More is being said about how changes in infrastructure will enable threats. This is a good example of how such approaches can be examined.
ACM News: Do EV Charging Stations Open the Power Grid to Attack?
By Paul Marks, Commissioned by CACM Staff, March 29, 2022
Forget about range anxiety, the fear you'll drive your electric vehicle (EV) too far to make it back home before running out of power. Another concern rearing its ugly head to drivers of electric cars now is the digital security of the charging stations where they may replenish their batteries when away from home.
Vulnerabilities in the complex software used to control charging stations, it turns out, could allow attackers to mount debilitating hacks on power grids, disrupting electrical supplies, or even taking them down completely.
An international team of penetration testers reverse-engineered the way software at the mobile, Web, and embedded firmware levels is used to control commercial EV charging stations. The pentesters (penetration testers) found that Internet-connected EV Charging Station Management Systems (EVCSMS) that track and manage charging stations at drive-in sites were prone to a swathe of remote cyberattacks, some of them critical.
In addition to putting the power grid's stability at risk, some of the susceptibilities they identified could allow attackers to gain complete control of charging stations, letting them configure the systems as they wished—perhaps letting compatriots charge their EVs for free, or allowing them to claim illicit refunds. Some were also capable of being used as platforms from which distributed denial of service (DDoS) attacks could be mounted.
The research team published its findings in the January 2022 edition of peer-reviewed journal Computers & Security, at a time when EV charging station networks are fast proliferating globally to service the switch from hybrid and gasoline cars to EVs, as governments the world over pursue net-zero carbon dioxide emissions by 2050.
In the U.S., for instance, the Biden administration introduced plans as part of the bipartisan Infrastructure Law passed by Congress in November 2021 to encourage American states to roll out no less than 500,000 new EV charging stations coast-to-coast by 2030, with $5 billion in seed funding available to help make it all happen.
Tony Nasr, a cybersecurity engineer at the Concordia Institute for Information Systems Engineering in Montreal, Canada, wondered what such massive growth in this specialized form of Internet-based infrastructure would mean for urban security, especially since the charger networks are fed by critical infrastructure we all depend on: the power grid.
"Given the exponential growth in the number of EVs, and the resulting increase in the numbers of deployed EV charging stations, there is the utmost need to examine the cybersecurity of charging stations and their networks," Nasr says.
So, alongside his Concordia colleagues Sadegh Torabi and Chadi Assi, plus Elias Bou-Harb at the University of Texas at San Antonio and Claude Fachka at the University of Dubai in the United Arab Emirates, Nasr set about finding out more about the risks. However, as EV charging stations are based on a blizzard of commercial products developed by a variety of international vendors, how could they even begin to assess their security?
Their answer was to harness "dorking"—a precision form of Web search—to find functional details on the mobile app and Web-based components of some 15 EVCSMS applications, used to manage the charging devices, plus the embedded firmware, the charging stations they are installed in, and their networking capabilities. ...