Public utility commissions, transportation regulators and privacy watchdogs are increasingly asking charging providers: what steps are being taken to keep North America’s charging infrastructure safe and working in the face of growing cybersecurity risks? This blog post explains why cybersecurity matters for EV charging, what station buyers should look for when selecting a station and network provider (such as third-party certification), the benefits of System and Organization Controls (SOC 2) Type 2 certification as one such third-party certification, and key steps station owners can take to help minimize their exposure to cybersecurity risk.
One thing to keep in mind is that, as with any discussion of cybersecurity, this is an evolving and dynamic space. Cybersecurity standards are progressing, and FLO’s perspective is that the more the charging industry collaborates and works toward solutions, the better we can protect station reliability and sensitive user data.
Why does cybersecurity matter for EV charging?
Charging stations are critical infrastructure because they power a growing proportion of North America’s vehicles. That’s why reliability has been and continues to be. Further, those looking to add charging stations are increasingly asking about cybersecurity when selecting EV chargers.
It goes without saying, but cybersecurity is not just an EV charging issue. Cybersecurity concerns have also been raised for oil and gas facilities and pipelines. This is part of a broader conversation about the cybersecurity of internet-connected devices (IoT or Internet of Things) and critical infrastructure generally. Recent media coverage has highlighted risks to both connected vehicles (of any propulsion type) and chargers. In short, because almost all public charging stations are connected to smart devices, they have the potential to become the weak link that a bad actor exploits to gain access to or control of sensitive information or critical infrastructure. It is vital that charging station and charging network providers take their cybersecurity obligations seriously.
A secondary risk relates to the way our utility grids work. Power grids must keep electricity demand and supply in balance to operate effectively. Normally, utilities and electricity system operators can expect that a certain percentage of electrical appliances are in use, and they balance the power available accordingly. Some commentators warn that if a malicious actor gained control of enough electrical appliances (including charging stations) in a region, they could seriously disrupt the power grid, for example by switching many of them on or off at once or drawing more power than expected.
What should station purchasers look for?
Emerging standards in the EV charging market increasingly demonstrate that charging providers are designing and operating with cybersecurity in mind, while also offering the added assurance of third-party audits. In general, security should be built into product architecture following the “defense in depth” principle. This means that even if one line of defense is compromised, additional layers exist to help maintain security. Leading networks are constantly evaluating the threat landscape and working to harden their defenses. EV charging is not just one technology; it typically combines hardware, connectivity, software and firmware, and payment. It can therefore be helpful to break EV charging down into these critical elements to understand vulnerabilities and recommended safeguards, since a comprehensive cybersecurity risk analysis needs to cover the full technological landscape.
The following table highlights different elements of the charging experience and cybersecurity certifications that can help indicate a provider’s focus on cybersecurity. Please note that this table reflects what FLO believes to be a good set of best practices as of the time of this post, but it is not intended to be an exhaustive review of all security-related standards and practices in the industry.
| Charging element | Leading cybersecurity certification or practice | Other elements to keep in mind |
| --- | --- | --- |
| Network operations (back end) + overall corporate | | |
| Physical station security | | |
| Payment | | |
| Station controls and communication | | |
FLO selected SOC 2 Type 2 certification as its primary organizational cybersecurity framework because (1) it is audited, giving our customers important assurances that, when it comes to cybersecurity, FLO walks the talk and (2) it aligns with and helps ensure FLO’s compliance with several regulatory frameworks and standards that are critical to our customers and EV drivers, including General Data Protection Regulation (GDPR), Health Insurance Portability and Accountability Act (HIPAA), and California Consumer Privacy Act (CCPA).
SOC 2 Type 2 covers a wide range of cross-cutting security controls and supports operational effectiveness over time. It evaluates the implementation and effectiveness of controls over a period of a year, rather than at a single point in time, giving a comprehensive view of how an organization’s security posture evolves.