Johnson is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can't imagine [stricter standards] won't happen. It's just taking a long time,” he says. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement
THIS STORY WAS co-published with Grist, a nonprofit media organization covering climate, justice, and solutions.
- They found everything from the possibility of hackers being able to track users to vulnerabilities that “may expose home and corporate [Wi-Fi] networks to a breach.” Another study, led by Concordia University and published last year in the journal Computers & Security, highlighted more than a dozen classes of “severe vulnerabilities,” including the ability to turn chargers on and off remotely, as well as deploy malware.
- For instance, it identified a software bug in the popular Chargepoint network that hackers could likely exploit to obtain sensitive user information (the team stopped digging before acquiring such data).
- A charger sold in the UK by Project EV allowed researchers to overwrite its firmware.
- “It’s not about your charger, it’s about everyone’s charger at the same time,” he says. Many home users leave their cars connected to chargers even if they aren’t drawing power. They might, for example, plug in after work and schedule the vehicle to charge overnight when prices are lower.
- If a hacker were to switch thousands, or millions, of chargers on or off simultaneously, it could destabilize and even bring down entire electricity networks.
“We’ve inadvertently created a weapon that nation-states can use against our power grid,” says Munro. The United States glimpsed what such an attack might look like in 2021 when hackers hijacked Colonial Pipeline and disrupted gasoline supplies nationwide. The attack ended once the company paid millions of dollars in ransom.
Munro’s top recommendation for consumers is to not connect their home chargers to the internet, which should prevent the exploitation of most vulnerabilities. The bulk of safeguards, however, must come from manufacturers.
“It's the responsibility of the companies offering these services to make sure they are secure,” says Jacob Hoffman-Andrews, senior staff technologist at the Electronic Frontier Foundation, a digital rights nonprofit. “To some degree, you have to trust the device you're plugging into.”
Electrify America declined an interview request. With regard to the issues Malcolm and the Kilowatts documented, spokesperson Octavio Navarro wrote in an email that the incidents were isolated and the fixes were quickly deployed. In a statement, the company said, “Electrify America is constantly monitoring and reinforcing measures to protect ourselves and our customers and focusing on risk-mitigating station and network design.”
- Pen Test Partners wrote in its findings that companies were by and large responsive to fixing the vulnerabilities it identified, with ChargePoint and others plugging gaps in less than 24 hours (though one company created a new hole while trying to patch the old one). Project EV did not respond to Pen Test Partners but did eventually implement “strong authentication and authorization.”
- Experts, however, argue that it’s far past time for the industry to move beyond this whack-a-mole approach to cybersecurity.
There has been some movement toward changing that. The 2021 Bipartisan Infrastructure Law included some $7.5 billion to expand the electric vehicle charging network across the US, and the Biden administration has made cybersecurity part of that initiative. Last fall, the White House convened manufacturers and policymakers to discuss a path toward ensuring that increasingly vital electric vehicle charging hardware is properly protected.
- He also argued that bolstering EV cybersecurity is as much about building trust as it is mitigating risk. Secure systems, he says, “give us the confidence in our next-generation digital foundations to aim higher than we possibly could have otherwise.”
- But Johnson says the regulation omits devices installed outside that expansion, not to mention the more than 100,000 units already in place nationwide.
- Plus, he says, states haven’t offered much detail about what they’ll do. “If you drill down into the state plans, you'll find that they are actually extremely light on cyber requirements,” he says. “The vast majority that I saw just say they will follow best practices.”
Just what constitutes best practice remains ill-defined. Johnson and his colleagues at Sandia published recommendations for charger manufacturers, and he noted that the National Institute of Standards and Technology is developing a framework for fast-charging that could help shape future regulation. But, ultimately, he would like to see something akin to the 2022 Protecting and Transforming Cyber Health Care Act that’s geared toward electric vehicles.
“Regulation is a way to drive the entire industry to improve their baseline security standards,” he says, pointing to recent laws in other countries as models or starting points for policymakers in the United States. Last year, for instance, the United Kingdom rolled out a host of requirements for EV chargers, such as enhanced encryption and authentication standards, tamper detection alerts, and randomized delay functionality.
The latter means that a charger must be able to turn on and off with a random time delay of up to 10 minutes. That would mitigate the impact of all the chargers in an area coming online simultaneously after a power outage or hack. “You don’t get that spike, which is great,” says Munro. “It removes the threat from the power grid.”
Johnson is optimistic that the industry is moving in the right direction, albeit more slowly than is ideal. “I can't imagine [stricter standards] won't happen. It's just taking a long time,” he says. And he certainly doesn’t want to spark undue alarm, but rather apply steady pressure for improvement.
“It's scary stuff,” he says, “but it shouldn't be fear-mongering.”
No comments:
Post a Comment