There have been a lot of headlines linking cybersecurity and cars recently. The thought of driverless and connected cars being hacked pricks our sense of safety in a very visceral way – imagine the terror of someone else taking control as you drive! But other advances in automotive technology are opening up cyber vulnerabilities too. These are just as important, even if not as immediately dangerous. Yet, few people stop to think about the cybersecurity consequences of electric vehicles (EV).
One entity that is thinking about it though, is ELaadNL. Based in the Netherlands, where EV adoption has outpaced most other countries so far, ElaadNL is the knowledge and innovation centre for charging infrastructure in the Netherlands. As such, it can’t afford not to think about cybersecurity.
EVs are set to become an important part of our critical energy infrastructure across Europe. Not only will they be a source of additional demand and physical infrastructure for the grid, but they promise to become a key component of the smart grid as a source of flexible storage. This makes EVs critical and cybersecurity crucial.
If a number of charging points were compromised, a third party could, for example, increase the load taken from the distribution system operator (DSO) to the point where it could possibly harm the local grid. Then there are threats such as personal data theft, economic espionage and denial of service to consider. Hackers, hacktivists, organised criminals, terrorists, state-sponsored actors and even disgruntled company insiders could all have motivation to try and compromise EV charge points or charge point operators (CPOs).
So what to do? The same as with any piece of the new smarter, connected grid: a collaborative industry approach that establishes best practice, helps participants follow it and locks in an ongoing commitment to cybersecurity.
In this spirit, ElaadNL approached ENCS to collaborate on a set of security requirements it could use to procure equipment for the Netherland’s charging infrastructure. Based on a risk assessment and shared expertise, the ‘security-by-design’ requirements aim to ensure that charging equipment is as secure as possible and, if a breach should occur, that any consequences would be limited.
The requirements cover both the procurement of the charge point and the security of communications between the CPO and the DSO. As well as advice on how to procure the most robust systems, they include measures to make sure security systems have been well implemented and that the vendor ensures security throughout the equipment’s lifecycle.
The project also saw ENCS contribute to the emerging industry standard Open Charge Point Protocol (OCPP) communication solution. OCPP is the accepted protocol of choice in 50 countries and over 100,000 charging stations, providing accessibility, compliance and uniform communications between charging stations and management systems. OCPP is the protocol used between the charging station and the backend of the charge station operator and also enables the charge point operator (CPO) to remote control the current flowing to the cars. Via this protocol the CPO can send a charge profile to multiple charge points to control the charge process. This makes OCPP one of the important protocols to focus on with respect to cybersecurity.
EVnetNL, which grew from the same project as ElaadNL, installed around 3,000 charging points across the Netherlands between 2009 and 2014. Procurement requirements and communications protocols will need to be constantly revised and updated to keep abreast of the evolving industry and cyber threats, but it’s good to see partnerships like ENCS and ElaadNL’s drive cybersecurity standards in the EV industry forward.