
As government agencies large and small work to meet the White House's call to modernize our cybersecurity infrastructure, others are creating the infrastructure needed for our move toward clean energy. The nexus of these efforts is cybersecurity for electric vehicle (EV) charging stations.

Hackers rarely target only the point where they gain access to a system. A hospital ransomware attack, for example, may begin with a single compromised terminal at a nurse's station, but the end goal is to hold the entire network hostage.

In the same vein, an attack on a vulnerable EV charging station may not hold much attraction for a hacker. But accessing someone's private data via their EV's system might be more interesting, and getting into the whole electric grid would be quite the coup for most hackers. Could that really happen?

Take a look at the recent Colonial Pipeline attack. A single stolen password allowed cybercriminals to shut down fuel supplies to the entire southeastern U.S. Our electric grid is similarly vulnerable because of our aging infrastructure — more than 70% of the grid is 30 years old.

This kind of security simply wasn't thought about when these systems were built. Now we're adding new components — EV charging stations — to this aging network and thinking of it all as the electric grid, which doesn't seem that vulnerable to cyber attacks. But because of the technology at the heart of electric vehicles, there is definitely vulnerability.

The connections between the vehicle, charger, processor and grid are all electronic and, therefore, hackable. In cybersecurity, we talk about attack surfaces, the points of entry that a hacker might exploit, in the same way that a burglar might see the windows and doors of your home as potential points of entry. Adding EV charging stations to the grid increases the attack surface, and each car that connects widens the attack surface more.

The most up-to-date approach to limit the attack surface of software and hardware, in general, is the concept of security by design, where security isn't the responsibility of one entity at the end of the production process but built into all aspects of a product, from conception to delivery. This is what's needed for the EV charging infrastructure.

That means state and local governments must think about security from the beginning. They must require vendors to show that they use sophisticated security measures to protect their product from attackers.

It may seem like a tall task as states and municipalities rush to meet the federal government's requirements for clean energy and claim a portion of available charging station funding administered through the Federal Highway Administration's National Electric Vehicle Infrastructure (NEVI) program. But the administration has shown a strong commitment to cybersecurity, and states that receive NEVI funds must "protect consumer data and protect against the risk of harm to, or disruption of, charging infrastructure and the grid."

Local governments don't have to go through it alone, though. There are partners available to help. Homeland Security's Cybersecurity & Infrastructure Security Agency (CISA) is one example. The agency offers free tools — technical assistance, assessments, training and more — to help organizations reduce cyber and infrastructure risk. Collaboration is part of its mandate, so it stands ready to assist.

The Department of Energy (DOE) is another example. The agency's Alternative Fuels Data Center has already created a framework for developing EV charging infrastructure. In addition to comprehensive information specifically for local and regional leaders, guides to setting up charging stations and a dozen real-world case studies, DOE's Vehicle Technologies Office offers project assistance to public and private stakeholders.

Local businesses, trade or technical schools and other government entities may also be available to help municipalities practice security by design as they develop EV charging infrastructure.

Aside from the federal government's mandate, providing the strongest possible cybersecurity of charging assets just makes sense. If you knew that a gas pump was likely to leak your credit card information to thieves, would you use that pump?

If consumers doubt the security of EV charging infrastructure, purchases of EVs could stall, harming the environment and putting government and company commitments to electric vehicles in jeopardy.

From a rural and small-town standpoint, it makes a lot of business sense to offer travelers a safe, secure option for charging vehicles on long trips. Charging an EV takes longer than filling a gas tank, which gives charging station operators an opportunity to provide additional products and services to consumers with time on their hands.

That glistening future of happy patrons pumping money into the local economy as their EVs fuel up is only possible through trust. Local businesses, and therefore governments, prosper when consumers choose their location to charge up because they know charging stations are secure. Think about the popularity of clean, secure roadside gas stations with an interesting local flavor.

Protecting the EV charging infrastructure from attack isn't only for EV drivers. We all benefit when our personal data and the entire electric grid are protected from cybercriminals.

Brian Gant is an assistant professor of cybersecurity at Maryville University.

(Opinions expressed in this article are the author's own.)