RESEARCH: How to make EV charging stations more resilient to cyberattacks

October 6, 2022

[Image: An electric vehicle charging station with an identifying sign to its left.] Chadi Assi and colleagues found that electric vehicle (EV) charging stations are vulnerable to remote cyber-attacks. Photo credit: CityofStPete / flickr.com

As Quebec is gearing up to ban gas cars by 2035, Chadi Assi and an international team of cybersecurity experts led by researchers at the Security Research Centre at Concordia University found that electric vehicle (EV) charging stations are vulnerable to remote cyber-attacks. These attacks could target not only users but the power grid itself, resulting in possible service disruptions and failures in the electrical grid.

To find these vulnerabilities, the researchers built automated web-crawling routines that they ran across EV charging station makers' websites, which are all open and freely available to the public. They found public data relating to 16 of the most commonly used EV charging systems, with five of them turning up details on the way the actual EV charging station management systems' code worked. They then reverse-engineered how each type of charging station worked and came up with potential angles of attack that might succeed. They found several severe vulnerabilities in need of patching, through which attackers could:

  • Take full control of the charging systems
  • Manipulate billing
  • Take over the system so that it could then be used as a platform to mount denial-of-service attacks on other systems
  • Control the charge and discharge cycle of the connected EVs, which could destabilize the power grid to such an extent that it would trigger safety relays and cause power outages

They contacted the vendors to share their findings, and one of them, Schneider Electric of Germany, acknowledged the team's findings and immediately reserved 12 Common Vulnerabilities and Exposures (CVE) numbers to assign when it is ready to publicly release patches.

Read the summary article from the Communications of the Association for Computing Machinery.


© Concordia University