid when charging
networks are more secure than today,” he says. “While several layers of protection and utilities have many more certifications that will protect them, a security risk on the EV charger side could also mean a risk to overall grid stability.”
Setting standards
The Open Charge Alliance is one of the most prominent organizations that has developed communication protocols (called, “OCPP”) to standardize the language between hardware and software. These standards include various security aspects that cover the three protections mentioned above.
The problem is the OCPP is not an industry standard, such as the International Organization for Standardization (ISO) — which offers independent, non-governmental, international standard development. So, while some countries and states oblige EV charging networks to follow OCPP protocols, they’re not globally enforced, nor do they include a large number of certifications or audits.
“Some companies follow these protocols and have very good protection, while others don’t implement everything. It’s essential to understand that using OCPP does not necessarily mean a company’s chargers are protected. It depends on how it was implemented with the OEMs and the software company.”
According to Lose, all sides of the industry — from the OEMs to the software providers — must follow these security standards, invest in continuous improvements, and make customers aware of potential security risks. This means all industry parts must commit to exchanging data to ensure cybersecurity protections. So, for example, if a software company finds that an EV charger is running with outdated encryption, it shares this with the provider and the OEM to help them improve security (Figure 2). HTX7045C
Series
LLC Half-Bridge Transformers
• Low interwinding capacitance to minimize EMI and achieve high CMTI (Common Mode Transient Immunity)
• Optimized for isolated bias supplies for SiC and GaN gate drivers, such as the UCC25800-Q1 from Texas Instruments
• Ideal for automotive OBC and traction inverters in EV/HEV
Figure 2. An EV fleet management expert providing onsite testing as part of the commissioning process to ensure proper and secure software operation.
3.
“The first step is really quite simple. Companies must follow basic cybersecurity principles — such as authentication, encryption, and secure protocols. They could use VPNs or more advanced role-based access control for their applications.”
A VPN is a virtual private network that encrypts Internet traffic, protecting online data. And note, these are not EV-industry inventions. Rather, they’re commonly implemented protections in nearly every tech or digital industry.
“In addition to the technical steps, we recommend investing in security at the company level. This means getting SOC 2 Type 2 certified and training staff to protect information, hardware, and more.”
SOC 2 Type 2 certification is a rigorous auditing process that evaluates and verifies a service provider’s ability to securely manage customer data, based on five trust principles: security, availability, processing integrity, confidentiality,
and privacy. It involves a thorough examination by an independent auditor, demonstrating that a company consistently meets these standards, ensuring reliable data protection and management practices.
For now, Lohse is noticing increasingly stringent requirements in the proposal process when selecting vendors, asking for certifications and details on protecting data and their future infrastructure.
“I think this is the right step,” he says. “Companies must review encryption, authentication, and other methods potential vendors use. And I expect we will see more third-party audits and certifications as the industry and networks grow. They’re expensive and take time, which is why we don’t see them too often yet. Everyone is trying to move fast, and the market is still new.”
Eventually, artificial intelligence (AI) will play a more significant role in EV charging security by detecting anomalies in charging patterns and user behaviors, potentially identifying cyber
threats in real time. The AI algorithms will also optimize charging schedules and load balancing, ensuring grid stability (Figure 3) and preventing unauthorized access to charging networks.
“In the future, AI can also help to identify possible attacks, security gaps, and such,” agrees Lohse. “For instance, we’ve already invested in R&D resources to develop tools and alerts to identify security threats better and resolve issues automatically.”
Fortunately, most hackers look for an easy hit, an unsecured system that requires little effort to breach.
“Hackers typically don’t take the complicated route,” he says. “The concern right now is that the EV charging industry is sometimes looking away or not making its best effort to ensure safe and secure infrastructure. But this can be corrected with the right intent and enforced standards that ensure a secure and reliable EV ecosystem. It’s an essential fix and a must for greater EV adoption.” EV
Figure
A local controller, such as the one shown here, can manage power even during Internet outages or interruptions. Its hardware is hardwired to an EV charger and other assets.
Why surge protection matters for EV charging infrastructure
Michelle Froese • Editor
Electrical transients, often called surges, are short-duration, microsecond events. Surges are a risk to any electrical equipment, and electric vehicle (EV) charging infrastructure is no exception. Such events can interrupt, delay, or corrupt signal transmissions. More significantly, they can damage, degrade, and destroy electronic equipment.
“A surge is unlike any other power quality anomaly out there in that a fuse or a breaker cannot react fast enough to stop a microsecond transient event,” explains Jason Mies, director of Industrial Sales with Raycap, a global electrical protection and connectivity solutions manufacturer. “This means specially designed equipment called Surge Protection Devices (SPD) that react in nanoseconds are required to divert that microsecond event to the
ground and protect the downstream equipment.”
Consider the ac sine waves in Figure 1. The spikes are all transient events, which can damage or destroy equipment — immediately or over time.
“In terms of surges, we often hear about a lightning event completely damaging equipment. However, the real concern is the smaller surge events that can degrade electronics over time,” says Mies. “Let’s take an EV charger expected to perform for 10, 20, or even 30 years. Faulty power from to a switching transient could slowly degrade that charger over time, reducing its output and total life expectancy.”
EV charging infrastructure is already subject to numerous challenges, including network availability, charging speed, vehicle compatibility, O&M
concerns, and others. The reliability of the power source related to a surge event is one concern no EV driver should have to add to this list.
“If a driver pulls up to a charger and it’s out of service due to a surge event, that’s one thing that could have easily been prevented,” he says. “While equipment immunity to surges varies, it typically requires external surge protection to ensure reliability for the intended useful life. Installing surge protection in front of the charger is undoubtedly a best practice.”
Mies adds that Europe already requires surge protection in three separate locations in an EV charging site to comply with the International Electrotechnical Commission (IEC), the international standards organization for electrical, electronic, and related technologies. However, this is not yet the case in the United States. Until
Figure 1. A transient or surge event is a sudden and brief increase in voltage that can be quite intense — as shown in the ac sine waves.
it becomes standard regulation, it’s up to OEMs and installers to ensure the safest, most reliable infrastructure possible.
What’s the difference between a surge and an over-voltage event?
A power surge is a brief and sudden increase in voltage that lasts only a few microseconds. According to the Institute of Electrical and Electronics Engineers (IEEE), it’s a transient event that’s an 8×20 waveform (Figure 2). The IEEE is currently the world’s largest professional association for electronics and electrical engineering.
An over-voltage, on the other hand, occurs when the voltage exceeds the normal range for a more extended period, potentially causing overheating and damage to electrical equipment. Essentially, surges are microsecond events, whereas over-voltages are fault events that can last for seconds, minutes, or hours.
It’s important to install proper fuses and breakers to protect equipment from over-voltages and install surge protection for surges. Why? Because these devices react in nanoseconds to protect against that microsecond transient event, according to Mies.
“It could cost thousands of dollars in damaged equipment, not to mention downtime and service required, thanks to an electrical surge,” he warns. “Prevention is simple… if you want to keep your site up and running and reliable, surge protection is a very inexpensive way to eliminate many of the headaches and hazards related to surge events.”
Where should surge protection be installed in EV chargers?
Surge protection should be strategically installed to ensure comprehensive protection for the EV charging equipment and the connected vehicle. The most
significant place to protect against a lightning or utility fault event is at the power distribution panel, which feeds the charger.
“You might think the OEM or charging companies will take care of installing surge protection at the factory, but if that protection is sacrificed, it’s necessary to replace the full charger,” says Mies. “So, placing this protection in the power distribution cabinet better safeguards all the downstream charging equipment.”
The amount of exposure is also a factor, he added, as big utility lines can conduct a lot of energy, making installing SPDs at the equipment supplying power to the chargers the ideal location.
In the case of a major power event related to a downed power line or transformer damage, it’s ideal to have surge protection that’s rated to protect against fault events at that
Figure 2. A surge event is a sudden, short spike in voltage lasting from microseconds to milliseconds (left), whereas an over-voltage is a sustained increase in voltage, lasting from seconds to hours (right).
power distribution equipment. In this case, it’s protecting the equipment and the power service.
Another threat to chargers relates to unbonded ground systems when there’s already existing power. “We call this ground potential rise,” he shares. “It happens at sites with ground systems that are not connected. If lightning strikes, it dissipates through the earth and hits and energizes the ground systems for the equipment at different levels. The power and signal conductors will try to equalize the energy between the equipment, causing damage.”
This means surge protection is required at the opposite ends of each of those lines to protect the equipment properly (Figure 3).
When evaluating surge protection for an EV charging site, consider the following:
• At the voltage protection level, size the surge protection as close to the nominal voltage of the equipment as possible. “If it’s a 480-volt device charger, it’s important to use a 480-volt rated surge protector,” says Mies. “Ensure you’re clipping that energy as close to the nominal as possible.”
• Ensure the surge protection equipment complies with the latest UL 1449 standards (see the UL site for exact ratings based on the manufacturer and product). This ensures the device has been tested properly and can handle voltage events safely.
WHEN PRECISION MATTERS.
• Avoid cheaper designs to save costs. “If the surge protector is improperly designed, then it can cause smoke and even fire at a site that’s completely avoidable. So, make sure you go online and check that UL listing,” he says. “Most reputable surge protectors are designed to handle multiple events without needing to be serviced or swapped out.”
• The most important consideration is for a surge protector to sacrifice in safe mode if it reaches end-of-life.
Is it worth the cost?
“How much does an EV charger cost?” asks Mies. “An SPD is typically far less costly than a charger, and maybe 10% of the total cost. I’d say that’s worth the cost of service calls, downtime, and potential equipment damage. Overall, surge protection is an extremely inexpensive way to keep equipment running.”