EV Charging Cybersecurity: Navigating the Landscape
Abstract
In this article, I delve into the realm of cybersecurity in Electric Vehicle (EV) chargers, focusing on the Open Charge Point Protocol (OCPP). Drawing from my personal experiences in the IoT and EV charging industry, I explore the challenges, compliance, and the reality of cybersecurity in this dynamic field, especially for large-scale fleet implementations.
Cyber Security (CS) in IoT
Drawing on my extensive experience in the Internet of Things (IoT) sector spanning over a decade, I've closely observed the evolution of cybersecurity practices. IoT devices, inherently susceptible due to their exposure to the open internet, traditionally rely on security measures such as Digital Certificates and Digital Signatures.
The efficacy of these security measures is significantly heightened when a single entity exercises control over both the firmware and the cloud endpoint. This control eliminates cross-company dependencies, establishing a closed loop of connectivity. Essentially, when the same company owns both sides of the security equation—firmware and cloud endpoint—it enables the lockdown of URLs and embedded certificates for Digital identification on both ends, resulting in a robust foundation for IoT cybersecurity. Crucially, the certificate keys are securely retained within the confines of the company, and can be swapped within the company.
In practical terms, this means that single companies, understanding the potential consequences of device hacking on their brand reputation, purposefully restrict connections.
Examples such as Alexa exclusively connecting and functioning with AWS or Google Home exclusively associating with Google Cloud underscore the deliberate lockdown of connection points. This strategic measure serves to disable cross-connections or changeable URLs in the name of security, reinforcing the commitment to maintaining a secure IoT ecosystem.
Enter Interoperability via OCPP
In the intricate landscape of IoT, interoperability stands out as both a boon and a potential security challenge, especially when facilitated by the Open Charge Point Protocol (OCPP). The prospect of mixing and matching IoT devices with a different personalized cloud instance, while advantageous, is precisely what other IoT devices often avoid to avert the risks of endpoint hacking.
Embracing the benefits of OCPP introduces a unique flexibility to blend chargers seamlessly with backend servers in the field. However, this very feature, when not handled judiciously, can pose security threats. University research labs have successfully hacked chargers in a controlled lab environment using the openly published API of OCPP.
In response to such vulnerabilities, OCPP introduced the OCPP 1.6J optional security extension white paper and API fixes. If universally implemented, this could serve as a robust cybersecurity solution for grid-connected EV chargers.
It's important to note that these security features are optional, allowing OCPP compliance even without their implementation. The choice of whether to adopt these optional security specifications is subjective and varies among companies. While some smaller companies showcased robust certificate-based security implementations a decade ago, other entities may still limit the integration of these features today to avoid the overhead.
OCPP Built-in Cybersecurity is Available from 1.6J onwards
OCPP provides a built-in cybersecurity framework with three security profiles. The APIs provided by OCPP for securing connections between chargers and the cloud are more likely to be enabled with Security Profile 2 or 3. So when a single company handles both firmware and cloud-side components, it can easily offer a pre-integrated plug-and-play solution.
However, my observation indicates that these security APIs (Security Profile 2 or 3) are often disabled or overlooked in mix-and-match scenarios, where (Firmware/Hardware) EV chargers and (Cloud Software) Charging Management Software (CMS) or Charging Station Management Software (CHMS) originate from different entities.
The challenge arises when two distinct companies, responsible for firmware and cloud-side implementation, must collaborate and share keys for feature implementation. Regrettably, such collaborative efforts are seldom witnessed in the field, hindering the seamless integration of security.
In this intricate dance of interoperability and security, neither side is inherently motivated to bring engineers together for custom integration and the sharing of sensitive certificate information. Specifications of this nature are rarely published, leaving potential vulnerabilities undisclosed.
For larger customers seeking comprehensive security measures, requesting written details regarding these optional features becomes imperative. Without such explicit requests, these optional security measures may remain just that—optional, potentially leaving systems vulnerable to unforeseen cybersecurity threats.
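One way a fleet buyer could check the mix-and-match gap described above is to compare the security profile each charger declares with what its connection settings can support. This is an added example, not code from the article or from OCPP. The profile definitions follow the OCPP 1.6 security whitepaper; the inventory fields, charger IDs and URLs are constructed and hypothetical.

```python
from urllib.parse import urlparse

# Profiles as defined in the OCPP 1.6 security whitepaper; 0 = extension not in use.
PROFILES = {
    0: "no security profile",
    1: "unsecured transport with Basic authentication",
    2: "TLS with Basic authentication",
    3: "TLS with client-side certificates",
}

# Constructed inventory; field names are hypothetical, not an OCPP or vendor schema.
FLEET = [
    {"id": "CP-001", "csms_url": "wss://csms.example.com/ocpp/CP-001",
     "security_profile": 3, "basic_auth_set": False, "client_cert_installed": True},
    {"id": "CP-002", "csms_url": "ws://csms.example.com/ocpp/CP-002",
     "security_profile": 2, "basic_auth_set": True, "client_cert_installed": False},
    {"id": "CP-003", "csms_url": "ws://csms.example.com/ocpp/CP-003",
     "security_profile": 0, "basic_auth_set": False, "client_cert_installed": False},
    {"id": "CP-004", "csms_url": "wss://csms.example.com/ocpp/CP-004",
     "security_profile": 2, "basic_auth_set": True, "client_cert_installed": False},
]

def effective_profile(charger):
    """Highest profile the observed transport and credentials can support."""
    tls = urlparse(charger["csms_url"]).scheme == "wss"
    if tls and charger["client_cert_installed"]:
        return 3
    if tls and charger["basic_auth_set"]:
        return 2
    if not tls and charger["basic_auth_set"]:
        return 1
    return 0  # no charger authentication at all, with or without TLS

def audit(fleet, required=2):
    """Return (charger id, finding) pairs for chargers that miss the required profile."""
    findings = []
    for c in fleet:
        eff = effective_profile(c)
        if c["security_profile"] > eff:
            findings.append((c["id"], f"declares profile {c['security_profile']} "
                                      f"but evidence supports only {eff}"))
        if eff < required:
            findings.append((c["id"], f"below required profile {required}: {PROFILES[eff]}"))
    return findings

if __name__ == "__main__":
    for charger_id, finding in audit(FLEET):
        print(charger_id, finding)
```

A charger that declares a higher profile than its URL scheme and credentials support is the case worth raising with both the charger vendor and the CSMS provider in writing.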
White Papers on Cyber Security in EV Industry
The discourse surrounding EV charging cybersecurity is diverse, emanating from various sources, including government and university labs, non-profit organizations, and the private sector. It is noteworthy that the priorities, focus, and threat perceptions diverge based on the organization's nature.
In the realm of the private sector, white papers addressing EV charging cybersecurity, compliance, and industry practices predominantly originate from marketing departments. These documents commonly emphasize general cybersecurity practices but often lack specific implementation details. Buyers are advised to examine these papers thoroughly and insist on obtaining written specifics for the specific EV charger models sold in their country, particularly concerning optional security features.
For instance, these papers tend to discuss generic cybersecurity practices extensively while providing limited clarity on the substantive aspects of their products by model number, or on whether an in-house or third-party CMS provider is involved.
When delving into OCPP certification details, it becomes apparent that the certification may not cover security modules. It is possible for a system to be deemed OCPP certified without comprehensive coverage of the security module. The introduction of the OCPP 1.6J security module at a later stage adds an additional layer of complexity, potentially leading to EV chargers previously certified being referred to simply as OCPP certified.
In my experience working in the cybersecurity aspects of EV charging, there is a notable emphasis on discussions regarding the critical nature of cybersecurity in the context of EV charging infrastructure and calling it critical infrastructure. Concurrently, there is a discernible trend of companies leveraging cybersecurity as a sales and marketing tool. While these companies often publish white papers and cybersecurity practices, it's noteworthy that critical aspects of cybersecurity by model and setup are omitted.
This observation underscores the importance of stakeholders critically evaluating the content of white papers and cybersecurity practices, ensuring that the emphasis on marketing does not compromise the substance of the security measures being offered. Stakeholders are encouraged to engage critically with white papers, seeking transparency and specificity in implementation details to fortify their understanding and decision-making processes.
Are EV Chargers a Critical Infrastructure Threat?
As EV chargers become more ubiquitous and form a critical part of infrastructure, concerns about their vulnerability rise.
The integration of EV chargers into our grid comes with a set of security considerations that evolve with scale. Individually or in small clusters, these chargers may not pose a significant threat. However, as we expand the network, a more profound question emerges: Are grid-tied EV chargers a critical infrastructure threat?
As electric vehicle (EV) chargers ascend the value chain, especially with the advent of Heavy Vehicle Mega-charging or functionalities like Vehicle-to-Grid (V2G), the significance of Cybersecurity (CS) will undoubtedly amplify.
In my estimation, the answer lies in the potential interest of hostile nation-state actors seeking control over systems that offer batched control to numerous chargers. The ramifications of such control could be widespread and consequential.
The real concern arises not at the individual charger level or at the OCPP level, but when we contemplate the vulnerability of Charging Management Systems (CMS) or Charging Station Management Systems (CSMS). Many of these systems are relatively new and built by startups, which in particular may lack the dedicated resources needed to address potential vulnerabilities. This brings to light the importance of scrutiny, especially when deploying these systems for large fleets, where aggregate loads can impact the grid locally or even at a large scale.
Among the various considerations, the secure transmission of confidential information, including passwords and certificate details, stands out. I've encountered instances where the seemingly obvious choice of email was suggested for transmitting sensitive data. It's surprising that this default option remains prevalent, considering that nation-state-level actors may be involved. Buyers, especially those dealing with large fleets, should actively engage in understanding and ensuring the robustness of these security practices.
In navigating the landscape of EV charging security, all stakeholders must be proactive in addressing potential threats and vulnerabilities. By adopting a hands-on approach, buyers can contribute to a safer and more secure deployment of EV charging infrastructure.
OCPP 1.6J Security Profiles 1-3 in a Nutshell
Readers are directed to the OCPP 1.6 security whitepaper (edition 3) for an in-depth understanding.
Understanding Security Profiles
Conclusion
In the ever-evolving landscape of EV charging, cybersecurity is a critical consideration. This article aims to raise awareness about the nuances of OCPP security and encourage stakeholders to prioritize robust cybersecurity practices. OCPP certification is a spectrum.
The article reflects on my observations of OCPP security in EV chargers and emphasizes the need for collaboration, transparency, and vigilance in addressing the evolving challenges of cybersecurity in the rapidly expanding world of electric vehicles.
Join the Conversation
Share your experiences and observations regarding cybersecurity in the field of EV charging.
Advancing sustainability for businesses and communities.
1y: As larger implementations increase, the need for added security also increases. As stated in the article, allowing chargers to feed bidirectionally within our grid poses a significant security risk. Suppliers of EVSE must maintain a comprehensive approach to cybersecurity as we move forward.
Strategy | Product Innovation | AI Cloud | Ex-IBM, Ericsson
1y: Has anyone looked at the possibility of locking the charging connector and then asking for ransomware to unlock? Can a reboot undo this?
Is your EV infrastructure & SecOps team cyber-resilient… or do they already collapse over a single smiley in the wrong place?
1y: That is also just snake oil. All important problems in EV charging are either end-to-end or multi-hop communication problems and a single TLS communication channel does not solve any of those problems. In the context of OCPP, TLS (HTTPS) is just privacy against external attackers. Nothing more.
Editorial Lead
1y: Great to see more US fleets tackling OCPP and its complexities.