By Eoin Carroll, Vehicle Services Work Group

As of 2023 there are now 1.7 million electric cars in operation in the USA, a 325% increase from 400,000 in just four years. These are typically cheaper to fuel than petrol-or diesel-powered vehicles and often have fewer parts to repair and maintain. However, the economic benefits of these vehicles can be quickly outweighed if the systems used to power electric vehicles can be easily weaponized by malicious entities.

As the number of electric vehicles on the roads continues to increase, so too does the number of personal and commercial charging ports available to drivers. Yet EV charging stations – or Electric Vehicle Supply Equipment (EVSE) – can quickly become a gateway for hackers to gain unauthorized access to a vehicle. As the majority of these are remotely managed, if the hacker gains access to a single station, it is likely they will also have access to any within the same network. Security flaws within the technology used to power vehicles can be used to execute a ‘denial of service’, remotely switching chargers on or off and removing an owner’s access in order to prevent the owner from charging the car. Attackers can even infiltrate the communication taking place between the vehicle and the charging station, enabling them to exploit the vehicle and obtain sensitive information.

Worse still, with EVSE connected to the energy grid, any successful hacker can instruct an entire fleet of stations to start charging. This can quickly use up available surpluses, leading to monumental damage to critical infrastructure and leaving governments at the mercy of remorseless hackers looking for a large payout. What is worrying is this is not breaking news to the industry – in 2018, the Volpe Report from the Department of Transportation (DoT) identified a number of concerning gaps within the EV charging ecosystem which demonstrated very poor security of EVSE. These included the lack of basic cybersecurity best practices, trust models, testing, and guidelines for a number of different elements within the infrastructure.

Leading the charge for ‘trusted’ technology

Any vehicle must be resilient if it comes under attack from a connected and potentially compromised EVSE. If security measures that enable this are in place, malware will not be able propagate from the EVSE to the vehicle, or vice versa. It is therefore essential that original equipment manufacturers (OEMs) deliver features and software their customers can trust. The Trusted Computing Group (TCG)’s Vehicle Services Work Group (VSWG) is uniquely positioned to innovate secure by design and resilient solutions for the automotive industry.

Through our standards, specifications, and technologies, trusted computing can not only become a reality, but commonplace for electric vehicles. We are actively seeking out more vehicle manufacturers to collaborate with ourselves on the security issues facing the industry, and propose novel solutions to ensure a solid, trustworthy foundation for future innovation.

The VSWG is currently focused on the development of an end-to-end security reference architecture for the EV charging ecosystem. To overcome the weak security posture of the charging station and other EVSE, we have partnered with the Linux Foundation ENERGY EVerest Project, a consortium of EV charging experts. The primary goal of EVerest is to develop and maintain an open-source software stack for EV charging infrastructure, with the VSWG helping to support and promote the secure implementation of the ISO15118 Plug and Charge (PnC) standard within the greater ecosystem. We are doing this by developing a trustworthy platform reference for LF EVerest, in order to build vendor neutral and interoperable software that represents industry best capabilities.

Through our partnership with EVerest, we are working to understand the unique problems associated with EV charging and deliver novel solutions utilizing TCG technologies. Root-of-Trust hardware such as the TPM2.0 is already playing a significant role within standard implementation, providing the cryptographic agility needed for ISO15118-20 to operate successfully. With mass adoption of the final version of the ISO15118 standard expected shorty, the VSWG have a liaison in place with ISO/TC 22/SC 31/JWG 1 to support deployment of essential algorithms. We have also recognised the lack of an industry framework for EV charging applications and we continue to promote the Industrial Internet Security Framework (IISF) as a solid option for securing the EV ecosystem, with trusted computing technology as the core.

Looking ahead, EV architectures that incorporate high performance compute (HPC) and consolidated electronic control units (ECUs) will present challenges to manufactures, who must ensure vehicles are both resilient and secure by design. Leveraging a trusted computing hardware trust anchor will help manufacturers rise to the challenge and deliver security infrastructure or platform security services within the vehicle.