Cyber security needed for growing EV market
Network security and data privacy are set to shape the development of electric transport. By safeguarding them now, we will prevent incidents occurring and build consumer trust. That’s why a diverse range of partners have joined this initiative set up by the Knowledge Platform for Charging Infrastructure (NKL) and the ElaadNL innovation centre, laying the ground for secure growth of electric transport in the Netherlands.
Place: Ukraine. Date: Christmas Eve, 2015. An operator at a power plant looks at his computer screen and sees the cursor moving of its own accord. The cursor opens up systems and proceeds to shut down an entire substation; then moves on to another network, and the next substation shuts down. Then it turns out that the telephone network for reporting malfunctions is also down. Nobody‘s got any idea what just happened or who has been affected. This hack left 200,000 Ukrainians without electricity.
What sort of impact would an event like this have on the EV transport system? At 100,000 vehicles, the current electric fleet is relatively limited in size. But that situation is set to change dramatically in coming years. Cyber security issues can have a powerful influence on development – witness the impact of similar problems in the development of the Dutch public transport travel card and of smart meters.
From hack to theft
What could happen if the network isn’t secure? Attackers could, for example, use a malicious software update to hack a car and take control of it. A company with charging stations on its premises could read data from cars belonging to employees or visitors and gain access to private information. A malicious individual could hack charging stations in a car park to determine the location of expensive cars, or discover details of previous locations and fuel consumption.
Fortunately, no major issues have occurred, as yet. And the multiple parties making up the ‘charging chain’ are determined to keep it that way. They have no illusions about guaranteeing absolute security, but energy suppliers, charging station producers, government agencies and technologists want to do everything they can to prevent incidents – or at the very least to maximise damage control. That’s why the NKL brought the parties together for an intra-sectoral roundtable discussion in the Dutch city of Arnhem on 29 May 2017. This unique initiative brought together a broad range of participating organisations, government agencies and businesses.*
It’s unique because it marked the first time that interested parties from all corners of the sector got together to gain a shared understanding of the developments, threats and opportunities associated with the cyber security of electric transport. And getting together is crucial, because the power and data used by an electric vehicle pass through numerous companies and organisations and – even if only for a fraction of a second – connect them all: the charging station host, the charging station operator, the vehicle’s producer, the list goes on.
The NKL roundtable discussion was complemented by tailored talks from ElaadNL that illuminated the subject from a rich variety of perspectives. NKL and ElaadNL partnered in mounting this event.
No major incidents have occurred and the electric transport market is about to take off – so this is the perfect moment to share knowledge and establish courses of action. No links in the chain have suffered reputational damage, so conditions are ideal for taking action. As Harm van den Brink from ElaadNL says: ‘What we need first are solid foundations – before the system expands massively’.
Currently, the market is developing in an evolutionary and diverse fashion, and there is little sense of a coherent overall picture. A coherent strategy necessitates sharing knowledge – even when reporting bad news, such as a leak. That means all parties need to be open, believes Achim Friedland from GraphDefined. The party responsible for any given data at any given moment must be firmly established in policies and protocols. Who is going to draft these policies and protocols? Roland Ferwerda from NKL says that preferably the market itself should take the initiative in unison. But whatever the case, independent agencies will always be necessary for quality control, certification, monitoring and compliance.
A common language
Sector chain partners already have access to tools such as privacy impact assessments to identify where potential hazards lie. This means they can forestall incidents, rather than having to react to them – or at least work out what damage-limiting actions to take in various scenarios.
One way of preventing incidents occurring is to standardise systems and components; to create a common ‘language’. This guards against gaps or disconnects in the system. We also need to establish standards for safety requirements, quality and preconditions. This can be included in the policies and protocols. Independent parties with no commercial interest should oversee quality, certification, compliance, etc. These measures will promote security, enhance trust between sector partners and maximise consumer confidence. A single incident affecting just one vehicle owner could negatively impact the entire electric transport sector.
Policy promotes security and confidence, and that’s a crucial factor for governments wanting to invest in electric transport, while also representing public interests. But policy can also disrupt development when it lags behind or fails to connect with market developments. So if the market takes the initiative to tackle the issue of cybersecurity, the government will have to join the discussion. Here too, the correct approach will ensure policy acts as a stimulus.
Working together, the sector chain partners attending the NKL roundtable discussion identified situations they need to prevent and the methods for doing so (see the infographic below for a summary). This fruitful process generated a long list. Which points should be attended to first? To help us answer this question, we assessed each issue according to two axes: urgency and vulnerability (in other words: how many parties and people would be affected).
Network instability would have a huge impact in the Netherlands, but the chance of such an incident occurring tomorrow is not very large. At the same time, network stability calls for so much preparation that there is little time to lose. Similarly, energy theft is currently a non-urgent issue affecting few people – unless someone affected by it decided to make a song and dance about it.
Ultimately, the cyber security roundtable discussion generated a list of actions falling into the six main areas shown in the infographic on the right: policy, data, privacy, network stability, protocols and awareness. Everyone present agreed to take concerted and effective action on these points. Absent parties have been invited to join this initiative. Cooperation and open consultation are preconditions for a successful follow-up.
*Parties involved in this initiative: Mike Kireev (ABB), Aram Segaar (Blue Bricks), Maurice Snoeren (DNV GL), Harm van den Brink and Arjan Wargers (ElaadNL), Peter Borsje (ENGIE), Achim Friedland (GraphDefined), Peter van den Boogaard (North Brabant province), Erik Poll and Pol van Aubel (Radboud University Nijmegen), Wout Benning (RAI) and Robbie Blok and Roland Ferwerda (NKL).
If you want to get involved, sign up here.