Why the Cybersecurity of Charging Stations Remains a Challenge

Over the past fifteen years, Dutch companies have been at the forefront of expanding charging infrastructure for electric vehicles worldwide. Brands like Alfen, EVBox, Fastned, and NewMotion, which was acquired by Shell, are known in the Netherlands and abroad as pioneers who ensure that electric vehicle drivers can top up their batteries wherever they go.

These commercial successes are underpinned by successful consortiums and industry standards. Perhaps the most successful standard is the Open Charge Point Protocol (OCPP), a network protocol that allows charging stations to communicate with the central management systems of charging station operators (CPOs). OCPP is developed by a consortium called the Open Charge Alliance, based in Arnhem, the Netherlands.

On November 20, 2018, the Open Charge Alliance released the first version of a whitepaper titled “Improved Security for OCPP 1.6-J.” Since then, this paper has been revised twice, with the latest edition from February 2022 available for download here.

Despite this security whitepaper approaching its fifth anniversary and the undeniable importance of security, the recommendations from this security whitepaper are still far from being implemented everywhere in the charging industry. We at Infuse (an ihomer company) receive regular inquiries from CPOs about what this security whitepaper means for their business. In this article, we explain what you should do with the security whitepaper and why it’s high time to start working with it.

The security issue of OCPP

Charging stations are almost always connected to a server system to manage billing and present availability to electric vehicle drivers in navigation apps. Well-designed cybersecurity measures are essential to protect the personal data of electric vehicle drivers and prevent fraud and misuse by malicious actors.

In our daily lives, measures for cybersecurity have become commonplace. We check for the padlock symbol in the browser’s address bar when logging into our bank accounts, and when using a banking app to make a payment via a QR code on a new phone, the phone requests permission for the app to access the camera.

However, for most charging stations, security measures are far from obvious, despite the clear necessity. In the immature market of the 2000s and 2010s, security was not a top priority. Additionally, not only are charging stations relatively new, but so is the Internet of Things, of which these charging stations are almost always a part. The Internet of Things consists of all “smart” devices connected to digital cloud services.

The technology used to connect devices to the Internet of Things has only recently begun to mature. Hilarious stories about “smart” microwaves breaking due to a firmware “update” and less amusing news about criminals accessing security cameras have increased awareness of the risks. Manufacturers are making more efforts, and governments are beginning to formulate safety requirements for internet-connected devices.

In 2017, the situation with charging stations and OCPP was abysmal. At a Chaos Computer Club congress, ethical hacker Mathias Dalheimer gave a presentation in which he ruthlessly cut down the security of an OCPP charging station. Fortunately, many representatives from the charging industry were in the audience and indicated their willingness to work on improvements.

What the Security Whitepaper does

More than a year and a half later, the OCA released its security whitepaper. The security whitepaper describes how to secure connections with version 1.6 of OCPP. The term “whitepaper” doesn’t really do it justice; the document is more like a specification with requirements. These requirements largely align with the security requirements included in the later OCPP version 2.0.1.

What do these requirements bring us? First, the implementation guarantees the following four properties of secure communication in the communication between CPOs and charging stations:

1. Confidentiality: Only the sender and receiver can see the content of a message.
2. Integrity: The message arrives at the receiver without intentional or unintentional alterations.
3. Authenticity: The receiver and sender are certain of each other’s identity.
4. Non-repudiation: The sender cannot later deny sending the message.

Additionally, the security whitepaper includes requirements that add two extra security features to OCPP:

• A log of security incidents that the charging station must keep and transmit to the management system upon request.
• A new, safer procedure for performing firmware updates.

On the world wide web, the Transport Layer Security (TLS) standard was introduced in the late 1990s to ensure these four properties of secure communication when communicating between web browsers and web servers. Nowadays, this standard is also widely used for the Internet of Things. It’s not surprising that OCPP has chosen to use TLS to secure communication connections.

The choice of TLS allows CPOs to use widely deployed web software to secure communication with the charging station, reducing the required investment and development time.

Challenges in implementation

If the security whitepaper offers so many improvements, why isn’t it being used by all CPOs? There are several reasons.

First, technical debt plays a role. Many of the providers now active in charging have been in the business for ten to fifteen years. In the early years, they often improvised solutions to get their charging networks off the ground. Thanks to their pioneering spirit, the Netherlands leads in vehicle charging, but these systems are often not secure. These providers now want to work more securely, but many of their charging stations and software systems were built insecurely. Converting these existing, functioning systems to a secure state is expensive and time-consuming. In practice, it’s more costly to upgrade an existing insecure network to a secure state than to build a new secure network. CPOs are concerned about the cost of developing new secure firmware for old charging stations and the risks of modifying insecure but critically important software systems.

Second, security is often seen as a technical matter, even though securing a charging station network also requires changes to the production and business processes of the CPO beyond the IT department.

As an example of a business process that needs to be established, consider issuing and managing the secrets for charging stations.

To securely connect a charging station to a management system, the charging station requires a secret, such as a password or a private key. A CPO must establish a process to create these secrets, install them on the charging station, ensure that they are recognized by the management system, and, most importantly, keep the secrets secret. They will have to decide whether the manufacturer of the charging station or the operator creates and installs the secrets on the charging station. In both cases, considerations must be made for how the management system recognizes the correct secrets, even when the manufacturer has no direct relationship with the CPO, and the charging station has ended up in the CPO network through intermediaries or acquisitions.

If something goes wrong with the management of such a secret, a charging station will no longer be able to connect to the management system. Customer service and technical support of the CPO must be able to recognize and resolve such a problem. This is especially challenging because the charging station is no longer connected to the management system via OCPP, so most procedures for remote problem resolution will no longer work.

In summary, if a CPO adds security features to their software thoughtlessly, without being prepared to face the operational consequences and adapt business processes beyond the software department, these security features will lead to operational issues and will soon be turned off.

Why you need to bite the bullet anyway

While there are understandable reasons why the adoption of the security whitepaper has been slow, we at Infuse hope and expect that it won’t take another five years for it to become common for CPOs to use the security whitepaper, or OCPP 2.0.1, which offers the same security features.

This expectation is driven by multiple mutually reinforcing developments. First, governments are including cybersecurity requirements in tenders and subsidy programs. Second, through mergers and acquisitions, smaller CPOs without specialized cybersecurity knowledge are being consolidated into larger, more professional organizations that are more aware of the risks. Third, newer versions of standards, such as OCPP 2.0.1, provide clear security requirements and recommendations, in contrast to earlier versions like OCPP 1.6 and particularly OCPP 1.5.

A fourth development is that many countries are now, albeit later than the Netherlands, beginning the serious deployment of public charging infrastructure. These countries will try to improve upon the solutions developed in the Netherlands. They will set higher requirements for non-functional aspects such as consumer protection and cybersecurity than we are accustomed to in the Netherlands. This is already evident in practice with the Electric Vehicle Supply Equipment Standards Regulation in California and the NEVI investment program of the U.S. federal government. If Dutch charging station manufacturers and operators want to do business in America, they will have to meet the high American expectations.

A fifth reason that CPOs will address security is that technical implementation is becoming easier due to the increasing availability of ready-made software components for charging station management and OCPP communication. At the time of writing, there are 564 projects on GitHub containing code related to OCPP. Commercially, there are many providers of charging station management systems and ready-made firmware modules, from established players like Driivz and has.to.be to relative newcomers like Pionix.

The security whitepaper and Infuse

Infuse and its predecessors have been involved with the security whitepaper from the beginning. We have gained experience in implementing various features from the security whitepaper at several leading companies in the European charging market. In doing so, we also consider the necessary operational changes for a secure and pleasant customer experience.

Would you like to have an informal discussion with us about security and OCPP? Email us at info@infuse-ev.com or call ihomer at +31 88 44 66 300. Or take a look around first at https://infuse-ev.com/.