Analysis

Securing electric vehicle supply equipment

Cybersecurity strategies for hyperconnected ecosystems

As electric vehicle (EV) adoption picks up speed, the cybersecurity risks associated with an interconnected EV ecosystem are moving to the forefront. Explore strategies to help service providers secure electric vehicle supply equipment.

EV charging cybersecurity

Electric vehicle adoption is accelerating and reaching new audiences and locations. States such as California have thrown down the gauntlet, committing that 100% of new cars and light trucks sold in California will be zero-emission vehicles by 2035, including plug-in hybrid electric vehicles.[1] This shift is driving change not only in California but across the United States and globally, and is mainly attributed to environmental awareness, government incentives, technological advancements, and growing demand for cleaner transportation alternatives.

Charging technologies connect an EV to the electricity grid through a charging device, and their hyperconnected nature entails the exchange of sensitive data and control commands among various entities in the EV ecosystem. When charging is built into hyperconnected smart city infrastructures, integration is required across stakeholders with different roles and security standards, which increases the cybersecurity risks associated with electric vehicle supply equipment (EVSE). High rewards and extreme physical and remote connectivity make EVSE a lucrative target for cyberattackers.

Business drivers for securing electric vehicle supply equipment

Evolving regulatory landscape

The regulatory landscape for EVSE is rapidly evolving to keep pace with technology advancements in the EV space. The International Organization for Standardization (ISO) standard 15118 establishes a standardized communication protocol between charging stations and EVs. This standard enables “plug and charge” functionality for an effective and secure charging process by allowing EVs to automatically communicate with charging stations and exchange the required information without manual interaction from the user.

The standard defines secure authentication and authorization methods for EVs and EVSE to ensure only authorized vehicles can access charging supply equipment. Service providers should utilize ISO 15118 to enable interoperability between EVs and EVSE and future-proof their infrastructure.

Consumer trust and privacy

Trust and privacy are now firm requirements from consumers and should be built into the product life cycle from the design phase. EVSE service providers are expected to provide clear and transparent information to consumers about what personal data their devices and services process, the organizations that process this data, and the lawful basis on which the processing takes place.

Interconnected ecosystem of EV entities

The EV charging application ecosystem is complex and involves several components and vendors. The specific elements of the EV charging application supply chain include software development companies that design and build EV charging applications, cloud service providers, charging network operators, data aggregators, and payment gateway providers. Failure to properly vet and secure EVSE software supply chain components can lead to vulnerabilities in EVSE applications and infrastructure and further expand the attack surface.

Risk of energy theft and financial fraud

Another exciting development is vehicle-to-grid (V2G), whereby the EV battery is used to inject power back into the power grid. Broad security measures are required to mitigate the risk of financial fraud and energy theft and prevent bad actors from hacking the system and overloading the grid by injecting energy when it isn’t required.

Security by design: EVSE security components

Deloitte automotive cybersecurity offerings

Mobility ecosystem cyberattacks now pose not only cybersecurity but also enterprisewide risks, threatening business continuity and the operations of organizations. Therefore, to mitigate their effects, organizations should consider implementing solutions to enhance cyber resilience and remediate enterprise risk.

Deloitte can help clients design, build, and operate dynamic, business-aligned security programs wherever they may be in their cyber journey. Our services related to automotive cybersecurity include but are not limited to:

  • Cybersecurity management systems (CSMS);
  • Secure by design;
  • Threat analysis and risk assessments (TARA);
  • Vehicle cybersecurity risk management;
  • Software update management systems (SUMS);
  • Supplier cybersecurity management; and
  • Vehicle cybersecurity monitoring.

We combine industry-leading strategic advisory services with deep technical capabilities to help organizations design, implement, and operate advanced cyber and strategic risk programs. Connect with our team to learn how we can help you build resiliency, deepen trust, and fuel performance.

[1] California Air Resources Board, “California moves to accelerate to 100% new zero-emission vehicle sales by 2035,” press release, August 25, 2022.
