As the industry prepares for an increase on the volume of electric vehicle sales, solutions to some fundamental business problems for recharging are still up in the air, and utilities and vendors alike are facing the challenge of securing the IT systems associated with the charging infrastructure, according to a new report from Pike Research.
Important areas for electric vehicle cyber security investment include:
• Securing financial transactions required for electric vehicle recharging.
• Implementing secure and hardened IT environments on EVSEs and Distribution Grid hardware.
• Secure end-to-end communications throughout the electric vehicle infrastructure.
• Authoritative identification of vehicle owners/operators for recharging transactions.
• Compliance with applicable Data Privacy Laws and other regulations.
The report talks about key cyber security risks for electric vehicle charging infrastructures based upon three key security standards: ISO 27002:2005 for IT networks, NISTIR 7628 Volume 2 for Personal Data Privacy, and NIST 800-82 for ICS networks.
The report identifies key areas of the electric vehicle infrastructure where there should be a cyber security investment. The five top areas:
• Securing financial transactions required for electric vehicle recharging. A number of approaches are on the table for energy purchases: Some expect the gasoline station model of card charges to carry over, while others foresee scenarios in which electric vehicle recharging bills against the vehicle owner’s energy statement, no matter where the recharging occurs. Regardless, there is potential for complex financial transaction flows, which also means potential for fraud and lost revenues.
• Implementing secure and hardened IT environments on Electric Vehicle Supply Equipment (EVSE) and distribution grid hardware. EVSEs, plus some of the new distribution grid hardware to control time of recharge, will introduce application code into new areas, meaning operating systems, IP telecommunications, and application software all face potential for attack. Most of these devices will be in exposed locations and the owner/operator would have to harden them against tampering and reuse after theft. They would also need to be resilient enough to survive time out of touch with a central hosting site.
• Secure end-to-end communications throughout the electric vehicle infrastructure. Despite not knowing the exact business approaches that will be ultimately selected, we can state with reasonably certainty that an electric vehicle infrastructure will have to protect financial a transactions, user data queries or updates, price signals, energy distribution signals, and a number of other sensitive data flows through multiple areas off the infrastructure. Although encryption is not by itself a complete solution to secure communications, it is nevertheless a required component.
• Authoritative identification of vehicle owners/operator for recharging transactions. Regardless of how users will pay for electric vehicle recharging, research shows a strong likelihood it will be necessary to authoritatively identify the person recharging the electric vehicle. Possible solutions include using the VIN to identify the user (but VINs identify a vehicle, not a person), using the electric vehicle’s MAC address, or issuing a recharging card to the vehicle owner, as some existing programs do today.
• Compliance with applicable data privacy laws and other regulations. EV charging infrastructures are likely to carry a significant amount of personally identifiable information (PII), in areas such as customer preferences management, energy consumed, or data analytics. This PII falls under existing data privacy laws in many parts of the world — laws that are not always in alignment from one jurisdiction to another.
Beyond this list, other solutions will compete for electric vehicle security investment:
• Network behavioral anomaly detection
• Multifactor authentication for sensitive or powerful commands
• Network resiliency throughout the EV infrastructure
• Key management and rotation for encryption
• Data loss prevention, implemented with digital rights management
• Data scrubbing, blurring, sanitizing
Click here for more information on the report.