The electric vehicle charging network is vital infrastructure. How vulnerable are charging stations to cyber attacks, and who does your personal data end up with when you charge your car?

In the wake of the electric car, one charging station after another is appearing along the highway and on the streets. With millions of (home) charging stations worldwide, the overall electric vehicle charging network is so large, and so many people, businesses and governments depend on it, that it is vital infrastructure.
Infrastructure that can become a target of cyber attacks. Hackers who manage to take control of large numbers of charging stations could, in a worst-case scenario, cripple the power grid, with dire consequences. Experts do reckon with such a doomsday scenario, but governments have been slow to introduce cyber legislation.
Without adequate cyber security, privacy is also not guaranteed. Use of public charging stations triggers various data flows between all kinds of parties. The underlying databases contain sensitive personal data that criminals are known to love to get their hands on and offer for sale.
Another way malicious actors could enrich themselves is to infect privately owned charging stations with ransomware. Users - from individuals to fleet companies - are prevented from charging by that type of hostage software until they pay a ransom.
Meanwhile, municipalities closely track how public charging stations are used. Charging data is analyzed to know where there is a need for new charging stations.
Users of a charging station on the English Isle of Wight must have looked on in surprise in April 2022. The screen on the pole showed not the operator's usual information, but a porn site. The unit turned out to have been hacked. Whereas that was still in the prank category, electric drivers in Russia fell victim to a digital attack of much greater magnitude two months earlier. On the M11 between Moscow and St. Petersburg, all charging stations were knocked out by a Ukrainian supplier of components to those same stations. No power was provided, only war propaganda, with the displays reading "GLORY TO UKRAINE / GLORY TO THE HEROES / DEATH TO THE ENEMY."
The consequences of a cyber attack on charging stations can range from localized, relatively minor disruption to large and long-term disruptions on a national scale. The examples above are peanuts compared to what is likely to happen at some point in the future, here or elsewhere. A successful attack on the back-office system of one or more charging station operators, for example, could already bring a significant portion of traffic - including emergency services and delivery and freight transport - to a complete standstill, with dire consequences. A study from several years ago commissioned by the National Charging Infrastructure Agenda, which examined various doomsday scenarios for the Netherlands, takes into account that such an attack could actually occur in the coming years.
The blackest scenario? Manipulation of such large numbers of charging stations that the grid voltage changes or the power grid blacks out, which could disrupt the entire economy and public life and cause billions of dollars worth of damage. That could happen if hackers gain control of charging infrastructure with a capacity of about 1 gigawatt. This danger is feared elsewhere too. An American study examined a hypothetical but realistic scenario in which fewer than 1,000 hacked charging stations could cripple New York's power grid. Count on certain "state actors" toying with the idea of someday making that work. The studies make fascinating but hardly comforting reading.
From charging poles to charging cards, because charging a plug-in car at a public charging station almost always involves using a charging card. (With some operators, you can also - or even must - pay with an app, which is a much more privacy-sensitive method. A new European law also allows "ad hoc payments" at all newly installed public charging stations, for example via a payment card or QR code.)
Providers of charge cards (around 700), together with charging station manufacturers and operators (around 1,300), have mushroomed in recent years. From large energy suppliers to small companies completely unknown to most people - mostly start-ups. (For consumers, the market is a jungle, but there are websites that bring order to the chaos, such as Laadpastop10 and Chargepastop10.) In an effort to capture as much of the growing electric driving market as quickly as possible, cybersecurity was usually not the first thing these parties cared about.
For example, many charge cards have for years been unencrypted and demonstrably insecure because they use a chip that also caused problems in the public transport chip card. Among other things, this enables technically savvy fraudsters to clone cards and charge at the expense of another charge card user (a kind of identity fraud).
Also shown to be possible: "trickle charging." Very short charging sessions are not billed, and a large number of consecutive charging sessions of less than a minute add up to a free full battery. An ethical hacker wrote a script for this. The disadvantage for the fraudster, however, is that you can be traced immediately and it takes a long time to actually make a profit.
Moreover, in the eyes of charge card providers these forms of fraud occur on such a small scale that they are not worth fighting. Security and privacy versus the convenience of a well-functioning and cheap product is not a dilemma for them in this case: for now they choose the latter.
All in all, in terms of the cybersecurity behind electric charging, strides have been made, but there still remains much work to be done. In 2021, a survey among market participants concluded the following:
"The results show that parties are aware of the importance of cybersecurity. However, this awareness is in many cases based on trust and not always on explicit agreements regarding cyber security. It must be made clear who has what role and responsibility in the chain with regard to cyber security. This is to prevent the shared responsibility from resulting in cybersecurity not being embedded anywhere. [...] The organizations spoken with recognize that there are vulnerabilities with respect to cybersecurity. How big these risks are, how likely it is that an incident will occur and how big the impact is then, is not equally clear with every organization."
In collaboration with the European Network for CyberSecurity (ENCS) has knowledge and innovation center for
Moreover, last year ('real') legislation arrived - something that had long been lacking. Charging station operators managing more than 300 megawatts of charging capacity in the Netherlands are now listed as "vital providers" in the Network and Information Systems Security Act (WBNI), and they are required to report hacks and cyber incidents on their charging infrastructure to the National Cyber Security Center (NCSC). This anticipates the translation of the European NIS2 directive into national laws and regulations in the coming years. That directive is aimed at increasing digital resilience and limiting the consequences of cyber incidents. Companies that fail to comply can be fined up to two percent of their annual turnover or up to 10 million euros. The upcoming and partially overlapping Cyber Defense Regulation will raise the digital security of various hardware and software products, at least on paper.
This has been the case in the United Kingdom for two years now: operators of poorly secured charging stations there can face hefty fines. British cybersecurity legislation has forced several companies to invest heavily in improving the security of their charging stations, which was much needed in many cases. It is to be expected that legislation will have a similar effect here. Constantly updating software and firmware is crucial anyway, knowing that a single bug can be enough for a hacker to take over a charging station.
However, many hackers do not so much want to attack infrastructure (or, via the charging port, an electric car itself) as to get their hands on personal data. Data they can sell on the dark web, or use to blackmail people.
Use of a public charging station triggers all kinds of (separate) data flows between cars, charging card providers, charging station operators, cloud and hosting providers, third-party (payment) systems as well as municipalities. On pages 7 through 12 of this presentation by eViolin (association of charging station operators and related service providers), it is easy to see how, for the different types of charging, data and invoices are shared between (the clouds and databases of) all kinds of parties.
Public charging stations (and, in many cases, the cars themselves and their manufacturers) track, among other things, the location, date, start and end time of a charging session, the charging status of the batteries in the car at the beginning and end of a charging session, and the amount of power delivered. From this user data, behavioral patterns can be derived (including frequently driven routes, daily routines, power consumption, charging behavior, and preferences for charging station operators) and detailed user profiles can be established, as is happening in China, among other places. But in China anonymity and privacy are a long way off, and as far as we know this is not the practice in the Netherlands. The General Data Protection Regulation would also place restrictions on this.
Apart from possible identification through thorough data analysis or camera surveillance at charging stations, which can capture car, license plate and driver, the system is set up so that a charging station, when a charging card is used, basically does not know who is charging. The only thing the RFID charge card communicates is an ID, a unique code that for the charging station (operator) is not visibly linked to a person, only to the charge card provider. Only that charge card provider knows the personal and payment data of its customers in addition to the charging data.
With one card from one provider, you can charge with any charging station operator in virtually all of Europe. If you have a charge card and account with party X and you charge at party Y, these parties - often through the mediation of third parties - settle the costs of the charging session among themselves before the card provider recovers them from the user. That way, your most immediate personal data does not have to be shared with everyone, let alone over and over again with each different charging station operator.
People can hold any number of charge cards. In the Netherlands there are around 30 charge cards that you can apply for free of charge. If you use a different card each time, you are a different ID each time and in that sense even harder to track. On the other hand, this strategy does mean that you have to create an account with multiple card providers and that the personal data you provide in the process ends up in multiple databases.
And as is usually the case with personal data, that is where the greatest danger lies. It only takes one party that does not have the security of its databases in order, and the personal data is soon up for grabs in bulk. In June last year it was revealed that an Amazon-hosted database of semi-public Shell Recharge charging stations was not password protected and could be accessed by anyone via a web browser. It doesn't get any more amateurish than that, because no hacking was even required. At issue were nearly a terabyte of names, e-mail addresses and phone numbers of lease drivers using Shell's charging stations, as well as the names of fleet managers, including police departments.
These kinds of central databases often contain such large concentrations of sensitive - but by no means always encrypted or anonymized - data that as soon as someone manages to breach the security, there is in fact a jackpot on the street. Follow the news for a while and you're bound to read about one large-scale data breach after another. Aside from negligent management and outright security blunders, the problem with databases is that they can never really be protected well enough. There is always a back door ajar somewhere in the system, and there is always someone who has access but really shouldn't have it at all. What if such a person goes rogue or gets tricked by a phishing mail and unintentionally gives out the access code?
Numerous specialized companies are indispensable for setting up and properly running the charging infrastructure. But the more parties involved, the more complex the task of ensuring that the digital system behind electric driving is foolproof and that none of the parties involved drops the ball. Cybersecurity and privacy are as strong as the weakest link.
For example, many providers of private charging systems still need to step up. Such systems are the most common, but compared to public charging stations there are hardly any inspection rules for those units and they are much less protected against hacks. Users can lose access to their charging system through a ransomware infection (hostage software) until they pay a ransom. Whether an individual gives in to that is questionable, but for companies or organizations with a sizable fleet of vehicles and their own charging stations, it's soon a different story.
To smooth out peaks in collective energy consumption and better balance the power grid, more and more electric vehicles are able to discharge and supply power to the home grid (Vehicle to Home, V2H). Connected between its own charging station at the curb and the meter cupboard behind the front door, the vehicle acts as a mobile home battery. A handy Internet-of-Things application that lets you run your washing machine and dishwasher more economically. But what if a hacker gains access to smart home devices by first breaking into a home charging station? The chances of it happening to you are slim, but not inconceivable.
A wealth of information can be found about electric charging in many ways. One topic that has received a lot of attention on specialized websites but also in the media is the lack of price transparency in the market. Because every charging card provider has one
The privacy aspects of electric charging discussed in this article are remarkably rarely discussed anywhere, not even on extensive question-and-answer pages. Scientific publications do write about them, but otherwise privacy seems to be an understudied topic in this context. A working group of the aforementioned eViolin focuses specifically on the privacy of electric drivers and meets monthly, but what that working group has specifically advised or accomplished within the industry is unclear. By the way, the first sentence of the group's (hopefully outdated?) description gives pause: "Privacy is important, but is still often underestimated in the EV [Electric Vehicle] world."
After all, (some) electric drivers could potentially be identified from charging station user data, certainly in combination with other, possibly available datasets, for example on travel movements. This underlines the importance of irreversibly anonymizing the data before it goes to parties that show an interest in it, such as local governments.
The question is whether this will be addressed by charging station operators, because on behalf of the municipalities of Amsterdam, The Hague, Rotterdam and Utrecht, the Hogeschool van Amsterdam is analyzing, partly on the basis of the anonymous RFIDs, the charging data from the public charging stations in and around those cities. Altogether this involves over 43,000 poles, almost 70% of the current total number in the Netherlands. The municipalities use the data - made available in aggregated form on a public dashboard - for making new policies regarding electric charging. Other municipalities elsewhere in the country are also doing this. Public charging points are increasingly being placed proactively and data-driven based on usage, outgoing Infrastructure and Water Management Minister Mark Harbers wrote a few weeks ago in a letter to the House of Representatives.
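To make concrete what "irreversibly anonymized" charging data means when RFIDs are shared with municipalities, the following added example (not code from the article, eViolin, the Hogeschool van Amsterdam or any operator) shows how an exporting party could pseudonymize session records with a secret key per recipient, so that usage patterns stay analysable within one export but cards cannot be matched across recipients or against other datasets. The session-record layout, RFID UIDs, station ids and keys are constructed assumptions.

```python
"""Pseudonymise charging-session data before sharing it (e.g. with a municipality).
Added example, not code from the article or any named party. Assumed, not from the article:
records hold the card's RFID UID as hex, station id, start/end, kWh; one secret key per recipient."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Session:
    rfid_uid: str    # hex UID as read from the charge card (constructed values below)
    station_id: str
    start: datetime
    end: datetime
    kwh: float

def unkeyed_pseudonym(uid_hex: str) -> str:
    """Plain SHA-256: identical for everyone, so any two datasets using it can be joined
    on the card, and anyone holding a UID can recompute its pseudonym. Shown for contrast."""
    return hashlib.sha256(bytes.fromhex(uid_hex)).hexdigest()[:16]

def keyed_pseudonym(uid_hex: str, recipient_key: bytes) -> str:
    """HMAC-SHA256 under a per-recipient secret: stable within one recipient's export
    (usage patterns stay analysable), unrelated between recipients, needs the key to recompute."""
    return hmac.new(recipient_key, bytes.fromhex(uid_hex), hashlib.sha256).hexdigest()[:16]

def export_for_recipient(sessions: list, recipient_key: bytes) -> list:
    """Minimised rows: keyed pseudonym, station, start floored to the hour, whole minutes
    of duration, kWh to one decimal. The raw UID never leaves the exporting party."""
    return [{
        "card": keyed_pseudonym(s.rfid_uid, recipient_key),
        "station": s.station_id,
        "start_hour": s.start.replace(minute=0, second=0, microsecond=0).isoformat(),
        "duration_min": int((s.end - s.start).total_seconds() // 60),
        "kwh": round(s.kwh, 1),
    } for s in sessions]

# Constructed sample data: three sessions, two cards, two recipient keys.
SAMPLE_SESSIONS = [
    Session("04a1b2c3", "NL-CITY-0001", datetime(2024, 3, 4, 8, 17), datetime(2024, 3, 4, 9, 2), 12.34),
    Session("04a1b2c3", "NL-CITY-0002", datetime(2024, 3, 5, 8, 21), datetime(2024, 3, 5, 9, 40), 18.9),
    Session("04ffee11", "NL-CITY-0001", datetime(2024, 3, 4, 18, 5), datetime(2024, 3, 4, 21, 30), 30.0),
]
KEY_CITY_A = b"constructed-demo-key-city-A"  # real keys: random, secret, one per recipient
KEY_CITY_B = b"constructed-demo-key-city-B"

if __name__ == "__main__":
    for row in export_for_recipient(SAMPLE_SESSIONS, KEY_CITY_A):
        print(row)
```

Rotating the recipient key per export period additionally prevents linking the same card across periods, at the cost of longitudinal analysis for the recipient.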
