UK Encouraged to prioritise cybersecurity with EV charging points

In a move to propel the Electric Vehicle (EV) transition within the UK, the Department for Transport has announced new measures to accelerate the installation of EV infrastructure following the announcement in December to install 30,000 new charge points. This will be done through offering grants to public schools, nurseries, and local authorities. With that said, industry leader Bureau Veritas emphasises the critical need to also focus on cybersecurity risks associated with the growing EV infrastructure, especially with the recent National Grid warning associated with EV owners.

George White, Senior Consultant for EV charging at Bureau Veritas brings attention to the vulnerabilities in the EV space and how they can be addressed:

“In the pursuit of this electrified future, the digital aspect is rife with evolving cybersecurity threats that could potentially compromise the integrity of EV charging points. Unauthorised access through unprotected network or peripheral device interfaces poses a huge risk, as does firmware-based attacks that manipulate voltage settings, potentially causing major damage.

The UK Electric Vehicles (Smart Charge Points) Regulations 2021, is fundamentally the first place to start, which states that charge points must be designed, manufactured, and configured to provide appropriate protection:

against the risk of harm to, or disruption of, the electricity system
against the risk of harm to, or disruption of, the relevant charge point
for the personal data of the owner and any other end-user of the relevant charge point

“Ensuring the supplier of charge points adheres to this before they ship is key to ensuring that the right levels of security are maintained over its lifetime. Before charge points are shipped, we recommend thorough pre-installation inspections. This includes scrutinising passwords, ensuring software is up to date, validating security configurations, secure communication, data inputs, and ease of use. These assessments aim to identify and rectify security gaps before installation, saving time and resources.

“Firstly, the software must be capable of secure updates, employing cryptographic measures to protect against cyber-attacks. Regular security checks during setup and periodic updates are also essential, with owners responsible for verifying the authenticity and integrity of each update. Furthermore, sensitive security considerations, such as credentials, should be stored securely, avoiding hard-coded information, and designed to verify authorised access.

“Charge points must also be able to encrypt all communications to maintain the confidentiality and integrity of transmitted data, preventing unauthorised access or tampering. Along with this, the configuration should verify data inputs, discarding unverified data to prevent potential security vulnerabilities. Lastly, and quite importantly, for user convenience and compliance with privacy regulations, charge points should be designed for ease of use, minimising owner inputs, and allowing straightforward deletion of personal data.

“Cybersecurity is not a luxury but a necessity in the EV space. Bureau Veritas’s comprehensive approach, from third-party risk reviews to ongoing maintenance assessments, ensures a robust cybersecurity framework for the entire EV ecosystem, that we encourage companies to incorporate into their security measures and planning”.

Secura, a Bureau Veritas company, offers its cybersecurity services as three standalone engagements or as part of a holistic program. The services include third-party risk reviews, pre-installation inspections, and ongoing maintenance and maturity assessments, and also ensures the reliability and security of EVCS in Europe.