The global push to meet rising electric vehicle (EV) adoption with sufficient EV smart charger infrastructure is astounding. Bloomberg estimates the global charging infrastructure market opportunity to be $1.9T between 2022 and 2050. That opportunity will be seized by a host of organizations both large and small, public and private. From EV fleet depots to fast charging stations along highways, parking garage smart chargers for employees and home chargers, EV supply equipment (EVSE) is already becoming a common sight.
With smart chargers like the Enel X Way JuiceBox and JuicePump being installed more frequently, a new set of cybersecurity risks has emerged that could affect both EVSE owners and individuals using public smart chargers.
These risks are broad: anyone who uses public EVSE is susceptible at least while their EV is plugged in, whether they are paying or not, as is any organization that owns a smart charger (i.e. one connected to the internet).
Cybersecurity threats to EVSE also run deep—the personal information given by EV drivers ranges from credit card information linked to names and home addresses all the way to vehicle identification numbers (VINs). EVSE owners give up names and addresses linked to their EVSE, as well as customer data logs and sometimes bank information. Skilled hackers could even target vehicles themselves, posing a risk to drivers’ safety.
How could cyberattackers target EV charging?
Attacks could range from harvesting credit card and personal data to making fraudulent purchases, or piecing together personal data and VINs to steal identities.
More sophisticated attackers could take remote control of a whole fleet of EV chargers and shut them down or ransom their functioning, forcing organizations to choose between indeterminate downtime and making a payout. Or, as has already been documented, they could access vehicle controls and tamper with EVs while they’re plugged in.
What we’ve seen so far: Why we need EV charging cybersecurity
As of mid-2023, reported cyberattacks on EV chargers have been few and minor, including explicit images being displayed on EVSE screens in England and several incidents of hackers tampering with the functionality of vehicles plugged into public chargers.
Major organizations have yet to be targeted, but in 2023 a cybersecurity company (so-called “white hat” hackers) exposed a dangerous vulnerability in Shell’s EVSE data logs. The company was alerted to an unprotected internal database containing millions of EV charging logs from Shell’s smart charging network.
These logs revealed the personal information of EV drivers and smart charger owners, both individuals and organizations operating EVSE fleets. Information included names, phone numbers, email addresses, physical addresses, and even VINs in some cases. Shell has since been able to secure the leak, but the incident revealed how vulnerable EV chargers are to cyberattack.
Best practices in EV charging cybersecurity
The National Institute of Standards and Technology (NIST) has developed a cybersecurity framework to help organizations manage and reduce their cybersecurity risk. It consists of five functions—identify, protect, detect, respond, and recover. Together those functions cover the full breadth of cybersecurity, and enable organizations to work both proactively and reactively.
It’s an important starting place for any site host, charge point operator (CPO), or EVSE manufacturer, but it isn’t enough. To ensure the highest degree of security for its network of smart chargers globally, Enel X Way employs an eight-part cybersecurity framework that builds on the NIST framework. Enel X Way’s framework includes a dedicated Cyber Emergency Readiness Team (CERT) and a rigorous assurance component with audits against global standards in data protection and cybersecurity.
With access to every Enel X Way smart charger globally, the CERT is constantly looking for and eliminating security threats across the Enel X Way network. The team monitors Enel X Way’s EV charger network year-round, working proactively to ensure the network doesn’t get compromised. When issues do arise, they work cross-functionally with other departments to unify responses, and perform forensic investigations to make sure security gaps are closed.
Beyond the CERT and security framework, Enel X Way participates in five cybersecurity auditing programs globally:
- Service Organization Control (SOC) 1 Type 2—assesses the effectiveness of controls and processes Enel X Way has in place to protect clients' financial information. It evaluates data protection, system access, incident response, third-party risk management, and compliance with regulations.
- SOC 2 Type 2—directly evaluates cybersecurity controls, focusing on security, availability, processing integrity, confidentiality, and privacy.
- International Organization for Standardization (ISO) 27001—internationally recognized framework for information security management systems, which helps Enel X Way identify and address information security risks, enhance security, and protect sensitive information.
- Federal Risk and Authorization Management Program (FedRAMP)—a US government program that standardizes the security assessment, authorization, and continuous monitoring of cloud services.
- Cyberspace Administration of China—cybersecurity laws and regulations specific to China, including the implementation of required security measures, data protection practices, incident response capabilities, and adherence to content control guidelines.
Beyond those routine audits, Enel X Way complies with several information protection acts and regulations, including the:
- California Consumer Privacy Act (CCPA)
- European Union General Data Protection Regulation (GDPR)
- Canada Personal Information Protection and Electronic Documents Act (PIPEDA)
Together these form a tight web of cybersecurity that ensures Enel X Way EVSE owners and users can charge safely, no matter when or where in the world. Moreover, these practices are always being refined. As EV charging cybersecurity risks evolve, so does Enel X Way’s strategy to meet them.
As EV charging infrastructure expands globally, choosing a provider with strong cybersecurity practices is vital, whether you’re purchasing a single smart charger for home or hundreds of chargers for an EV fleet. By partnering with a provider known for its robust cybersecurity measures, you ensure that sensitive information like personal data and payment details remains secure.