While the Biden administration pushes carmakers to electrify their products to help address the climate crisis, the main U.S. agency for technology and competition is pressing for cybersecurity guidelines for the industry to guard against domestic and international hacking.
New draft guidance from the National Institute of Standards and Technology calls for companies building ultrafast charging networks to secure digital payment systems on charging stations and the EV equipment that connects to the wider power grid.
Without basic cybersecurity guidelines or standards for EV charging stations, companies could connect equipment that might be vulnerable to hackers. “It’s kind of like ‘Bring your own device to the grid,’” said Megan Samford, chief product security officer for energy management at Schneider Electric, which makes EV charging equipment and other devices that connect to electric grids, such as solar panels.
Researchers have warned that hackers could infiltrate EV charging networks to steal customer data or cause damaging effects to the electric grid and potentially engineer blackouts. There is a rush to increase electric vehicle production and adoption in the U.S. and in Europe, which raises risks that cybersecurity protections could be an afterthought, analysts say. In April, the Biden administration proposed tougher car emissions targets to accelerate the transition to EVs and has called for EVs to make up half of all new vehicle sales by 2030.
A 2021 U.S. infrastructure law gave states $7.5 billion in funding to expand EV charging stations. Security guidance at the time asked states to adopt “appropriate” cybersecurity strategies to protect data and systems, but gave states leeway to specify how.
Security experts at NIST started working on more specific, though voluntary, steps last fall, said Jim McCarthy, a senior security engineer at NIST and one of the authors of the guidelines.
“Now people can point to this and say, ‘OK, let’s start here. We can conduct all of our subsequent cybersecurity analysis and mitigation based on what’s provided in this,’” McCarthy said.
In a recent analysis of 12 unnamed EV charging products, Sandia National Laboratories found security flaws including openly displayed usernames, passwords and credentials that hackers could modify or use to configure some equipment. Some products had stronger security safeguards.
Charging infrastructure includes both operational technology common in critical industries like energy, and information-technology systems ubiquitous in other businesses, according to NIST. Often companies treat those systems separately, but NIST recommends considering their common cybersecurity risks because of the interdependencies in EV charging.
Malware that could infect EV charging equipment and spread among stations is the most concerning cyber threat, McCarthy said. “If somebody can’t charge their car at the time they need to because of some malware or some sort of cybersecurity attack, that’s a big problem,” he said.
NIST also recommends protecting networks through encryption, firewalls and antivirus software. Companies should use logging tools for “extended periods” to help with forensic analyses, the document says. After a cyberattack, logs help companies analyze how hackers got in.
NIST is collecting comments from the public until Aug. 28 and then plans to finalize the guidelines.
Write to Catherine Stupp at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved.