Hacking EVs could threaten the power grid
In mid-June last summer, cybersecurity researchers warned that the growing popularity of electric vehicles could introduce new hacking vulnerabilities in the power grid. Although this is not recent news, it is likely still of interest to this community.
The experts' warning concerns electric vehicle supply equipment (EVSE), the infrastructure used for recharging plug-in electric vehicles (EVs). As EVs spread across the U.S., EVSE connects two critical infrastructures, the energy sector and the transportation sector, forcing them to unite their needs in this matter.
If many EVSEs were hacked simultaneously and then controlled and manipulated, it could cause power system problems on the grid. This is particularly true for medium and heavy-duty EVs, whose high-voltage chargers could do more damage if hacked, according to the National Motor Freight Traffic Association. For example, power outages could ultimately be caused by hacking multiple EVSEs and rapidly switching them on and off, causing extreme power fluctuations on the grid through load cycling. The effect could be devastating: gas stations would not be able to provide gas, grocery stores would not be able to provide goods, clean water could potentially become unavailable in larger cities, and so on. A team at Sandia National Laboratories is exploring ways to prevent such a grid attack, which would be difficult both to pull off and to coordinate.
Another concern is the lack of comprehensive cybersecurity guidelines for EVSE. Both the electricity sector and the transportation sector are heavily regulated, but their safety focuses differ somewhat. For example, the transportation sector rules cover “safety, anti-pollution, and energy consumption,” while the energy sector focuses on “safety and reliability.” In a symposium on EV cybersecurity hosted by the National Institute of Standards and Technology (NIST) last September, NIST concluded that the two sectors lacked coordination and had “very little understanding of each other’s concerns and approaches to cybersecurity.” Clearly, the two different regulatory frameworks were “not developed with each other’s operations in mind,” which could lead to “confusion and conflict over cybersecurity,” NIST said.
Matthew Carpenter, a senior principal security researcher at the cybersecurity and engineering consultancy GRIMM, states:
“That cooperation doesn’t mean there aren’t learning curves and struggles to achieving functionality, stability and security, but the parties involved seem to be paddling in the same direction, albeit from different yachts.”
“EVs represent an interesting and fresh attack surface. Once a vulnerability in a charger is found, it can be exploited to compromise the grid, other EVSE or even the vehicles themselves. New attacks for EVs are still being discovered: Batteries can be damaged and possibly explode. Electric motors can be individually driven in whatever direction and torque the programming tells them to.”
It should be kept in mind that EVSE is still a new technology, and a lot of research on the potential cyberthreats is under way alongside it. The next step should be to turn this research into practical defences.
Read more about the Symposium on Federally Funded Research on Cybersecurity of EVSE at:
Written by Joakim Rosell