Why we need to be fuzzing EV smart charging infrastructure

Following reports of vulnerabilities in products and applications related to electric vehicle (EV) charging stations in India this month, and a white hat attack on German Tesla charging stations in January, remedial measures are required to prevent EV charging stations from being susceptible to cyber-attacks.

Last year we saw the number of EV charging points across the UK increase by 31%, with a total of 37,261 charging devices on the public infrastructure. As demand for EVs and charging points increases, we need to make sure that measures to ensure high levels of robustness and cyber security can match the pace of this rollout.

Transportation continues its transition to greener alternatives, meaning more work is needed to ensure the secure exchange of critical commands between vehicles, charging points and management systems. After 2030, no new petrol or diesel cars and vans will be sold in the UK, and after 2035 hybrid sales will also be banned. The adoption of EVs in the UK is therefore of significant interest to everyone.

Cyber-attacks targeting vehicles have the potential to impact critical infrastructure sectors such as manufacturing, medical services and agriculture, as well as privately owned vehicles. Any impact of cyber-attacks on the public or critical infrastructure industry will have crucial ramifications, with lasting effects.

Currently, there is no unified approach to cyber security in EVs and the EV charging infrastructure, so we are reliant on best practices being adopted by the industry itself. CyTAL has been following the EV industry for a few years and taking a close look at EV communication protocols, for example the Open Charge Point Protocol (OCPP). Having joined the Open Charge Alliance, CyTAL is supporting the development of cyber security requirements for the industry by offering technical guidance and tools.

Proven cyber security assurance practices will be crucial for securing our EV charging infrastructure and providing better protection for customers, EVs and supporting power systems. Fuzzing, or fuzz testing, is a comprehensive vulnerability testing method that enables the simple and efficient detection of critical security issues between connected interfaces. A key function of any cyber security toolkit, fuzzing can reveal serious defects and security loopholes in the protection of devices, systems, networks, data and users.

Fuzz testing can be applied at any stage of system implementation to any development methodology, meaning it can be easily integrated into an existing workflow and test environment and maintained for continuous delivery.

Whilst recent cyber security incidents in India, Germany and Russia didn’t cause significant problems, they have demonstrated that hackers can easily infiltrate EV charging stations, which points to poor security designs, a lack of testing or both. It’s only a matter of time before such attacks create major disruption or reputational damage. Overall, we should be taking a proactive approach, building better security testing into the design and release process as opposed to waiting for vulnerabilities to be found and then exploited.