Cybersecurity with EVs may not seem like a real threat today, but several breaches have already been reported across the world, highlighting the need for more focus on data protection in the e-mobility ecosystem. For example, a 19-year old hacked into 25 Tesla cars in March this year using only a mobile app. In Europe, 15% of small businesses surveyed by Munich Re have had their delivery vehicles compromised by hackers. Meanwhile, Deloitte Canada has found that 84% of the cyberattacks on automobiles were carried out remotely, with half of them recorded in just the last two years.

Clearly then, the cybersecurity of electric vehicles is of utmost importance, especially as the proliferation of clean transport is now inevitable. Close to 66 country governments are targeting ICE phaseouts in the near future. The EU has already banned the sale of ICE vehicles after 2035, India plans to sell 30% of all new vehicles as EVs by 2030, the US plans to install 500,000 EV chargers at a cost of nearly $5 billion, and e-commerce giant Amazon has already ordered 100,000 electric delivery vans from Rivian for the US. Also, global EV sales shot up by 80% in 2021 as the technology improves everyday and the prices come down.

With all this positive movement towards transport decarbonisation, everything could be brought to a grinding halt by rogue actors who could bruteforce the EV ecosystem into malfunctioning.

The Electric Delivery Van (EDV) developed for Amazon by Rivian

How are EVs vulnerable? 

EVs are different from ICE vehicles in not just the fuel that powers them, but the way they obtain the fuel. A traditional gasoline car, for example, would pull into a gas station/petrol pump and refuel in 5-10 minutes. Payments today are mostly done through credit or debit cards but cash is still frequently used. EVs have to connect to a charging point instead, which itself is connected to a larger grid for its power feed and uses the internet to access cloud-based applications.

Fig. 2: Ford introduced over-the-air updates to its EVs in 2020, following Tesla’s footsteps

And therein lies the vulnerability. The connection to the internet and the abundance of electronics that pair a battery pack to the vehicle’s motors, the connector to the battery management system (BMS), the other end of the connector to the charging point and the charger to the grid, can all have their settings changed — or disabled — if their security is breached. A wealth of data is exchanged between an EV and a charger every time the two connect, including:

  • Vehicle specifications,
  • Battery charge left (hence the driving range), and the maximum allowable rate of power input for safe charging.

Fig. 3: An EV charging system that shows its numerous channels of communication

The payment mechanism meanwhile collects credit/debit card numbers. This links back to the customers’ bank accounts, phone numbers, ID documents, residential and/or office address and even spending habits. Unauthorised access to this data by ‘black hats’ (hackers that steal information to commit crimes) could:

  • Deny service to the owners when plugged in
  • Plant malware in the vehicles to record their GPS use and track the owners
  • Duplicate IDs and override the owner’s claim on the vehicle (insurance fraud)
  • Trigger erroneous decisions by the on-board computers to compromise user safety (eg.,  tricking the Battery Management System into overheating or shutting down the batteries)
  • Compromise the vehicle’s interaction with the grid by overriding in-built safeguards (both within the vehicle and the charging point)
  • Gain access to the owners’ home or office wi-fi networks (depending on where the vehicle is charged) and hack into their other devices

Tracking and storing data that uniquely identifies individuals is also used by governments to build detailed user profiles. When combined with compromised voice-activated systems within the vehicles that record conversations, these can lead to a severe breach in privacy and transmit sensitive information to authorities.

Attacking the grid 

The EV chargers themselves can be made to malfunction by restricting or blocking their charging capacities. Since a facility usually has several chargers — a city may even choose a handful of service providers for all its EV users to ensure interoperability — overriding how they interact with the grid can simulate an attack.

For instance, switching them on and off incessantly or getting them all to malfunction simultaneously may signal instability to the grid’s control centre. Spread over a wide area, this would potentially cause an abrupt shutdown of power services and may plunge entire cities into blackouts.

Fig. 4: Hacked EV chargers in Russia denouncing Putin and praising Ukraine

Interestingly, the hacking of charging stations in Russia on the M11 highway between Moscow and St. Petersburg in February 2022 enabled the hackers to publicly broadcast messages against government officials. While not exactly anti-EVs, the breach clearly shows that hacking charging networks is possible.

Enforcing EV cybersecurity 

The way around the issue has been discussed for some time and the US-based National Institute of Standards and Technology (NIST) is reportedly in the process of drafting regulations that all EV and charging infrastructure manufacturers must abide by. The regulations will aim to enforce strict encryption standards at all data transfer points and at least for the US, the plan is to have the applicants to government EV programs prove that they meet and/or exceed the standards.

Other best practices recommended by Sandia National Laboratories are:

  • Implementing secure coding and encryption practices for all connections
  • Implementing tamper-detection sensors and alarms to warn of a security breach
  • Installing firewalls and validating virtual network traffic to shield against intruders
  • Encrypting all network traffic using the FIPS 140-2 compliant cryptographic module
  • Using VLAN (Virtual Local Area Network) and network segmentation to isolate EV charger installations and prevent hackers from bruteforcing multiple networks simultaneously

The overall idea is to treat EVs and EV charging setups as computer networks — which they are — that process large amounts of sensitive data. Therefore, they must be developed, installed and protected under the same security standards that are employed to protect other computer networks. The need is very real going forward as the world rapidly progresses onto the Internet of Things (IoT) and cloud-based applications, both of which will inevitably be targeted by black hats, whether working on their own or under the direction of larger forces.

India should act early to safeguard the future of EVs

This is also an opportunity for India to set down safeguards quite early in its EV transition since EVs still account for less than 2% of its annual auto sales. The Bureau of Indian Standards (BIS) would do well to work with industry cohorts to devise cybersecurity standards that are tailor-made to Indian conditions. That would include a specific focus on heavy encryption for all payment apps, VLANs for charging parks and home chargers, as well as ensuring that the service providers accept regular spot checks to weed out any compromised systems. Ideally, a nationwide act that codifies e-mobility as a necessary addition to the economy and safeguards its implementation at all points would be excellent, foresighted policymaking.