Machine translations by Deepl

Charging infrastructure challenges grid protection and privacy

The electric vehicle charging network is vital infrastructure. How vulnerable are charging stations to cyber attacks, and who does your personal data end up with when you charge your car?


This article in five points:

  • In the wake of the electric car, one charging station after another appears along the highway and on the streets. With millions of (home) charging stations worldwide, the overall electric vehicle charging network is so large, and so many people, businesses and governments depend on it, that it is vital infrastructure.
  • Infrastructure that can become targets of cyber attacks. Hackers who manage to take control of large numbers of charging stations could, in a worst-case scenario, cripple the power grid, with dire consequences. Experts actually consider such a doomsday scenario, but governments have been slow to introduce cyber legislation.
  • Without adequate cyber security, privacy is also not guaranteed. Use of public charging stations triggers various data flows between all kinds of parties. Underlying databases contain sensitive personal data that criminals are known to love to get their hands on and offer for sale.
  • Another way malicious actors could enrich themselves is to infect privately owned charging stations with ransomware. Users - from individuals to fleet companies - are prevented from charging by that kind of hostage software until they pay a ransom.
  • Meanwhile, municipalities keep close track of how public charging stations are used. Charging data is analysed to know where there is a need for new charging points.

Users of a charging station on the English Isle of Wight will have looked odd in April 2022. The screen on the pole showed not the operator's usual information, but a porn site. The object appeared to have been created by a prankster to have been hacked. Whereas that was still the category of bell ringing, electric drivers in Russia fell victim to a digital attack of much greater magnitude two months earlier. On the M11 between Moscow and St Petersburg, all charging stations were flattened by a Ukrainian supplier of components of those same stations. No power was provided, only war propaganda, with the texts on the interfaces: "GLORY TO UKRAINE / GLORY TO THE HELDEN / DEATH TO THE FILE."

With millions of (home) charging stations at home and abroad, the overall electric vehicle charging network is so large, and so many people, businesses and governments depend on it, that it is about critical infrastructure. Infrastructure that obviously needs to be properly secured against malicious persons. Hackers - whoever they may be - are not only targeting cars connected to the internet, as we saw in a previous article in this series have shown, charging infrastructure can also apparently be targeted.

The consequences of a cyber attack on charging stations can range from localised, relatively minor disruption, to large and long-term disruptions on a national scale. The examples above are peanuts compared to what is likely to happen at some point in the future, here or elsewhere. For instance, a successful attack on the back office system of one or more charging station operators could already cause a significant proportion of traffic - including emergency services and delivery and freight transport - to stop moving a metre, with all the consequences that would entail. A study from a few years ago in which various doomsday scenarios in the Netherlands were examined on behalf of the National Charging Infrastructure Agenda, takes into account that such an attack could actually happen in the coming years.

The blackest scenario? Such manipulation of large numbers of charging stations that the grid voltage changes or a grid blackout occurs, which could disrupt the entire economy and public life and cause billions of euros worth of damage. This could happen if hackers gain control over charging infrastructure with a capacity of about 1 gigawatt. This danger is also feared elsewhere. A US study explored a hypothetical but realistic scenario where less than 1,000 hacked charging stations could cripple New York's power grid. Count on certain 'state actors' to toy with the thought of one day making that work. The studies are fascinating but hardly reassuring reading.

Unsecured charge cards

From charging poles over to charging cards, because charging a plug-in car at a public charging station almost always involves using a charging card. (In the case of some contractors, you can also - or even have to - pay with an app, which is a much more privacy-sensitive method. A new European law also enables 'ad hoc payments' at all newly installed public charging stations, for example via a payment card or QR code.)

Providers of charging cards (around 700) together with charging station manufacturers and operators (around 1,300) have mushroomed in recent years. From large energy suppliers to small companies completely unknown to most people - mostly start-ups. (For consumers the market is a jungle, but there are websites that create order out of chaos, such as Load pass10 and Charge post top10.) In an attempt to maximise their share of the growing electric car market as quickly as possible, cyber security was usually not the first thing these parties cared about.

For instance, many charge cards have been unencrypted for years and demonstrably unsafe because of the use of a chip which also caused problems in the public transport chip card. Among other things, this enables technically savvy fraudsters to clone and charging at the expense of any other charge card user (a kind of identity fraud).

Also proven possible: 'trickle charging'. There is no charge for very short charging sessions and a large number of charging sessions of less than a minute in a row add up to a free full battery. A ethical hacker wrote a script here for. However, the disadvantage for the fraudster is that you are immediately locatable and it takes a long time to actually make a profit.

Moreover, in the eyes of charge card providers, these forms of fraud occur on such a small scale that they make it difficult to combat not be worth. Security and privacy versus the convenience of a well-functioning and cheap product is not a dilemma for them in this case: they choose the latter for now.

Cybersecurity requirements

All in all, in terms of cybersecurity behind electric charging, strides have been made, but still remain a lot of work to do. In 2021, a inventory among market participants the following:

''The results show that parties are aware of the importance of cybersecurity. However, this awareness is in many cases based on trust and not always on explicit agreements regarding cyber security. Clarity is needed on who has what role and responsibility in the chain with regard to cybersecurity. This is to prevent shared responsibility resulting in cybersecurity not being embedded anywhere. [...] The organisations spoken with recognise that there are vulnerabilities with regard to cybersecurity. How big these risks are, how likely an incident is to occur and how big the impact is then, is not equally clear for every organisation.''

In collaboration with the European CyberSecurity Network (ENCS) has knowledge and innovation centre for smart and sustainable charging ElaadNL just under a decade ago special cyber security requirements drawn up by Dutch municipalities in tenders for charging infrastructure. The ENCS tests whether public charging points comply with these (non-binding) requirements meet. The requirements - which are tightened every so often - include the physical security of charging stations, their management systems (Charge Station Management Systems, CSMS), authentication and encrypted communication between charging stations and electric cars on the one hand (a.o. ISO 15118) and, on the other hand, third-party charging stations and underlying systems (Open Charge Point Protocol), and the segmentation of such systems so that they do not topple like dominoes in the event of an attack. However, the survey mentioned above showed that charging station operators were not entirely comfortable with the requirements and initially only complied with them to some extent. Meanwhile, they are increasingly complying with them.

Cyber incidents mandatory reporting

Moreover, last year saw ('real') legislation - something that was lacking for a long time. Charging post operators managing more than 300 megawatts of charging capacity in the Netherlands are now listed as 'vital providers' in the Network and Information Systems Security Act (WBNI) and they are mandatory report hacks and cyber incidents on their charging infrastructure to the National Cyber Security Centre (NCSC). This anticipates the translation of the European NIS2 guideline into national laws and regulations in the coming years. It aims to increase digital resilience and mitigate the consequences of cyber incidents. Companies that fail to comply can be fined up to two per cent of their annual turnover or up to €10 million. The upcoming and partly overlapping Cyber defences regulation will take the digital security of various hardware and software products to the next level, at least on paper.

This has now been the case in the UK for two years: operators of poorly secured charging stations there can face hefty fines. UK cybersecurity legislation has forced several companies to invest heavily in the improving security of their charging stations, which in many cases was also badly needed. It is to be expected that legislation will have a similar effect here. Constantly updating software and firmware is crucial anyway, knowing that a hacker can have enough of a single bug to make a charging station to be overpowered.

Data streams

However, many hackers do not so much want to attack infrastructure (or, via the charging port, an electric car itself) as to get their hands on personal data. Data they can sell on the dark web, or use to blackmail people.

Use of a public charging station triggers all kinds of (separate) data flows between cars, charging card providers, charging station operators, cloud- and hosting providers, third-party (payment) systems as well as municipalities. On pages 7 to 12 of this presentation by eViolin (association of charging station operators and related service providers) is good to see how data and invoices are shared between (the cloud and databases of) all kinds of parties.

Public charging stations (and in many cases the cars themselves and their manufacturers) keep track of, among other things, the location, date, start and end time of a charging session, the charging status of the batteries in the car at the beginning and end of a charging session, and the amount of power delivered. From this user data, behavioural patterns are derived (including frequently driven routes, daily routines, power consumption, charging behaviour and preferences for charging station operators) and detailed user profiles can be created, including, among others happens in China. But in China, anonymity and privacy are far from the norm and, as far as we know, this is not the practice in the Netherlands. The General Data Protection Regulation would also place restrictions on this.

Apart from possible identification based on thorough data analysis or possible camera surveillance at charging stations that allows car, license plate and driver to be captured on camera, the system is also set up in such a way that when using a charging card, a charging station basically does not know who is charging. The only thing the RFID-charging card communicates is an ID, a unique code that for the charging station (operator) is not visibly linked to a person - only to the charging card provider. Only that charge card provider knows the personal and payment data of its customers in addition to the charging data.

With one pass from one provider, you can access any charging station operator in almost all of Europe. If you have a charge card and account with party X and charge at party Y, these parties - often with third-party intervention - charging session costs between themselves before they are recovered from the user by the pass provider. This way, your most immediate personal data does not have to be shared with everyone, let alone every time with every different charging station operator.

People can have an infinite number of charge cards in their possession. In the Netherlands, there are around 30 charge cards that you can apply for free like this. If you use a different pass each time, you are a different ID each time and in that sense even harder to track. On the other hand, this strategy does mean that you have to create an account with several pass providers and that the personal data you submit in the process end up in several databases.

No password: terabyte of personal data up for grabs

And as is usually the case with personal data, this is where the biggest danger lies. It only takes one party that does not have the security of its databases in order, and personal data is soon up for grabs in bulk. In June last year appeared that an Amazon-hosted database of semi-public Shell Recharge charging stations was not password-protected and could be accessed by anyone via a web browser. It doesn't get any more clumsy, because then hacking could even be omitted. At stake were nearly a terabyte of names, e-mail addresses and phone numbers of lease drivers using Shell's charging stations, as well as the names of fleet managers, including police forces.

These kinds of central databases often contain such large concentrations of sensitive - but by no means always encrypted or anonymised - data, that as soon as someone manages to put a breach in the security, there is effectively a jackpot on the street. Follow the news structurally for a while and you are bound to read about the one large-scale data breach after another. Apart from negligent management and outright security blunders, the problem with databases is that they can never really be protected well enough. There is always a back door ajar somewhere in the system, and there is always someone who has access, but actually has it shouldn't have at all. What if such a person's off-book, or be fooled by a phishing email and thus inadvertently hand over access (code)?

Extortion

Numerous specialised companies are indispensable for the rigging and proper functioning of the charging infrastructure. But the more parties involved, the more complex the task of ensuring that the digital system behind electric driving is watertight and none of the parties involved drop a stitch. Cybersecurity and privacy are as strong as the weakest link.

For example, many private charging system providers have yet to step up. Such systems are the most common, but compared to public charging stations, there are still hardly any inspection rules for those units and they are much less protected against hacks. Users can lose access to their charging system due to a ransomware infection (hostage software) until they pay a ransom. Whether an individual gives in to that is questionable, but for companies or organisations with a sizable fleet of vehicles and their own charging stations, it is soon a different story.

To smooth out peaks in collective energy consumption and better balance the power grid, more and more electric vehicles are able to 'offload' and supplying power to the home network (Vehicle to Home, V2H). By connecting between its own charging station on the pavement and the meter box behind the front door, the vehicle acts as a mobile home battery. A handy Internet-of-Things application that lets you run your washing machine and dishwasher more economically. But what if a hacker gives himself access to smart home devices by first breaking into a home charging station? The chances of it happening to you are slim, but not inconceivable.

Hardly any information on privacy to be found

A wealth of information can be found about electric charging in many ways. One topic that has attracted a lot of attention on specialised websites but also in the media is the lack of price transparency on the market. Because every charging card provider has a other pricing model on it, you can charge for a charge at one charging station significantly cheaper or more expensive out of his than at another charging station 200 metres away. But electric drivers often do not know in advance the tariff at which they plug in, even though it is a legal obligation to inform them about it.

On the privacy aspects of electric charging discussed in this article, remarkably hardly entered anywhere, also not on extensive question-and-answer pages. In scientific publications is written about, but otherwise privacy seems to be an underreported topic in this context. A working group of the aforementioned eViolin focuses specifically on electric driver privacy and meets monthly, but what that working group has specifically advised or achieved within the industry is unclear. Incidentally, the first sentence of the group's (hopefully outdated?) description gives food for thought: ''Privacy is important, but is still often underestimated in the EV [Electric Vehicle] world.''

Data-driven charging station policy

After all, (some) electric drivers could potentially be identified from charging station user data, especially when combined with other datasets that may be available, for instance on travel movements. This underlines the importance of making the data irreversibly irreducible for parties interested in this, such as local authorities.

The question is whether this will be addressed by charging station operators, because on behalf of the municipalities of Amsterdam, The Hague, Rotterdam and Utrecht, the Hogeschool van Amsterdam is analysing, partly on the basis of the anonymous RFIDs, the charging data of the public charging stations in and around those cities. Altogether, this amounts to over 43,000 poles, nearly 70% of the current total number in the Netherlands. The municipalities use the data - made available in aggregate form on a public dashboard - for making new policies on electric charging. Other municipalities elsewhere in the country are also doing so. Public charging points are increasingly being installed proactively and data-driven based on usage, outgoing Infrastructure and Water Management Minister Mark Harbers wrote a few weeks ago in a letter to the House of Representatives.

Privacy First continues to monitor developments around cybersecurity, data and privacy in relation to charging infrastructure.

This article was also published at PONT Data & Privacy, see Charging infrastructure puts electric grid protection and personal data to the test - PONT Data&Privacy (privacy-web.co.uk)