As the world transitions from combustion-engine to electric vehicles, there are a host of risks to be mindful of. Managing these will be important in order to grow trust in the sector.
Could a state cause a mass shutdown of electric vehicles (EVs) at the press of a button? Can hackers access and control other people’s vehicles? Could someone listen in via an EV’s microphone? While there are clear cyber security risks to EV devices, we must move past speculation and hyperbole and be guided by risk-based assessments. There are also many risks beyond cyber that we will have to manage when it comes to EVs.
EVs are the Future of Road Transport
Today, there are around 1.2 billion cars on the world’s roads. An overwhelming 97% of these vehicles are internal combustion engine vehicles, contributing around 10% of global CO2 emissions.
In many countries, within the next 10 to 15 years, climate targets are likely to translate into government policies banning or disincentivising the sale of vehicles running on fossil fuels. DNV’s Energy Transition Outlook predicts that 50% of global passenger vehicle sales will be electric by 2033, with the market moving fastest in Europe and China.
By 2050, we expect there will be around 2 billion passenger vehicles on the road, but emissions will fall dramatically from this sector as two thirds of cars on the road in 2050 will be battery electric – having outcompeted internal combustion engines due to high efficiency and low cost of fuel per distance travelled, together with supportive policies.
In Cyber, It’s About Digital Transformation and Security, Not Battery vs Combustion Engine
From a cyber security perspective, the transition is not one from internal combustion engines to battery electric. It’s one from vehicles with digital extras to fully digitally transformed, fully interconnected vehicles. Dozens of computers and hundreds of sensors operate and optimise brakes, electric flow, charging and many other functions within just one vehicle, always communicating with one another, and connecting via 4G and soon 5G networks to infrastructure, third-party services, and other vehicles.
Such innovations in EVs have great potential to reduce emissions, increase safety, maximise efficiency and make personal transport a more comfortable experience. But the technology and systems being developed and applied don’t always fully consider the security ramifications.
One example would be a control system that ‘sees’ the position of other cars, enabling vehicles to travel in clusters to save energy when they share a travel path. But this means sharing data extensively, and it creates a hefty attack vector. If the data is not anonymised, it could be used to track a person and their behaviour.
Should We Worry About a Big Red Button?
It is the more recent connection of operational technology (OT) – the control systems that manage, monitor, automate and control a vehicle’s physical components – to wider IT and the internet that is generating cyber security concerns.
Particularly, the question of a kill switch, in which an attacker could use a back door to shut down a vehicle completely, has recently made headlines. This is possible if a vehicle is connected to the outside world. And once access to one system in a vehicle has been obtained, there is potential to hack into the others.
But looking at this from a risk perspective, what would be the reason for a kill switch or other dramatic hacks on the OT of EVs? States and car manufacturers care about the economy and good business, and if a kill switch was ever used or even discovered, that business and part of the economy would be severely damaged.
From a societal perspective, if an attacker wants to cause widespread disruption, what’s the best way to do this? Is it to shut down individual EVs, or to target wider energy infrastructure, from wind farms to power stations and the grid? If widespread disruption is the attacker’s aim, then energy infrastructure would be their primary target.
For an indication of what weaponised attacks on critical infrastructure look like, and how interconnected assets are, we need only look to the Russian cyber attack on satellite internet operator ViaSat in early 2022. This affected customers in Ukraine, but also deactivated thousands of wind turbines in Germany when their satellite-dependent monitoring systems were taken offline.
Attacks on infrastructure such as on satellites could affect EVs that depend on them. From another perspective, the proliferation of EV charging stations and related devices being connected to the grid is widening the attack surface. Many connected devices may not have been designed with cyber security in mind, or at the very least these devices may not be linked up in the best way to reduce vulnerabilities and manage security. This points to the operational security of EVs being more of an infrastructure issue, with the potential for power grids to be shut down.
From car manufacturers’ perspective, reputational and financial damage caused by a competitor or other actor is a more likely risk. Vulnerabilities could be exploited to cause comparatively minor operational issues affecting a vehicle’s charging, efficiency or range. To manage this risk, manufacturers need to secure their supply chains and ensure the security of third-party vendors. This also presents an opportunity to gain competitive advantage through demonstrating credentials as the secure option.
For the people driving EVs, attacks on OT are unlikely to present a personal security risk beyond the wider effects on society. It’s much more likely that the greatest risk will be posed by personalised data extracted from what is essentially a giant array of sensors.
The World’s Best Spy Tool?
Back to the big red button. If you were targeting someone as a security threat, would you shut down their car with the obvious repercussions for doing so, or would you silently gather data from it instead? The greatest personal EV risk is the ability to monitor and gather data.
Rather than comparing EVs to energy assets like wind farms, we could compare them to the home electric meter, in that they gather personal data and give insights into individuals’ behaviour. They are in the realm of consumer devices connected via home Wi-Fi networks. But unlike the home electric meter, an EV also travels with the individual and connects to many other devices and systems. Access to the data gathered – via hacking or simply by misuse – could present a security or at least a privacy risk. Yes, cameras and microphones could potentially be hacked, but the same could happen to a microphone in a combustion vehicle or many other devices we use daily.
The difference is that an EV may not even need to be hacked to present a risk. The integrity of data may be the bigger issue. A service station – likely operated by mechanics, not cyber or data specialists – may access systems and download data when servicing a vehicle. There isn’t always transparency about how organisations treat the data, whether it’s the service station, the manufacturer, a component supplier, or an online service provider.
Looking to the Supply Chain
The automotive industry has global and complex supply chains – and these are set to include a significantly greater number of electronics as digitally transformed EVs take over the market.
EVs today typically use components from a small number of vendors in Southeast Asia, creating the conditions for any vulnerabilities to have a serious domino effect should they be introduced. There are already moves by the US and Europe to bring home supply chains, which could increase the number of local suppliers and somewhat reduce the risk. But we should remember that supply chains based anywhere can introduce vulnerabilities.
One example from within the energy industry would be attacks on Ukraine’s energy infrastructure in the mid-2010s, which cut the power to 225,000 people in western Ukraine. Investigators believe hackers accessed vulnerabilities in Supervisory Control and Data Acquisition (SCADA) systems. Many in the power industry in other countries became acutely aware that they were relying on the same kind of SCADA systems.
In DNV’s recent Cyber Priority research, which gathered the views of 600 energy professionals globally, just 57% said their organisations have good oversight of their supply chains. And these professionals placed ‘inadequate oversight of connected supply chain partners’ as the third greatest challenge in securing OT.
In the forthcoming Nixu Cybersecurity Index 2023, 68% of the 370 security decision makers surveyed have stated that their greatest concern is the risk posed by cyber threats to their operations and production.
Building Trust in the Security of EVs
Trust is fundamental to realising rapid growth in EVs. Drivers need to trust that the vehicle will have the range to get them to their destination and that they will have access to charging infrastructure. Manufacturers need to trust that supply chains can keep up and that supportive policies will continue. And policymakers need to trust that EVs are sustainable and contributing to societal aims like reducing emissions and local pollution. But all stakeholders need to trust that EVs are secure. Cyber security is an essential enabler for the rise of EVs.
The more suppliers can demonstrate their security posture through certification and conformity to standards, the more assured manufacturers can be that they are taking cyber security seriously. The essential ones to mention are TISAX (Trusted Information Security Assessment eXchange), the common standard for measuring the security of EV suppliers; ISO 21434, the industry standard for automotive cyber security; and ISO 27001 for information security. Auditing suppliers’ cyber security at several stages is also important, not only when procuring and integrating the supplier or its products into one’s systems, but also during operations.
Keeping up with standards and best practice only sets a baseline for manufacturers and suppliers; it doesn’t guarantee security. The preferred way forward is to apply secure technical design rules in combination with tailored cyber risk management, striving for adaptation and continuous improvement. Compliance needs to be complemented by work to identify and manage new risks and weaknesses, such as through employing penetration testing and intrusion detection in EVs and their components, as well as in related infrastructure.
Everyone involved in EVs can take steps. Service stations, for example, can obtain verification that they are secure and that they treat personal data properly. Suppliers can invest in ‘birth certificates’, taking certification into the factory. Regulators or other third parties could routinely test vehicle and production systems for vulnerabilities, to keep up with cyber security threats as they evolve.
EV drivers could limit the data collected based on their own benefit/risk assessment. Customer pressure can also lead to positive changes. Just as new vehicles can be customised to have a go-fast or family package, it may in the future be possible – if it gives a competitive advantage to the manufacturer – to receive a security package in which certain devices, software or data gathering processes are excluded.
For everyone involved in EVs, investing in and focusing on cyber security has significant benefits, with greater security building confidence, enabling innovation, ensuring compliance and increasing competitiveness. Direct cyber attacks on EVs won't 'bring roads to a standstill', but we must be mindful of threats to related infrastructure and supply chains, as well as safeguarding personal data.
The views expressed in this Commentary are the authors’, and do not represent those of RUSI or any other institution.