Cyber security for electric vehicle charging infrastructure

Cyber security needed for growing EV market

Network security and data privacy are set to shape the development of electric transport. By safeguarding them now, we will prevent incidents occurring and build consumer trust. That’s why a diverse range of partners have joined this initiative set up by the Knowledge Platform for Charging Infrastructure (NKL) and the ElaadNL innovation centre, laying the ground for secure growth of electric transport in the Netherlands.

Place: Ukraine. Date: Christmas Eve, 2015. An operator at a power plant looks at his computer screen and sees the cursor moving of its own accord. The cursor opens up systems and proceeds to shut down an entire substation; then moves on to another network, and the next substation shuts down. Then it turns out that the telephone network for reporting malfunctions is also down. Nobody’s got any idea what just happened or who has been affected. This hack left 200,000 Ukrainians without electricity.

What sort of impact would an event like this have on the EV transport system? At 100,000 vehicles, the current electric fleet is relatively limited in size. But that situation is set to change dramatically in coming years. Cyber security issues can have a powerful influence on development – witness the impact of similar problems in the development of the Dutch public transport travel card and of smart meters.

From hack to theft

What could happen if the network isn’t secure? Attackers could, for example, use a malicious software update to hack a car and take control of it. A company with charging stations on its premises could read data from cars belonging to employees or visitors and gain access to private information. A malicious individual could hack charging stations in a car park to determine the location of expensive cars, or discover details of previous locations and fuel consumption.

Joining forces

Fortunately, no major issues have occurred, as yet. And the multiple parties making up the ‘charging chain’ are determined to keep it that way. They have no illusions about guaranteeing absolute security, but energy suppliers, charging station producers, government agencies and technologists want to do everything they can to prevent incidents – or at the very least to maximise damage control. That’s why the NKL brought the parties together for an intra-sectoral roundtable discussion in the Dutch city of Arnhem on 29 May 2017. This unique initiative brought together a broad range of participating organisations, government agencies and businesses.*

It’s unique because it marked the first time that interested parties from all corners of the sector got together to gain a shared understanding of the developments, threats and opportunities associated with the cyber security of electric transport. And getting together is crucial, because the power and data used by an electric vehicle pass through numerous companies and organisations and – even if only for a fraction of a second – connect them all: the charging station host, the charging station operator, the vehicle’s producer, the list goes on.

The NKL roundtable discussion was complemented by tailored talks from ElaadNL that illuminated the subject from a rich variety of perspectives. NKL and ElaadNL partnered in mounting this event.

Solid foundations

No major incidents have occurred and the electric transport market is about to take off – so this is the perfect moment to share knowledge and establish courses of action. No links in the chain have suffered reputational damage, so conditions are ideal for taking action. As Harm van den Brink from ElaadNL says: ‘What we need first are solid foundations – before the system expands massively’.

Currently, the market is developing in an evolutionary and diverse fashion, and there is little sense of a coherent overall picture. A coherent strategy necessitates sharing knowledge – even when reporting bad news, such as a leak. That means all parties need to be open, believes Achim Friedland from GraphDefined. The party responsible for any given data at any given moment must be firmly established in policies and protocols. Who is going to draft these policies and protocols? Roland Ferwerda from NKL says that preferably the market itself should take the initiative in unison. But whatever the case, independent agencies will always be necessary for quality control, certification, monitoring and compliance.

A common language

Sector chain partners already have access to tools such as privacy impact assessments to identify where potential hazards lie. This means they can forestall incidents, rather than having to react to them – or at least work out what damage-limiting actions to take in various scenarios.

One way of preventing incidents occurring is to standardise systems and components; to create a common ‘language’. This guards against gaps or disconnects in the system. We also need to establish standards for safety requirements, quality and preconditions. These can be included in the policies and protocols. Independent parties with no commercial interest should oversee quality, certification, compliance, etc. These measures will promote security, enhance trust between sector partners and maximise consumer confidence. A single incident affecting just one vehicle owner could negatively impact the entire electric transport sector.

Policy stimulus

Policy promotes security and confidence, and that’s a crucial factor for governments wanting to invest in electric transport, while also representing public interests. But policy can also disrupt development when it lags behind or fails to connect with market developments. So if the market takes the initiative to tackle the issue of cybersecurity, the government will have to join the discussion. Here too, the correct approach will ensure policy acts as a stimulus.

Action list

Working together, the sector chain partners attending the NKL roundtable discussion identified situations they need to prevent and the methods for doing so (see the infographic below for a summary). This fruitful process generated a long list. Which points should be attended to first? To help us answer this question, we assessed each issue according to two axes: urgency and vulnerability (in other words: how many parties and people would be affected).

Network instability would have a huge impact in the Netherlands, but the chance of such an incident occurring tomorrow is not very large. At the same time, network stability calls for so much preparation that there is little time to lose. Similarly, energy theft is currently a non-urgent issue affecting few people – unless someone affected by it decided to make a song and dance about it.

Ultimately, the cyber security roundtable discussion generated a list of actions falling into the six main areas shown in the infographic on the right: policy, data, privacy, network stability, protocols and awareness. Everyone present agreed to take concerted and effective action on these points. Absent parties have been invited to join this initiative. Cooperation and open consultation are preconditions for a successful follow-up.

*Parties involved in this initiative: Mike Kireev (ABB), Aram Segaar (Blue Bricks), Maurice Snoeren (DNV GL), Harm van den Brink and Arjan Wargers (ElaadNL), Peter Borsje (ENGIE), Achim Friedland (GraphDefined), Peter van den Boogaard (North Brabant province), Erik Poll and Pol van Aubel (Radboud University Nijmegen), Wout Benning (RAI) and Robbie Blok and Roland Ferwerda (NKL).

If you want to get involved, sign up here.

Peter Borsje, Senior Business Developer at ENGIE.

‘Convince management of the urgency of the matter’

‘The most important thing, I think, is to make management understand the risks and opportunities. If we don’t, our message won’t hit home. I’m very aware of how important network stability is. Just imagine an industrial park with a smart grid going down. There’s a lot of work still to be done in the area of business IT. It’s clear to me now just how important it is to get clarity on precisely what data there is, where it is, and who owns it.’

Peter Borsje (ENGIE)

Test your crucial infrastructure

The idea of having absolute security in your network is an illusion. The potential for network breaches is everywhere: in the cables running beneath every street. What’s more, most sensors in devices were made with user-friendliness in mind, not maximising security and privacy. And organisations tasked with expanding networks in cities are likely to go for the cheapest option – not necessarily the best and the safest.

It is now possible to simulate the magnitude of the impact on your network of incidents such as misuse, theft or attacks. It was for this purpose that Igor van Gemert – founder and CEO of SIM-CI – founded his firm, an agency offering Digital Twin Cities: virtual reality simulation platforms of real cities and their crucial cyber infrastructure. These maps make it possible to simulate the effects of incidents such as a gas explosion, a cyber attack or an attack. Simulation exercises can be used to devise strategies for preventing incidents of this kind taking place in the real world.

Click here for more information.

‘Prevent reputational damage’

‘North Brabant province is a partner in the promotion of electric transport, so naturally we’re keen to find out whether the charge station network is secure. What would happen if an EV charging station wasn’t secure, or if it was attacked for data? The possible loss and dissemination of citizens’ data would risk reputational damage and loss of trust for us as an organisation. Our national government is trying to get to grips with cyber security, but should it also impose standards? One important issue for me is privacy – what information is being collected, and what is happening to it?’

Peter van den Boogaard (North Brabant provincial government)

Cut out the human factor

Whatever you do to maximise the security of your network and systems, the human factor will always be a big risk. You can monitor the security of systems all you want, but you can’t control people. The most you can do is put safeguards in place. But a pop-up window asking ‘Are you sure you want to do this or that?’ won’t help, because people are so used to closing pop-ups, and they’d close this one too.

How could these factors affect electric transport? When it comes to the charging process, the recommendation is to avoid interactive pop-ups because of their vulnerability. That means building systems that are secure from the ground up. Also avoid manual installations, updates and modifications to settings, and instead implement automated software configuration based on encrypted identification.

Currently, two parties determine whether and in what ways a system can be secured. The first is the developer, who imposes standards in settings. The second is the consumer, who has to enquire at point of purchase whether the system is demonstrably secure. Then, of course, it must be tested to see whether it is truly safe.

Mike Kireev, Technical Product Manager Connected Services Product Group EV Charging Infrastructure at ABB.

‘Cyber security adds value’

‘We’ve got to be pragmatic. We’re profit oriented and we need to satisfy the demands of the consumer. If we can offer secure charging stations, that’s a value we’re offering over and above our competitors. It’s our task to explain to them why it’s important. The fact that we want to sell in every country means it’s so crucial that we devise a universal approach. Right now we’re having to take all sorts of regulations into account. Let’s try to achieve a universal approach.’

Mike Kireev (ABB)

Interested in joining this initiative? Sign up here.

Video Elaad Talks Cybersecurity * Website NKL * All texts written by NKL (René Lamers). All photographs copyright NKL, with the exception of photo 5: 123RF. Infographic: Loek Weijts.
