Trend Micro Senior Threat Researcher Salvatore Gariuolo joined the Nexus Podcast, calling into question whether the ISO 15118 standard is sufficient to protect EV charging, and the cybersecurity of charging stations in particular.
Internet of Things
Vulnerability Management
Risk Management

Nexus Podcast: Salvatore Gariuolo on ISO 15118, Safe EV Charging

Michael Mimoso / Aug 18, 2025


The ISO 15118 standard is quickly reshaping the EV charging ecosystem, particularly in making the electric grid more efficient and handling the increased load as more chargers and electric vehicles join the grid.

The standard also addresses cybersecurity, in particular communication between the car and charging stations. It protects against unauthorized charging sessions and introduces PKI and digital certificates to verify identities. Transport layer security (TLS) is also a recommendation in the standard and prevents the manipulation of data as it’s exchanged between vehicles and chargers. 

At the recent Black Hat USA conference, however, Trend Micro Senior Threat Researcher Salvatore Gariuolo joined the Nexus Podcast and called into question whether the standard is sufficient to protect EV charging, charging stations in particular.

“We have to focus on the risks that the standard leaves behind, and this is a particularly important focus for cybersecurity,” Gariuolo said. “For example, with the introduction of the standard, we might protect the communication between the EV and the charging station. But at the same time, if we leave the charging station exposed, it will still be possible for malicious users to carry out a denial of service, for example.”

Charging Stations a Vulnerable Cyber-Physical System

Gariuolo said charging stations remain the most vulnerable part of the EV infrastructure, even though most attacks would require physical access to the station. As he points out, however, most stations are unguarded.

“The most impactful attack is on the infrastructure. So that's the place where the most significant risks lie,” he said. “But at the same time, even the EVs are at risk. And this is because the charging stations are separate physical systems. So this means that an attack on the EV charging ecosystem doesn't only affect the digital space. It also has an effect on our real life.”

Gariuolo said a compromised charging station could deliver unsafe power levels to the car, and put the car and driver at risk if, for example, the battery is damaged. 

“This is particularly dangerous because, first of all, it can put at risk the components in the electric vehicles, like the battery. But this can also create safety hazards for the user,” Gariuolo said. “Imagine having an electric vehicle on fire because of these attacks.”

ISO 15118 Makes a ‘Dangerous’ Assumption

Gariuolo points out that ISO 15118 does not consider the protection of the charging station.

“The charging station is by design out of the focus of the ISO standard,” he said. “The standard makes an assumption and it’s a very dangerous assumption, that the charging stations are secure entities. This is an assumption that can backfire.” 

Gariuolo added that vulnerabilities at charging stations have the potential to undermine the security the standard aims to enforce. One example: since ISO 15118 does not include a mechanism for stations to synchronize their clocks with trusted time sources, an attacker could modify the station’s clock and force it to accept revoked or expired digital certificates.
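The clock problem described above, as an added example that is not from the podcast or from ISO 15118: a station that trusts its local clock accepts an expired certificate once the clock is set back, while a check against a persisted time floor rejects it. The `TimeFloor` class, the firmware build time and all certificate dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

@dataclass(frozen=True)
class CertWindow:
    """Constructed stand-in for an X.509 certificate's notBefore/notAfter."""
    subject: str
    not_before: datetime
    not_after: datetime

class TimeFloor:
    """Latest time the station knows has already passed (assumed to be kept
    in tamper-resistant storage and raised only from authenticated sources)."""
    def __init__(self, initial: datetime):
        self.floor = initial

    def advance(self, trusted_time: datetime) -> None:
        self.floor = max(self.floor, trusted_time)  # never moves backwards

    def clock_plausible(self, local_now: datetime,
                        tolerance: timedelta = timedelta(minutes=5)) -> bool:
        return local_now + tolerance >= self.floor

def naive_validate(cert: CertWindow, local_now: datetime) -> bool:
    """Trusts whatever the local clock says."""
    return cert.not_before <= local_now <= cert.not_after

def hardened_validate(cert: CertWindow, local_now: datetime,
                      floor: TimeFloor) -> str:
    if not floor.clock_plausible(local_now):
        return "reject: local clock is behind the trusted time floor"
    if not naive_validate(cert, local_now):
        return "reject: certificate outside its validity period"
    return "accept"

# Constructed sample data (not taken from the page).
FIRMWARE_BUILD = datetime(2025, 1, 1, tzinfo=UTC)       # initial floor
EXPIRED = CertWindow("expired-contract", datetime(2023, 1, 1, tzinfo=UTC),
                     datetime(2024, 6, 30, tzinfo=UTC))
CURRENT = CertWindow("current-contract", datetime(2025, 1, 1, tzinfo=UTC),
                     datetime(2026, 12, 31, tzinfo=UTC))
TRUE_NOW = datetime(2025, 8, 18, tzinfo=UTC)
ROLLED_BACK = datetime(2024, 3, 1, tzinfo=UTC)          # tampered clock

if __name__ == "__main__":
    floor = TimeFloor(FIRMWARE_BUILD)
    print(naive_validate(EXPIRED, ROLLED_BACK))            # expired cert passes
    print(hardened_validate(EXPIRED, ROLLED_BACK, floor))
    print(hardened_validate(CURRENT, TRUE_NOW, floor))
```

A time floor only catches a clock set earlier than the last trusted timestamp; revocation checking still needs fresh status data from a trusted source.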

Given the nascent nature of this ecosystem, charging station manufacturers must come to the cybersecurity table, as must e-mobility service providers and car manufacturers. Stations, he said, need tamper-resistant hardware to prevent physical attacks, intrusion detection capabilities to monitor whether a station has been compromised, and a mechanism to validate the integrity of software and detect whether it has been modified.

“The charging station is believed to be trusted, it is not,” he said.


Michael Mimoso is Director of Influencer Marketing at Claroty and Editorial Director of Nexus.
