{"id":24868,"date":"2024-12-13T09:17:40","date_gmt":"2024-12-13T08:17:40","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=24868"},"modified":"2024-12-13T09:17:41","modified_gmt":"2024-12-13T08:17:41","slug":"electric-mobility-how-can-charging-point-operators-secure-their-charging-infrastructure","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/12\/electric-mobility-how-can-charging-point-operators-secure-their-charging-infrastructure\/","title":{"rendered":"Electric Mobility \u2013 How can charging point operators secure their charging infrastructure?\u00a0"},"content":{"rendered":"\n

With the European Union\u2019s ban on the sale of combustion engine vehicles set for 2035, the electric mobility market is rapidly expanding. Alongside it, <\/span>electric vehicle charging infrastructures<\/span><\/b> (EVCI) are developing at a fast pace: cumulative investments by 2030 could reach \u20ac50 billion for private chargers and \u20ac30 billion for public chargers.<\/span>\u00a0<\/span><\/p>\n

However, unlike traditional gas stations, these are highly <\/span>computerized and connected systems<\/span><\/b>. Indeed, digitalization allows for a <\/span>smart<\/span><\/b> ecosystem <\/span><\/b>and<\/span> direct <\/span>operational gains<\/span><\/b>. This includes features such as <\/span>smart charging<\/span><\/b>, which allows for financial and energy savings by optimizing electricity consumption depending on grid strain. The<\/span> driver\u2019s experience<\/span><\/b> is also improved, as they can use their smartphone to easily locate connected chargers and interact with them.<\/span>\u00a0<\/span><\/p>\n

All these functionalities present <\/span>specific cybersecurity challenges<\/span><\/b> that we will analyze in this article. We will outline strategies that <\/span>Charging Point Operators<\/span><\/b> (<\/span>CPOs<\/span><\/b>) can implement, focusing on <\/span>public charging stations<\/span><\/b>. Indeed, public chargers are more exposed and thus, are the most complex case study from both operational and cybersecurity perspectives.<\/span>\u00a0<\/span><\/p>\n

What are the cyber risks in the charging ecosystem?<\/span><\/b>\u00a0<\/span><\/h1>\n

Why are cyber risks significant, and what is their nature? To understand this, we need to examine the charging ecosystem.<\/span>\u00a0<\/span><\/p>\n

The central player in this ecosystem is the CPO, who is on the <\/span>front line of cyber risks<\/span><\/b>. CPOs are responsible for the direct operation of charging stations, both on-site and remotely. Typically, they use a cloud-hosted software solution called a <\/span>CSMS (Charging Station Management System)<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

The role of the CSMS has been highly standardized thanks to efforts by the <\/span>Open Charge Alliance (OCA)<\/span><\/b>, a consortium that developed the <\/span>OCPP (Open Charge Point Protocol)<\/span><\/b>. OCPP handles more than just maintenance and monitoring; it allows the CSMS to communicate with the charger in real-time to manage the charging process (reserving the station, driver authentication and authorization, billing, etc.). This introduces a cybersecurity risk: compromising the CSMS could lead to a widespread compromise of the CPO\u2019s entire charging network.<\/span>\u00a0<\/span><\/p>\n

However, to fully map out the possible risks, we must also consider other industry players who share cyber risks with the CPO.<\/span>\u00a0<\/span><\/p>\n

First,<\/span> charging stations<\/span><\/b> manufacturers<\/span><\/b> play a key role. Responsible for charger design and production, they also handle software updates and provide patches for vulnerabilities. In some charger models, manufacturers maintain permanent remote access for maintenance purposes via a secondary OCPP connection. If not properly secured, this connection can pose a risk to the CPO.<\/span>\u00a0<\/span><\/p>\n

To ensure the remote connection of charger networks to the CSMS, <\/span>Wide Area Network (WAN)<\/span><\/b> solutions are frequently used. This can involve a 3G\/4G link, or integration into a preexisting on-site network. In both cases, the link is not under the CPO\u2019s control, making them dependent on the cybersecurity maturity of the <\/span>telecom provider<\/span><\/b> they choose.<\/span>\u00a0<\/span><\/p>\n

Additionally, the CPO must integrate their information system with the <\/span>site owner<\/span><\/b>. Indeed, chargers can be in a variety of environments: highway rest areas, corporate parking lots, shopping malls, public roads etc. Depending on the use case, the stations may be interfaced with building systems (such as occupancy sensors or smart meters) or with user authentication and payment systems. Typically, the CPO has no authority over these systems and their security.<\/span>\u00a0<\/span><\/p>\n

This <\/span>multiplicity of actors <\/span><\/b>tends to increase the <\/span>attack surface<\/span><\/b> on the CPO\u2019s information systems. A breach could result in the <\/span>leakage of customer data<\/span><\/b> or serve as a foothold for a broader cyberattack targeting the CPO and\/or its partners, with significant <\/span>financial and reputational impacts<\/span><\/b>.<\/span>\u00a0<\/span><\/p>\n

On a local scale, potential attacks are also severe, including <\/span>cyber-physical risks<\/span><\/b> (e.g.: a malicious modification of charging parameters, which could lead to battery overheating and potentially a fire) or <\/span>grid destabilization risks<\/span><\/b> (e.g.: the malicious activation or deactivation of multiple chargers at once, potentially overloading the power grid).<\/span>\u00a0<\/span><\/p>\n

These scenarios are likely to become more plausible with the growing popularity of <\/span>extreme fast chargers <\/span><\/b>(especially for heavy-duty vehicles) and <\/span>bidirectional charging implementations<\/span><\/b>, which allow parked vehicles to feed stored energy back into the grid.<\/span>\u00a0<\/span><\/p>\n

Implementing new standards: is it enough to address the risks?<\/span><\/b>\u00a0<\/span><\/h1>\n

As the charging market rapidly grows, it is becoming more structured, and new standards are emerging. This presents an opportunity to provide a unified cyber response to the risks we have discussed.<\/span>\u00a0<\/span><\/p>\n

Take <\/span>ISO 15118-20<\/span><\/b>, for example. Published in 2022, it specifies robust communication mechanisms between vehicles and chargers. In addition to the already mentioned <\/span>smart charging<\/span><\/b> and <\/span>bidirectional charging<\/span><\/b> use cases, ISO15118 introduces <\/span>Plug & Charge<\/span><\/b>: this feature allows the charger to automatically authenticate a vehicle and process payment, eliminating the need for payment cards or RFID tags.<\/span>\u00a0<\/span><\/p>\n

The primary goals of ISO 15118 are thus to streamline usage, improve energy efficiency, and ensure interoperability. However, its adoption could also bring security benefits, notably through the implementation of a global <\/span>Public Key Infrastructure (PKI)<\/span><\/b> for charging stakeholders: vehicle manufacturers, mobility operators, and CPOs.<\/span>\u00a0<\/span><\/p>\n

Meanwhile, the development of OCPP is also expected to accelerate, following the official approval of OCPP 2.0.1 as an <\/span>international standard<\/span><\/b> (IEC 63584) by the International Electrotechnical Commission.<\/span>\u00a0<\/span><\/p>\n

However, it will take time before these standards become widely adopted. Several major players, such as Tesla, have developed <\/span>proprietary protocols<\/span><\/b> with similar features. Moreover, most existing chargers and vehicles are not compatible with ISO 15118 or OCPP 2.0.1 and need to be replaced.<\/span>\u00a0<\/span><\/p>\n

Thus, we cannot rely solely on standards to address cybersecurity risks: it is imperative to find ways to secure current infrastructures.<\/span>\u00a0<\/span><\/p>\n

Note\u202f: <\/span><\/i>to know more about Plug & Charge and smart charging, feel free to check out the articles by EnergyStream, Wavestone\u2019s energy blog (only available in French):<\/span><\/i>\u00a0<\/span><\/p>\n