As the energy Internet of Things grows, each new connected device offers a potential threat vector and requires securing against cyber attack.
With connections to the distribution system for energy delivery and to smart charging and billing systems for metering and payment, electric vehicles (EVs), and EV chargers in particular, are becoming an increasingly important component of the critical infrastructure. While the rates and areas of EV growth are uncertain, and arguably present one of the greatest unknowns for network planning, the numbers are accelerating as vehicle prices decline and the charging infrastructure is built out.
For example, in Europe some 220,000 public EV chargers are expected to be in operation by 2020, according to the Transport and Environment Network in a September 2018 study.
In view of the importance of securing the EV charging infrastructure, the Dutch EV knowledge and innovation centre ElaadNL approached the European Network for Cyber Security (ENCS), which took on the task of developing a set of requirements with the European Distribution System Operators’ Association (E.DSO).
“In the future, the EV fleet will represent grid-scale cumulative power capacity; compromising EV charging could be as disruptive as compromising a power plant,” comments Onoph Caron, Managing Director of ElaadNL, which also is the initial beneficiary.
Cyber security requirements
The requirements integrate the expertise of key industry stakeholders with the aim of providing municipalities, distribution system operators (DSOs) and others such as businesses with a practical set of considerations for the procurement and communications operations of EV chargers.
The requirements, which are applicable throughout Europe, are based on the principle of ‘security by design’. They were developed on the basis of a threat assessment identifying the threats and possible attacks related to EV charging systems. Each requirement is justified by one or more possible threats identified, according to the ENCS.
Moreover, care has been taken to align the requirements with common standards and best practices for security for devices used in the industrial control systems domain. They are applicable to the different devices included in the EV charging system and to the different communication technologies, protocols and software systems selected by the charge point operators.
Regarding procurement of the charge point, the requirements cover: the security of the charge point itself; that it has all the functionality needed to set up secure operational processes now and into the future, including firmware update capability; that its vendor takes measures to ensure its security throughout its lifecycle with an information security management system; and that measures, including documentation, are taken to assure that security measures have been implemented well.
On operations, the requirements aim to ensure secure encrypted communications between the charge point operator and the DSO. These requirements can also be used as part of the security requirements when new server systems are procured or set up.
“From a security standpoint, the potential impact of EVs on the grid simply can’t be understated,” adds Anjos Nijk, Managing Director of ENCS. “These requirements will be vital in neutralising the growing threat from hackers who could potentially cause a blackout through poorly-protected EV chargers.”
The EV charge point requirements are the first in an upcoming series of security standards for smart grid components and part of a commitment by ENCS and E.DSO to take joint active leadership in addressing security issues in Europe’s energy sector.
The collaboration was initiated in a 2016 memorandum of understanding to work together on knowledge exchange for security regulations, effective cyber security practices and standardisation for energy distribution companies.
In May 2018 the two organisations expanded the partnership to include areas such as security requirements, training and regulatory recommendations. Specific commitments include taking responsibility for grid security requirements and testing, and assuring that certification delivers an improved level of grid security; providing dedicated security training and exercises, and developing and expanding this training portfolio in line with threat landscape developments; and establishing a research agenda covering the needs and priorities of European DSOs, and collaborating on Horizon 2020 security call applications.
“These requirements are not only key to the long-term vision of our work with ENCS but lay a strong foundation for meaningful and proper certification,” says Joachim Schneider, Chairman of E.DSO’s Technology Committee. “You can only really achieve this with requirements born out of a collaborative effort between grid operators and cyber experts, which was a key element in our project.”