Cyber security concerns and best practices in EV charging … – EVreporter

Pulse Energy is a start-up based out of Bangalore that offers an energy-as-a-service API for EV charging. They predominantly cater to fleet operators and help their vehicles get access to multiple EV charging networks. In this article, Akhil Jp from Pulse Energy shares the cybersecurity concerns they have noticed in this space over the last two years and recommends the best practices that Charge Point Operators (CPOs) should follow to create a secure charging ecosystem.

In our estimate, 70% of DC chargers in India are insecure. The main security breaches we have observed in the Indian EV charging ecosystem are:

Today it is possible for anyone with physical access to the charger's network cable to snoop on the traffic between the charger and the server.

Here is a typical, simplified EV charging network, where green dots represent the EV, light orange represents user information such as payments and user credentials, dark orange boxes represent the charger management system (CMS), and blue dots represent the charger.

Image source: Pulse Energy

In the majority of cases, the communication link between the charger and the CMS is insecure today. In a basic charging setup, every charger has a LAN cable that runs all the way to the modem or communication module. In an insecure system, one could place an interceptor on that cable and start capturing traffic. The interceptor can easily be built from a Raspberry Pi placed between the charger and the modem, running a simple Nginx reverse proxy with WebSocket support. Because the charger's WebSocket traffic (typically OCPP-J, which is plain JSON over WebSocket) is unencrypted on such chargers, the proxy not only sees every message but can rewrite it, including the identifiers used to authorise and bill sessions. Building one is not expensive and can be done for INR 2,000 to 3,000. Most cabinets in public charging areas are not locked, so someone can open them and place such hardware interceptors. If you are a CPO, talk to your charger OEMs about enabling TLS (secure WebSockets, wss://) so that this threat is avoided, and make sure the charger actually validates the server certificate: TLS without certificate validation still lets the interceptor present its own certificate and sit in the middle.

Image source: Pulse Energy

Many charger manufacturers do not support secure communication, although some do and some are working towards enabling it. Our attempts to promote secure communication are sometimes met with resistance from manufacturers whose hardware cannot accommodate it.
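A CPO can measure how much of its own fleet is exposed in the way described above by looking at the CMS front-end access log. The following is an added example, not code from Pulse Energy or any CMS vendor. It assumes the CMS sits behind a reverse proxy whose access log uses a hypothetical format of `<iso-time> <client-ip> <scheme> <ssl_protocol-or-dash> "<request-line>"`, and that the charge point id is the last path segment of `/ocpp/<id>`; the log lines in the block are constructed, not from a real deployment.

```python
"""Audit a CMS front-end access log for chargers that connect over plain
WebSocket (ws://) or with an outdated TLS version.

Added example, not Pulse Energy's or any CMS vendor's code. Assumes the CMS
sits behind a reverse proxy whose access log (hypothetical format) records
    <iso-time> <client-ip> <scheme> <ssl_protocol-or-dash> "<request-line>"
and that the charge point id is the last path segment of /ocpp/<id>, the
usual layout for OCPP-J connections.
"""
import re

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<scheme>https?) (?P<tls>\S+) "(?P<req>[^"]*)"$'
)
REQ_RE = re.compile(r"^GET /ocpp/(?P<cp>[^ /]+) HTTP/1\.[01]$")

ACCEPTED_TLS = {"TLSv1.2", "TLSv1.3"}
SEVERITY = {"OK": 0, "WEAK_TLS": 1, "PLAINTEXT": 2}

# Constructed sample lines, not from a real deployment.
SAMPLE_LOG = """\
2023-07-01T10:00:01Z 10.0.5.21 http - "GET /ocpp/CP-BLR-0007 HTTP/1.1"
2023-07-01T10:00:02Z 10.0.5.22 https TLSv1.2 "GET /ocpp/CP-BLR-0012 HTTP/1.1"
2023-07-01T10:00:03Z 10.0.5.23 https TLSv1 "GET /ocpp/CP-BLR-0031 HTTP/1.1"
2023-07-01T10:00:04Z 10.0.5.24 https TLSv1.3 "GET /ocpp/CP-BLR-0044 HTTP/1.1"
2023-07-01T10:00:05Z 10.0.5.21 http - "GET /ocpp/CP-BLR-0007 HTTP/1.1"
2023-07-01T10:00:06Z 10.0.5.30 https TLSv1.2 "GET /healthz HTTP/1.1"
not a log line at all
"""


def classify(line):
    """Return (charge_point_id, finding) for an OCPP connect, else None.

    finding is "OK", "PLAINTEXT" (ws://, readable and rewritable by anyone
    on the LAN cable) or "WEAK_TLS:<version>".
    """
    m = LINE_RE.match(line)
    if m is None:
        return None
    r = REQ_RE.match(m["req"])
    if r is None:
        return None
    cp = r["cp"]
    if m["scheme"] == "http":
        return cp, "PLAINTEXT"
    if m["tls"] not in ACCEPTED_TLS:
        return cp, "WEAK_TLS:" + m["tls"]
    return cp, "OK"


def audit(log_text):
    """Map charge point id -> worst finding seen across all its connections."""
    worst = {}
    for line in log_text.splitlines():
        res = classify(line)
        if res is None:
            continue
        cp, finding = res
        rank = SEVERITY[finding.split(":")[0]]
        if cp not in worst or rank > SEVERITY[worst[cp].split(":")[0]]:
            worst[cp] = finding
    return worst


def insecure_share(findings):
    """Fraction of audited chargers whose worst connection was not OK."""
    if not findings:
        return 0.0
    return sum(1 for f in findings.values() if f != "OK") / len(findings)


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for cp, finding in sorted(result.items()):
        print(cp, finding)
    print("insecure share: {:.0%}".format(insecure_share(result)))
```

The worst observation per charger is what matters: a charger that connected over TLS yesterday and over ws:// today has a plaintext fallback path, and that is the one an interceptor will get. Run this against a day of logs before asking an OEM for a firmware fix, so the request comes with the list of affected charge point ids.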

Below are a few examples of how these vulnerabilities can be exploited.

Every CPO is trying to enable easy charging access through their mobile app or website. Below are a few basic best practices that can be implemented with low effort.

Image source: Pulse Energy

Certificate pinning

If you have an EV charging app, make sure that it does certificate pinning. This means the app trusts only the certificate (or public key) you have pinned, so it will talk only to your server, even if an attacker holds a certificate for your domain issued by some other CA that the phone trusts. Pin the root or intermediate CA certificate rather than the leaf if you want to avoid shipping an app update every time your domain certificate is rotated, and always ship at least one backup pin so that a CA change does not lock users out of the app. Certificate pinning protects the app-to-cloud leg against man-in-the-middle attacks; it does nothing for the charger-to-cloud leg, which needs the next measure.

Enable secure WebSockets (TLS)

Ask your charger OEM to support secure WebSockets (wss://). Getting CMS vendors to enable TLS is easy, but it achieves nothing if the charger hardware cannot speak it, because the charger will keep connecting over plain ws://. In OCPP terms this is Security Profile 2 (TLS with a server certificate that the charger validates, plus HTTP Basic authentication) or Security Profile 3 (mutual TLS with a client certificate per charger). Either prevents MITM (man-in-the-middle) attacks between the charger and the cloud server; a charger that negotiates TLS but skips certificate validation does not.
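The two transport measures above (pinning on the app side, TLS with certificate validation on the charger side) come down to the same client-side settings. The block below is an added example using only Python's standard `ssl`, `hashlib` and `base64` modules; it is not code from Pulse Energy, any charger OEM or any CMS vendor. The `*_DER` byte strings are constructed stand-ins for the DER certificates a real client would obtain from its TLS library after normal chain validation, and the pin format (`sha256/` plus base64) is the one used by HPKP and OkHttp-style pinning.

```python
"""Transport hardening for the app-to-cloud and charger-to-cloud legs:
refuse ws://, require TLS 1.2+ with a validated server certificate, and
pin a certificate from the chain (root or intermediate, so the leaf can
rotate freely).

Added example using only Python's ssl, hashlib and base64; not code from
Pulse Energy, any charger OEM or any CMS vendor. The constructed *_DER
byte strings stand in for DER certificates a real client would obtain
from its TLS library after the normal chain validation succeeded.
"""
import base64
import hashlib
import ssl
from urllib.parse import urlparse


def endpoint_allowed(url):
    """Only wss:// central-system URLs may be configured on a charger or app."""
    return urlparse(url).scheme == "wss"


def build_tls_context(ca_pem=None):
    """Server-authenticated TLS, 1.2 or newer, hostname checked.

    ca_pem: optional PEM bundle for a CPO-private CA (assumption); by default
    the platform trust store is used.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)
    return ctx


def describe_context(ctx):
    """The settings a reviewer would check on a shipped client."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
    }


def pin_of(der_bytes):
    """'sha256/<base64>' pin over the given DER bytes.

    Hashing a whole certificate is fingerprint pinning; hashing only its
    SubjectPublicKeyInfo would be public-key pinning, which survives
    re-issuance of a certificate under the same key.
    """
    digest = hashlib.sha256(der_bytes).digest()
    return "sha256/" + base64.b64encode(digest).decode()


def chain_is_pinned(verified_chain_der, pins):
    """Accept the connection only if some certificate in the already-validated
    chain matches a pin. Pinning the root/intermediate keeps leaf rotation
    painless; keep a backup pin so a CA change cannot brick the app."""
    pinset = set(pins)
    return any(pin_of(cert) in pinset for cert in verified_chain_der)


# Constructed stand-ins, not real certificates.
ROOT_DER = b"constructed: CPO root CA certificate DER"
LEAF_DER = b"constructed: cms.example.com leaf certificate DER"
ROGUE_DER = b"constructed: attacker-issued leaf certificate DER"
# Primary pin on the root plus a placeholder backup pin for the next root.
PINS = [pin_of(ROOT_DER), "sha256/PLACEHOLDER-backup-pin-for-next-root"]


if __name__ == "__main__":
    print(describe_context(build_tls_context()))
    print("legit chain pinned:", chain_is_pinned([LEAF_DER, ROOT_DER], PINS))
    print("rogue chain pinned:", chain_is_pinned([ROGUE_DER], PINS))
```

The pin check runs after, not instead of, ordinary chain validation: `build_tls_context` keeps `CERT_REQUIRED` and hostname checking, and `chain_is_pinned` only narrows the set of chains that are accepted. A charger firmware that disables validation to "make TLS work" would pass neither step, which is the caveat to raise with the OEM.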

Obfuscation

Enable code obfuscation in your EV charging app. Reverse engineering mobile apps is easy these days, and a poorly protected app leaks hardcoded secrets and payment gateway keys; an attacker can reconstruct entire API requests and learn which keys those APIs expect. Obfuscation raises the effort required but does not hide a secret from a determined reverse engineer, so treat it as a complement to the next point, not a substitute for it.

No hardcoded keys

There are applications and websites out there that embed keys with which anyone can start and stop charging sessions. This must be actively avoided: a key shipped inside an app is effectively public. Issue per-user credentials from the server after login instead, keep them short-lived, and authorise each start or stop against the user they were issued to.
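To make the difference concrete, here is an added example (standard library only) contrasting a start-session call guarded by a single app-wide key with one guarded by a server-issued, short-lived, user-bound token. It is not Pulse Energy's or any CPO's real API; `start_session`, `issue_token`, the key and the secret values are hypothetical, and the login step that would precede `issue_token` is out of scope.

```python
"""Why a key baked into the app is dangerous, and what to issue instead.

Added example (standard library only); not Pulse Energy's or any CPO's real
API. start_session, issue_token and the key/secret values are hypothetical.
"""
import base64
import hashlib
import hmac
import json

# --- Vulnerable pattern: one static key shipped inside the app binary -------
APP_API_KEY = "pk_live_hardcoded_in_apk"  # constructed; anyone who unpacks the app has it


def start_session_shared_key(api_key, user_id, charger_id):
    """The key proves 'this is our app', not 'this is user X', so a leaked key
    lets anyone start or stop sessions and bill them to any user they name."""
    if not hmac.compare_digest(api_key, APP_API_KEY):
        return "rejected"
    return "started:{}:billed_to:{}".format(charger_id, user_id)


# --- Hardened pattern: server-issued, short-lived, user-bound token ---------
SERVER_SECRET = b"constructed server-side secret, never shipped in the app"


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, now, ttl=900):
    """Issued by the server after the user logs in (login itself is out of scope).
    Claims are signed with a secret that exists only on the server."""
    payload = json.dumps({"sub": user_id, "exp": int(now) + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return b64url_encode(payload) + "." + b64url_encode(sig)


def verify_token(token, now):
    """Return the user id the token was issued to, or None.
    Constant-time MAC comparison before any claim is trusted; expiry enforced."""
    try:
        p, s = token.split(".")
        payload, sig = b64url_decode(p), b64url_decode(s)
    except ValueError:  # wrong shape or bad base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def start_session(token, charger_id, now):
    """The session is billed to whoever the token names; there is no app-wide
    key to leak, and a stolen token dies with its expiry."""
    user = verify_token(token, now)
    if user is None:
        return "rejected"
    return "started:{}:billed_to:{}".format(charger_id, user)


if __name__ == "__main__":
    now = 1_700_000_000
    # Leaked shared key: attacker starts a session and bills it to alice.
    print(start_session_shared_key(APP_API_KEY, "alice", "CP-BLR-0007"))
    tok = issue_token("alice", now)
    print(start_session(tok, "CP-BLR-0007", now + 10))
    # Attacker swaps the claims but cannot re-sign them: rejected.
    forged = b64url_encode(b'{"sub":"bob","exp":9999999999}') + "." + tok.split(".", 1)[1]
    print(start_session(forged, "CP-BLR-0007", now + 10))
    # Same token after its lifetime: rejected.
    print(start_session(tok, "CP-BLR-0007", now + 900))
```

The point is not the token format (a standard JWT library does the same job) but where the secret lives: in the hardened pattern the app never holds anything that would let a reverse engineer act as another user, so obfuscation is no longer the last line of defence.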

Over the last couple of years, the Indian EV charging industry has been growing rapidly, and everyone has been trying to keep up. We have now reached an inflection point where we need to focus on strengthening our systems. This applies to us too; Pulse Energy is not perfect either. We have a long way to go, and each of us has to make trade-offs. However, it is crucial for every developer working in this field to be well informed about security measures and to prioritise making chargers and cloud interfaces more secure.

This article was first published in EVreporter July 2023 magazine.

