Automobiles and the Cloud are merging, and the charging stations needed to operate Electric Vehicles (EVs) are no exception to this convergence. Bringing the Cloud closer to EV charging stations allows for a bevy of new possibilities, including a Common Charging Systems (CCS) platform that allows drivers to use EVs on long trips and charge up even when far away from home. But because the Cloud is based on the Internet, it also brings a lot of risk that demands a cohesive security and privacy protection strategy. This column will discuss some of the possibilities generated by new features and services, as well as cover the inherent risks of linking our EV charging stations with the Cloud. Four key recommendations to deal with these risks will follow.
The Possibilities: Bringing the Smart Grid to EV Charging
State-of-the-art EV charging stations utilize the Smart Grid, an electric supply network that uses Information & Communications Technology (ICT) to detect usage. Generally speaking, this means that these charging stations harness the power of ICT to process financial transactions and other services, in addition to supplying the actual EV fuel (i.e., electric power) itself. This infrastructure can optimize efficient energy utilization with interactive and real-time information exchange to manage power transmission, power consumption, authentication, payment, and other energy-related services.
It’s difficult to overestimate the impact an ICT-driven EV car-charging infrastructure would have on our daily lives. Let’s just address three segments: 1) electricity suppliers, 2) car owners, and 3) charging station operators (i.e., the equivalent of gas stations for petrol cars).
The introduction of ICT into EV charging is expected to result in more accurate energy consumption billings, which is attractive to utility companies and/or utility brokers. While paltry when compared against petroleum, electric power required to run these cars can still generate considerable costs. Inaccurate dispensing of fuel hurts suppliers’ bottom lines, and therefore should matter to shareholders. This impact on performance can only be expected to become more significant as more EVs hit the road. The Smart Grid, when utilized and secured correctly, can assure the integrity of usage rates in a way that was previously not possible.
For car owners, this technological advancement toward a CCS standard means more charging stations, since they will be cheaper and easier for service providers to install than their previous-generation counterparts. Also, this technology may improve services or introduce new ones, powered by the massive amount of user data that would be gathered through the Cloud. A uniform CCS standard would also make the equivalent of “data/text roaming” a possibility for electric vehicle owners. Just as phones work in foreign countries with roaming enabled, the CCS system is expected to allow drivers to drive to other regions and use charging stations there as conveniently as they would back in their home city. For instance, the transition from a membership-based charging facility to a standard CCS infrastructure is already happening in Europe, where residents can drive freely within the European Union territory.
But what about people who will install and operate EV charging stations, much like the way that petroleum cars have gas stations today? Up to now, EV charging stations have been limited to bulky and expensive equipment that runs on Point-of-Sale technology. Due to the high cost of purchasing and operating them, these stations have only been deployed in a small number of locations. By applying ICT technology, these charging stations are expected to be much lighter, in terms of both the hardware and the software required to run them. This will allow more charging stations to be built in the future, resulting in a more robust charging infrastructure for EVs.
Risks of Bringing the Cloud to EV Charging Stations
But all of these advancements and advantages come with a steep price. The ICT technology required to make all of this possible is extremely vulnerable to cyber attack. After all, the Cloud is powered by the Internet, and the Internet, while an open platform that makes most of the convenience we enjoy today possible, also attracts an endless brood of bad actors with bad intentions. Let’s address the groups who benefited greatly in the last section – electric providers, car owners, and charging station operators.
For electric power operators, CCS presents a profound dilemma. At first glance, following a CCS standard that is connected to the web offers tremendous upsides: more customers to serve, an attractive accounting system that allows for accurate billing, and even ancillary services to provide new revenue streams. But then come the downsides of the Cloud – the same Cloud which enables all of these attractive possibilities can be broken into by hackers to steal power, consumer information, or in some cases even shut down access. Indeed, the buzz of the possibilities of this new future is undermined by the sobering reality that hackers will try to cause havoc. Much like the internet itself, a new way to do things for the electric provider is simultaneously a new and green field for hackers to exploit.
For drivers, the availability of electric power at these stations could be undermined by attacks. The absence of fuel could at the very least be an inconvenience, but at its worst could inspire massive panic throughout a given region. Just as important, drivers’ private data, including the GPS location of their vehicles, financial information stored in the back server to process transactions, and other details, can be stolen by hackers.
For infrastructure providers/operators, a hacking incident could simply cut off business for the duration of the attack. Since almost no infrastructure provider will have the IT security know-how necessary to address attacks, nor would they want to fiddle with their IT system for fear of causing further damage, these charging station operators would be entirely dependent on their suppliers and service providers until they can be back in business. Moreover, repeated attacks would undeniably result in damage to reputation as a provider.
Four Thoughts on EV Charging Infrastructure Security
We’ve seen that there is a tremendous upside as well as a myriad of risks to linking the Cloud with EV car charging. However, there are some general guidelines, backed with proven and available technologies, to minimize risks to the point of mutually assured operations between involved entities, including the three listed above.
Build a Safe ICT Infrastructure in the Cloud
Unlike previous years, providers cannot launch their services without building a safe network, or “safe house,” as the starting point towards secure and trusted communications. Why? Because we are becoming increasingly dependent on machines to make critical decisions on our behalf, and in order to run these machines with trust, we need to make sure a plan is in place to build infrastructure with security in mind.
A safe house not only implies secure coding (and the updates thereto) of software; it would also have preventive measures in place to fight against the leakage of private data. Furthermore, a safe network would also have solutions embedded within it to detect suspicious activities and entities following installation and launch.
This requirement is not limited to the charging station network itself; it would also extend to the ICT infrastructure providing the electrical power and other third-party services. That refers to the network, on which web servers provide various services, and in which the confidential information of end-users would be collected and made readily available to process any transaction. These providers need to have a back-end network that has been built with security in mind. Their web servers must observe traffic coming in and out, in order to block out most of the attacks through the web. They may be legally obligated to encrypt customer information when not being used. They may need to manage how much and what levels of access employees and/or customers will have. These are all difficult hurdles to overcome, but it is nonetheless critical that these questions be answered prior to opening them up to third-party services.
Guard Critical Infrastructure Against External Attacks
Let’s assume that a CCS standard charging station is launched after a reasonably safe network has been built. The moment this network is opened to all the endpoints that depend on it, it becomes vulnerable to new, external attacks coming in along with legitimate customers. Therefore, a strategy needs to be in place to mitigate new attacks coming in from the outside. There are a variety of different solutions to fight against new attacks in the back server, such as network firewalls, IDS/IPS, web firewalls, etc. The endpoints themselves – the charging stations – must also have some answer against external attacks in the form of a specialized firewall.
Authenticate Users and Service Providers
Once a safe network that can mitigate against external attacks has been built, the next step is to authenticate all parties involved for complete trust. This would assure all parties that the right person is making the right request at a permissible time, in addition to any other conditions that would need to be fulfilled for trusted transactions. For this to be possible, not only would the car owner need to be authenticated on all transaction requests, but authentication from the service provider’s side would also need to be in place.
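As an added illustration (not code from the original column), the Python example below shows two-way authentication of a charging request: the provider checks who is asking, what for, and whether the request is fresh, and the driver side checks that the answer really comes from the provider. The pre-shared HMAC keys, field names and 120-second validity window are assumptions made for the example, standing in for whatever credentials a real deployment issues.

```python
import hashlib
import hmac
import json
import os
import time

# Constructed demo keys (assumption): one per direction, so a captured tag
# cannot be reflected back at its sender.
DRIVER_KEY = b"constructed-driver-key"
PROVIDER_KEY = b"constructed-provider-key"
MAX_SKEW = 120  # seconds a request stays valid (the "permissible time")


def _tag(key, fields):
    # Canonical JSON so both sides authenticate exactly the same bytes.
    msg = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_request(driver_id, station_id, kwh, now=None):
    """Driver side: sign who is asking, for what, when, plus a fresh nonce."""
    ts = int(time.time() if now is None else now)
    fields = {"driver": driver_id, "station": station_id, "kwh": kwh,
              "ts": ts, "nonce": os.urandom(16).hex()}
    return {**fields, "tag": _tag(DRIVER_KEY, fields)}


def provider_authorize(req, seen_nonces, now=None):
    """Provider side: verify the driver, then answer with its own proof."""
    now = time.time() if now is None else now
    fields = {k: v for k, v in req.items() if k != "tag"}
    if not hmac.compare_digest(_tag(DRIVER_KEY, fields), str(req.get("tag", ""))):
        return None  # wrong key or altered request
    if abs(now - fields["ts"]) > MAX_SKEW or fields["nonce"] in seen_nonces:
        return None  # stale or replayed request
    seen_nonces.add(fields["nonce"])
    reply = {"nonce": fields["nonce"], "decision": "authorized"}
    return {**reply, "tag": _tag(PROVIDER_KEY, reply)}


def driver_accepts(req, reply):
    """Driver side: the reply must come from the provider and echo our nonce."""
    if reply is None or reply.get("nonce") != req["nonce"]:
        return False
    body = {k: v for k, v in reply.items() if k != "tag"}
    return hmac.compare_digest(_tag(PROVIDER_KEY, body), str(reply.get("tag", "")))
```
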
Encrypt Communications to Preserve Privacy
Providing a safe channel of communication between the service provider and the car owner would be another key component of a safe EV charging infrastructure. Geolocation data and other personal information should be transmitted encrypted from both the client side (i.e., the station where the charging is taking place) and the server side (the safe network that can block against external attacks).
Like any new technology, the merging of cars with the Cloud through an ICT-powered CCS infrastructure brings about a lot of opportunities and risks. Unlike other technologies, this infrastructure needs to be built and then managed with security and privacy protection in mind. The integrity of power delivery, payment processing, and the privacy of customer information are all important issues to be managed by service providers in the coming years.
In spite of the inherent risks involved, the march of progress dictates that we embrace new ICT-driven technology to replace outdated EV charging stations that are too expensive and difficult to operate. By paying attention to security prior to connecting, I think that we can expect a significant rise not only in EVs, but also in the rollout of the charging stations needed to keep these vehicles on the road.
Jaeson Yoo serves as Chief Security Evangelist for Penta Security Systems Inc. With over five years of IT Security consulting and public speaking experience for automobiles, IoT, PKI authentication, web security and data encryption, Jaeson brings Penta Security’s proprietary core technologies closer to partners and customers all over the globe.